FMEC2020

Harry Trinh

July 02, 2020

Transcript

  1. FMEC 2020: The Fifth International Conference on Fog and Mobile Edge Computing, Paris, France. June 30th to July 3rd, 2020

    Dynamic Economic-Denial-of-Sustainability (EDoS) Detection in SDN-based Cloud
    D. Phuc Trinh, Minho Park - Soongsil University, Seoul, South Korea
    [email protected]
  2. Outline

    I. Background Knowledge
    II. Problem Statement
    III. Related Work
    IV. Our Proposed EDoS Attack Defense
    V. Implemental Setup
    VI. Performance Evaluation
    VII. Conclusion & Future Work
  3. I. Background Knowledge – Cloud Computing

    • Cloud computing refers to applications and services that run on a distributed network using virtualized resources and are accessed by common Internet protocols and networking standards.
    • Cloud computing takes the technology, services and applications that are similar to those on the Internet and turns them into a self-service utility:
      • E-mail services (Gmail)
      • Web conferencing (ZOOM)
      • Storage (Microsoft OneDrive)
    • The biggest cloud computing service providers nowadays are Microsoft Azure, AWS, GCP, ...
    Figure 1. Cloud Computing service providers
  4. I. Background Knowledge - SDN

    • Software-defined networking (SDN) technology, by contrast, focuses solely on separation of the network control plane from the data plane.
    • In a traditional network, the data plane and control plane reside on the same network device.
    • The control plane makes decisions about how packets should flow through the network.
    • The data plane actually moves packets from place to place.
    Source: Energy-Aware Routing in Carrier-Grade Ethernet using SDN Approach
    Figure 2. Traditional networking vs SDN
  5. I. Background Knowledge - SDN

    SDN is composed of 3 different layers:
    • Application Layer: This layer covers an array of applications focusing on network services, and they are mainly software applications communicating with the control layer.
    • Control Layer: As the core of SDN, the control layer consists of a centralized controller, which logically maintains a global and dynamic network view, takes requests from the application layer, and manages the network devices via standard protocols.
    • Data-plane Layer: Infrastructure including switches, routers and network appliances. In the SDN context, these devices are programmable and support standard interfaces.
    Source: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7350211
    Figure 3. SDN architecture
  6. I. Background Knowledge - NFV

    • Network function virtualization (NFV) is proposed to address these issues by implementing network functions as pure software on commodity and general hardware.
    • NFV allows flexible provisioning, deployment, and centralized management of virtual network functions.
    • NFV benefits a wide range of applications (e.g., service chaining) and is becoming the dominant form of NFV. Integrated with SDN, the software-defined NFV architecture further offers agile traffic steering and joint optimization of network functions and resources.
    Source: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7350211
    Figure 4. NFV Infrastructure (NFVI)
  7. I. Background Knowledge – Software-defined NFV

    • The trend of integrating SDN with NFV (the software-defined NFV architecture) to achieve various network control and management goals has seen a noticeable growth.
    • SDN, when applied to NFV, can help in addressing the challenges of dynamic resource management and intelligent service orchestration.
    • Through NFV, SDN is able to create a virtual service environment dynamically for a specific type of service chain; consequently, the dedicated hardware and complex labor work needed to serve a newly arriving service request are avoided.
    • In conjunction with the use of SDN, NFV further enables real-time and dynamic function provisioning along with flexible traffic forwarding.
    Figure 5. SDN-based NFV design
  8. I. Background Knowledge – Software-defined NFV

    • The SDN/NFV architecture consists of NFV Orchestration, Controller Platform, forwarding devices, and servers.
    • The SDN controller is responsible for controlling the traffic path, primarily using the OpenFlow protocol to communicate with forwarding devices (OpenFlow switches) to impose policies from the control plane on the data plane.
    • Meanwhile, NFV uses standard computing virtualization technology to consolidate in commodity hardware (i.e., servers or a cloud platform (e.g., OpenStack)) to deliver network functions of high bandwidth and high performance at low cost.
    • Hypervisors, which run on servers, primarily focus on supporting VMs that enable them to operate network functions such as firewalls, proxies, and IDS.
    Figure 5. SDN-based NFV design
  9. I. Background Knowledge – Software-defined NFV

    Figure 6 illustrates a typical SDN-based cloud environment prototype including three technologies: SDN, NFV, and cloud platform.
  10. II. Problem Statement

    Cloud computing offers some exclusive features, such as payment according to usage, elasticity, and auto scalability, which are considered an opportune demand over traditional computing services. A cloud service provider generally auto-scales up the resources for a customer to satisfy the service level agreements (SLA) for the availability of the service for the customer and charges the customer for the use. EDoS attacks exploit this feature to make the cloud unsustainable by abusing the cloud billing mechanism so that the cloud user's bill is charged for the attack's activities.
    Source: Fahad Zaman Chowdhury, Laiha Binti Mat Kiah, M. A Manazir Ahsan - Published 2017, Computer Science, 2017 International Conference on Electrical Engineering and Computer Science (ICECOS)
    Figure 7: EDoS Attacks in Cloud Computing
  11. II. Problem Statement – DDoS vs EDoS

    • In a DDoS attack, the attacker’s goal is to disrupt the services offered by a cloud service provider. Therefore, in most cases, DDoS attackers irrationally launch an attack over a short amount of time with their maximum resources.
    • The purpose of such an attack is to shut down the service completely or significantly degrade the service quality.
    • Conversely, in EDoS attacks, attackers are typically more clever and highly rational. They particularly target an individual or specific group of cloud users. They gradually push illegitimate traffic over a longer period of time. Their motivation is to increase the financial cost incurred by the targeted cloud user through the over-provisioning of cloud resources.
    Figure 8. EDoS attack region with attack strength
  12. II. Problem Statement – EDoS: types of attacks

    From the viewpoint of SDN, which is a flow-based rule network system, the types of EDoS attack are listed in Table I. These volumetric-based attacks make not only the cloud user but also the SDN controller or Virtual Network Functions consume a lot of resources (e.g., CPU, RAM, and so on).
  13. III. Related Work

    Proposal: EDoS-Shield [7]
    Description: Two main components, virtual firewalls (VFs) and authentication nodes (V-nodes), perform a major role in detecting EDoS attacks.
    Limitation: It is easily susceptible to spoofing attacks and possesses a higher false-positive rate by blocking many legal user IP addresses, since the two lists are not updated in an efficient manner.

    Proposal: sPoW [8]
    Description: Its main function is to filter illegitimate traffic.
    Limitation: There are a few shortcomings of the scheme.
      • An attacker can easily start a puzzle accumulation attack.
      • The scheme may be prone to false positives, as some of the benign users might be prevented from the service request due to rising puzzle complexity.

    Proposal: EDoS Armor [9]
    Description: It uses a two-phase defense system consisting of admission control and congestion control. The aim of admission control is to restrict the number of end-users. Congestion control sets priorities for clients based on their past browsing behavior, which is categorized into good and bad users utilizing a decision tree algorithm (J48).
    Limitation: EDoS Armor is relatively effectual; however, the adaptability of the model needs to be taken into account because potential new clients might lose interest in using the site if it is too complicated.
  14. III. Related Work – Recent Work

    Proposal: EDoS-eye [12]
    Description: EDoS Eye employs game theory to mitigate the invalid traffic. The authors obtained an optimal threshold value through the Nash equilibrium and incorporated a honeypot to minimize false rates.
    Limitation: With the use of a honeypot, the game theory algorithm seems to be ignored, since the honeypot is signature-based.

    Proposal: Karami & Chen [13]
    Description: An anomaly-based detection system in which Markov models were obtained.
    Limitation: The technique primarily aimed at identifying EDoS traffic instead of mitigation.

    • The existing work used a predefined threshold to classify the attack sources -> this approach results in high false-alarm errors.
    • The existing work conducted the attack in a very simple testbed and lacks detail -> hard to evaluate their approach exactly.
  15. IV. Proposed EDoS Attack Defense – Our Observation

    • In the SDN-based cloud, cloud consumers are typically monitored with multivariate time series, whose anomaly detection is critical for service quality management.
    • Networking metrics such as memory usage, CPU load, TCP connections, etc. are supervised by a network administrator, and when an EDoS attack is launched, one of the selected features will suddenly change its value.
    • Thus, we need an intelligent model that discovers changes in the values of multiple time series simultaneously to detect EDoS.
  16. IV. Proposed EDoS Attack Defense – Our Approach

    • Therefore, in our proposal, an algorithm called LSTM is adopted for multivariate time series anomaly detection. By learning from historical data and then using live data to predict future values, we compare the values with a dynamic error threshold to determine anomalies.
    • Because of that, our proposed scheme is a very practical and effective approach to detect a stealthy attack like EDoS.
    Figure 9. Conceptual Architecture of our proposed scheme
  17. IV. Proposed EDoS Attack Defense – System Design

    Figure 10. Conceptual Architecture of our proposed scheme, in which the SDN architecture is synchronized with the OpenStack controller and is an extension in the Control Plane.
  18. IV. Proposed EDoS Attack Defense – Workflow System

    Figure 11. Detailed architecture: modules synchronized with the OpenStack controller, located in the SDN application layer.
  19. IV. Proposed EDoS Attack Defense – Raw Data Processing Module

    • DATA COLLECTOR: this module simply runs in the SDN controller. It collects data from both OpenFlow statistics and the utilization rate of the physical and virtual resources comprising deployed clouds.
    • FEATURE EXTRACTOR: it extracts several attributes from the data gathered by the Data Collector, as shown in Table II. These are the key features, selected by taking the k highest scores based on our empirical research and verified using the chi-squared statistic.
  20. IV. Proposed EDoS Attack Defense – Raw Data Processing Module

    • FEATURE TRANSFORMATION & STANDARDIZATION: at this stage, all the categorical features extracted in the previous stage are transformed from categorical data into numeric data using the One-Hot encoding technique. After the transformation, the data needs to be normalized, and its formula can be expressed as:
      z = (x − µ) / σ
      where x is the value that is standardized, µ is the mean of the distribution, and σ is the standard deviation of the distribution.
    This module not only significantly improves the LSTM model’s predictive power, but also makes it faster to run and easier to understand.
  21. IV. Proposed EDoS Attack Defense – LSTM Model

    Figure 12. A visual representation of the input matrices used for prediction at each time step t. Current prediction errors are compared to past errors to determine if they are anomalous.
  22. IV. Proposed EDoS Attack Defense – Dynamic Threshold Selection

    Figure 13. ε is the dynamic threshold
  23. IV. Proposed EDoS Attack Defense – Dynamic Threshold Selection

    Where () is a smoothed error element of a sequence ∈ S(i) indicates the severity of the anomaly
  24. IV. Proposed EDoS Attack Defense – Mitigation Agent

    If the traffic is declared as abnormal traffic, then, in order to mitigate the EDoS attack, the Mitigation Agent sends a flow_mod message with a delete action to the edge OpenFlow switch and requests the forwarding engine of the SDN controller to drop packet_in messages of attacking sources (as illustrated below).
  25. V. Experimental Setup – Software-defined NFV

    • The Server Machine Dataset (SMD) is used to train the LSTM. This new dataset was collected from a large Internet company. The SMD includes anomalous traffic at a ratio of 10.72%, and the training and testing set sizes are 58317 and 73729, respectively.
    • Table III describes the model parameters that we used.
  26. V. Experimental Setup – Software-defined NFV

    • Figure 13 shows the testbed of virtual networks used to simulate an EDoS attack in a production environment. It comprises an OpenStack platform (one Controller node, one Network node, one VMware ESXi server to create multiple VMs, and three Compute nodes running OvS drivers for cloud networking), an SDN controller (ONOS), the Internet connection and botnets.
    • As we stated in section IV.a, our modules are located in the SDN application layer of the ONOS server (Figure 13). The ONOS server system configuration is a dodeca-core CPU (Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz) and a total of 48GB memory, running 64-bit Ubuntu Linux v18.04.
    Figure 13. Experimental Setup
  27. VI. Performance Evaluation – DR, Accuracy, FAR

    Figure 14: The Detection Rate, Accuracy, FAR comparison
  28. VI. Performance Evaluation – Response Time

    Figure 15: The experimental result of the response time
  29. VI. Performance Evaluation – CPU and Memory Usage

    Figure 16: The percentage of the CPU (left) and memory (right) usage
  30. VII. Conclusion and Future Work

    • In this paper, we propose an unsupervised learning approach called Long Short-Term Memory (LSTM), which is a multivariate time series anomaly detection integrated with a dynamic error threshold, to mitigate EDoS attacks in an SDN-based cloud environment.
    • The evaluation in section VI shows that our proposed scheme is very efficient in terms of both accuracy and resource consumption.
    • As our future work, we expect to improve the mechanism and compare our proposal with other existing works using more evaluation criteria.
  31. Thank You

    [email protected]
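
The dynamic error threshold from slides 22 and 23 (Dynamic Threshold Selection), as an added example that is not code from the deck or its authors. The threshold and severity formulas are missing from the transcript, so the rule used here (ε = mean + z·std over the previous window of EWMA-smoothed errors, severity as the excess over ε scaled by mean + std) is an assumption, as are all function names, parameters and the constructed metric series; a constant predictor stands in for the LSTM.

```python
from statistics import mean, pstdev

def smooth(errors, alpha=0.3):
    """EWMA of the raw prediction errors, giving the smoothed errors e_s."""
    e_s = [errors[0]]
    for e in errors[1:]:
        e_s.append(alpha * e + (1 - alpha) * e_s[-1])
    return e_s

def detect(actual, predicted, window=20, z=3.0, alpha=0.3):
    """Return [(step, epsilon, severity)] where e_s exceeds the dynamic threshold.

    Assumed rule: epsilon = mean + z * std of the previous `window` smoothed
    errors, so the threshold follows recent behaviour instead of being fixed.
    """
    # Per-step error: mean absolute error across all monitored features.
    err = [mean(abs(a - p) for a, p in zip(row_a, row_p))
           for row_a, row_p in zip(actual, predicted)]
    e_s = smooth(err, alpha)
    alerts = []
    for i in range(window, len(e_s)):
        hist = e_s[i - window:i]               # past errors only, never the current one
        mu = mean(hist)
        sigma = max(pstdev(hist), 1e-6)        # floor: a flat history must not give eps == mu
        eps = mu + z * sigma
        if e_s[i] > eps:
            severity = (e_s[i] - eps) / (mu + sigma)   # assumed severity score
            alerts.append((i, eps, severity))
    return alerts

def constructed_series(steps=120, attack_start=80):
    """Constructed, already standardized metrics: CPU, memory, TCP connections."""
    actual, predicted = [], []
    for t in range(steps):
        residual = 0.10 if t % 2 == 0 else 0.12        # normal model error
        ramp = 0.06 * max(0, t - attack_start + 1)     # slow EDoS-style growth
        predicted.append([0.0, 0.0, 0.0])              # stand-in for LSTM output
        actual.append([residual, residual, residual + ramp])  # only TCP connections drift
    return actual, predicted

if __name__ == "__main__":
    actual, predicted = constructed_series()
    for step, eps, sev in detect(actual, predicted)[:3]:
        print(f"step {step}: threshold={eps:.4f} severity={sev:.2f}")
```

Because ε is recomputed from recent errors, a ramp that persists long enough is absorbed into the history window; the first crossing is the event to act on.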