
Volume 3, Issue 5, May-2016, pp. 369-375 ISSN (O): 2349-7084

International Journal of Computer Engineering In Research Trends

Available online at: www.ijcert.org

Defensive Cloud Service Providers Against Stealthy Denial of Service Strategy

1 Mrs. P. SRILAKSHMI, 2 Mrs. N. SUJATHA

1 Pursuing M.Tech (CSE) from Jagruti Institute of Engineering and Technology
2 Associate Professor, Department of Computer Science and Engineering, Jagruti Institute of Engineering and Technology, Telangana State, India.

Abstract: Cloud Computing allows customers to access cloud resources and services. On-demand, self-service and pay-by-use business models are adopted for the cloud resource sharing process. Service level agreements (SLA) regulate the cost of the services that are provided to the customers. Cloud data centers are employed to share data values with the users. A Denial-of-Service (DoS) attack is an attempt by an attacker to prevent legitimate users from using resources. Distributed Denial of Service (DDoS) attacks are generated in a many-to-one fashion: in the DDoS attack model a large number of compromised hosts are gathered to send useless service requests and packets at the same time. DoS and DDoS attacks cause service degradation, availability and cost problems for cloud service providers. Brute-force attacks are launched through specific periodic, pulsing and low-rate traffic patterns. Rate-controlling, time-window, worst-case threshold and pattern-matching methods are adapted to discriminate between legitimate and attacker activities. Stealthy attack patterns are raised against applications running in the cloud. The Slowly-Increasing-Polymorphic DDoS Attack Strategy (SIPDAS) can be applied to exploit application vulnerabilities. SIPDAS degrades the service provided by the target application server running in the cloud. Polymorphic attacks change the message sequence at every successive infection to avoid the signature detection process. The slowly-increasing polymorphic behavior induces enough overload on the target system. XML-based DoS (XDoS) attacks on web-based systems are applied as the testing environment for the attack detection process; we describe both how to apply the proposed strategy and its effects on the target system deployed in the cloud.

Keywords: cloud computing, sophisticated attack strategy, low-rate attacks, intrusion detection.

1. INTRODUCTION

Cloud Computing is an emerging paradigm that allows customers to obtain cloud resources and services according to an on-demand, self-service, and pay-by-use business model. Service Level Agreements (SLA) regulate the costs that the cloud customers have to pay for the provided Quality of Service (QoS) [1]. A side effect of such a model is that it is prone to DoS and Distributed DoS (DDoS) attacks, which aim at reducing the service availability and performance by exhausting the resources of the service's host system (including memory, processing resources, and network bandwidth) [2]. Such attacks have special effects in the cloud due to the adopted pay-by-use business model. Specifically, in Cloud Computing even a partial service degradation due to an attack has a direct effect on the service costs, and not only on the performance and availability perceived by the customer. The delay of the cloud service provider in diagnosing the causes of the service degradation (i.e., whether it is due to an attack or to an overload) can be considered a security vulnerability. It can be exploited by attackers that aim at exhausting the cloud resources (allocated to satisfy the negotiated QoS) and seriously degrading the QoS, as happened to the BitBucket Cloud, which went down for 19h [3]. Therefore, the cloud management system has to implement specific countermeasures in order to avoid paying credits in case of accidental or deliberate intrusions that cause violations of QoS guarantees. Over the past decade, many efforts have been devoted to the detection of DDoS attacks in distributed systems. Security prevention mechanisms usually use approaches based on rate controlling, time window, worst-case threshold, and pattern matching methods to discriminate between the nominal system operation and malicious behaviors [4]. On the other hand, the attackers are aware of the presence of such protection mechanisms. They attempt to perform their activities in a stealthy fashion in order to elude the security mechanisms, by orchestrating and timing attack patterns that leverage specific weaknesses of target systems [5]. These attacks are carried out by directing flows of legitimate service requests against a specific system at such a low rate that they evade the DDoS detection mechanisms, and prolong the attack latency, i.e., the amount of time that the ongoing attack on the system has remained undetected. We show that the features offered by the cloud provider to ensure the SLA negotiated with the customer (including the load balancing and autoscaling mechanisms) can be maliciously exploited by the proposed stealthy attack, which slowly exhausts the resources provided by the cloud provider and increases the costs incurred by the customer.

2016, IJCERT All Rights Reserved Page | 369

P.SRILAKSHMI et al., International Journal of Computer Engineering In Research Trends
Volume 3, Issue 05, May-2016, pp. 369-375

2. BACKGROUND AND RELATED WORK

Sophisticated DDoS attacks are defined as that category of attacks which are tailored to hurt a specific weak point in the target system design, in order to conduct denial of service or just to significantly degrade the performance [12], [7]. The term stealthy has been used in [13] to identify sophisticated attacks that are specifically designed to keep the malicious behaviors virtually invisible to the detection mechanisms. The methods of launching sophisticated attacks can be categorized into two classes: job-content based and job arrival pattern based. The former have been designed in order to achieve the worst-case complexity of O(n) elementary operations per submitted job, instead of the average-case complexity of O(1) [14], [15], [16]. The job arrival pattern based attacks exploit the worst-case traffic arrival pattern of requests that can be applied to the target system [7], [17]. In general, such sophisticated attacks are performed by sending low-rate traffic in order to go unnoticed by the DDoS detection mechanisms. Due to its high similarity to legitimate network traffic and much lower launching overhead than a classic DDoS attack, this new assault type cannot be efficiently detected or prevented by existing network-based solutions [21], [22]. Therefore, in recent years, the target of DDoS attacks has shifted from network to application server resources and procedures. The attack takes advantage of the capacity to forecast the time at which the responses to incoming requests for a given service occur. This capability is used to schedule an intelligent pattern in such a way that the attacked server is busy most of the time processing the malicious requests instead of those from legitimate users.

2.1 Cloud Resources Provisioning

Cloud providers offer services to rent computation and storage capacity, in a way as transparent as possible, giving the impression of unlimited resource availability. However, such resources are not free. Therefore, cloud providers allow customers to obtain and suitably configure the system capacity, as well as to quickly renegotiate such capacity as their requirements change, so that customers pay only for the resources that they actually use. Several cloud providers offer a load balancing service for automatically distributing the incoming application service requests across multiple instances, as well as an auto scaling service that enables consumers to closely follow the demand curve for their applications (reducing the need to acquire cloud resources in advance). In order to minimize the customer costs, the auto scaling ensures that the number of application instances increases seamlessly during demand spikes (to maintain the contracted performance), and decreases automatically during demand lulls.

3. HANDLING DENIAL OF SERVICE ATTACKS IN CLOUD

Cloud Computing is an emerging paradigm that allows customers to obtain cloud resources and services according to an on-demand, self-service, and pay-by-use business model. Service level agreements (SLA) regulate the costs that the cloud customers have to pay for the provided quality of service (QoS) [1]. A side effect of such a model is that it is prone to Denial of Service (DoS) and Distributed DoS (DDoS) attacks, which aim at reducing the service availability and performance by exhausting the resources of the service's host system. Such attacks have special effects in the cloud due to the adopted pay-by-use business model. Specifically, in cloud computing even a partial service degradation due to an attack has a direct effect on the service costs, and not only on the performance and availability perceived by the customer. The delay of the cloud service provider in diagnosing the causes of the service degradation can be considered a security vulnerability. It can be exploited by attackers that aim at exhausting the cloud resources and seriously degrading the QoS, as happened to the BitBucket Cloud, which went down for 19h. Therefore, the cloud management system has to implement specific countermeasures in order to avoid paying credits in case of accidental or deliberate intrusions that cause violations of QoS guarantees. Over the past decade, many efforts have been devoted to the detection of DDoS attacks in distributed systems. Security prevention mechanisms usually use approaches based on rate controlling, time-window, worst-case threshold, and pattern-matching methods to discriminate between the nominal system operation and malicious behaviors. On the other hand, the attackers are aware of the presence of such protection mechanisms. They attempt to perform their activities in a stealthy fashion in order to elude the security mechanisms, by orchestrating and timing attack patterns that leverage specific weaknesses of target systems. They are carried out by directing flows of legitimate service requests against a specific system at such a low rate that they evade the DDoS detection mechanisms, and prolong the attack latency, i.e., the amount of time that the ongoing attack on the system has remained undetected. This paper presents a sophisticated strategy to orchestrate stealthy attack patterns against applications running in the cloud. Instead of aiming at making the service unavailable, the proposed strategy aims at exploiting the cloud flexibility, forcing the application to consume more resources than needed, affecting the cloud customer more on financial aspects than on service availability. The attack pattern is orchestrated in order to evade, or greatly delay, the techniques proposed in the literature to detect low-rate attacks. It does not exhibit the periodic waveform typical of low-rate exhausting attacks [8]. In contrast with them, it is an iterative and incremental process. In particular, the attack potency is slowly enhanced by a patient attacker, in order to inflict significant financial losses, even if the attack pattern is performed in accordance with the maximum job size and arrival rate of the service requests allowed in the system. Using a simplified model empirically designed, we derive an expression for gradually increasing the potency of the attack, as a function of the reached service degradation. We show that the features offered by the cloud provider to ensure the SLA negotiated with the customer can be maliciously exploited by the proposed stealthy attack, which slowly exhausts the resources provided by the cloud provider and increases the costs incurred by the customer. The proposed attack strategy, namely the Slowly-Increasing-Polymorphic DDoS Attack Strategy (SIPDAS), can be applied to several kinds of attacks that leverage known application vulnerabilities, in order to degrade the service provided by the target application server running in the cloud. The term polymorphic is inspired by polymorphic attacks, which change the message sequence at every successive infection in order to evade signature detection mechanisms [9]. Even if the victim detects the SIPDAS attack, the attack
strategy can be reinitiated by using a different application vulnerability, or a different timing. In order to validate the stealthy characteristics of the proposed SIPDAS attack, we explore potential solutions proposed in the literature to detect sophisticated low-rate DDoS attacks. We show that the proposed slowly-increasing polymorphic behavior induces enough overload on the target system and evades, or at least greatly delays, the detection methods. In order to explore the attack impact against an application deployed in a cloud environment, this paper focuses on one of the most serious threats to cloud computing, which comes from XML-based DoS (XDoS) attacks on web-based systems [10]. The experimental testbed is based on the mOSAIC framework, which offers both a Software Platform that enables the execution of applications developed using the mOSAIC API, and a Cloud Agency that acts as a provisioning system, brokering resources from a federation of cloud providers [11].

4. PROBLEM STATEMENT

Brute-force attacks are launched through specific periodic, pulsing and low-rate traffic patterns. Rate-controlling, time-window, worst-case threshold and pattern-matching methods are adapted to discriminate between legitimate and attacker activities. Stealthy attack patterns are raised against applications running in the cloud. The Slowly-Increasing-Polymorphic DDoS Attack Strategy (SIPDAS) can be applied to exploit application vulnerabilities. SIPDAS degrades the service provided by the target application server running in the cloud. Polymorphic attacks change the message sequence at every successive infection to avoid the signature detection process. The slowly-increasing polymorphic behavior induces enough overload on the target system. XML-based DoS (XDoS) attacks on web-based systems are applied as the testing environment for the attack detection process. The following drawbacks are identified in the existing system:
SIPDAS-based attack detection is not supported.
Polymorphic behavior identification is not adapted.
Application level vulnerability detection is low.
Service degradation and resource consumption cost analysis is not performed.

5. STEALTHY DOS ATTACKS ON CLOUD SERVICES

5.1. DoS Attacks Against Cloud Applications

In this section several attack examples are presented, which can be leveraged to implement the proposed SIPDAS attack pattern against a cloud application. In particular, we consider DDoS attacks that exploit application vulnerabilities, including: the Oversize Payload attack, which exploits the high memory consumption of XML processing; the Oversized Cryptography attack, which exploits the flexible usability of the security elements defined by the WS-Security specification; the Resource Exhaustion attacks, which use flows of messages that are correct regarding their message structure but are not properly correlated to any existing process instance on the target server; and attacks that exploit the worst-case performance of the system, for example by achieving the worst-case complexity of a hash table data structure, or by using complex queries that force the system to spend much CPU time or disk access time. In this paper, we use a Coercive Parsing attack as a case study, which represents one of the most serious threats to cloud applications. It exploits the XML verbosity and the complex parsing process. In particular, the Deeply-Nested XML attack is a resource exhaustion attack, which exploits the XML message format by inserting a large number of nested XML tags in the message body. The goal is to force the XML parser within the application server to exhaust the computational resources by processing a large number of deeply-nested XML tags.

5.2. Stealthy Attack Objectives

The system is aimed at defining the objectives that a sophisticated attacker would like to achieve, and the requirements the attack pattern has to satisfy to be stealthy. Recall that the purpose of the attack against cloud applications is not necessarily to deny the service, but rather to inflict a significant degradation in some aspect of the service, namely the attack profit PA, in order to maximize the cloud resource consumption CA needed to process malicious requests. In order to elude the attack detection, different attacks that use low-rate traffic have been presented in the literature. Therefore, several works have proposed techniques to detect low-rate DDoS attacks, which monitor anomalies in the fluctuation of the incoming traffic through either a time- or frequency-domain analysis. They assume that the main anomaly incurred during a low-rate attack is that the incoming service requests fluctuate in a more extreme manner during an attack. The abnormal fluctuation is a combined result of two different kinds of behaviors: (i) a periodic and impulsive trend in the attack pattern, and (ii) the fast decline in the incoming traffic volume. Therefore, in order to perform the attack in a stealthy fashion with respect to the proposed detection techniques, an attacker has to inject low-rate message flows Aj = [j,1, . . . , j,m] that satisfy the following optimization problem:

5.3. Attack Approach

In order to implement SIPDAS-based attacks, the following components are involved:
a Master that coordinates the attack;
Agents that perform the attack; and
a Meter that evaluates the attack effects.

The approach implemented by each Agent performs a stealthy service degradation in the cloud computing environment. It has been specialized for an X-DoS attack. Specifically, the attack is performed by injecting polymorphic bursts of length T with an increasing intensity until the attack is either successful or detected. Each burst is formatted in such a way as to inflict a certain average level of load CR. In particular, we assume that CR is proportional to the attack intensity of the flow Aj during the period T. Therefore, denote I0 as the initial intensity of the attack, and assume CR = I as the increment of the attack intensity. For each attack period, fixed the maximum number of nested tags (tagThreshold), the routine pickRandomTags(. . .) randomly returns the number of nested tags nT for each message. Based on nT, the routine computeInterarrivalTime uses a specific algorithm to compute the inter-arrival time for injecting the next message.

Fig 1. Attack approach

At the end of the period T, if the condition attackSuccessful is false, the attack intensity is increased. If the condition attackSuccessful is true, the attack intensity is kept constant until either the attack is detected or the auto-scaling mechanism enabled in the cloud adds new cloud resources. The attack is performed until it is either detected, or the average message rate of the next burst to be injected is greater than dT. In this last case, the Agent notifies the Master that the maximum average message rate has been reached and continues to inject messages formatted according to the last level of load CR reached.

6. FURTIVE DOS DESCRIPTION AND MODELING

This section defines the characteristics that a DDoS attack against an application server running in the cloud should have to be stealthy.

quality of service provided to the user, we assume that the system performance under a DDoS attack is more degraded, the higher the average time to process the user service requests

3.2 Server Under Attack Model

In order to assess the service degradation attributed to the attack, we define a synthetic representation of the system under attack. We suppose that the system consists of a pool of distributed VMs provided by the cloud provider, on which the application instances run.

7. CONCLUSIONS

In this paper, we propose a strategy to implement stealthy attack patterns, which exhibit a slowly-increasing polymorphic behavior that can evade, or at least greatly delay, the techniques proposed in the literature to detect low-rate attacks. Exploiting a vulnerability of the target application, a patient and intelligent attacker can orchestrate sophisticated flows of messages, indistinguishable from legitimate service requests. In particular, the proposed attack pattern, instead of aiming at making the service unavailable, aims at exploiting the cloud flexibility, forcing the services to scale up and consume more resources than needed, affecting the cloud customer more on financial aspects than on service availability. The system minimizes the application level vulnerabilities. Attack behavioral changes are automatically detected by the system.

REFERENCES

[1] M. C. Mont, K. McCorry, N. Papanikolaou, and S. Pearson, "Security and privacy governance in cloud computing via SLAs and a policy orchestration service," in Proc. 2nd Int. Conf. Cloud Comput. Serv. Sci., 2012, pp. 670-674.

[2] S. Malek and S. Salvatore, "Detecting masqueraders: A comparison of one-class bag-of-words user behavior modeling techniques," in Proc. 2nd Int. Workshop Managing Insider Security Threats, Morioka, Iwate, Japan, Jun. 2010, pp. 3-13.

[3] A. S. Sodiya, O. Folorunso, S. A. Onashoga, and P. O. Ogundeyi, "An improved semi-global alignment algorithm for masquerade detection," Int. J. Netw. Security, vol. 12, no. 3, pp. 211-220, May 2011.

[4] Yongdong Wu, Zhigang Zhao, Feng Bao and Robert H. Deng, "Software Puzzle: A Countermeasure to Resource-Inflated Denial-of-Service Attacks," IEEE Transactions on Information Forensics and Security, vol. 10, no. 1, January 2015.

[5] Hisham A. Kholidy, Fabrizio Baiardi and Salim Hariri, "DDSGA: A Data-Driven Semi-Global Alignment Approach for Detecting Masquerade Attacks," IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 2, March/April 2015.

[6] Subrat Kumar Dash, K. S. Reddy, and K. A. Pujari, "Adaptive Naive Bayes method for masquerade detection," Security Commun. Netw., vol. 4, no. 4, pp. 410-417, 2011.

[7] Guojun Wang, Felix Musau, Song Guo and Muhammad Bashir Abdullahi, "Neighbor Similarity Trust against Sybil Attack in P2P E-Commerce," IEEE Transactions on Parallel and Distributed Systems, vol. 26, no. 3, March 2015.

[8] X. Xu, X. Guo, and S. Zhu, "A queuing analysis for low-rate DoS attacks against application servers," in Proc. IEEE Int. Conf. Wireless Commun., Netw. Inf. Security, 2010, pp. 500-504.

[9] L. Wang, Z. Li, Y. Chen, Z. Fu, and X. Li, "Thwarting zero-day polymorphic worms with network-level length-based signature generation," IEEE/ACM Trans. Netw., vol. 18, no. 1, pp. 53-66, Feb. 2010.

[10] A. Chonka, Y. Xiang, W. Zhou, and A. Bonti, "Cloud security defense to protect cloud computing against HTTP-DoS and XML-DoS attacks," J. Netw. Comput. Appl., vol. 34, no. 4, pp. 1097-1107, Jul. 2011.

[11] D. Petcu, C. Craciun, M. Neagul, S. Panica, B. Di Martino, S. Venticinque, M. Rak, and R. Aversa, "Architecturing a sky computing platform," in Proc. Int. Conf. Towards Serv.-Based Int., 2011, vol. 6569, pp. 1-13.
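Section 5.1 names the two XML weaknesses the case study relies on: the Oversize Payload attack (memory cost of parsing a large document) and the Deeply-Nested XML coercive-parsing attack (CPU cost of a message body with a very large number of nested tags). The defensive counterpart a practitioner would want is a parser front-end that bounds both quantities before the application server's parser has done the expensive work. The following is an added example, not code from the paper or from the mOSAIC testbed; the limits MAX_BYTES and MAX_DEPTH are constructed assumptions (a real deployment sizes them from the service's message schema), and the test documents are constructed fixtures for exercising the guard.

```python
import io
import xml.etree.ElementTree as ET

# Constructed limits for this example; tune them to the largest legitimate
# message the service's schema can produce.
MAX_BYTES = 64 * 1024   # reject an oversize payload before parsing it at all
MAX_DEPTH = 32          # reject deeply-nested element trees while streaming


class PayloadRejected(Exception):
    """Raised when a message violates a resource limit; parsing stops early."""


def parse_bounded(data: bytes, max_bytes: int = MAX_BYTES,
                  max_depth: int = MAX_DEPTH) -> ET.Element:
    """Parse an XML message only if it stays within size and nesting limits.

    The size check is O(1) and runs before any parsing. The depth check rides on
    iterparse's start/end events, so a deeply-nested body is refused as soon as
    the limit is crossed rather than after the whole tree has been built.
    """
    if len(data) > max_bytes:
        raise PayloadRejected(
            f"payload of {len(data)} bytes exceeds limit of {max_bytes}")
    depth = 0
    root = None
    for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
        if event == "start":
            depth += 1
            if depth > max_depth:
                raise PayloadRejected(
                    f"nesting depth {depth} exceeds limit of {max_depth}")
            if root is None:
                root = elem
        else:
            depth -= 1
    return root


def classify(data: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for a message (monitor-friendly)."""
    try:
        parse_bounded(data)
        return "accepted"
    except PayloadRejected as exc:
        return f"rejected: {exc}"


def nested_doc(depth: int) -> bytes:
    """Constructed test fixture: <a><a>...</a></a> nested to the given depth."""
    return b"<a>" * depth + b"</a>" * depth


def oversize_doc() -> bytes:
    """Constructed test fixture: a well-formed document just over MAX_BYTES."""
    return b"<a>" + b"x" * MAX_BYTES + b"</a>"


if __name__ == "__main__":
    for label, doc in [("depth 10", nested_doc(10)),
                       ("depth 33", nested_doc(33)),
                       ("oversize", oversize_doc())]:
        print(f"{label:>9}: {classify(doc)}")
```

The depth limit is the check that matters for the coercive-parsing case: the expat parser behind ElementTree has no nesting limit of its own, so without the guard the server spends CPU proportional to the number of tags before any application logic can refuse the message. Placing both checks in front of the parser keeps the per-message cost of a rejected request flat, which is exactly the cost the SIPDAS schedule tries to inflate.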

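Sections 5.2 and 5.3 explain why the rate-based detectors listed in the paper (time-window, worst-case threshold, time- or frequency-domain fluctuation analysis) miss SIPDAS: the Agent keeps the average message rate below dT and raises the load CR per period T instead, so the request rate looks flat while the cost of serving it climbs until auto-scaling adds instances. A defender's Meter therefore has to track cost per request across periods, not request volume. The following detection logic is an added example, not part of the paper or its testbed: the per-period log format, the window size, the rate tolerance and the growth threshold are all constructed assumptions, and the sample log lines are constructed (they include one legitimate flash crowd, period 2, that a per-request cost check must not flag).

```python
import re
from typing import Dict, List

# Constructed per-period meter records: one line per period T with the request
# count, the total CPU time spent serving them, and the live instance count.
SAMPLE_METER_LOG = """\
2016-05-01T10:00:00Z period=1 requests=600 cpu_ms=30000 instances=2
2016-05-01T10:05:00Z period=2 requests=1200 cpu_ms=60000 instances=3
2016-05-01T10:10:00Z period=3 requests=610 cpu_ms=30500 instances=2
2016-05-01T10:15:00Z period=4 requests=590 cpu_ms=30680 instances=2
2016-05-01T10:20:00Z period=5 requests=600 cpu_ms=33600 instances=2
2016-05-01T10:25:00Z period=6 requests=605 cpu_ms=37510 instances=2
2016-05-01T10:30:00Z period=7 requests=598 cpu_ms=42458 instances=3
2016-05-01T10:35:00Z period=8 requests=602 cpu_ms=49364 instances=3
"""

KV = re.compile(r"(\w+)=(\S+)")
REQUIRED = ("period", "requests", "cpu_ms")


def parse_meter_log(text: str) -> List[Dict[str, float]]:
    """Parse key=value meter lines; derive CPU cost per request for each period."""
    records = []
    for line in text.splitlines():
        fields = dict(KV.findall(line))
        if not all(k in fields for k in REQUIRED):
            continue  # skip malformed lines rather than stop the monitor
        rec = {k: float(v) for k, v in fields.items()}
        rec["cost_per_request"] = rec["cpu_ms"] / rec["requests"]
        records.append(rec)
    return records


def detect_creeping_load(records: List[Dict[str, float]], window: int = 4,
                         rate_tolerance: float = 0.10,
                         min_growth: float = 0.20) -> List[Dict[str, float]]:
    """Flag windows where the request rate is flat but cost per request keeps rising.

    A flash crowd raises rate and CPU together, so its cost per request stays
    flat and is not flagged. A slowly-increasing attack holds the rate under
    the detector's threshold while each message gets more expensive, which is
    the only signal left once rate-based checks have been evaded.
    """
    alerts = []
    for i in range(window - 1, len(records)):
        win = records[i - window + 1:i + 1]
        rates = [r["requests"] for r in win]
        costs = [r["cost_per_request"] for r in win]
        flat_rate = max(rates) / min(rates) <= 1 + rate_tolerance
        rising_cost = all(b > a for a, b in zip(costs, costs[1:]))
        growth = costs[-1] / costs[0] - 1
        if flat_rate and rising_cost and growth >= min_growth:
            alerts.append({
                "period": int(win[-1]["period"]),
                "growth": round(growth, 3),
                "instances": int(win[-1].get("instances", 0)),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_creeping_load(parse_meter_log(SAMPLE_METER_LOG)):
        print(f"period {alert['period']}: cost/request up "
              f"{alert['growth']:.0%} over window at flat rate, "
              f"{alert['instances']} instances live")
```

On the constructed log the first alert fires at period 6, before the auto-scaler has added capacity at period 7, which is the point at which the paper's cost-inflation objective would otherwise start to be met. Because the check is on the ratio of resource use to request volume, it also gives the provider the diagnosis the introduction says is missing (attack versus genuine overload): an overload raises both numbers together, a coercive-parsing burst raises only the numerator.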



ABOUT THE AUTHORS

Mrs. P. SRILAKSHMI is pursuing the M.Tech degree in Computer Science and Engineering from Jagruti Institute of Engineering and Technology, Telangana State, India.

Mrs. N. SUJATHA is presently working as Associate Professor in the Department of Computer Science and Engineering, Telangana State, India. She has published several research papers in both International and National conferences and Journals.

