The triumph of the cloud computing archetype is owing to its on-demand, self-service, and pay-by-use nature. The possessions of Denial of Service (DoS) attacks engross not only the quality of the delivered service, but also the service continuance costs in terms of reserve utilization. Explicitly, the longer the detection delay is, the elevated the costs to be incurred. Consequently, a fastidious consideration has to be paid for stealthy DoS attacks. They aim at minimizing their visibility, and are sophisticated attacks adapted to influence the worst-case recital of the target system through definite periodic, pulsing, and low-rate traffic patterns. A strategy to orchestrate stealthy attack patterns, which reveal a slowly-increasing-intensity inclination premeditated to impose the utmost financial cost to the cloud Customer has been proposed, while relating to the job size and the service advent rate obligatory by the detection mechanisms. It is described both how to apply the proposed strategy, and its effects on the target system deployed in the cloud.
2. Dr. V. Goutham and M. Tejaswini
http://www.iaeme.com/IJCET/index.asp 180 editor@iaeme.com
general public users irrespective of their original association. A private Cloud’s usage
is restricted to members, employees, and trusted partners of the organization. A
hybrid Cloud enables the use of private and public Cloud in a seamless manner. Cloud
computing applications span many domains, including business, technology,
government, health care, smart grids, intelligent transportation networks, life sciences,
disaster management, automation, data analytics, and consumer and social networks.
Various models for the creation, deployment, and release of these applications as
Cloud services have emerged. To compose data management scalable in cloud
computing, deduplication has been a well-known technique and has fascinated more
and more attention in recent times [1]. Service level agreements (SLA) legalize the
costs that the cloud customers have to pay for the provided quality of service (QoS)
[1]. A side effect of such a model is that, it is flat to Denial of Service (DoS) and
Distributed DoS (DDoS), which intend at tumbling the service availability and
concert by grueling the resources of the service’s host system [2]. Such attacks have
special effects in the cloud due to the adopted pay-by-use business model. Explicitly,
in cloud computing also a partial service degradation due to an attack has direct effect
on the service costs, and not only on the performance and availability professed by the
customer. The delay of the cloud service provider to diagnose the causes of the
service degradation be capable of considered as a security vulnerability. Over the past
decade, many efforts have been devoted to the detection of DDoS attacks in
distributed systems. Security prevention mechanisms frequently use approaches based
on rate-controlling, time-window, worst-case threshold, and pattern-matching
methods to discriminate between the nominal system operation and malicious
behaviors. They attempt to perform their activities in a “stealthy” fashion in order to
elude the security mechanisms, by orchestrating and timing attack patterns that
leverage specific weaknesses of target systems and the amount of time that the
ongoing attack to the system has been undetected. Here a sophisticated strategy is
presented to orchestrate stealthy attack patterns against applications running in the
cloud. In preference to aiming at making the service unavailable, the proposed
strategy aims at exploiting the cloud flexibility, forcing the application to use more
resources than needed, disturbing the cloud customer more on financial aspects than
on the service availability. The attack pattern is orchestrated in order to evade, or
however, greatly delay the techniques proposed in the literature to detect low-rate
attacks. It does not exhibit a periodic waveform typical of low-rate exhausting attacks.
In particular, the attack potency is slowly enhanced by a patient attacker, in order to
inflict significant financial losses, even if the attack pattern is performed in
accordance to the maximum job size and arrival rate of the service requests allowed in
the system. Using a simplified model empirically designed, we derive an expression
for gradually increasing the potency of the attack, as a function of the reached. We
show that the features offered by the cloud provider, to ensure the SLA negotiated
with the customer, can be maliciously exploited by the proposed stealthy attack,
which slowly exhausts the resources provided by the cloud provider, and increases the
costs incurred by the customer. The proposed attack strategy, namely Slowly-
Increasing-Polymorphic DDoS Attack Strategy (SIPDAS) can be applied to several
kind of attacks, that leverage known application vulnerabilities, in order to degrade
the service provided by the target application server running in the cloud. The term
polymorphic is inspired to polymorphic attacks which change message sequence at
every successive infection in order to evade signature detection mechanisms [9]. Even
if the victim detects the SIPDAS attack, the attack strategy can be re-initiate by using
different application vulnerability or a different timing. In order to validate the
3. A Denial of Service Strategy To Orchestrate Stealthy Attack Patterns In Cloud Computing
http://www.iaeme.com/IJCET/index.asp 181 editor@iaeme.com
stealthy characteristics of the proposed SIPDAS attack, we explore potential solutions
proposed in the literature to detect sophisticated low-rate DDoS attacks. in order to
explore the attack impact against an application deployed in a cloud environment, this
paper focuses on one of the most serious threats to cloud computing, which comes
from XML-based DoS (XDoS) attacks to the web-based systems.
