Ntxissacsc5 yellow 7 protecting the cloud with cep


NTXISSA Cyber Security Conference – November 10-11, 2017 @NTXISSA #NTXISSACSC5

Protecting the Cloud Computing Environment with CEP Shield against DDoS Attacks

Venkatesan Pillai (aka VP)

Cybersecurity Practitioner & Instructor

Way11 Consulting

11/10/2017


Bio

• Cybersecurity Practitioner & Instructor

• Specialized in Network Security, Data Security & Application Security

• Independent Technology Evaluator

• Cybersecurity Instructor @ Collin College

• Served as a member of the EC-Council review board

• Working group member of a healthcare cybersecurity group

2


Outline

• Introduction

• Problem

• Objectives

• Existing System

• Proposed System

• Implementation

• References

3


Introduction

• The cloud computing environment is the most popular business model adopted by organizations worldwide.

• As cloud deployment has increased in recent years, there has been a paradigm shift: attackers take advantage of cloud resources for unintended purposes.

• DDoS is one of the security attacks in the cloud that needs efficient detection and prevention mechanisms.

4


Top Cloud Threats

5


DDoS Targets

6

[Chart: share of DDoS targets, 45%, 23%, 14%; source: Q2 2016 DDoS Trends Report by Verisign]


DDoS Attacks

7

[Figure: DDoS attacks, 2013, 2015, 2016]


Problem

• The cloud environment is exposed to threats, and the security risk is very high when virtual machine patches are not applied frequently.

• Anomalies in the computing environment affect the normal functioning of cloud services.

8


Objectives

• Develop a DDoS detection system with high detection accuracy.

• Respond to the attack traffic with a fast response time.

9


DDoS Attack Taxonomy

• DDoS Attack
    • Bandwidth Depletion Attacks
        • Flood Attack
            • ICMP Attack
            • UDP Attack
                • Specified Port
                • Random Port
        • Amplification Attack
            • Smurf
            • Fraggle
            • Direct
            • Loop
    • Resource Depletion Attacks
        • Protocol Exploit Attack
            • TCP SYN
            • PUSH-ACK
        • Malformed Packet Attack
            • IP Address
            • IP Packet Options

10

B. Prabadevi and N. Jeyanthi, Distributed Denial of Service Attacks and its Effects in Cloud Environment: a Survey, IEEE, 2014


Cloud Attacks

11

Browser level attacks

1. Cache poisoning

2. Hidden field manipulation

3. SQL injection attacks

4. Man-in-middle attacks

5. Cloud malware injection attack

Application level attacks

1. Backdoor and debug options

2. CAPTCHA breaking

3. Google hacking

4. Cross site scripting attack

5. Hypervisor level attacks

6. Dictionary attack

Network level attacks

1. Sybil attack

2. BGP prefix hijacking

3. Port scanning

4. DNS attacks

5. Sniffer attacks

6. Amplification attack

7. Reflector attack

8. Smurf attack

9. Bandwidth attack

10. ICMP flood

Server level attacks

1. DoS attacks

2. DDoS attack

3. XML signature element wrapping

B. Prabadevi and N. Jeyanthi, Distributed Denial of Service Attacks and its Effects in Cloud Environment: a Survey, IEEE, 2014


Cloud Attacks

12

Attack Type | Definition | Detection/Prevention technique
VM level attacks | Vulnerabilities in the hypervisor | Advanced cloud protection system
Bandwidth attack | Consumes target resources | MULTOPS detects disproportional packets, both incoming and outgoing
ICMP flood | Variation of bandwidth due to ICMP packets | ScreenOS
Amplification attack | Induces the device to generate large responses | High performance OS, load balancer, rate limiting
Reflector attack | Third parties bounce the traffic from the attacker | Deterministic edge router marking


Cloud Attacks

13

Attack Type | Definition | Detection/Prevention technique
SMURF | ICMP echo requests used to generate DoS attacks | Ingress filtering
DNS attack | DNS server name poisoning | Radware carrier solution, DNS Security Extensions
BGP Prefix hijacking | A flawed announcement about the IP addresses in an Autonomous System (AS) is made | Autonomous security system
Port scanning | Due to open ports | Encrypted security ports; firewall against port attacks
Sniffer attack | Data loss by capturing sensitive data transferred over the transmission channel | Detection based on ARP and RTT


Cloud Attacks

14

Attack Type | Definition | Detection/Prevention technique
Issue of reused IP | Remains in the DNS cache memory at each insertion and when it is assigned to a new user | DNS cache cookies need to be cleared
Cookie poisoning | Impersonates the legitimate user | Encryption, Web application firewall
Hidden field manipulation | Retrieves contents in the hidden fields of a web page | Security policies and session token
SQL injection attacks | Malicious SQL query | Parametrized queries
Man-in-middle | Overhears the information in the communication channel | Encryption


Cloud Attacks

15

Attack Type | Definition | Detection/Prevention technique
Cloud malware injection attack | Malicious code in the cloud | Utilization of the file allocation table
Backdoor and debug options | Unauthorized use of the website in debug mode to hack the website | Should be disabled after use
CAPTCHA breaking | Audio system to track the CAPTCHA | Increase string length
Cross site scripting | Disguising the script in the URL | Active content filtering; content-based data leakage prevention
Dictionary attack | Possible word combinations for successful decryption of the data residing in/flowing over the network | Encryption, challenge-response system


Cloud Attacks

16

Attack Type | Definition | Detection/Prevention technique
Sybil attack | Malicious code in the cloud | Firewall
Google hijacking | Sensitive information exposed through Google search | Standard security
DoS | Number of requests that exceeds the server capacity | IDS
DDoS | DoS attack with multiple nodes | IDS
XML signature element wrapping | Hacker changes the message and signature value in the XML document | Digital signature


IP Spoofing

17

Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp.67-71, 2013


SYN Flooding

18

Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp.67-71, 2013


SMURF

19

Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp.67-71, 2013


Ping of Death

20

Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp.67-71, 2013


Land

21

Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp.67-71, 2013


Existing System

22

Type of Attack | External | Internal | Defense Mechanism | Disadvantages
IP Spoofing | | | Hop count filtering in PaaS | IP2HC table can be built by the attacker
IP Spoofing | | | Trust based in IaaS |
SYN Flooding | | | SYN cache in PaaS | Increased latency
SYN Flooding | | | SYN cookies in PaaS | Low performance of the cloud
SYN Flooding | | | Reduced time in SYN-Rx in PaaS | Possibility of legitimate packet dropping

Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp.67-71, 2013


Existing System

23

Type of Attack | External | Internal | Defense Mechanism | Disadvantages
SYN Flooding | | | Filtering in IaaS | Not reliable
SYN Flooding | | | Firewall in PaaS | Performance of the cloud is affected
SYN Flooding | | | Monitoring in IaaS | Possibility of legitimate packet dropping
SMURF | | | Configuring virtual machines in PaaS |
SMURF | | | Configuring network resources in IaaS |

Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp.67-71, 2013


Existing System

24

Type of Attack | External | Internal | Defense Mechanism | Disadvantages
Buffer overflow | | | Analysing static and dynamic code in SaaS | Time consumption
Buffer overflow | | | Array bound checking in SaaS |
Buffer overflow | | | Runtime instrumentation in SaaS |
Ping of death, Land, Teardrop | | | Layered filtering | Attack may propagate to other layers if it is unnoticed in the previous layers

Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, Cloud-based DDoS Attacks and Defenses, IEEE, pp.67-71, 2013


Complex Event Processing

25

• Complex event processing, or CEP, is an event processing method that combines information from multiple sources to understand an event or a pattern of events.

• In networked systems, the event correlation technique analyses very large volumes of events and detects attacks through event patterns.

• CEP can link low-level events of low significance to high-level events of high criticality.

• CEP is the aggregation of multiple simple events into a complex event.

[Figure: Event → CEP → Action]


Complex Event Processing

26

[Diagram: Event Sources (system, processes and sensors) → CEP Engine → Event Output (alerts and triggered actions)]

CEP Query:

Select src.IP and dest.IP where pkt.cnt > threshold  # window time 30s


CEP Applications

• Monitoring and security

• Object and Inventory tracking

• Financial Trading

• Fraud detection

27


Proposed System

28

[Architecture diagram: Event Sources → Event Tracking → Event Detection → Event Processing; supported by Prediction Analysis, Statistical Data, Event Patterns and a Knowledge Base; results shown in a GUI]


Proposed System

• Cloud Dataset: A cloud environment is used to generate DDoS attack traffic, with selected virtual machines installed with DDoS attack tools sending flooding packets against a target.

• DDoS Detection: Traffic parameters such as source address, source port, protocol, destination address and destination port are fed into the CEP engine to classify attack and legitimate sources.

• DDoS Response: The alerts contain the source IPs that need to be blocked immediately. The block list is passed to the attack response system to block the attack traffic.
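As an added example (not code from the slides or from the Esper-based implementation), the sliding-window rule on the CEP Query slide and the detection/response flow above, written in plain Python: packets are counted per (source, destination) over a 30 s window, a count above the threshold raises an alert, and alerting sources go onto the block list handed to the response system. The threshold value, the event field names and the traffic are assumptions constructed for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 30   # "#window time 30s" from the CEP Query slide
THRESHOLD = 20        # pkt.cnt > threshold; the value is an assumption


class FloodDetector:
    """Sliding-window packet counter keyed on (src, dst), mirroring the
    slide's query: select src.IP, dest.IP where pkt.cnt > threshold."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.hits = defaultdict(deque)   # (src, dst) -> timestamps in window
        self.alerted = {}                # (src, dst) -> time of last alert
        self.block_list = set()          # sources handed to the response system

    def on_packet(self, pkt):
        """Consume one packet event; return an alert dict or None."""
        key = (pkt["src"], pkt["dst"])
        q = self.hits[key]
        q.append(pkt["ts"])
        while q and pkt["ts"] - q[0] > self.window:   # expire old events
            q.popleft()
        if len(q) > self.threshold:
            last = self.alerted.get(key)
            if last is None or pkt["ts"] - last > self.window:  # one alert per window
                self.alerted[key] = pkt["ts"]
                self.block_list.add(pkt["src"])
                return {"src": pkt["src"], "dst": pkt["dst"],
                        "count": len(q), "ts": pkt["ts"]}
        return None


def run(events, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Feed a time-ordered event stream; return (alerts, sorted block list)."""
    det = FloodDetector(threshold, window)
    alerts = [a for a in (det.on_packet(e) for e in events) if a]
    return alerts, sorted(det.block_list)


def sample_events():
    """Constructed traffic (not captured data): one flooder, one bursty host
    whose bursts are wider apart than the window, and one normal client."""
    target = "10.0.0.10"
    ev = [{"ts": t * 0.25, "src": "203.0.113.5", "dst": target, "proto": "UDP"}
          for t in range(40)]                                   # 40 pkts in 10 s
    ev += [{"ts": t, "src": "198.51.100.7", "dst": target, "proto": "TCP"}
           for t in list(range(15)) + list(range(60, 75))]      # 15 + 15, 60 s apart
    ev += [{"ts": t * 5.0, "src": "192.0.2.9", "dst": target, "proto": "TCP"}
           for t in range(5)]                                   # 5 pkts in 20 s
    return sorted(ev, key=lambda e: e["ts"])
```

Only the flooder crosses the threshold inside one window; the bursty host never does, because its first burst has already expired when the second arrives.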

29


Implementation

• OpenStack Cloud

• Esper engine

• Machine learning algorithms

30


Metrics

• Memory usage

• CPU utilization

• Bandwidth

• Response time

• Availability

31


Future Directions

• Collaborative detection system for DDoS attacks using learning algorithms

32


References

• https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf

• https://blog.verisign.com/security/verisign-q2-2016-ddos-trends-layer-7-ddos-attacks-a-growing-trend/

• http://www.datacenterdynamics.com/content-tracks/security-risk/major-ddos-attack-on-dyn-disrupts-aws-twitter-spotify-and-more/97176.fullarticle

• https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

• http://www.theregister.co.uk/2015/12/17/hackers_threaten_xbox_live_psn

• http://www.darkreading.com/attacks-breaches/wave-of-ddos-attacks-down-cloud-based-services/d/d-id/1269614, November 6, 2014.

33


References

• http://www.infosecurity-magazine.com/news/ddos-ers-launch-attacks-from-amazon-ec2/

• https://blogs.microsoft.com/cybertrust/2014/02/06/threats-in-the-cloud-part-2-distributed-denial-of-service-attacks/

• http://www.darkreading.com/attacks-and-breaches/bank-attackers-restart-operation-ababil-ddos-disruptions/d/d-id/1108955?

34


Contact

Email: Venkatesan.P@Outlook.com

www.linkedin.com/in/venkatesanpillai/

35


36

Thank you