
Theories And Technologies Of DoS Attack And Defense In Cloud Computing

Posted on: 2015-02-08
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y C Wang
Full Text: PDF
GTID: 1108330464968946
Subject: Computer system architecture
Abstract/Summary:
Security is one of the most critical challenges in cloud computing, and availability of service is the most basic security requirement. A Denial of Service (DoS) attack reduces service availability by preventing legitimate users from accessing servers. In the cloud computing environment, DoS attacks show more complicated and diversified characteristics. A cloud computing system suffers DoS attacks from both inside and outside the cloud server cluster. Classically, attackers control a botnet to launch a Distributed Denial of Service (DDoS) attack against a victim server or cluster; a DDoS attack amplifies the power of a DoS attack exponentially. If the communication or authentication protocol is designed improperly, any device or facility can be used by an attacker to launch a DoS attack, which can happen between two virtual servers, between a virtual server and subscriber terminal equipment, or between a virtual server and network equipment (or data acquisition equipment). Therefore, in cloud computing, research on the theories and technologies of DoS attack and defense has important theoretical and practical significance for the security of cloud users and service providers.

The main contributions of this paper are summarized as follows.

(1) A dynamic game model is proposed for the attack and defense of DDoS attacks launched from outside the server cluster. The model treats the attacker and the defender as the two parties of a game; the process of attack and defense is a non-cooperative repeated game with incomplete information. It is proved that a sub-game perfect Nash equilibrium exists in the game model, which yields optimal dynamic strategies (algorithms) for both sides. On the one hand, the defender's optimal strategy adjusts the firewall configuration dynamically according to the network workload and the detection status of the connections; it aims to reduce the false alarm rate of the intrusion detection system and thereby improve the quality of service for network users. On the other hand, the attacker's optimal strategy reduces the exposure rate of the botmaster so as to mount an effective attack at minimum cost. Moreover, the model allows a quantitative evaluation of the defense strength of an intrusion detection system, so that the current security situation of the server cluster can be analyzed to support upgrades and improvements of the security and defense capability of the cloud platform.

(2) A novel DDoS attack method, called the Cloud-Droplet-Freezing (CDF) attack, is proposed against the internal cloud server cluster. Experiments show that the attack not only exhausts the internal network bandwidth but also greatly consumes the CPU and memory resources of the physical server. It leads to a resource security problem: resources originally assigned to legitimate virtual machines (VMs) are illegally depleted by a DoS attack. By analyzing the principle of the CDF attack, it is proved that an improper VM migration can aggravate an internal DDoS attack instead of alleviating it, which makes the availability of cloud services more vulnerable. The experiments show that VM migration, designed to ensure service availability, carries the risk of increasing the attack's effect. Furthermore, based on the principle of the CDF attack, some potential defense ideas are given for this type of DDoS attack.

(3) An optimization model is proposed for multicast data origin authentication signatures to resist key-exhausted DoS attacks. In a time-critical multicast communication scenario (such as cloud computing or the Internet of Things), a key-exhausted DoS attack occurs when the rate at which the system must consume (update) keys exceeds the rate at which it can generate them. Based on game theory and Shannon information theory, the model describes the relationship between security and efficiency in a time-critical multicast communication scenario so as to ensure the maximum availability of the system. By analyzing the model, the existence of a Nash equilibrium is proved, and on this basis an optimization strategy for updating digital signature keys is proposed. While guaranteeing information-theoretic security of the messages, the strategy gives the least upper bound on the number of times a key may be reused. By applying this optimization strategy to multicast communication, the key update and generation rate can be effectively reduced, which dramatically improves the defensive capability against key-exhausted DoS attacks. The model can perform efficiency optimization on the key update strategy of RSA-based signature algorithms (such as the IEC 62351 standard and the PKCS#1 v2.1 standard), MAC-based signature algorithms (such as the incomplete-key-set scheme and the TESLA scheme), and the TV-HORS scheme.
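The following is an added illustration of the key-exhaustion condition described in contribution (3); it is constructed for this page and is not code from the dissertation. It models a signing source whose key generation capacity is fixed and whose signature demand is inflated by an attacker: with strictly one-time keys the key pool drains and messages go unsigned (a DoS by key exhaustion), while allowing each key to sign a bounded number of messages keeps the consumption rate at or below the generation rate. The rates, pool size and the `reuse_limit` parameter are assumed values; the security-side bound on key reuse that the dissertation derives is not reproduced here, so `min_reuse_to_sustain` only states the plain rate inequality from the abstract.

```python
"""Discrete-time model of a key-exhausted DoS against a signing service.

Constructed example (not from the dissertation): a multicast source must
sign every message it sends. Keys are produced at `gen_rate` per second and
each key may sign at most `reuse_limit` messages. When signature demand
exceeds what key generation can cover, the key pool drains and messages are
dropped: a denial of service caused by key exhaustion rather than bandwidth.
"""
import math
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SimResult:
    served: int = 0                      # messages signed and sent
    dropped: int = 0                     # messages that could not be signed (no key)
    exhausted_at: Optional[int] = None   # first second in which a drop occurred
    pool_history: List[int] = field(default_factory=list)  # unused keys after each second


def simulate(demand_per_sec: int, seconds: int, initial_keys: int,
             gen_rate: int, reuse_limit: int) -> SimResult:
    """Run the model for `seconds` ticks and report availability.

    demand_per_sec : signature requests arriving each second (attacker-inflated)
    initial_keys   : pre-generated keys available at t=0
    gen_rate       : keys the signer can generate per second (assumed fixed)
    reuse_limit    : signatures allowed per key (1 = strictly one-time keys)
    """
    if reuse_limit < 1 or gen_rate < 0:
        raise ValueError("reuse_limit must be >= 1 and gen_rate >= 0")
    result = SimResult()
    pool = initial_keys   # whole, unused keys
    uses_left = 0         # signatures remaining on the key currently in use
    for t in range(seconds):
        pool += gen_rate  # the signer generates keys at its fixed capacity
        for _ in range(demand_per_sec):
            if uses_left == 0:
                if pool == 0:
                    # Key pool exhausted: the message cannot be authenticated.
                    result.dropped += 1
                    if result.exhausted_at is None:
                        result.exhausted_at = t
                    continue
                pool -= 1
                uses_left = reuse_limit
            uses_left -= 1
            result.served += 1
        result.pool_history.append(pool)
    return result


def min_reuse_to_sustain(demand_per_sec: int, gen_rate: int) -> int:
    """Smallest reuse count k with demand/k <= gen_rate (steady-state condition).

    This is only the rate inequality from the abstract (consumption must not
    exceed generation). Whether signing k messages with one key is still
    secure is a separate question that this toy model does not answer.
    """
    if gen_rate <= 0:
        raise ValueError("a signer that generates no keys cannot sustain any load")
    return max(1, math.ceil(demand_per_sec / gen_rate))


def availability(res: SimResult) -> float:
    """Fraction of messages that were signed and delivered."""
    total = res.served + res.dropped
    return res.served / total if total else 1.0


if __name__ == "__main__":
    # Constructed scenario: 100 keys/s capacity, an attacker drives 300 sig/s.
    one_time = simulate(300, 10, initial_keys=500, gen_rate=100, reuse_limit=1)
    bounded = simulate(300, 10, initial_keys=500, gen_rate=100, reuse_limit=3)
    print("one-time keys :", one_time.served, "served,", one_time.dropped,
          "dropped, first exhaustion at t =", one_time.exhausted_at)
    print("reuse_limit=3 :", bounded.served, "served,", bounded.dropped,
          "dropped, first exhaustion at t =", bounded.exhausted_at)
    print("min reuse to sustain 300/s at 100 keys/s:", min_reuse_to_sustain(300, 100))
```

In the constructed scenario the one-time-key signer drops half of all messages once its 500-key reserve is gone after two seconds, while a reuse limit of 3 keeps consumption equal to generation and the pool never empties. The `pool_history` field is the quantity a defender would monitor: a steadily falling unused-key count under rising signature demand is the early symptom of this attack.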
Keywords/Search Tags: Cloud computing, Denial of Service attack, Digital signature, Network security