2. DOS ATTACKS EXPLOITING APPLICATION
VULNERABILITIES
Oversize Payload attack that exploits the high memory consumption of XML
processing, the Oversized Cryptography that exploits the stretchy usability of the
security elements defined by the WS-Security specification. The Resource Exhaustion
attacks use flows of messages that are correct regarding their message structure, but
that are not properly correlated to any existing process instance on the target server
(i.e., messages that can be discarded by the system, but at the expense of a huge
amount of redundant work, such as the Business Process Execution Language
(BPEL)based document, which must be read and processed completely, before they
may safely be discarded); and attacks that exploit the worst-case performance of the
system, for example by achieving the worst case complexity of Hash table data
structure, or by using complex queries that force to spend much CPU time or disk
access time. Coercive Parsing attack as a case study, which represents one of the most
serious threat for the cloud applications [10]. It exploits the XML verbosity and the
complex parsing process (by using a large number of namespace declarations,
oversized prefix names or namespace Uris). In particular, the Deeply-Nested XML is
are source exhaustion attack, which exploits the XML message format by inserting a
large number of nested XML tags in the message body. The goal is to force the XML
parser within the application server, to exhaust the computational resources by
processing a large number of deeply-nested XML tags [30].
3. MODELING OF DDOS ATTACK AGAINST AN APPLICATION
SERVER IN CLOUD
Concerning the quality of service provided to the user, it is assumed that the system
performance under a DDoS attack is more degraded, as higher the average time to
process the user service requests compared to the customary procedure. Furthermore,
the attack is more exclusive for the cloud customer and/or cloud provider, as higher
the cloud resource utilization to process the malevolent requests on the target system.
From the point of view of the attacker, the key intention is to capitalize on the ratio
between the amount of ‘damage’ caused by the attack (in terms of service degradation
and cloud resources consumed),and the cost of escalating such an attack called
‘budget’ the first requirement to design an efficient DDoS attack pattern is the
capability of the attacker to evaluating the damage that the attack is inflicting to the
system, by spending a specific budget to produce the malevolent further load. The
attack damage is a function of the ‘attack potency’, which depends on the number of
contemporaneous attack sources, the request-rate of the attack flows, and the job-
content associated to the service requests to be processed. In order to make the attack
stealthy, the attacker has to be able to estimate the maximum attack strength to be
performed, without that the attack pattern exhibits a behavior that may be considered
anomalous by the mechanisms used as a protection for the target system.
4. Dr. V. Goutham and M. Tejaswini
http://www.iaeme.com/IJCET/index.asp 182 editor@iaeme.com
3.1. SYNTHETIC REPRESENTATION OF THE SYSTEM UNDER
ATTACK TO ASSESS THE SERVICE DEGRADATION
It is considered that the system consists of a group of distributed VMs provided by the
cloud provider, on which the application instances run. A load balancing mechanism
dispatches the user service requests among the instances. The instances can be
automatically scaled up or down, by monitoring some parameter suitable to assess the
provided QoS. Specifically, we model the system under attack with a comprehensive
capability, which represents a global amount of work the system is able to perform in
order to process the service requests. Such capability is affected by several
parameters, such as the number of VMs assigned to the application, the CPU
performance, the memory capability, etc. Each service request consumes a certain
amount wi of the capability on the base of the payload of the service request. Thus,
the load CN of the system at time t can be modeled by a queuing system M/M/n/n with
Poisson arrivals, exponentially distributed service times, multiple servers, and n
incoming requests in process (system capability). Moreover, the auto scaling feature
of the cloud is modeled in a simple way: when new resources (e.g., VMs) are added to
the system, the effect is an increase of the system capability.
