Research On DDoS Attack Defense Integrating Trust And Learning In Cloud Environment

Posted on: 2021-03-13
Degree: Master
Type: Thesis
Country: China
Candidate: Y T Pan
GTID: 2518306470968249
Subject: Computer Science and Technology

Abstract/Summary:
With the rapid development and adoption of cloud computing, many enterprises are gradually moving services and data to cloud platforms, and the online business and data supported by cloud data centers have grown rapidly. As a result, more and more DDoS attack sources have migrated to the cloud, where they consume large amounts of cloud computing resources, affect the availability of cloud services, and bring serious security challenges to the cloud computing environment. Compared with traditional networks, on the one hand, the openness of cloud services makes it easier for attackers to launch DDoS attacks such as EDoS, and the centralized IT resources of the cloud environment make DDoS attacks larger and more harmful. On the other hand, under the cloud service model users have stronger privacy protection requirements for their communication data, so encrypted traffic such as HTTPS accounts for nearly 70% of total traffic. DDoS attacks against specific ports, protocols, and services that are launched through encrypted traffic are more covert and harder to detect and prevent. How to effectively prevent DDoS attacks carried in encrypted traffic in the cloud environment has therefore become one of the important issues in the development and application of cloud computing.

Existing research on defending against DDoS attacks includes traffic decryption and cleaning, machine-learning-based DDoS detection, and DDoS attack interception and response. Important problems remain, however: decryption and cleaning leaks sensitive information from non-attack traffic, detection efficiency needs to be improved, and response rules cannot be updated in real time. To address these problems, this thesis analyzes the characteristics of the cloud environment and of DDoS attacks, and proposes a DDoS attack defense framework for the cloud environment (DDoSDCloud) that combines trust and learning. It focuses on three key technologies: encrypted traffic filtering based on trust evaluation, DDoS traffic detection based on machine learning, and DDoS attack response based on real-time updates of the flow table. The main research results are as follows:

1. A cloud encrypted-traffic filtering method based on trust evaluation is proposed. First, it uses the sFlow protocol to collect encrypted and non-encrypted protocol traffic. Second, it introduces the idea of trust and combines it with the security authentication of the cloud service itself to provide a trust evaluation mechanism based on signatures and environmental factors. Then, based on this trust evaluation mechanism, an encrypted traffic filtering algorithm filters out the apparently non-attack traffic of legitimate tenants, protecting the sensitive information contained in legitimate tenant traffic without decrypting the encrypted traffic. Finally, the experimental evaluation shows that the method not only effectively supports subsequent attack detection, but also improves the CPU utilization of the DDoSDCloud server and reduces the resource overhead caused by DDoS attack defense.

2. A KNN-based method for discovering DDoS attacks is proposed. First, it improves the feature extraction method for encrypted and non-encrypted traffic, adding port characteristics and source-IP growth-rate characteristics to three common features: the median number of packets per flow, the median number of bytes per flow, and the pair-flow ratio. Second, it introduces the ball-tree data structure to improve the KNN algorithm used to classify the traffic. Finally, experiments based on classic data sets such as NSL-KDD were performed on the OpenStack platform. The results show that the proposed method has 98.3% accuracy and a 0.53% false positive rate, which is superior to traditional KNN and support vector machine methods.

3. A DDoS attack response method based on real-time updates of the flow table is proposed. First, it receives the detection results of the DDoS attack discovery method above in real time and collects the characteristics of the traffic classified as abnormal. Second, it analyzes the flow-table characteristics of the detected abnormal traffic, processes information such as source address, port, and attack duration, generates blacklist rules for the abnormal traffic, and adds DDoS attack response rules. When a new traffic request is received, the response method applies the latest blacklist rules to the request and intercepts the marked abnormal traffic. Finally, the method is deployed and its feasibility and effectiveness are verified through experiments.

4. The prototype of DDoSDCloud is implemented. First, based on the OpenStack platform and the research results above, the thesis gives the design ideas, architecture, and implementation process of the DDoSDCloud prototype. Second, the prototype is deployed on the OpenStack cloud platform. Finally, the performance of DDoSDCloud is tested experimentally, and the results show that the additional overhead it generates does not affect the normal operation of the cloud service.
Keywords/Search Tags: Cloud environment, encrypted traffic, trust filtering, machine learning, DDoS detection
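The five flow features named in result 2 can be computed from flow metadata alone, without decrypting payloads. The sketch below is an added example, not code from the thesis: the flow records are constructed, the exact feature definitions are assumptions, and a brute-force k-NN stands in for the ball-tree variant the abstract describes.

```python
from collections import Counter
from math import dist
from statistics import median

SERVER = ("10.0.1.10", 443)  # constructed cloud service endpoint

# A flow is (src_ip, src_port, dst_ip, dst_port, packets, bytes); all data is constructed.
def normal_window(clients):
    """Benign window: every client flow has a matching reply flow from the server."""
    flows = []
    for i in range(clients):
        c = (f"10.0.0.{i + 1}", 40000 + i)
        flows.append((*c, *SERVER, 10 + i, 8000 + 500 * i))
        flows.append((*SERVER, *c, 9 + i, 12000 + 500 * i))
    return flows

def flood_window(sources):
    """Attack window: many one-packet flows from distinct sources, no replies."""
    return [(f"198.51.100.{i + 1}", 1024 + i, *SERVER, 1, 60) for i in range(sources)]

def window_features(flows, window_s=1.0):
    """Five per-window features; the exact definitions are assumptions."""
    keys = {f[:4] for f in flows}
    # A flow is "paired" when the reverse-direction flow was also observed.
    paired = sum((d, dp, s, sp) in keys for s, sp, d, dp in keys)
    return (
        float(median(f[4] for f in flows)),     # median packets per flow
        float(median(f[5] for f in flows)),     # median bytes per flow
        paired / len(keys),                     # pair-flow ratio
        len({f[1] for f in flows}) / window_s,  # distinct source ports per second
        len({f[0] for f in flows}) / window_s,  # distinct source IPs per second
    )

def knn_label(train, x, k=3):
    """Brute-force k-NN over min-max scaled features (no ball tree)."""
    cols = list(zip(*(feat for feat, _ in train)))
    lo = [min(c) for c in cols]
    span = [(max(c) - min(c)) or 1.0 for c in cols]
    def scale(v):
        return [(a - l) / s for a, l, s in zip(v, lo, span)]
    nearest = sorted(train, key=lambda t: dist(scale(t[0]), scale(x)))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]

TRAIN = [(window_features(normal_window(n)), "normal") for n in (2, 3, 5, 8)]
TRAIN += [(window_features(flood_window(n)), "ddos") for n in (50, 100, 150, 200)]

if __name__ == "__main__":
    mixed = normal_window(4) + flood_window(80)
    for name, w in (("benign", normal_window(4)), ("mixed", mixed)):
        print(name, window_features(w), knn_label(TRAIN, window_features(w)))
```

In the mixed window the pair-flow ratio collapses and the source counts jump, which is what pulls it toward the attack class even though benign flows are still present.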