Cloud Sentry: Innovations in Advanced Threat Detection for Comprehensive Cloud Security Management

Subash Banala

Pages: 24-35

Vol 17, Jan-Jun, 2023

Date of Submission: 2023-01-29 Date of Acceptance: 2023-02-19 Date of Publication: 2023-04-02

Abstract

Cloud services are known for benefits such as seamless resource access, scalability, and elasticity. However, they face significant threats at both the infrastructure and application levels, and application-layer distributed denial of service (DDoS) attacks are particularly difficult to counter. These attacks typically overwhelm targeted servers, exhausting available resources and causing performance degradation and service unavailability. While some existing solutions, such as intrusion detection and protection, can mitigate specific attacks, evolving application-layer DDoS attacks often find ways to evade these defences. In response, this paper introduces SENTRY, a novel and efficient methodology designed to combat application-layer DDoS attacks. SENTRY employs a challenge-response strategy that (a) assesses attackers' physical bandwidth resources, (b) dynamically adjusts to varying workload conditions, and (c) blocks suspicious service requests from potentially malicious clients.