3.2. OBJECTIVES OF STEALTHY ATTACK
The purpose of the attack against cloud applications is not to necessarily deny the
service, but rather to impose noteworthy squalor in some aspect of the service, namely
attack profit PA, in order to maximize the cloud resource consumption CA to process
malicious requests. In order to escape the attack detection, dissimilar attacks that use
low-rate traffic have been presented in the literature. Therefore, several works have
proposed techniques to distinguish low-rate DDoS attacks, which monitor anomalies
in the instability of the incoming traffic through either a timeout frequency-domain
analysis. They assume that, the main anomaly can be incurred during a low-rate attack
is that, the incoming service requests fluctuate in amore extreme manner during an
attack. The uncharacteristic vacillation is a combined result of two different kinds of
behaviors a periodic and impulse trend in the attack pattern, and the fast decline in the
incoming traffic volume. Therefore, in order to perform the attack in stealthy fashion
with respect to the proposed detection techniques, an attacker has to inject low-rate
message flows that satisfy the optimization problem.
3.3. CREATION OF SERVICE DEGRADATION
Considering a cloud system with a comprehensive capability to process service
requests and a queue with size B that represents the bottleneck shared by the
customer’s flows and the DoS flows. Denote C0 as the load at time the onset of an
attack period T, and CN as the load to process the user requests on the target system
during the time window T. To exhaust the target resources, a number n of flows have
to be orchestrated, the load to process the malicious requests during the period T.
Assume that the attack flows are not limited to a peak rate due to a network bottleneck
or an attacker’s access link rate, and the term CN can be neglected during the attack
(CA _ CN), the malicious resource consumption CA can be maximized. Moreover,
assume that during the period T, the requests burst at an average rate, whereas the
flow bursts at an average rate. Denote B0 as the queue size at time t0, and d as the
time that the queue becomes full, such that: where is the average rate of requests
processed on the target system (i.e., the system throughput during the period T). After
5. A Denial of Service Strategy To Orchestrate Stealthy Attack Patterns In Cloud Computing
http://www.iaeme.com/IJCET/index.asp 183 editor@iaeme.com
d seconds, the queue remains full. In particular, under attack, if d, the attacker can
archive the best profit PA during the time window.
4. SLOWLY-INCREASING POLYMORPHIC ATTACK
STRATEGY
To implement an attack pattern that maximizes PA and CA, without knowing in
advance the target system characteristics, a Slowly-Increasing Polymorphic attack
strategy, which is an iterative and incremental process is proposed. At the first
iteration only a limited number p of flows fA are injected. The value p is increased by
one unit at each iteration p, until the desired service degradation is achieved. During
each iteration, the flows fA exhibit the attack intensity shown in Fig. 2. Specifically,
each flow consists of burst of messages, in which the parameter means the initial
attack intensity at the iteration p, T is the length of the burst period, and DI is the
increment of the attack intensity each time a specific condition V is false. V is tested
at the end of each period T. The satisfaction of the condition V identifies the
achievement of the desired service degradation. The purpose of using an iterative and
incremental approach is related to the inability of knowing in advance the target
system capability and the payload. The parameter DI sets the hypothetical overload
that the attacker would like to add on the target system. The value DI has to be
manipulated by the attacker, and controlled within a very small range to hide the
attack behavior, and prolong the attack detection latency. The intensity is periodically
increased until it exceeds a threshold, beyond which the attack may be detected. In
such case, anew attack iteration is performed, in which another flow is added, and
new attack intensity is computed for each flow. Therefore, in order to inject a number
of requests strictly necessary for achieving a certain level of service degradation, the
intensity the number of involved flows fA are slowly enhanced. Moreover, each burst
is a sequence of legitimate messages, randomly chosen within the set u, injected with
an inter-arrival time tI that is proportional to the alleged load associated to the injected
message. In the following is described as the SIPDAS-based attacks can be
implemented, and how to estimate their effects on the target system.
I. EVALUATION OF ATTACK
The same cloud framework adopted for building up the target server application SUA
has been used in the proposed strategy. As a result, the implemented attack can be
offered as a services through a simple web interface. Web interface is used to setup
the attack parameters and observe the status of the attack. When the attack is activated
by the web interface, a set of parameters is sent to the Master, including the target
system URL, the attack intensity I0, the attack increment DI, the thresholds NT and dT,
and the attack period T. The Master coordinates the attack, by enabling the Agent
instances, and interacting with the Meter that performs legitimate requests to the
server under attack, and differently from the Agents, evaluates the response time tS.
The KV store shared among the Cloudlets, maintains all the information related to the
attack state, including the parameters used by the Agents and the attack results
evaluated by the Meter. The Master periodically acquires information from the ‘KV
store’, and sends messages to Agents in order to update their actions.
