云环境下一种基于信任的加密流量DDoS发现方法

A Trust-Based DDoS Discovery Approach for Encrypted Traffic in Cloud Environment

针对云环境下分布式拒绝服务(distributed denial-of-service,DDoS)攻击加密攻击流量隐蔽性更强、更容易发起、规模更大的问题,提出了一种云环境下基于信任的加密流量DDoS发现方法TruCTCloud.该方法在现有基于机器学习的DDoS攻击检测中引入信任的思想,结合云服务自身的安全认证,融入基于签名和环境因素的信任评估机制过滤合法租户的显然非攻击流量,在无需对加密流量解密的前提下保障合法租户流量中包含的敏感信息.其后,对于其他加密流量和非加密流量,引入流包数中位值、流字节数中位值、对流比、端口增速、源IP增速这5种特征,基于特征构建Ball-tree并提出基于k近邻(k-nearest neighbors,k NN)的流量分类算法.最后,在OpenStack云环境下检测了提出方法的效果,实验表明TruCTCloud方法能快速发现异常流量和识别DDoS攻击的早期流量,同时,能够有效保护合法用户的敏感流量信息.

In the cloud environment,DDoS(distributed denial of service)attacks may be more covert,easier to launch and potentially larger because data flow can be encrypted.A trust-based DDoS attack discovery approach for the encrypted traffic in the cloud environment called TruCTCloud is proposed.Firstly,a trust evaluation mechanism is introduced to filter the non-attack traffic of legitimate tenants by exploiting signature of the cloud service itself with the other environmental factors,and then the sensitive information contained in legitimate tenants traffic is guaranteed.Secondly,a traffic classification algorithm based on the k NN(k-nearest neighbors)is proposed to detect and identify for the filtered encrypted traffic and other unencrypted traffic,where five kinds of characteristics including flow median of packets per flow,flow median of bytes per flow,percentage of correlative flow,port growth rate and source IP growth rate are introduced to construct a Ball-tree data structure of characteristics.Finally,some experiments are conducted to evaluate the proposed method in the OpenStack cloud platform.The results suggest that our method can quickly detect the abnormal traffic or early traffic of DDoS attack and effectively protect the sensitive traffic information of legitimate users from the DDoS attack.