Author Details

We propose new security architecture to enhance direct control to the information stored in cloud servers. It splits the cloud stack to two layers and having the security control for the owner of the information between them. By executing security-critical operations at the inline owner agent, the owner of the data logically preserves the essential security control to its data physically stored in a private cloud. The shadow auditor monitors the integrity of information stored in a cloud server to detect unauthorized modification of the information even by the administrators in the clouds while real-time lineage summaries provide cloud users timely feedback on the quality of data without disturbing their workflow. Our performance evaluations showed that real-time lineage summaries are effective for feedbacking quality of information for systems that have frequent references to the information. The shadow auditor was also workload scalable, while the major bottleneck was securing communication between the split cloud and the owner agent. The proposed security architecture will be a solution to make secure transition to clouds while the advantages of clouds are maintained.

Keywords

Cloud Security, Data Lineage, Information Assurance, Information Quality, Private Clouds

Full Text

Layered Migrating Overlay for Effectively Sieving Internal DoS/DDoS Attackers-Its Designs and Effectiveness

Abstract Views :257 | PDF Views:1

Authors

Hiroshi Fujinoki ¹

Affiliations
1 Department of Computer Science, School of Engineering, Southern Illinois University Edwardsville, Edwardsville, Illinois, US

Source

Journal of Network and Information Security, Vol 6, No 1 (2018), Pagination: 1-11

Abstract

Several overlay-based solutions have been proposed to protect network servers from DoS/DDoS attacks. The common objective in the existing solutions is to prevent the attacking traffic from reaching the servers by hiding the location of target server computers. The recent evolutions in DDoS attacks, especially in the increase in the number of bots involved in a DDoS attack and in the degree of control such bots have to the hijacked host computers, pause serious threats to the overlay-based solutions. We designed and assessed the potential of new overlay-based security architecture that addresses the recent evolutions in DDoS attacks. The new security architecture, called “Layered Migrating Overlay (LMO)”, is designed to protect cloud servers (a) when their legitimate users convert to DoS/DDoS attackers or (b) when DDoS attacks are launched from the legitimate users’ host computers that are hijacked by DDoS coordinators. LMO copes with the situations by sieving attacking traffic from the hijacked legitimate users’ host computers using dynamic binary user splits over the migrating entry points to an overlay network. Our discrete event driven simulation suggested that LMO will efficiently sieve DDoS attacking hosts in many different situations, when a small number of attacking hosts hide behind a large legitimate user group, or when a stampede of DDoS attacking hosts occupy the majority of incoming traffic, without requiring a large number of migrating entry points. We also found that how quickly each migrating entry point can detect excess traffic is a key to keep convergence delay short.

Keywords

Network Management, Overlay Networks, Security Management, Denial of Services, Insider Threats.

Full Text

References

B. Prabadevi, and N. Jeyanthi, “Distributed denial of service attacks and its effects on cloud environment- A survey,” Proceedings of the International Symposium on Networks, Computers and Communications, pp. 1-5, 2014.

M. Durairaj, and A. Persia, “ANM to perceive and thwart denial of service attack in WLAN,” International Journal of Communication Networks and Information Security, vol. 7, no. 6, pp. 59-66, 2015.

G. Booth, A. Soknacki, and A. Somayaji, “Cloud Security: Attacks and Current Defenses,” Proceedings of the Annual Symposium on Information Assurance, pp. 56-62, 2013.

P. Ferguson, and D. Senie, “Network ingress filtering: Defeating denial of service attacks which employ ip source address spoofing,” RFC-2827, May 2000.

J. Ioannidis, and S. M. Bellovin, “Implementing pushback: Router-based defense against DDoS attacks,” Proceedings of Network and Distributed System Security Symposium, pp. 100-108, 2002.

M. Darwish, A. Ouda, and L. F. Capretz, “Cloud-based DDoS attacks and defenses,” Proceedings of the International Conference on Information Society, pp. 67-71, 2013.

E. Cooke, F. Jahanian, and D. McPherson, “The zombie roundup: Understanding, detecting, and disrupting botnets,” Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop, p. 6, 2005.

E. Shi, I. Stoica, and D. A. Perrig, “OverDoSe: A generic DDoS protection service using an overlay network,” Carnegie Mellon University Computer Science Department Technical Report CMU-CS-06-114, 2006.

S. Khattab, C. Sangpachatanaruk, R. Melhem, D. Moss´e, and T. Znati, “Proactive server roaming for mitigating denial-of-service attacks,” Proceedings of International Conference on Information Technology Research and Education, pp. 286-290, 2003.

N. Jeyanthi, N. Ch. S. N Iyengar, P. C. M. Kumar, and A. Kannammal, “An enhanced entropy approach to detect and prevent DDoS in cloud environment,” International Journal of Communication Networks and Information Security, vol. 5, no. 2, pp. 163-173, 2013.

T. Okumura, D. Mosse, M. Minami, and O. Nakamura, “Operating system support for network control: A virtual network interface approach for end-host OSS,” Proceedings of IEEE International Workshop on Quality of Service, pp. 170-179, 2002.

C. Sangpachatanaruk, S. M. Khattab, T. Znati, R. Melhem, and D. Moss´e, “A simulation study of the proactive server roaming for mitigating denial of service attacks,” Proceedings of the Annual Symposium on Simulation, pp. 7-14, 2003.

V. K. Pingali, and J. D. Touch, “Protecting public servers from DDoS attacks using drifting overlays,” Proceedings of the IEEE Computer and Information Technology Workshops, pp. 270-272, 2008.

H. Wang, Q. Jia, D. Fleck, W. Powell, F. Li, and A. Stavrou, “A moving target DDoS defense mechanism,” Computer Communications, vol. 46, no. 15, pp. 10-21, June 2014.

J. Kurian, and K. Sarac, “Provider provisioned overlay networks and their utility in DoS defense,” Proceedings of IEEE Global Telecommunications Conference, pp. 474-479, 2007.

S. Khattab, R. Melhem, D. Moss´e, and T. Znati, “Honeypot back-propagation for mitigating spoof ing distributed denial-of-service attacks,” Proceedings of the IEEE International Parallel and Distributed Processing Symposium, pp. 1152-1164, 2006.

S. Khattab, C. Sangpachatanarukz, D. Moss´e, R. Melhemx, and T. Znatixz, “Roaming honeypots for mitigating service-level denial-of-service attacks,” Proceedings of International Conference on Distributed Computing Systems, pp. 328-337, 2004.

D. L. Cook, W. G. Morein, A. D. Keromytis, V. Misra, and D. Rubenstein, “Web SOS: Protecting web servers from DDoS attacks,” Proceedings of the IEEE International Conference on Networks, pp. 455-460, 2003.

D. G. Anderson, “Mayday: Distributed filtering for internet services,” Proceedings of USENIX Symposium on Internet Technologies and Systems, pp. 3-15, 2003.

I. Stoica, R. Morris, D. Karger, M. F. Kaashoek, and H. Balakrishnan, “Chord: A scalable peer-to-peer lookup service for internet applications,” Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, pp. 149-160, 2010.

M. Canini, D. Fay, D. J. Miller, A. W. Moore, and R. Bolla, “Per flow packet sampling for high-speed network monitoring,” Proceedings of the Communication Systems and Networks and Workshops, pp. 1-10, 2009.

A. Broder, and M. Mitzenmacher, “Network applications of bloom filters: A survey,” Internet Mathematics, vol. 1, no. 4, pp. 485-509, November, 2003.

Username
Password
Remember me