II. EXPERIMENTAL EVALUATION
In the following experiments, it is assumed that during the normal operation the target
application SUA runs on a certain number of VMs (with 2 CPU x86, 32 bit, 2.0 Ghz
with 1GB of memory) in a mOSAIC-based private cloud. The auto-scaling
6. Dr. V. Goutham and M. Tejaswini
http://www.iaeme.com/IJCET/index.asp 184 editor@iaeme.com
mechanism is enabled by the m OSAIC Platform when the average CPU load on the
involved VMs exceeds the 90 percent for a time period greater than 10minutes.
Moreover, the developed TPC-W emulator both to simulate the customer workload
and to evaluate the attack effect is adopted. The TCP-W emulator and the attacker
application are deployed on different VMs and connected to the target cloud through a
private network (100 Mb/s Ethernet LAN).In order to achieve a small evaluation time,
the attack period is chosen to be T=120s. The mOSAIC auto scaling mechanism is
disabled. During the first experiment, it is evaluated the maximum message rate
necessary to inflict a substantial service degradation. In order to show the attack
effects, the WIPS variation with respect to the time, achieved with a single Agent
against SUA deployed on a single VM on the server side. In order to make more clear
the achieved results, the WIPS values are aggregated at a fixed time interval TS=30 s
and the average value is shown. Experimental results show that are sufficient about
nine attack periods as well as to achieve a service degradation greater than 90 percent.
The smallest reached inter-arrival time between two consecutive message is tI=26ms,
whereas the average value is tI = 73ms.In the second experiment, we set the threshold
dT to the average value tI reached. Results show that a single Agent is not able to
inflict a significant service degradation. At this point, the Master enables another
Agent and sets a new initial attack intensity of the two Agents with the maximum
service degradation is achieved after a time period. In the third experiment, the
mOSAIC auto-scaling mechanism is enabled and assumed that in normal conditions
the target application runs on two VMs, whereas in case of overloading due to a
workload peak, the auto-scaling mechanism can incrementally add other five VMs.
Experimental results show that after about 3 hours the attack inflicts the maximum
service degradation with five Agents.
III.CONCLUSION AND FUTURE WORK
An approach to execute stealthy attack patterns, which demonstrate a slowly-
increasing polymorphic performance that can evade, or conversely, greatly delay the
techniques projected in the literature to detect low-rate attacks. Exploiting a
susceptibility of the target application, a patient and intellectual attacker can
orchestrate complicated flows of messages, indistinguishable from genuine service
requests. In exacting, the proposed attack pattern, as an alternative of aiming at
making the service unavailable, it aims at exploiting the cloud flexibility, forcing the
services to scale up and munch through more resources than needed, distressing the
cloud customer more on financial aspects than on the service availability. In the future
expectations, extending the approach to a larger set of application level
vulnerabilities, as well as defining a sophisticated method able to detect SIPDAS
based attacks in the cloud computing environment has to be focused.
REFERENCES
[1] M. C. Mont, K. McCorry, N. Papanikolaou, and S. Pearson, Security and privacy
governance in cloud computing via SLAS and a policy orchestration service,” in
Proc. 2nd Int. Conf. Cloud Comput. Serv. Sci., 2012, pp. 670–674.
[2] F. Cheng and C. Meinel, Intrusion Detection in the Cloud, in Proc. IEEE Int. Conf.
Dependable, Autonom. Secure Comput, Dec. 2009, pp. 729–734.
[3] C. Metz. (2009, Oct.).DDoS attack rains down on Amazon Cloud [Online].
Available: http://www.theregister.co.uk/2009/10/05/ amazon_bitbucket_ outage/S
7. A Denial of Service Strategy To Orchestrate Stealthy Attack Patterns In Cloud Computing
http://www.iaeme.com/IJCET/index.asp 185 editor@iaeme.com
[4] K. Lu, D. Wu, J. Fan, S. Todorovic, and A. Nucci, Robust and efficient detection
of DDoS attacks for large-scale internet, Comput. Netw, 51(18), pp. 5036–5056,
2007.
[5] H. Sun, J. C. S. Lui, and D. K. Yau, Defending against low-rate TCP attacks:
Dynamic detection and protection, in Proc. 12th
IEEE Int. Conf. Netw. Protocol,
2004, pp. 196-205.
[6] A. Kuzmanovic and E. W. Knightly, Low-rate TCP-Targeted denial of service
attacks: The shrew vs. the mice and elephants, inProc. Int. Conf. Appl., Technol.,
Archit., Protocols Comput. Commun, 2003, pp. 75–86.
