SDN-based DoS Attack Detection and Mitigation System for Cloud Environment

N/A
N/A
Protected

Academic year: 2020

Share "SDN-based DoS Attack Detection and Mitigation System for Cloud Environment"

Copied!
10
0
0

Loading.... (view fulltext now)

Full text

(1)

International Journal of Computer Systems, ISSN 2394-1065, Vol. 05, Issue 08, August 2018. Available at http://www.ijcsonline.com/


Janitza Punto Gutierrez, Kilhung Lee (corresponding author)

Department of Computer Science and Engineering, Seoul National University of Science and Technology, Seoul, Korea

Abstract

Cloud Computing is a technology that brings advantages such as a dynamic architecture, on-demand services and resources, ubiquitous access and reduced costs. All of these characteristics make it popular among companies and organizations, which are adopting and implementing it in their systems. However, this attention also attracts attackers, which worries cloud users. Software Defined Networking appears as an innovative method that enables more flexible and easier management of the network and also permits the quick implementation of security policies and solutions. Following that, an SDN-based DoS attack detection and mitigation system for cloud environments is proposed. This solution uses the sFlow monitoring API and the OpenFlow protocol, which make it possible to keep a mapping of IP addresses, MAC addresses and ports and to gather traffic statistics from the networking devices and servers. The purpose of this system also includes the detection of any additional IP or MAC spoofing attack, a common characteristic of recent DoS attacks used to hide the origin of the attack, so the design helps identify whether an internal host is being abused by an attacker or the attack is coming from an external host. Additionally, the solution includes a DoS Security application, which defines the security policies for the detection and mitigation of DoS attacks and orchestrates the modules that perform those activities.

Keywords: Cloud Computing, Software Defined Network, OpenFlow, Spoofing Attack, DoS Security.

I. INTRODUCTION

Cloud computing aims to deliver a flexible architecture that is accessible from anywhere, which means it can be shared among many users and easily accessed from different locations. This technology offers services according to users' requirements and can be scaled while keeping costs low [1]. For this reason, the cloud computing environment is being adopted by more and more organizations. However, this quick move towards the cloud has increased security concerns, since new risks and challenges have appeared with the use of cloud computing [2]. To preserve the benefits offered by this technology, the services offered and the systems implemented in it should be used appropriately, and the cloud should be able to manage security threats [3].

Traditional computer networks are composed of diverse types of devices, each with a specific function and configured with predefined tools. This represents a big challenge when managing a large number of network devices, since it can lead to many errors, affecting the reliability, extensibility and flexibility of the cloud [4]. Software Defined Networking is meant to address this issue: the existing static architecture does not support the dynamism, scalability and storage needs of more modern computing environments such as cloud computing [5]. With this background, an SDN-based solution is proposed. The purpose of this design is to detect and mitigate DoS attacks that may include MAC or IP spoofing attacks.
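As an added illustration, not code from this paper, the following Python model shows the core of the design the abstract and introduction describe: a port/MAC/IP map learned through OpenFlow, sFlow samples checked against it for IP and MAC spoofing, per-source rates scaled back from the sampling rate, and alerts that distinguish an abused internal host from an external source before a drop rule is produced. The uplink port number, the one-second window, the 1000 packets/s threshold, the sample format and the drop-rule dict layout are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass

UPLINK_PORT = 1  # assumption: port 1 of every switch is the link towards the Internet


@dataclass
class Sample:
    """One sFlow flow sample, reduced to the fields the checks need (constructed)."""
    switch: str
    in_port: int
    src_mac: str
    src_ip: str
    sampling_rate: int  # the switch exports one of every `sampling_rate` packets
    ts: float           # seconds


class DoSSecurityApp:
    """Toy model of the DoS Security application: it holds the port/MAC/IP map the
    controller learns through OpenFlow, checks sFlow samples against it, and turns
    findings into drop rules a controller could install on the switch."""

    def __init__(self, window=1.0, pps_threshold=1000):
        self.bindings = {}               # (switch, port) -> (mac, ip)
        self.window = window             # seconds per rate-estimation window
        self.pps_threshold = pps_threshold
        self.counts = defaultdict(int)   # (switch, port, src_ip) -> sampled packets
        self.rates = {}                  # same key -> sampling rate of those samples
        self.win_start = None
        self.alerts = []

    def learn(self, switch, port, mac, ip):
        """Bind the first (MAC, IP) seen on an access port, as the controller would
        on the first OpenFlow packet-in from that port."""
        self.bindings.setdefault((switch, port), (mac, ip))

    def inspect(self, s):
        """Spoofing check on one sample; rate accounting is flushed per window."""
        if self.win_start is None:
            self.win_start = s.ts
        elif s.ts - self.win_start >= self.window:
            self.close_window()
            self.win_start = s.ts
        origin = "external" if s.in_port == UPLINK_PORT else "internal"
        bound = self.bindings.get((s.switch, s.in_port))
        if bound is not None:
            mac, ip = bound
            if s.src_mac != mac:   # the host on this port claims a different MAC
                self.alerts.append(("mac_spoofing", origin, s.switch, s.in_port, s.src_ip))
            if s.src_ip != ip:     # or a different IP address
                self.alerts.append(("ip_spoofing", origin, s.switch, s.in_port, s.src_ip))
        key = (s.switch, s.in_port, s.src_ip)
        self.counts[key] += 1
        self.rates[key] = s.sampling_rate

    def close_window(self):
        """Scale sampled counts back to packets/s and flag sources over threshold;
        the origin tells whether an internal host is abused or the flood is external."""
        for (switch, port, src_ip), n in self.counts.items():
            pps = n * self.rates[(switch, port, src_ip)] / self.window
            if pps > self.pps_threshold:
                origin = "external" if port == UPLINK_PORT else "internal"
                self.alerts.append(("dos_rate", origin, switch, port, src_ip))
        self.counts.clear()
        self.rates.clear()

    @staticmethod
    def drop_rule(alert):
        """OpenFlow-style flow entry (a match with an empty action list means drop).
        The dict layout is constructed for this example, not a controller API."""
        kind, _origin, switch, port, src_ip = alert
        return {"switch": switch, "table": 0, "priority": 200,
                "match": {"in_port": port, "ipv4_src": src_ip},
                "actions": [], "reason": kind}


def run_demo():
    """Constructed scenario: two bound internal hosts, one IP-spoofing sample, one
    MAC-spoofing sample and an external flood arriving on the uplink."""
    app = DoSSecurityApp(window=1.0, pps_threshold=1000)
    app.learn("s1", 2, "aa:aa:aa:aa:aa:02", "10.0.0.2")
    app.learn("s1", 3, "aa:aa:aa:aa:aa:03", "10.0.0.3")
    samples = [
        Sample("s1", 2, "aa:aa:aa:aa:aa:02", "10.0.0.2", 100, 0.0),   # legitimate
        Sample("s1", 3, "aa:aa:aa:aa:aa:03", "10.0.0.77", 100, 0.1),  # forged source IP
        Sample("s1", 2, "de:ad:be:ef:00:01", "10.0.0.2", 100, 0.2),   # forged source MAC
    ]
    # five 1-in-1000 samples within one second: roughly 5000 packets/s from outside
    samples += [Sample("s1", UPLINK_PORT, "00:11:22:33:44:55", "198.51.100.9", 1000, 0.3 + 0.1 * i)
                for i in range(5)]
    for s in samples:
        app.inspect(s)
    app.close_window()
    return app.alerts
```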

The paper is organized as follows: section II reviews cloud computing concepts, including a description of the service and deployment models; section III presents the main security challenges in cloud computing; section IV explains Software Defined Networking concepts, including the benefits and challenges of the technology; section V reviews some solutions for cloud security issues in the recent literature; finally, section VI presents our solution.

II. CLOUD COMPUTING: REVIEW OF CONCEPTS

The cloud can be described as a system that offers services according to users' requirements, can be easily accessed over the network, implies reduced maintenance, can be quickly scaled up or down and increases productivity [1]. Based on this, cloud computing mainly offers computing at Internet scale. For instance, cloud computing can make available resources such as compute, storage, networking infrastructure, and development and deployment platforms, following the needs of users and within a short period of time [6]. The National Institute of Standards and Technology (NIST) defines the cloud as "a model that enables convenient on-demand network access to a shared pool of configurable computing resource, that can be rapidly allocated, scaled as well as released with minimum management effort or service provider intervention" [6] [7] [8] [9]. All these characteristics are summarized as: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service [8] [10] [11].


cloud users to ask for more storage or computing power through web interfaces and obtain the new resources automatically, since they are part of a pool of resources that the cloud provider has made available. Thanks to this feature, the user does not need to buy a fixed capacity in advance, but rents only what is needed and only for the period that it is required, without having to create and support physical infrastructure. Afterwards, the resources are released and payment corresponds to what was actually used [8].

Usually, the collection of cloud resources is connected through a high-speed network, which gives the cloud high performance, the capability to support many services, and the possibility to store large amounts of data. Besides, with cloud computing the cost of services is small and their quality is guaranteed to a certain degree, making cloud computing an attractive solution when resources are limited [3]. Cloud computing can be used as a powerful and flexible platform able to perform modeling, analysis and data storage, supporting many operating systems and analysis software packages that can be shared by teams using the same resources from different locations. For example, researchers working together can analyze big datasets by using cloud resources as they need them, without buying or installing any software [8].

According to how the cloud services are provided and the purposes of the services, cloud service models can be described as follows:

• Software as a Service (SaaS): This model includes software and applications that are hosted on a cloud and can be accessed by customers [1]. An important characteristic of SaaS is that the user can be unaware of the underlying hardware, does not have to manage the software, and can access the software from different types of devices through a web browser or a program, without worrying about maintenance and security, since these are managed by the Cloud Service Provider (CSP) [8] [10]. There are no initial setup expenses and all updates are executed automatically, so the customer has minimal control over aspects of security and infrastructure [7].

• Platform as a Service (PaaS): In this model, the CSP provides an operating system and software libraries that help the user develop, deploy and run applications [1] [10]. The user can start or stop the platform according to need and save parameters such as operating system, size, libraries, storage, and so on. The resources that make up the platform can also be customized as needed, which permits payment based on the time the platform was used [8]. In this case, customers have more control over the deployed applications [7].

• Infrastructure as a Service (IaaS): This model can be described as a scenario in which computing and storage resources are provided. However, differently from the previous models, the user has to install operating systems, applications and any required components [8]. With IaaS, only the computing resources are provided [1]. For this reason, customers are able to control the operating system, the installed services and partly the network [7].

Following the described service models (Fig. 1), cloud computing contains, as a first layer, the hardware on which the system is built. In the IaaS service model, the physical elements are abstracted as virtual servers and virtual storage, which can be given on demand to users, who can flexibly manage the resources. On top of this the PaaS model is built, which constitutes a platform that developers can use to develop cloud applications. Finally, above this is the SaaS model, which offers an entire application as a service, letting consumers use the cloud without being aware of the hardware, OS or any installation [3] [6].

Figure 1. Cloud Service Models

In addition, NIST has defined four deployment models for clouds:

• Private cloud: This is a cloud computing infrastructure built for a single enterprise, as opposed to the usual corporate data center that shares its infrastructure [6]. For this reason, it is frequently managed by the company itself and can be accessed by specific users as a dedicated platform [1] [10]. It is usually the deployment model chosen by a single client or research group where high security is required (e.g. banks, health care providers, etc.) [8].

• Community cloud: This deployment model is a cloud infrastructure shared by a community of several organizations with a common purpose [6] [7]. It can be considered a platform shared by a group of organizations with the same concerns [10]. Even though it can be accessed by a group of corporations, it is managed by a third-party provider [1]. To use this model, the CSP offers an amount of resources and the community uses and pays for them, following the community rules [8].


small, so it is possible to share the cloud as a fully public resource [8].

• Hybrid cloud: This deployment model is a mixture of different deployments [6]. It can be considered as a combination of the previous deployment models [1]. The infrastructure is formed by two or more different deployment models [7] [10]. This model has the capability to easily move data between the infrastructures according to users' requirements [8].

Figure 2. Cloud Deployment Models

III. SECURITY VULNERABILITIES IN CLOUD COMPUTING

As the previous review of cloud computing concepts shows, the cloud provides services and shares resources. Consequently, in order to keep good performance and reliability, those resources should be used adequately and the platform should be able to manage security threats [3]. However, some challenges to fully using cloud resources exist, related not only to insufficient network connectivity and bandwidth but also to security concerns. For instance, government agencies may limit the use of cloud computing if security is not guaranteed [8].

Network security in a cloud specifically covers any method by which customers access the cloud environment, use the resources and perform the desired tasks. Among those methods are browsers, network links and information transfer. Network security in the cloud can be considered the greatest security challenge, since the usual attacks on the cloud are the network attacks known from traditional computing models. Another factor is that cloud processes are associated with, and dependent on, the network deployment. For example, many security issues are consequences of inappropriate network firewall use and unsuitable network security configurations. This situation can lead to attackers pretending to be legitimate users to gain access to the cloud, or to DoS attacks in which malicious users take advantage of vulnerabilities in Internet protocols [10]. Furthermore, since the cloud offers access to anyone, anytime, from anywhere, data integrity may be affected. For instance, some CSPs rent servers from other CSPs, which may even be in different locations, increasing the risk of data theft [12].

In [5], an important remark was made about network security in cloud environments. Commonly, security is based on perimeter access control. However, the cloud infrastructure is deployed on the CSP's hardware and coexists with software from the provider and from other cloud users. This means that the cloud does not have a fixed infrastructure and, as a result, only virtual security perimeters exist, not physical ones.

According to the U.S. National Vulnerability Database, 84 network vulnerabilities had been found in cloud computing by February 2013, which endanger the security of cloud computing. It was also revealed that malicious network attacks are usually the cause of a large amount of data destruction, alteration and falsification in the cloud. This indicates that, if network security in cloud computing is not properly set up, all cloud services are open to many attacks. Moreover, because conventional network security devices are situated at the front end of the cloud, there is no protection between virtual machines [4].

Figure 3. Security Vulnerabilities in Cloud Computing

All those vulnerabilities in cloud computing that were mentioned before can be mainly grouped as follows (Fig. 3):

• Account and provision stealing: One of the threats of an insecure network is that unauthorized users can penetrate the cloud by impersonating a legitimate user and affect the entire cloud, which can result in great damage to clients [12]. For instance, unauthorized users can perform cloud account hijacking, acting as hackers and obtaining access to a legitimate user's account. Examples include phishing, fraud and the exploitation of software vulnerabilities. The biggest worry in hijacking is the illegal manipulation of the user account: through it the attacker can spy on transactions, tamper with the data, provide incorrect and business-damaging replies to clients, and also redirect customers to wrong sites [1]. Other examples of this kind of attack are IP, ARP and SOAP spoofing and sniffing, used to obtain sensitive information such as usernames, passwords and credit card details [13].

• Privileged user access: In some cases, sensitive

can provide accessibility to unauthorized entities. This may affect the confidentiality, integrity and availability of the cloud services.

• Multi-tenancy: One of the critical security issues in the cloud computing environment is multi-tenancy. The information of shared resources and the data of many connected systems are kept on the cloud servers, so the CSP needs to ensure the security of those virtual machines. Overcoming this issue has become a difficult task because several aspects must be considered, such as the isolation of virtually connected machines, communication over the network, processing of data and the use of memory resources [1]. Also, [7] indicated that virtualization confidentiality can be considered a security issue because virtual networks or VLANs are not totally isolated. In the scenario of isolated virtual networks, it would be possible to prevent illicit flows of data through them, which means restricting VM access to the local area network by applying suitable methods. However, there is always a possibility of sniffing or spoofing on such virtual networks.

• Insecure interface of APIs: Developers often use an API as the connection between the CSP and the client. Through the API, users can manage and obtain information from CSPs. This results in the requirement of highly secured APIs and related software, because the data can be accessed by users through them. In other words, the API acts as a front door to the data, so it carries many threats in itself [1]. In [7] the wrapping attack is mentioned, which is considered a data integrity vulnerability and a common attack on web-based services. Through it the adversary can affect the cloud and execute malicious code [12]. External users can launch attacks and impact data confidentiality and integrity by interfering with the communication channels [13].

• DoS attacks: A Denial of Service attack on the cloud system is a security issue that affects data/service availability. Commonly it targets the network/transport level or the application level. In some cases it can even be performed using the cloud environment itself, through bot clouds. The adversary starts sending a large number of requests to a service. Since cloud computing offers more resources as users or customers require them, the cloud provides more computational power after identifying the high workload. This situation can lead to an indirect Denial of Service attack, because other services sharing the same server with the attacked service may become unable to respond [7] [13].

• Inadequacy of standards: The lack of cloud standards, rules and interoperability has made it hard for users to move their data between private, public and hybrid clouds. This problem can reduce cloud adoption. As there are no proper universally approved or recognized cloud standards to establish strong security, many standards bodies are working to enhance these specifications [1].

Furthermore, the diversity of cloud service delivery models makes cloud computing more vulnerable to attacks compared to other computing platforms [3]. Network security issues in the cloud can be associated with each service model as follows [10]:

• SaaS: Cloud users have limited security control compared to the other service models, so they must rely on CSPs to guarantee the security of their data. Moreover, most network devices can easily access cloud applications using only a web browser. This facilitates the appearance of additional security risks to the cloud service, such as malicious insiders and account hijacking.

• PaaS: Users can develop and set up applications without incurring hardware or software maintenance costs, but in this model the security of the platform and the applications is the main issue. Since it is necessary to have relationships with third-party providers in order to combine contents or services from different applications, those associations give PaaS models data and network security issues.

• IaaS: Even though users have more security control over the software running in the VMs compared to the other service models, the underlying computing resources, network infrastructure and storage devices are managed by the CSPs, who are responsible for taking the appropriate security measures against threats arising from the creation of VMs, the communication between them, their monitoring and modification, and the relocation of VMs between data centers.

IV. SOFTWARE DEFINED NETWORKING: CONCEPTS AND CHALLENGES

As reviewed in the previous section, cloud computing is made possible by virtualization, where software runs independently of hardware and data centers provide the IT resources. If the concept of virtualization is applied to the network by separating the control of traffic from the network hardware, the result is Software Defined Networking (SDN) [16] [25]. Software-defined networking is a way of implementing a network that permits administrators and researchers to control network behavior dynamically through open interfaces and the abstraction of lower-level functionality. This means that the entities that decide where to send traffic and the entities that forward network traffic to its destination are separated [15]. SDN is a structure designed for simpler and better network management with high flexibility, because network programmability is enhanced, which leads to more opportunities for innovation [18]. The primary purpose of SDN is to decrease costs through virtualization, automation and simplification [25].


• Data Plane: This plane mainly forwards and processes data in the network [15]. It is composed of networking devices such as switches and routers that interact directly with the data traffic and have no embedded control or software to take self-directed decisions. This enables diverse functions such as packet inspection, caching, anomaly detection and traffic engineering [18] [19] [16].

• Control Plane: This structure is considered a logical entity that receives instructions and requirements from the application layer and then tells the switches what to do when a packet arrives, so it represents an intermediary layer between the applications and the data plane [15] [19] [16]. Generally, the control plane is composed of two components: the application part, which includes programs for metering and monitoring the network, and the network operating system (NOS), which acts as the SDN controller per se and offers an abstract and centralized view of the complete network. It is important to mention that the control layer is considered the most important component, which many researchers aim to improve in aspects such as scalability, flexibility, security and availability [18].

• Application Layer: This plane communicates with the SDN controller through application programming interfaces [15]. It is located at the top of the SDN architecture and is composed of all the applications that use the services offered by the controller to perform network-related tasks [18]. Commonly, it includes programmable business applications, which communicate network requirements and the desired network behavior to the controller [19]. It is responsible for network management, auditing and reporting [16].

Figure 4. SDN Architecture

Thanks to the layered SDN architecture, the software developer's task of controlling network devices has become easier [18]. With SDN it is possible to run and analyze various network trials using the software intelligence at the centralized controller [11]. Moreover, SDN permits monitoring the OS, processor and memory information of the network and is aware of the status of network devices. As a result, SDN can generate alerts when a device reaches the end of its lifetime and facilitates the replacement of devices [19].

Additionally, the SDN architecture includes a southbound interface, which connects the SDN controller with the physical hardware, and a northbound interface, which connects network applications with the SDN controller [15]. SDN also permits the use of many controllers in a distributed architecture [25]. In this case, an East/West-bound API exists to permit communication between them [16] [20].

The main characteristics of the SDN architecture include:

• Centralized Network Provisioning: By separating the control plane and the data plane, SDN permits quick delivery of services, gives more agility in handling virtual and physical devices and provides a centralized view of the whole network infrastructure [19] [24]. For this reason, SDN offers easier management of resources through the controller [15]. The control logic is moved to an independent entity, implemented on a dedicated server [16].

• Agile and Flexible: SDN is a big help to organizations, since they can quickly implement new applications, services and infrastructure to keep up with business goals. With SDN it is possible to modify or configure network devices programmatically using automation tools, thanks to the separation of control functions from forwarding functions [15] [24]. SDN facilitates the administrator's task of experimenting on the network without affecting any application [19].

• Enhanced Granular Security: SDN offers the possibility of managing security in an organization through a centralized controller which distributes security policies continuously [15] [19].

• Reduced Operating Cost: SDN permits designing, deploying, managing and scaling the network in an easier way, reducing operating costs [15] [24].

However, SDN also brings some challenges, as described next [15] [20] [24]:

• Security: In the SDN context, the most vulnerable element is the controller, so it is necessary to protect it and to verify any application that intends to access the control plane.

• Scalability: In SDN, there may be a maximum number of distributed network controllers, which can be an obstacle to increasing the size of the network.

• Interoperability: Most organizations and companies are still using traditional networks; consequently, when changing to an SDN network, a period of interoperability with the legacy network in a hybrid configuration will be required.


V. COUNTERMEASURES FOR SECURITY ISSUES IN CLOUD COMPUTING

Some research works contributing to securing the cloud environment are reviewed in this section. In [5] the IaaS model was analyzed as an implementation based on native virtualization, composed of a software layer, called the hypervisor, running on the hardware, which permits the existence of several virtual machines and isolates each of them from the other VMs. Additionally, the physical infrastructure of the IaaS model possesses a VM manager. Consequently, VM users have more control than the CSP, who only controls the hypervisor and the VM manager. This may cause security issues, so the security system should work at a layer above the VM manager and hypervisor layers. Based on this, the use of a Virtual Intrusion Detection System (V-IDS) was proposed. The V-IDS captures network and host activity data, examines it and offers an automatic response during and after an incident.

Moreover, instead of using a centralized V-IDS and sending all the collected network data to a central management system, the use of a distributed V-IDS was proposed [5], which is composed of one or more virtual devices that help each other to collect data and report. In this scenario, each node in the cloud infrastructure is in charge of performing intrusion detection locally, while neighboring nodes help to explore a wider range. Every node cooperates to detect intrusions and take action. In practical cases, this distributed architecture of ubiquitous IDSs can belong to and be managed by different associations or companies, where each V-IDS acts according to a set of rules pre-established in cooperation, and together they constitute complex security tools.

In [2] the proposed solution uses encryption techniques such as AES for file encryption, the Blowfish algorithm for securing communication, SHA3 hashing for securing tables and a one-time password for authentication before accessing the cloud. These methods were chosen according to their performance and factors such as encryption time, decryption time, memory usage, flexibility and scalability. In the system there is a secure channel between users and the main system. The user request sent to the server is encrypted, as is the password used for logging in. The requested files or data are decrypted on the receiving end with the Blowfish algorithm. Also, the required password is used only once. This means that the password is generated randomly and stored using SHA3 hashing, and the newly generated password erases the older one. It was proposed that the password be sent by mail or to an authorized mobile number. Additionally, all documents or data stored in the cloud are protected with the AES encryption algorithm.
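As an added example, not code from [2], the single-use password part of that scheme in Python: each password is random, only its SHA3 hash is stored, issuing a new password overwrites the old one, and a password is accepted once and only before it expires. Mixing the user name into the hash, the expiry window and the token length are assumptions of this example.

```python
import hashlib
import secrets
import time


class OneTimePasswordStore:
    """Single-use passwords as in the reviewed scheme: random value, only its SHA3
    hash kept, and each newly issued password erases the previous one."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds      # validity window (assumption of this example)
        self.clock = clock          # injectable clock so expiry can be tested offline
        self.table = {}             # user -> (sha3-256 hex digest, expiry timestamp)

    @staticmethod
    def _digest(user, password):
        # The user name is mixed in (an assumption here) so that the same password
        # value issued to two users does not produce the same stored digest.
        return hashlib.sha3_256(f"{user}:{password}".encode()).hexdigest()

    def issue(self, user):
        """Generate a fresh random password for `user`; the caller delivers it out of
        band (the reviewed scheme uses mail or an authorized mobile number)."""
        password = secrets.token_urlsafe(12)
        # Overwriting the entry is what erases the older password.
        self.table[user] = (self._digest(user, password), self.clock() + self.ttl)
        return password

    def verify(self, user, password):
        """Accept a password once, and only before it expires; plaintext is never stored."""
        entry = self.table.get(user)
        if entry is None:
            return False
        digest, expiry = entry
        if self.clock() > expiry:
            del self.table[user]    # stale entry: discard it
            return False
        if not secrets.compare_digest(digest, self._digest(user, password)):
            return False
        del self.table[user]        # consumed: replaying the same password fails
        return True
```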

The solution reviewed in [4] is called NetSecCC. Five entities make up this design: a system domain (which manages resources for the SMD and the service domains), security management domains (SMD), security meta-groups (SMG), service domains and a virtual switch (vSwitch). When external or internal traffic intends to access cloud users' services located in the service domains, the vSwitch forwards the traffic to the SMG, which inspects it following a sequence of logical policies called SIC according to the forwarding rules in the vSwitch, so that the traffic reaching the service domains is secure and trusted. The forwarding rules in the vSwitch are created by the SMD based on the security requirements of the users' services and on the load of the network security devices. The SMD changes those rules in order to achieve load balancing and fault tolerance in each security meta-group.

Experiments confirmed that the solution in [4] offers protection not only against malicious attacks from external traffic but also from internal traffic, unlike a traditional architecture. Additionally, even though performance degraded significantly during the test with a single node in a security meta-group, the SMD created a new node and the detection rate rose, also showing high recovery efficiency. However, NetSecCC had the impact of higher latency and lower throughput compared to a model without it.

Another work reviewed from the recent literature [14] stated that the deployment of network intrusion detection techniques in a cloud environment is determined by the type of services offered in the cloud, so an IDS can be important for protecting the cloud from outside and inside attackers. Moreover, it may be of greater help if used together with honeypot networks, which can discover the intentions of users. For that reason, a framework was proposed containing the following modules: a network intrusion detection system (NIDS) module, a Honeypot Network module, an Analysis module and a Signature module. NIDS modules are located at various points to capture external, internal and local traffic, produce alerts and perform preventive actions against malicious attacks, while the Honeypot Network module imitates cloud services to attract attackers and obtain relevant information about them, which is studied by the Analysis module. Finally, the Signature module creates specific rules from the information obtained by the Analysis module and updates the rules in the NIDS. The test results showed that, thanks to the proposed system, rules are generated in case of malicious attacks, which can improve security and decrease processing overhead.


TABLE I. COUNTERMEASURES FOR SECURITY VULNERABILITIES IN CLOUD

| Solution | Vulnerability | Main remarks |
|---|---|---|
| Distributed Virtual IDS [5] | Account and provision stealing; Multi-tenancy | Attack detection by using neighboring nodes to secure the cloud |
| Use of cryptographic techniques [2] | Account and provision stealing; Multi-tenancy; Insecure interface of APIs | Securing the communication channels with encryption, securing the information in the cloud with SHA3, and one-time password for authentication |
| NetSecCC [4] | Account and provision stealing; Privileged user access control | Protection against attacks from external and internal traffic |
| Network IDS (NIDS) and HoneyPot network [14] | Account and provision stealing; Privileged user access control; DoS attacks | Attack detection and mitigation, creation of a model of the attacker's features, and protection of the cloud from outside and inside attackers |
| SDN-based solution focused on control plane security in cloud [11] | Account and provision stealing; DoS attacks | Detection and mitigation of control plane security attacks, such as DoS attacks, by using firewall, ACL, Intrusion Prevention and Detection System |
| HostWatcher [17] | Privileged user access control; DoS attacks | DoS attack mitigation based on SDN, by using a caching-and-resending scheme and a round-robin resending scheme |
| Data security for PaaS model [28] | Account and provision stealing; Multi-tenancy | Securing the data in a cloud implemented as PaaS model, by employing the AES encryption method |
| Transparency Service Model (TSM) [29] | Privileged user access control; Multi-tenancy | Limitation of Cloud Service Provider access and user authentication, by employing a TSM which knows the cloud storage devices and stores the data |
| Broker-based framework of Cloud Security - SLA [30] | Inadequacy of standards | Development of a standardized, quantitative and measurable format to present the SLA |
| Security as a Service for Public cloud tenants [31] | Account and provision stealing; Multi-tenancy | Implementation of a security architecture that considers cloud users' security requirements individually |
| AnonyControl-F [32] | Account and provision stealing; Privileged user access control; Multi-tenancy | Keeping privilege control and identity privacy, preventing leakage of users' information |

Another solution using SDN is the work described in [17]. The design uses SDN techniques to obtain flexible network management, a caching-and-resending scheme to reduce packet loss, a round-robin resending scheme to achieve better QoS and reduce the delay of non-attacking packets, and a distributed processing scheme to make the system scalable. The architecture is composed of a HostWatcher module, residing in the controller, and a Caching-and-Resend module, residing in the watchers. Also, two tables are created in OpenFlow: "Table 0" with HostWatcher rules and "Table 1" with regular routing rules. For normal hosts, packets are processed according to "Table 1". For abnormal hosts, i.e. when a host is receiving or sending more packets than expected, the packets are forwarded to a watcher and cached there in sub-queues according to protocol. After that, the watcher resends the packets to the switch using round-robin scheduling at a lower rate, and the switch forwards them according to the rules in "Table 1". After the simulation, it was concluded that it is possible to keep a small delay for normal packets under an attack situation, guaranteeing QoS, and to keep a small side effect on packet delivery time under a normal scenario. However, this proposal lacks an analysis to estimate appropriate values for the resending packet rate, the length of the caching queues, the number of watchers, the number of hosts per watcher, and so on.
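The caching-and-resending and round-robin resending schemes just described, simulated as an added example (this is not the HostWatcher authors' code, and the packet representation, the per-tick resend rate, the per-queue cap and the constructed burst of 30 UDP, 6 TCP and 4 ICMP packets are assumptions made for the example). The point it shows is that draining per-protocol sub-queues round-robin keeps the few TCP and ICMP packets from waiting behind the UDP flood, and that the only packets lost are those arriving at a full sub-queue:

```python
from collections import OrderedDict, deque

# Constructed burst from one abnormal host: a UDP flood with a little TCP and
# ICMP mixed in (sample data for the example, not a capture).
def constructed_burst():
    pkts = [{"id": i, "proto": "udp"} for i in range(30)]
    pkts += [{"id": 100 + i, "proto": "tcp"} for i in range(6)]
    pkts += [{"id": 200 + i, "proto": "icmp"} for i in range(4)]
    return pkts

class Watcher:
    """Caching-and-Resend module: caches packets of an abnormal host in
    per-protocol sub-queues and resends them round-robin at a reduced rate."""
    def __init__(self, resend_rate, max_queue_len):
        self.resend_rate = resend_rate        # packets resent per scheduling tick
        self.max_queue_len = max_queue_len    # cap per sub-queue (assumed, not from the paper)
        self.queues = OrderedDict()           # protocol -> deque of packets
        self.dropped = 0

    def cache(self, pkt):
        q = self.queues.setdefault(pkt["proto"], deque())
        if len(q) >= self.max_queue_len:
            self.dropped += 1                 # queue full: the only case a packet is lost
            return False
        q.append(pkt)
        return True

    def resend(self):
        """One tick: pick up to resend_rate packets, rotating over the non-empty
        sub-queues so that a flood on one protocol cannot starve the others."""
        out = []
        active = deque(p for p, q in self.queues.items() if q)
        while active and len(out) < self.resend_rate:
            proto = active.popleft()
            out.append(self.queues[proto].popleft())
            if self.queues[proto]:
                active.append(proto)
        return out

    def pending(self):
        return sum(len(q) for q in self.queues.values())

def table0_lookup(pkt_src, abnormal_hosts):
    """Table 0 decision: packets of abnormal hosts go to the watcher, everything
    else falls through to the regular routing rules in Table 1."""
    return "watcher" if pkt_src in abnormal_hosts else "table1"

def simulate(burst, resend_rate=5, max_queue_len=64):
    """Cache the whole burst, then drain it tick by tick. Returns the per-tick
    protocol order of the resent packets and the number of dropped packets."""
    w = Watcher(resend_rate, max_queue_len)
    for pkt in burst:
        w.cache(pkt)
    ticks = []
    while w.pending():
        ticks.append([p["proto"] for p in w.resend()])
    return ticks, w.dropped

if __name__ == "__main__":
    ticks, dropped = simulate(constructed_burst())
    for i, t in enumerate(ticks):
        print(f"tick {i}: {t}")
    print("dropped:", dropped)
```

With a resend rate of 5 per tick the 40-packet burst leaves the watcher over 8 ticks, and the TCP and ICMP packets are all out by the fourth tick instead of behind the last UDP packet; a smaller `max_queue_len` is what turns the UDP excess into drops.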

Table I shows the countermeasures for security vulnerabilities in the cloud that were reviewed for this research. It indicates the name of each solution, the vulnerabilities it addresses and the main remarks about it.

VI. PROPOSED SOLUTION

As indicated in section III, security issues in the cloud are still a big challenge, involving system vulnerabilities, confidentiality, data loss and cloud service abuse. However, availability is the main concern, since one main characteristic of the cloud is providing on-demand service, and DoS and DDoS are the most common attacks [16]. This kind of attack may be combined with other attacks such as IP or MAC spoofing [21]. In section IV, some benefits of using SDN were mentioned. Considering its capability of offering a more dynamic and adaptive management of the network, an SDN-based DoS attack detection system is proposed, taking the works [21] [22] [23] as a baseline. The system will be explained in terms of the modules installed in the SDN controller, the security policies indicated by the SDN applications, and use cases or scenarios.

A. Modules


block them, and b) external mitigator that targets external attackers. The proposed architecture is shown in Fig. 5.

Regarding the monitor, it will use a signature-based Intrusion Detection System (IDS). This type of IDS operates like a virus scanner, looking for a known identity or signature when an intrusion event occurs, but it is only as good as the extent of its updated signature database [10]. The monitor will also collect information about the network, which will be useful to the IDS module. To perform that function, the monitor will use sFlow, a technology for monitoring the performance of network elements and servers [23]. In sFlow, there are three important definitions [27]:

- Counters: include data regarding statistics from switches and servers, such as the number of packets received, the number of bytes, etc.

- Flow Samples: packets are sampled randomly to characterize the network traffic; the randomness prevents synchronization with any periodic pattern in the traffic. In the present work, the sampling rate (number of generated samples per observed packets) will be configured or changed according to the security policies.

- sFlow Datagrams: contain information such as the sFlow version, the origin's IP address, how many samples the datagram contains and the samples themselves. In the proposed solution, datagrams will be sent from switches and servers (sFlow agents) to the monitor (sFlow collector).
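To make the three definitions concrete, here is an added example (not code from the paper or from sFlow.org) of what the monitor, acting as sFlow collector, has to do with a datagram: decode the datagram header, walk the samples by their declared length, and pull out the fields the security policies care about, above all the "1 in N" sampling rate each flow sample reports. The wire layout follows the sFlow version 5 specification [27] for the datagram header, the standard flow sample (format 1) and the standard counter sample (format 2); the datagram itself is constructed in the block, the agent address 10.0.0.5 and the sample values are made up, and flow/counter records after the sample headers are omitted for brevity:

```python
import struct
from dataclasses import dataclass, field
from typing import List

# sFlow v5 standard sample formats (enterprise 0): flow sample = 1, counter sample = 2
FLOW_SAMPLE = 1
COUNTER_SAMPLE = 2

@dataclass
class Sample:
    kind: str            # "flow", "counter" or "unknown"
    sequence: int
    source_id: int       # (source_id_type << 24) | index, as on the wire
    sampling_rate: int   # "1 in N"; only meaningful for flow samples
    records: int         # number of flow/counter records following the sample header

@dataclass
class Datagram:
    agent_ip: str
    sub_agent: int
    sequence: int
    uptime_ms: int
    samples: List[Sample] = field(default_factory=list)

# --- builders, used only to construct the example datagram (agent side) ---
def flow_sample(seq, source_id, rate, pool=0, drops=0, in_if=0, out_if=0):
    # flow_sample header: seq, source id, sampling rate, sample pool, drops, in, out, n records
    body = struct.pack("!IIIIIIII", seq, source_id, rate, pool, drops, in_if, out_if, 0)
    return struct.pack("!II", FLOW_SAMPLE, len(body)) + body

def counter_sample(seq, source_id):
    body = struct.pack("!III", seq, source_id, 0)   # seq, source id, n counter records
    return struct.pack("!II", COUNTER_SAMPLE, len(body)) + body

def build_datagram(agent_ip, samples, sub_agent=0, seq=1, uptime_ms=0):
    ip = bytes(int(o) for o in agent_ip.split("."))
    # version 5, agent address type 1 (IPv4), address, sub-agent id, seq, uptime, n samples
    hdr = struct.pack("!II", 5, 1) + ip + struct.pack("!IIII", sub_agent, seq, uptime_ms, len(samples))
    return hdr + b"".join(samples)

# --- the collector-side parser (monitor) ---
def parse_datagram(data: bytes) -> Datagram:
    version, addr_type = struct.unpack_from("!II", data, 0)
    if version != 5 or addr_type != 1:
        raise ValueError("only sFlow v5 datagrams from IPv4 agents are handled here")
    agent_ip = ".".join(str(b) for b in data[8:12])
    sub_agent, seq, uptime, n = struct.unpack_from("!IIII", data, 12)
    dg = Datagram(agent_ip, sub_agent, seq, uptime)
    off = 28
    for _ in range(n):
        fmt, length = struct.unpack_from("!II", data, off)
        body = data[off + 8: off + 8 + length]
        if len(body) != length:
            raise ValueError("truncated sample")      # malformed datagram: do not trust it
        enterprise, kind = fmt >> 12, fmt & 0xFFF       # data_format = enterprise << 12 | format
        if enterprise == 0 and kind == FLOW_SAMPLE:
            s_seq, src, rate, _, _, _, _, nrec = struct.unpack_from("!IIIIIIII", body, 0)
            dg.samples.append(Sample("flow", s_seq, src, rate, nrec))
        elif enterprise == 0 and kind == COUNTER_SAMPLE:
            s_seq, src, nrec = struct.unpack_from("!III", body, 0)
            dg.samples.append(Sample("counter", s_seq, src, 0, nrec))
        else:
            dg.samples.append(Sample("unknown", 0, 0, 0, 0))   # vendor format, skipped by length
        off += 8 + length
    return dg

def effective_sampling_rates(dg: Datagram):
    """Map each flow-sample source to the '1 in N' rate it reported, so the monitor
    can confirm that a sampling-rate change ordered by the policy took effect."""
    return {s.source_id: s.sampling_rate for s in dg.samples if s.kind == "flow"}

# Constructed datagram (not a capture): switch agent 10.0.0.5, one flow sample
# from interface index 3 at 1-in-512, plus one counter sample from the same source.
EXAMPLE = build_datagram("10.0.0.5",
                         [flow_sample(seq=7, source_id=(0 << 24) | 3, rate=512, pool=4096),
                          counter_sample(seq=9, source_id=(0 << 24) | 3)],
                         seq=42, uptime_ms=5000)

if __name__ == "__main__":
    print(parse_datagram(EXAMPLE))
```

The length check matters in a collector that listens on UDP from many agents: a sample whose declared length runs past the end of the datagram is rejected rather than parsed off the end of the buffer, and unknown (vendor) sample formats are skipped by their length instead of aborting the whole datagram.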

Another important component of the solution is the analyzer. After receiving an alert from the monitor, this element uses the monitor's information to identify whether an IP or MAC spoofing attack is also taking place. Thanks to the use of OpenFlow [26], it is possible to collect the Packet-in and Port Status messages and build a mapping between MAC addresses, IP addresses and switch ports (active or inactive). This information will be kept in tables, which will be updated according to the data contained in the collected messages. When the cloud starts working, the analyzer will collect the MAC and IP address information of all the internal hosts. After receiving the attack alert, the analyzer will check the IP and MAC addresses to determine whether the attacker is internal (known host) or external. If the IP or MAC address is known, the attacker may be internal, so the analyzer should first check whether there is a spoofing attack. If there is no spoofing attack, the attacker is considered to be an internal host. Otherwise, the analyzer can conclude that it is an external attacker. Depending on the conclusion reached by the analyzer, one of two mitigator modules is employed. The first one is the external mitigator module, which will be in charge of adding firewall rules to the SDN switches in order to drop the incoming packets originating from the attacker's IP or MAC address. These rules will be kept in the switches until the monitor indicates that the attack has stopped, so this external mitigator will be mainly responsible for managing the firewall rules in the switches. The second mitigator is in charge of internal attacks. In this scenario, the mitigation measures can vary according to the cloud service provider or cloud administrator. Since the host abused by the attacker to perform malicious activities can also be hosting innocuous virtual machines, it is not possible to completely block the traffic from that host as the external mitigator does. Additionally, dropping the packets coming from the suspicious host can affect the SLA defined for the non-attacking virtual machines residing in the host [33]. For this reason, the internal mitigator will only disable the up-scaling of resources for the services or virtual machines included in the suspicious host, preventing them from increasing their processing power to continue the attack. Additionally, in order to reduce the damage to victim hosts, the internal mitigator can apply techniques such as [17] to reduce the packet rate by queuing the packets before they are sent, without dropping any packet and preserving the SLA previously mentioned. These measures will be disabled according to the indications of the monitor when the attack stops.

TABLE II. PROPOSED SOLUTION MODULES AND ACTIONS

Module | Action
Monitor | Alerts the existence/termination of a DoS attack by using information collected with sFlow and using an IDS
Analyzer | Checks if an IP or MAC spoofing has occurred and determines if the DoS attack is internal or external
External Mitigator | Manages firewall rules in switches according to monitor indications
Internal Mitigator | Applies measures according to CSP or cloud administrator without affecting SLA

B. Security Policies

The security policies defined by a DoS Security Application will help to deal appropriately with DoS attacks that may include an IP or MAC spoofing attack, since it is possible to consider patterns that identify those attacks. For example, there could be a sudden increase in traffic volume, because this type of attack tries to exhaust the network resources of the victim; this can be identified by setting a control threshold over the baseline traffic. Another example is related to fake IP addresses, where adequate knowledge of the network topology is necessary to recognize which addresses are legitimate and which ones are not. For this reason, the data in packets with fake IP addresses have to be gathered and inspected as needed [22]. Still, the application needs to work without affecting the performance of the overall cloud.

Following this, the system will be governed by the following security policies:

1) If the monitor identifies a sudden increase in the traffic, based on the collected samples and a threshold for normal traffic set by the DoS Security application, it will alert the application.

2) The application will instruct the monitor to increase the sFlow sampling rate, in order to get more information only from the suspicious device or host.


4) If the analyzer concludes there is an IP or MAC spoofing attack too, this means an external attacker is trying to impersonate an internal host and the external mitigation module should be used. Otherwise, the internal mitigation module should be used.

5) The mitigation modules will apply measures according to whether the attacker is internal or external. The monitor will continuously check whether the attack persists; consequently, when it identifies that the attack has stopped, it should indicate to the mitigation modules to disable any previously taken measure.
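Policies 1, 2 and 5 as a small runnable model, added here as an example and not taken from the paper: the DoS Security Application owns the threshold and the sFlow sampling rates, the monitor keeps a per-host baseline from readings taken while the host is not under attack, alerts the application on the first reading above the threshold, and reports the end of the attack once enough normal readings follow. The threshold as a multiple of the baseline mean, the warm-up length, the two-reading "attack stopped" rule, the "1 in N" sampling values and the packet-rate series for the two hosts are all assumptions constructed for the example:

```python
from collections import defaultdict, deque
from statistics import mean

# Constructed per-host packet rates (packets/s, as a monitor would derive them
# from successive sFlow counter samples); not real measurements.
TRAFFIC = {
    "10.0.0.7": [120, 130, 118, 125, 122, 9000, 12000, 11000, 130, 121, 119],
    "10.0.0.8": [300, 310, 295, 305, 300, 302, 298, 301, 299, 300, 297],
}

class DoSSecurityApp:
    """Policy side: owns the normal-traffic threshold (policy 1) and the sFlow
    sampling rate, expressed as '1 in N', to use for suspicious hosts (policy 2).
    The factor, the rates and clear_after are assumed values for the example."""
    def __init__(self, threshold_factor=3.0, normal_sampling=1024,
                 suspicious_sampling=32, clear_after=2):
        self.threshold_factor = threshold_factor
        self.normal_sampling = normal_sampling
        self.suspicious_sampling = suspicious_sampling
        self.clear_after = clear_after          # normal readings needed to call the attack over
        self.sampling = defaultdict(lambda: normal_sampling)   # host -> current '1 in N'
        self.log = []                           # (event, host) pairs, also passed to the mitigators

    def threshold(self, baseline_pps):
        return self.threshold_factor * baseline_pps

    def on_attack_start(self, host):
        self.sampling[host] = self.suspicious_sampling   # sample more packets from this host only
        self.log.append(("start", host))

    def on_attack_stop(self, host):
        self.sampling[host] = self.normal_sampling       # back to the cloud-wide default
        self.log.append(("stop", host))                  # mitigators disable their measures (policy 5)

class Monitor:
    """Keeps a sliding baseline per host from readings taken while it is not under
    attack, alerts the application on a sudden increase and reports when it ends."""
    def __init__(self, app, warmup=4, window=8):
        self.app = app
        self.warmup = warmup
        self.baseline = defaultdict(lambda: deque(maxlen=window))
        self.under_attack = set()
        self.calm = defaultdict(int)

    def observe(self, host, pps):
        hist = self.baseline[host]
        if len(hist) < self.warmup:           # still learning this host: never alert
            hist.append(pps)
            return None
        if pps > self.app.threshold(mean(hist)):
            self.calm[host] = 0
            if host in self.under_attack:
                return "ongoing"
            self.under_attack.add(host)
            self.app.on_attack_start(host)
            return "start"
        hist.append(pps)                      # only normal readings feed the baseline
        if host in self.under_attack:
            self.calm[host] += 1
            if self.calm[host] >= self.app.clear_after:
                self.under_attack.discard(host)
                self.calm[host] = 0
                self.app.on_attack_stop(host)
                return "stop"
        return None

def run(traffic=TRAFFIC, app=None):
    """Replay the readings tick by tick; returns (start/stop events, final sampling rates)."""
    app = app or DoSSecurityApp()
    mon = Monitor(app)
    events = []
    for tick in range(max(len(s) for s in traffic.values())):
        for host, series in traffic.items():
            if tick < len(series):
                ev = mon.observe(host, series[tick])
                if ev in ("start", "stop"):
                    events.append((tick, host, ev))
    return events, dict(app.sampling)

if __name__ == "__main__":
    print(run())
```

Two details carry the policy: readings taken during the attack are kept out of the baseline, so the threshold does not drift upward and mask a long-running flood, and the sampling rate is raised for the alerted host alone and restored when the monitor reports the stop, which is what keeps the extra sampling from loading the rest of the cloud.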

Figure 5. Proposed Solution Architecture

C. Use Cases

In case an internal host's MAC address is spoofed, the attacker's MAC address can be found in the mapping tables stored in the analyzer, but the corresponding IP address will be different. So it is necessary to identify if there was a previous IP address modification. If this was the case, there should be a previous request to a DHCP server, so the MAC-IP address mapping should be updated and the internal host is considered to be abused by an attacker, so the internal mitigator module should take action. On the other hand, if there is no previous request to get new IP address, the host's MAC address is considered as spoofed and it is possible to conclude the attack comes from an external host. Consequently, the external mitigator module will add rules in the switches to drop packets from the identified IP address.

In case an internal host's IP address is spoofed, the attacker's IP address can be found in the mapping tables, but the corresponding MAC address will be different. It is then necessary to check whether there is any port status change report, which is included in Port Status messages. If there was a change for the corresponding port (on-off and off-on changes), the new MAC address corresponds to a newly connected device or the device was replaced, so the MAC-IP address mapping should be updated; it can be concluded that the internal host is controlled by an attacker and the internal mitigator should be alerted. However, if there are no changes on the port, the IP address was spoofed and the attack comes from an external host; similarly to the previous case, the external mitigator module will insert rules in the switches.
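The analyzer's mapping tables and both use cases, written out as an added example (not the paper's implementation): Packet-in messages populate a MAC/IP/port table, Port Status messages and DHCP leases are recorded as events, and `classify()` applies the two decision paths above to the addresses named in a DoS alert, returning which mitigator to invoke. The event interface (`learn_packet_in`, `port_status`, `dhcp_lease`), the `Decision` fields, the plain match/action dictionary used to represent the external mitigator's drop rule, and the addresses in the test are all assumptions of the example rather than the paper's API:

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass
class HostEntry:
    mac: str
    ip: str
    dpid: int    # switch datapath id from the Packet-in
    port: int    # ingress port from the Packet-in

@dataclass
class Decision:
    verdict: str              # "internal" or "external"
    spoofing: Optional[str]   # None, "mac" or "ip"
    mitigator: str            # "internal_mitigator" or "external_mitigator"
    reason: str

class Analyzer:
    def __init__(self):
        self.by_mac: Dict[str, HostEntry] = {}
        self.by_ip: Dict[str, HostEntry] = {}
        self.port_changes: Set[Tuple[int, int]] = set()   # (dpid, port) that changed state
        self.dhcp_leases: Dict[str, str] = {}             # mac -> latest leased ip

    # -- events fed in from the controller (OpenFlow) and the DHCP server --
    def learn_packet_in(self, mac: str, ip: str, dpid: int, port: int) -> None:
        entry = HostEntry(mac, ip, dpid, port)
        self.by_mac[mac] = entry
        self.by_ip[ip] = entry

    def port_status(self, dpid: int, port: int) -> None:
        self.port_changes.add((dpid, port))   # a Port Status message reported a change here

    def dhcp_lease(self, mac: str, ip: str) -> None:
        self.dhcp_leases[mac] = ip

    def _rebind(self, entry: HostEntry, ip=None, mac=None) -> None:
        self.by_ip.pop(entry.ip, None)
        self.by_mac.pop(entry.mac, None)
        entry.ip = ip or entry.ip
        entry.mac = mac or entry.mac
        self.by_ip[entry.ip] = entry
        self.by_mac[entry.mac] = entry

    # -- decision taken after the monitor raises a DoS alert for (ip, mac) --
    def classify(self, ip: str, mac: str) -> Decision:
        e_mac, e_ip = self.by_mac.get(mac), self.by_ip.get(ip)
        if e_mac is None and e_ip is None:
            return Decision("external", None, "external_mitigator",
                            "neither address belongs to an internal host")
        if e_mac is not None and e_mac.ip == ip:
            return Decision("internal", None, "internal_mitigator",
                            "known host with a consistent MAC-IP pair")
        if e_mac is not None:                       # use case 1: known MAC, different IP
            if self.dhcp_leases.get(mac) == ip:
                self._rebind(e_mac, ip=ip)
                return Decision("internal", None, "internal_mitigator",
                                "host obtained the new IP from DHCP; mapping updated")
            return Decision("external", "mac", "external_mitigator",
                            "internal MAC used with an IP it never leased")
        key = (e_ip.dpid, e_ip.port)                # use case 2: known IP, different MAC
        if key in self.port_changes:
            self.port_changes.discard(key)          # consume the event so it is not reused
            self._rebind(e_ip, mac=mac)
            return Decision("internal", None, "internal_mitigator",
                            "port changed state; new device on the same port; mapping updated")
        return Decision("external", "ip", "external_mitigator",
                        "internal IP seen with a foreign MAC on an unchanged port")

def drop_rule(ip: str) -> dict:
    """Firewall rule the external mitigator would push to the switches for an
    external verdict, as a plain match/action dict (illustrative, not a controller
    API). An empty action list means the packet is dropped."""
    return {"match": {"eth_type": 0x0800, "ipv4_src": ip}, "actions": [], "priority": 1000}
```

The two rebinding branches are the ones to watch in operation: each of them rewrites the mapping on evidence from a different source (a DHCP lease or a Port Status message), so an attacker who could forge either event would be able to turn an "external" verdict into an "internal" one; the analyzer should therefore only accept those events from the controller and the DHCP server, not infer them from the data plane.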

VII. CONCLUSIONS

In this paper, we reviewed existing security challenges in the cloud environment. Among those challenges, the main ones are account and provision stealing, privileged user access control, multi-tenancy, insecure interfaces of the APIs used, DoS attacks and inadequacy of standards. In recent literature, proposed solutions for security issues in the cloud include the use of Intrusion Detection Systems (IDS), encryption algorithms and Honeypots. In addition to these methods, Software Defined Networking (SDN) is gaining popularity because it permits centralized network provisioning, agile and flexible management and a quick implementation of security policies, all of that at low cost.

Based on SDN, a design was proposed with the aim of detecting and mitigating DoS attacks in cloud environments. The presented system makes use of a monitor and an analyzer, both located in the SDN controller. The monitor has an IDS module, utilizes sFlow to monitor statistics from the network devices and alerts the analyzer if a DoS attack is detected; the analyzer utilizes the OpenFlow protocol, collects the Packet-in and Port Status messages to build a mapping between IP addresses, MAC addresses and ports, and is able to detect IP or MAC spoofing attacks and conclude whether the attack is internal or external. Additionally, the solution includes a mitigation module for each scenario and a DoS Security Application. This application sets a threshold for normal traffic and indicates to the monitor whether it is necessary to inspect the traffic in more detail, and it also manages the security policies that protect the cloud against external or internal DoS attacks. With this system, it is possible to identify internal hosts controlled by malicious users and take the corresponding countermeasures, such as limiting the resources of the affected hosts, and to identify whether attacks come from external hosts and drop the packets coming from them.

ACKNOWLEDGMENT

This study was supported by the Research Program funded by SeoulTech (Seoul National University of Science and Technology).

REFERENCES

[1] G. Shanmugasundaram, V. Aswini and G. Suganya, "A comprehensive review on cloud computing security," 2017 International Conference on Innovations in Information, Embedded and Communication Systems (ICIIECS), Coimbatore, 2017, pp. 1-5.

[2] A. R. Wani, Q. P. Rana and N. Pandey, "Cloud security architecture based on user authentication and symmetric key cryptographic techniques," 2017 6th International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions) (ICRITO), Noida, 2017, pp. 529-534.

[3] M. A. Khan, "A survey of security issues for cloud computing," Journal of Network and Computer Applications, vol. 71, 2016, pp. 11-29.


[5] P. Donadio, G. B. Fioccola, R. Canonico and G. Ventre, "Network security for Hybrid Cloud," 2014 Euro Med Telco Conference (EMTC), Naples, 2014, pp. 1-6.

[6] D. Sitaram, G. Manjunath, Moving to the Cloud: Developing Apps in the New World of Cloud Computing, 1st ed., Syngress, 2011.

[7] S. Basu et al., "Cloud computing security challenges & solutions-A survey," 2018 IEEE 8th Annual Computing and Communication Workshop and Conference (CCWC), Las Vegas, NV, 2018, pp. 347-356.

[8] T. C. Vance, N. Merati, C. Yang, M. Yuan, Cloud Computing in Ocean and Atmospheric Sciences, 1st ed., Academic Press, an imprint of Elsevier, 2016.

[9] P. Mell, T. Grance (2011). The NIST Definition of Cloud Computing. [Online]. Available: http://faculty.winthrop.edu/domanm/csci411/Handouts/NIST.pdf

[10] C. B. O. M. E. Moctar and K. Konaté, "A survey of security challenges in cloud computing," 2017 International Conference on Wireless Communications, Signal Processing and Networking (WiSPNET), Chennai, 2017, pp. 843-849.

[11] P. Rengaraju, V. R. Ramanan and C. H. Lung, "Detection and prevention of DoS attacks in Software-Defined Cloud networks," 2017 IEEE Conference on Dependable and Secure Computing, Taipei, 2017, pp. 217-223.

[12] J. Qadiree, M. I. Maqbool, "Solutions of Cloud Computing Security Issues," International Journal of Computer Science Trends and Technology (IJCST), vol. 2, 2016, pp. 38-42.

[13] L. Coppolino, S. D'Antonio, G. Mazzeo, L. Romano, "Cloud security: Emerging threats and current solutions," Computers & Electrical Engineering, vol. 59, 2017, pp. 126-140.

[14] V. Mahajan and S. K. Peddoju, "Integration of network intrusion detection systems and honeypot networks for cloud security," 2017 International Conference on Computing, Communication and Automation (ICCCA), Greater Noida, 2017, pp. 829-834.

[15] A. Garg, V. Saini, M. Imran and M. A. Qadeer, "Performance analysis of software defined networks," 2017 9th International Conference on Computational Intelligence and Communication Networks (CICN), Girne, 2017, pp. 58-61.

[16] T. Tamanna, T. Fatema and R. Saha, "SDN, A research on SDN assets and tools to defense DDoS attack in cloud computing environment," 2017 International Conference on Wireless Communications, Signal Processing and Networking (WiSPNET), Chennai, 2017, pp. 1670-1674.

[17] B. Yuan, D. Zou, H. Jin, S. Yu, L. T. Yang, "HostWatcher: Protecting hosts in cloud data centers through software-defined networking," Future Generation Computer Systems, 2017.

[18] R. Masoudi, A. Ghaffari, "Software defined networks: A survey," Journal of Network and Computer Applications, vol. 67, 2016, pp. 1-25.

[19] P. Patel, V. Tiwari and M. K. Abhishek, "SDN and NFV integration in openstack cloud to improve network services and security," 2016 International Conference on Advanced Communication Control and Computing Technologies (ICACCCT), Ramanathapuram, 2016, pp. 655-660.

[20] K. Benzekki, A. El Fergougui and A. Elbelrhiti Elalaoui, "Software-defined networking (SDN): a survey," Security Comm. Networks, vol. 9, 2016, pp. 5803-5833.

[21] Y. E. Oktian, S. Lee and H. Lee, "Mitigating Denial of Service (DoS) attacks in OpenFlow networks," 2014 International Conference on Information and Communication Technology Convergence (ICTC), Busan, 2014, pp. 325-330.

[22] T. Chin, X. Mountrouidou, X. Li and K. Xiong, "Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking (SDN)," 2015 IEEE 35th International Conference on Distributed Computing Systems Workshops, Columbus, OH, 2015, pp. 95-99.

[23] W. Navid and M. N. M. Bhutta, "Detection and mitigation of Denial of Service (DoS) attacks using performance aware Software Defined Networking (SDN)," 2017 International Conference on Information and Communication Technologies (ICICT), Karachi, 2017, pp. 47-57.

[24] J. H. Cox et al., "Advancing Software-Defined Networks: A Survey," in IEEE Access, vol. 5, pp. 25487-25526, 2017.

[25] G. Pujolle, Software Networks: Virtualisation, SDN, 5G and security, 1st. ed., London: WileyISTE, 2015.

[26] Open Networking Foundation, OpenFlow Switch Specification ver. 1.5.1, March 26, 2015; Available at: https://3vf60mmveq1g8vzn48q2o71a-wpengine.netdna-ssl.com/wp-content/uploads/2014/10/openflow-switch-v1.5.1.pdf

[27] sFlow.org, sFlow version 5, July, 2004; Available at: https://sflow.org/sflow_version_5.txt

[28] B. H. Lee, E. K. Dewi and M. F. Wajdi, "Data security in cloud computing using AES under HEROKU cloud," 2018 27th Wireless and Optical Communication Conference (WOCC), Hualien, Taiwan, 2018, pp. 1-5.

[29] S. Ashraf, T. Kehkashan, M. Gull and S. Moin u Din, "Transparency service model for data security in cloud computing," 2018 International Conference on Computing, Mathematics and Engineering Technologies (iCoMET), Sukkur, 2018, pp. 1-6.

[30] T. Halabi, M. Bellaiche, "A broker-based framework for standardization and management of Cloud Security-SLAs," Computers & Security, vol. 75, 2018, pp. 59-71.

[31] M. Hawedi, C. Talhi, H. Boucheneb, "Security as a Service for Public Cloud Tenants (SaaS)," Procedia Computer Science, vol. 130, 2018, pp. 1025-1030.

[32] T. Jung, X. Y. Li, Z. Wan and M. Wan, "Control Cloud Data Access Privilege and Anonymity With Fully Anonymous Attribute-Based Encryption," in IEEE Transactions on Information Forensics and Security, vol. 10, no. 1, pp. 190-199, Jan. 2015.
