CN105323241A - LDoS attack detection method in cloud computing based on available bandwidth Euclidean distance - Google Patents

Publication number: CN105323241A
Authority: CN (China)
Application number: CN201510570179.9A
Other languages: Chinese (zh)
Other versions: CN105323241B (en)
Inventors: 岳猛, 刘亮
Original assignee: Civil Aviation University of China
Current assignee: Civil Aviation University of China
Legal status: Granted; Expired - Fee Related
Prior art keywords: attack, available bandwidth, LDoS, link, Euclidean distance

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection


Abstract

Cloud computing data centre networks (DCNs) are particularly susceptible to low-rate denial of service (LDoS) attacks: an attacker exploits the shared bandwidth and the vulnerability of virtual machines to congest a bottleneck link between virtual machines and thereby degrade the service quality of the system. Addressing LDoS attacks in DCNs, the invention covers two aspects. LDoS attack: a network model of the LDoS attack in DCNs is analyzed, and it is verified that an LDoS attack in DCNs is more effective than an FDoS attack. LDoS detection: based on the distributed storage characteristics of a cloud computing platform, a new characteristic is extracted, namely that an LDoS attack causes the available bandwidth of the links to increase simultaneously; a detection method based on the average Euclidean distance of available bandwidth is then provided. An improved probe gap model method is designed to increase the accuracy of available bandwidth measurement.

Description

LDoS attack detection method based on available bandwidth Euclidean distance in cloud computing
Technical field
The present invention relates to computer network security technology, in particular to the detection of low-rate denial of service (Low-rate Denial of Service, LDoS) attacks in cloud computing, and can detect such attacks with high accuracy.
Background art
Cloud computing is the development trend of current information technology, and ensuring its security is a key problem that urgently needs solving. Cloud computing platforms exhibit many new characteristics, some of which help improve security (for example, professional security management). But they also exhibit new security risks that attackers may exploit. Like traditional network architectures, cloud computing architectures are exposed to denial of service attacks, and the high degree of openness of cloud computing makes such attacks more harmful. To achieve a better attack effect, attackers tend to target cloud data centers or cloud service providers; a successful attack causes great losses.
At present there is considerable research on LDoS attacks in traditional network architectures, but no literature yet provides systematic modeling and analysis of LDoS attacks inside cloud computing data center networks (Data Center Networks, DCNs). LDoS is a novel kind of DoS attack that mainly targets end systems based on the TCP protocol. In cloud computing, both the transport protocol inside DCNs and the data transfer protocol between DCNs and the outside mostly use TCP. LDoS attacks therefore have an opening inside DCNs. An attacker can exploit shared bandwidth and virtualization vulnerabilities in cloud computing, congesting the bottleneck link between virtual machines to degrade system service quality. Such an attack has a low average rate and is highly concealed, so traditional detection methods are hardly effective. Research on the LDoS attack model inside DCNs and on LDoS attack detection is of great significance for protecting cloud computing security.
There is already some research on DoS attacks against cloud computing. Joseph Idziorek et al. studied an FRC (Fraudulent Resource Consumption) attack against public clouds; they first described the harm of this attack by contrast with the traditional flooding DoS attack, and then set out methods for dealing with it, namely prevention, detection, tracing and mitigation. Ashley Chonka et al. [8] proposed a novel HX-DoS attack that exploits vulnerabilities in HTTP and XML, both widely used in cloud computing, to reduce cloud service quality. For this attack they also proposed the ENDER (Pre-Decision, Advance Decision, Learning System) defense system, whose core uses packet marking to mitigate HX-DoS attacks on the cloud platform. Bansidhar Joshi et al. used CTB (Cloud TraceBack) together with a back-propagation neural network to resist DoS attacks in cloud computing: CTB is first used to trace the attack source, and the neural network is then used to filter the attack flow, with an attack detection rate above 75%. Harkeerat Singh Bedi et al. pointed out that congestion of the routing queue shared by physical machines in cloud computing may lead to DoS attacks, built a game theory (Game) model to defend against DoS attacks, and demonstrated the usability of the method. Angelos D. Keromytis et al. proposed a secure overlay network whose powerful filtering and secure tunnel technology can effectively stop DoS attacks against cloud computing data centers. Han Zhijie et al. mainly studied denial of service attacks against HTTP applications on cloud computing platforms, detecting attacks from features such as CPU and network throughput and filtering attack flows with black and white lists. Han Wei et al. studied attack flows on the Hadoop cloud computing platform and, building on its heartbeat monitoring mechanism, proposed a new Hadoop-based model for DoS detection and self-repairing defense of cloud nodes. Lanjuan Yang et al. proposed the SBTA (SOA-Based Traceback Approach) tracing method based on SOA (Service Oriented Architecture), which uses a service-centered framework to track and locate DoS attack sources. Wu Zhijun et al. of Civil Aviation University of China have also done research on DoS attacks, mainly on a low-rate DoS attack, and have explored and practiced DoS attack detection and defense techniques in the PaaS service environment of cloud computing.
The above research concentrates on DoS attacks from outside the cloud. It mainly detects DoS attacks by pattern matching against known attacks or by statistics on abnormal traffic. But by changing the attack pattern and masking the abnormal traffic, these methods can be defeated. In addition, detecting DoS attacks through abnormal traffic statistics may also filter out normal traffic. IP-based tracing methods also have limitations: because the Internet spans several administrative domains and authorities, stopping an attack by contacting the network administrators near the attack source is usually very difficult.
Inside cloud computing centers, shared bandwidth and virtualization bring new security vulnerabilities, and related research disclosing them is still scarce. Research on DoS attacks between virtual machines inside cloud computing centers is therefore relatively insufficient. This does not mean such attacks do not exist; for lack of corresponding detection mechanisms, novel DoS attacks may surge like an undercurrent. LDoS is one of them. LDoS attacks have been studied extensively in traditional networks, but research results for cloud computing are few. Zhenqian Feng demonstrated that the new features of cloud data center networks allow a tenant to carry out an effective Shrew attack with very little traffic, and discussed some countermeasures, but did not systematically analyze the network model of LDoS attacks or propose effective detection and defense methods.
In cloud data centers, traditional FDoS (Flood Denial of Service) attacks are hardly effective. This is because the data center manages each virtual node through a heartbeat mechanism, while an FDoS attack sends flooding attack traffic to exhaust server resources or block links completely. When an FDoS attack occurs, heartbeat messages are blocked as well. If the heartbeat of a virtual node is not received within a certain number of cycles, the control node concludes that the server is down, starts a standby server, and migrates the service. The effect of an FDoS attack is therefore not obvious.
LDoS is a more intelligent DoS attack whose aim is to reduce service quality rather than to exhaust end-system resources or block the link completely. Its average attack rate is low, so some available bandwidth remains for heartbeat messages to pass. Existing mechanisms also struggle to detect and defend against LDoS attacks. So when an LDoS attack occurs, the control node does not perceive it, and the victim can only silently maintain a lower service quality.
An LDoS attack uses bursty short-pulse attack flows to periodically congest the bottleneck link, driving TCP endpoints into the retransmission timeout state frequently and thus reducing the service quality of the system. An LDoS attack pulse train can be expressed as a triple A(L, R, T), where L is the pulse length, the period during which the attacker keeps sending packets; R is the pulse amplitude, the peak attack rate, generally greater than or equal to the bottleneck link bandwidth; and T is the interval between two pulses, the attack period. The cloud data center network architecture differs from the traditional data center network architecture, which makes cloud data centers more vulnerable to LDoS attacks. In cloud data centers, insufficient shared bandwidth is the major cause of LDoS attacks.
In the cloud computing architecture, routers and virtual machines form a multi-layer network model in which lower-layer routers aggregate traffic and pass it to higher layers. In this architecture, the number of links on the transmission path limits the available bandwidth offered to users. For example, in Fig. 3, multiple virtual machines connect to R1, which creates the shared-bandwidth problem. Suppose the attacker controls a virtual machine in the R1 routing domain; virtualization vulnerabilities make compromising a virtual machine quite possible. The attacker can then detect that a bottleneck link exists between R1 and R4, and sends periodic LDoS attack flows across the bottleneck link to a receiver in another routing domain. Because of the shared-bandwidth limit, the LDoS attack can easily congest the bottleneck link. The other TCP endpoints in the same routing domain as the attacker then become victims, and the service quality they provide to the outside of the cloud degrades.
Summary of the invention
In the present invention, calculating the Euclidean distance of the available bandwidth sequences of all links under the same routing domain yields the basis for detecting LDoS attacks.
The influence of an LDoS attack on the available bandwidth of each link under the same routing domain can be derived as follows. Assuming a time scale τ, the available bandwidth $A_l(t, t+\tau)$ of link l can be expressed as a mean over that time scale:

$$A_l(t, t+\tau) = C_l \times \left(1 - \frac{\int_t^{t+\tau} \sum_{i=1}^{M} W_l^i(x)\,dx + \int_t^{t+\tau} Q(x)\,dx}{C_l \times \tau}\right) \tag{1}$$

where $C_l$ is the total bandwidth of link l, M is the total number of TCP senders on the link, $W_l^i(x)$ is the congestion window of the i-th TCP sender, $\int_t^{t+\tau} \sum_{i=1}^{M} W_l^i(x)\,dx$ is the TCP traffic injected into the link, and $\int_t^{t+\tau} Q(x)\,dx$ is the LDoS attack traffic injected into the link. The fraction inside the parentheses represents the average link bandwidth utilization.
When there is no LDoS attack traffic, that is, when $\int_t^{t+\tau} Q(x)\,dx = 0$, the business demands differ, so the TCP congestion windows follow no unified pattern of change, whether on the same link or across different links. The similarity of available bandwidth between links is therefore low. When LDoS attack traffic is injected, assume the attacker does not change the attack rate. Although $\int_t^{t+\tau} Q(x)\,dx$ is very small, under its influence the TCP senders on every link in the same routing domain all sharply reduce their congestion windows in unison. If the attack is effective enough, the available bandwidth may even approach the total bandwidth the link can provide, and the available bandwidths of the links show strong similarity.
Following this model analysis, the Euclidean distance is used to measure the similarity of the available bandwidth of different links. The available bandwidth of all links is measured, and the measurement result is regarded as a random process {B(t), t = nΔ}, where Δ is the measurement interval. For each time t, B(t) corresponds to a random variable. B(t) forms a measurement sequence representing all measured values of the link's available bandwidth. The available bandwidth sequence of the i-th link is thus $B_i(m)$, m = 1, 2, ..., n, where m is the index of each value. Suppose the total bandwidth of both links is $C_l$. The Euclidean distance $d(B_i, B_j)$ of the available bandwidth sequences of two links is defined as:

$$d(B_i, B_j) = \frac{\sqrt{\sum_{m=1}^{n} \left(B_i(m) - B_j(m)\right)^2}}{C_l} \tag{2}$$

where $B_i$ and $B_j$ are two link available bandwidth sequences, and i and j are link labels. Considering that a routing domain contains multiple links, the Euclidean distances obtained in (2) are averaged, and the average Euclidean distance $\overline{d_{ij}}$ is defined as:

$$\overline{d_{ij}} = \frac{\sum_{i=1,\,j=1}^{k} d(B_i, B_j)}{C_k^2}, \quad i \neq j \tag{3}$$

where k is the total number of links.
According to the theoretical analysis of available bandwidth similarity, the following hypothesis test can be made:

$$H_0: \overline{d_{ij}} > \mu \qquad H_1: \overline{d_{ij}} \leq \mu \tag{4}$$

In (4), if $\overline{d_{ij}}$ is greater than the threshold μ, $H_0$ is accepted and the state is judged normal. Otherwise, if $\overline{d_{ij}}$ is less than or equal to the threshold μ, $H_1$ is accepted and an LDoS attack is judged to have occurred.
Brief description of the drawings
Fig. 1 is the LDoS attack model.
Fig. 2 is the distributed architecture of servers, where (a) is the traditional data center architecture and (b) is the cloud data center infrastructure.
Fig. 3 is the LDoS attack in DCNs.
Fig. 4 is the theoretical analysis of available bandwidth over time, where (a) is without LDoS attack and (b) is with LDoS attack.
Fig. 5 is the experimental environment to which the present invention is applied, simulating the LDoS attack scenario.
Fig. 6 is the improved experimental environment of the present invention, used to detect LDoS attacks.
Embodiment
1. First, the attack effects of FDoS and LDoS inside DCNs are compared. In the scenario simulated in Fig. 5, the Hadoop platform is used to verify the LDoS attack effect. Hadoop is a mature cloud framework used by most cloud computing providers (for example Google, IBM, Microsoft). In the Hadoop framework, Slave nodes provide data services to clients, and the Master is responsible for monitoring and managing the Slaves. Each Slave node continually sends heartbeats to the Master node to announce that it is alive. The experimental environment is configured with one Master node and two Slave nodes. Under normal conditions, the Client downloads different fragments of a file from the two Slave nodes, and HDFS (Hadoop Distributed File System) provides TCP-based transfer. FDoS and LDoS attacks are then carried out separately and their effects compared. Under the FDoS attack, the bottleneck link is completely congested and the Master cannot receive the heartbeat of Slave1; after a while, the Master observes that only Slave2 is alive. Under the LDoS attack, because the average attack rate is low, some available bandwidth remains on the bottleneck link. The heartbeat of Slave1 still reaches the Master, so the Master still considers both Slaves alive, which illustrates the concealment of the LDoS attack. After FDoS occurs, the bottleneck link is completely congested and the Client cannot download the current resource fragment from Slave1. The Client must wait for the Master to find that Slave1 is offline and migrate the service to Slave2 before it can continue downloading. The total download time is 136 s. The LDoS attack does not take Slave1 down, and the Master does not migrate the service to Slave2, yet the download time increases greatly, to 240 s in total. LDoS thus achieves the goal of reducing service quality, with a better effect than FDoS.
2. LDoS attack detection is carried out in the experimental environment simulated in Fig. 6. The testbed comprises 3 servers (Server), 1 attacker (Attacker), 1 receiver (Receiver) and 1 client (Client). The 3 Servers are physical hosts, each running 3 virtual machines; they are connected to a router (Router1) by their own links, each with a link bandwidth of 1 Gbps. Router1 is implemented as a multi-NIC server providing the routing function, configured with iproute and tc. The link between Router1 and Router2 is the bottleneck link, with a bandwidth of 1 Gbps.
The cloud computing platform is again Hadoop. According to the characteristics of HDFS distributed storage, the roles of the virtual machines on the Servers are configured, and the Client performs read operations on the files stored on the DataNodes. Under normal conditions and under LDoS attack, the available bandwidth of the three links Link1, Link2 and Link3 is measured; the probe packet interval Δt is set to 100 μs, and the load consists of 10 UDP packets of 1500 bytes. Results are collected over 500 s. Carrying out 100 experiments yields a sequence of 100 average Euclidean distance values.
Detection performance differs under different thresholds. A trade-off is needed among the detection rate, the missed-detection rate and the false-alarm rate. According to the data in the following table:
Through a large number of experiments, the threshold 1.8 is chosen; compared with other thresholds, it makes the correct decision rate sufficiently high and the misjudgment rate sufficiently low. LDoS attack detection performance is therefore best at this threshold, reaching a detection rate of 98%.
If the average Euclidean distance is greater than the threshold 1.8, $H_0$ is accepted and the state is judged normal; otherwise, if it is less than the threshold 1.8, $H_1$ is accepted and an LDoS attack is judged to have occurred.
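The detection rule defined in the Summary (pairwise distance, average over links, threshold test) and applied with the threshold 1.8 in the embodiment and in claims 2 and 3 can be run as follows. This is an added example, not code from the patent. The bandwidth sequences are constructed sample data, the function names are hypothetical, and two readings are assumptions: the square root in the distance, and C_k^2 taken as the number of unordered link pairs.

```python
"""Average-Euclidean-distance LDoS check over per-link available-bandwidth sequences."""
import random
from itertools import combinations
from math import sqrt

CAPACITY_MBPS = 1000.0  # C_l: every link is 1 Gbps, as in the embodiment
THRESHOLD_MU = 1.8      # threshold mu chosen in the patent's experiments


def euclidean_distance(b_i, b_j, capacity):
    """d(B_i, B_j): Euclidean distance of two sequences, normalised by C_l.

    Assumption: the square root is taken, as the name implies.
    """
    if len(b_i) != len(b_j) or not b_i:
        raise ValueError("sequences must be non-empty and of equal length")
    if capacity <= 0:
        raise ValueError("capacity must be positive")
    return sqrt(sum((x - y) ** 2 for x, y in zip(b_i, b_j))) / capacity


def average_euclidean_distance(sequences, capacity):
    """Mean of d(B_i, B_j) over the k*(k-1)/2 unordered link pairs.

    Assumption: C_k^2 is read as "k choose 2", each pair counted once.
    """
    pairs = list(combinations(sequences, 2))
    if not pairs:
        raise ValueError("at least two links are required")
    return sum(euclidean_distance(a, b, capacity) for a, b in pairs) / len(pairs)


def classify(sequences, capacity=CAPACITY_MBPS, mu=THRESHOLD_MU):
    """Hypothesis test: H0 (normal) if the mean distance > mu, else H1 (LDoS)."""
    d_avg = average_euclidean_distance(sequences, capacity)
    return ("normal" if d_avg > mu else "ldos"), d_avg


def constructed_normal(links=3, n=100, seed=1):
    """Constructed sample: each link's utilisation varies independently."""
    rng = random.Random(seed)
    return [[CAPACITY_MBPS * (1.0 - rng.uniform(0.1, 0.9)) for _ in range(n)]
            for _ in range(links)]


def constructed_attack(links=3, n=100, seed=2, period=10):
    """Constructed sample: all TCP senders back off in step with the pulses.

    Utilisation follows one shared sawtooth (windows collapse at each pulse,
    then regrow) plus a small per-link jitter, so the links stay similar
    even though the bandwidth itself keeps changing.
    """
    rng = random.Random(seed)
    sequences = []
    for _ in range(links):
        seq = []
        for m in range(n):
            shared_util = 0.05 + 0.30 * (m % period) / period
            jitter = rng.uniform(-0.05, 0.05)
            seq.append(CAPACITY_MBPS * (1.0 - shared_util - jitter))
        sequences.append(seq)
    return sequences


if __name__ == "__main__":
    for name, data in (("normal", constructed_normal()),
                       ("attack", constructed_attack())):
        label, d_avg = classify(data)
        print(f"{name:7s} mean distance = {d_avg:.3f} -> {label}")
```

The statistic reacts to similarity between links, not to the bandwidth level: in the constructed attack data the available bandwidth swings by about 30% of capacity, yet the mean distance stays low because every link swings together.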

Claims (3)

1. A low-rate denial of service (Low-rate Denial of Service, LDoS) attack detection method in cloud computing based on available bandwidth Euclidean distance, characterized in that:
(1) the LDoS attack inside a cloud data center exploits vulnerabilities of the cloud data center network architecture;
(2) the network available bandwidth is measured accurately by an improved probe gap model (Probe Gap Model, PGM);
(3) the LDoS attack is detected based on available bandwidth Euclidean distance, the method being specifically designed to detect LDoS attacks inside cloud data centers; by hypothesis testing, the calculated value of the available bandwidth Euclidean distance is compared with a set threshold as the final criterion.
2. The LDoS attack detection method in cloud computing based on available bandwidth Euclidean distance according to claim 1, characterized in that:
the LDoS attack in feature (1) exploits the insufficient shared bandwidth inside the cloud data center; by congesting the bottleneck link, it causes the other TCP endpoints in the same routing domain as the attacker to become victims, and the service quality the victims provide to the outside of the cloud degrades;
the improved PGM available bandwidth measurement method of feature (2) suits the high-speed transmission of cloud computing, and the improvements are: 1) two probe packets are sent at a longer interval $\Delta_i$, ensuring that the two probe packets can be in the queue at the same time; the receiver measures the interval $\Delta_o$ at which the two probe packets are received; 2) a section of load traffic is sent ahead of the probe packets, ensuring that the two probe packets can be in the queue at the same time; that is, while background traffic is being transmitted, the router queue is not empty between the two probe packets, and the transmission rate of the background traffic is $\frac{\Delta_o - \Delta_i}{\Delta_i} \times C$, where C is the bottleneck link bandwidth; the available bandwidth A can then be calculated as follows:

$$A = \left(1 - \frac{\Delta_o - \Delta_i}{\Delta_i}\right) \times C$$

the probe packet size is designed as P bytes, and the load traffic consists of N packets of S bytes each; the interval between the first load packet and the second probe packet is then $T_0 = N \times S \times 8 / C + \Delta_i$; suppose the packet arrival rate of the background traffic is r, then the total traffic entering the router queue within time $T_0$ is $N \times S \times 8 + r \times T_0$; to keep the router queue from becoming empty, the traffic entering the router queue must be greater than the traffic the router can process, that is:

$$N \times S \times 8 + r \times T_0 > C \times T_0$$

further derivation gives the range of $\Delta_i$:

$$\Delta_i < N \times S \times 8 \left(\frac{1}{C - r} - \frac{1}{C}\right)$$

the above formula describes the relation between $\Delta_i$ and N; setting $\Delta_i$ and N reasonably allows the available bandwidth to be measured more accurately, providing input for the LDoS attack detection algorithm;
the calculation of the link available bandwidth Euclidean distance in feature (3) is achieved as follows: the available bandwidth of all links is measured, and the measurement result is regarded as a random process {B(t), t = nΔ}, where Δ is the measurement interval; for each time t, B(t) corresponds to a random variable; B(t) forms a measurement sequence representing all measured values of the link's available bandwidth; the available bandwidth sequence of the i-th link is thus $B_i(m)$, m = 1, 2, ..., n, where m is the index of each value; suppose the total bandwidth of both links is $C_l$; the Euclidean distance $d(B_i, B_j)$ of the available bandwidth sequences of two links is defined as:

$$d(B_i, B_j) = \frac{\sqrt{\sum_{m=1}^{n} \left(B_i(m) - B_j(m)\right)^2}}{C_l}$$

where $B_i$ and $B_j$ are two link available bandwidth sequences, and i and j are link labels; considering that a routing domain contains multiple links, the Euclidean distances are averaged, and the average Euclidean distance $\overline{d_{ij}}$ is defined as:

$$\overline{d_{ij}} = \frac{\sum_{i=1,\,j=1}^{k} d(B_i, B_j)}{C_k^2}, \quad i \neq j$$

where k is the total number of links;
according to the theoretical analysis of available bandwidth similarity, the following hypothesis test is carried out:

$$H_0: \overline{d_{ij}} > \mu \qquad H_1: \overline{d_{ij}} \leq \mu$$

if $\overline{d_{ij}}$ is greater than the threshold μ, $H_0$ is accepted and the state is judged normal; otherwise, if $\overline{d_{ij}}$ is less than or equal to the threshold μ, $H_1$ is accepted and an LDoS attack is judged to have occurred.
3. The LDoS attack detection method in cloud computing based on available bandwidth Euclidean distance according to claim 2, characterized in that: 1.8 is chosen as the threshold, at which LDoS attack detection performance is best; if the average Euclidean distance is greater than the threshold 1.8, $H_0$ is accepted and the state is judged normal; otherwise, if it is less than the threshold 1.8, $H_1$ is accepted and an LDoS attack is judged to have occurred.
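The improved-PGM formulas of claim 2 can be carried through numerically as follows. This is an added example, not code from the patent: the function names are hypothetical, the two rearranged bounds are derived here from the claim's inequality, and treating the embodiment's 100 μs probe interval as Δ_i and its 10 UDP packets of 1500 bytes as N and S is an assumption.

```python
"""Improved probe gap model (PGM) arithmetic from claim 2.

Units: seconds for gaps, bytes for packet sizes, bit/s for rates.
"""
from math import floor


def available_bandwidth(delta_i, delta_o, capacity):
    """A = (1 - (delta_o - delta_i) / delta_i) * C, floored at 0."""
    if delta_i <= 0 or capacity <= 0:
        raise ValueError("delta_i and capacity must be positive")
    if delta_o < delta_i:
        # The output gap shrank, so the queue was not busy across both
        # probes: the model's precondition failed, discard the sample.
        raise ValueError("delta_o < delta_i violates the PGM precondition")
    return max(0.0, (1.0 - (delta_o - delta_i) / delta_i) * capacity)


def queue_stays_busy(delta_i, n_load, load_bytes, capacity, background_rate):
    """The claim's condition N*S*8 + r*T0 > C*T0, with T0 = N*S*8/C + delta_i."""
    load_bits = n_load * load_bytes * 8
    t0 = load_bits / capacity + delta_i
    return load_bits + background_rate * t0 > capacity * t0


def max_probe_gap(n_load, load_bytes, capacity, background_rate):
    """Upper bound on delta_i: N*S*8 * (1/(C - r) - 1/C)."""
    if not 0 <= background_rate < capacity:
        raise ValueError("need 0 <= r < C")
    load_bits = n_load * load_bytes * 8
    return load_bits * (1.0 / (capacity - background_rate) - 1.0 / capacity)


def min_background_rate(delta_i, n_load, load_bytes, capacity):
    """Rearranged bound (derived here): r > C - 1 / (delta_i/(N*S*8) + 1/C)."""
    load_bits = n_load * load_bytes * 8
    return capacity - 1.0 / (delta_i / load_bits + 1.0 / capacity)


def min_load_packets(delta_i, load_bytes, capacity, background_rate):
    """Rearranged bound (derived here): smallest N meeting the strict inequality."""
    per_packet = max_probe_gap(1, load_bytes, capacity, background_rate)
    if per_packet <= 0:
        raise ValueError("with r = 0 no load train keeps the queue busy")
    return floor(delta_i / per_packet) + 1


if __name__ == "__main__":
    C, N, S, GAP = 1e9, 10, 1500, 100e-6  # embodiment settings (assumed mapping)
    print(f"r must exceed {min_background_rate(GAP, N, S, C) / 1e6:.1f} Mbit/s")
    for r in (400e6, 500e6):
        print(f"r = {r / 1e6:.0f} Mbit/s: max gap "
              f"{max_probe_gap(N, S, C, r) * 1e6:.0f} us, "
              f"queue busy: {queue_stays_busy(GAP, N, S, C, r)}, "
              f"min N: {min_load_packets(GAP, S, C, r)}")
    print(f"A for delta_o = 130 us: "
          f"{available_bandwidth(GAP, 130e-6, C) / 1e6:.0f} Mbit/s")
```

With these settings the bound on Δ_i holds only when the background rate exceeds roughly 454.5 Mbit/s; on a lighter-loaded link the load train has to be longer (13 packets at 400 Mbit/s) for the same probe gap.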
Priority Applications (1)

Application number: CN201510570179.9A
Priority date: 2015-09-08
Filing date: 2015-09-08
Title: LDoS attack detection method based on available bandwidth Euclidean distance in cloud computing

Publications (2)

CN105323241A (en), publication date 2016-02-10
CN105323241B (en), publication date 2018-10-26

Family

ID=55249837
Status of CN201510570179.9A: Expired - Fee Related, CN105323241B (en)


Legal Events

Code    Title
C06     Publication
PB01    Publication
C10     Entry into substantive examination
SE01    Entry into force of request for substantive examination
GR01    Patent grant
CF01    Termination of patent right due to non-payment of annual fee

Granted publication date: 20181026
Termination date: 20210908