[7] M. Guirguis, A. Bestavros, I. Matta, and Y. Zhang, Reduction of quality (RoQ)
attacks on internet end-systems,” in Proc. IEEE Int. Conf. Comput. Commun, Mar.
2005, pp. 1362–1372.
[8] X. Xu, X. Guo, and S. Zhu, A queuing analysis for low-rate DoS attacks against
application servers, in Proc. IEEE Int. Conf. Wireless Commun, Netw. Inf.
Security, 2010, pp. 500–504.
[9] L. Wang, Z. Li, Y. Chen, Z. Fu, and X. Li, Thwarting zero-day polymorphic
worms with network-level length-based signature generation, IEEE/ACM Trans.
Netw., 18(1), pp.53–66, Feb. 2010.
[10] A. Chonka, Y. Xiang, W. Zhou, and A. Bonti, Cloud security defense to protect
cloud computing against HTTP-DOS and XMLDoS attacks, J. Netw. Comput.
Appl., 34(4), pp. 1097–1107, Jul. 2011.
[11] X. Luo and R. K. Chang, On a new class of pulsing denial-of-service attacks and
the defense, in Proc. Netw. Distrib. Syst. Security Symp, Feb. 2005, pp. 61–79.
[12] Y. Chen and K. Hwang, Collaborative detection and filtering of shrew DDoS
attacks using spectral analysis, J. Parallel Distrib. Comput, 66(9), pp. 1137–1151,
Sep. 2006.
[13] H. Liu. Real-time detection of stealthy ddos attacks using time series
decomposition, in Proc. Int. Conf. Commun., 2010, pp. 1–6.
[14] A. Jumratjaroenvanit and Y. Teng-amnuay, Probability of attack based on system
vulnerability life cycle, in Proc. IEEE Int. Conf. Electron. Commerce Security,
Aug. 2008, pp. 531–535.
[15] Amazon EC2—Auto Scaling Feature. Giu.(2012) [Online]. Available:
http://aws.amazon.com/autoscaling/
[16] M. Jensen, N. Gruschka, and R. Herkenh, A survey of attacks on web services,
Comput. Sci., 24(4), pp. 185–197, 2009.
[17] M. Ficco and M. Rak, Intrusion tolerance of stealth DoS attacks to web services,
in Proc. Int. Conf. Inf. Security Privacy, 2012, Vol 376, pp. 579–584.
[18] M. Ficco and M. Rak, Intrusion tolerant approach for denial of service attacks to
web services, in Proc. IEEE Int. Conf. Data Compression, Commun. Process, Jun.
2011, pp. 285–292.
[19] TPC Benchmark W (TPC-W). A transactional web benchmark. (2013) [Online].
Available: at http://www.tpc.org/tpcw/
[20] C. Guang, G. Jian, and D. Wei, A time-series decomposed model of network
traffic, in Proc. 1st Int. Conf. Adv. Natural Comput., 2005, pp. 338–345.
[21] A.Lourdes Mary and Dr. R.Ravi, Survey On The Performance Analysis of Cloud
Computing Services, International Journal of Computer Engineering and
Technology, 5(2), 2014, pp. 66–70.
[22] Gurudatt Kulkarni, Jayant Gambhir, Amruta Dongare, Security In Cloud
Computing, International Journal of Computer Engineering and Technology, 3(1),
2012, pp. 258–265.
8. Dr. V. Goutham and M. Tejaswini
http://www.iaeme.com/IJCET/index.asp 186 editor@iaeme.com
[23] Gurudatt Kulkarni, Jayant Gambhir, Amruta Dongare, Security In Cloud
Computing, International Journal of Computer Engineering and Technology, 4(3),
2013, pp. 70–76.
ABOUT THE AUTHORS
Dr V. GOUTHAM is a Professor and Head of the Department of computer Science
and Engineering at TKR Engineering College affiliated to J.N.T.U Hyderabad. He
received M. Tech from Andhra University and B. Tech from J.N.T.U Hyderabad. He
worked for various MNC Companies in Software Testing and Quality as Senior Test
Engineer. His research interests are Software Reliability Engineering, software
testing, software Metrics, and cloud computing.
Ms. M. TEJASWINI Department of computer Science and Engineering at TKR
Engineering College affiliated to J.N.T.U Hyderabad. AP