DDoS defence for service availability in cloud computing

Doctoral Thesis

University of Cape Town

Cloud computing presents a convenient way of accessing services, resources and applications over the Internet, shifting the focus of industries and organizations away from the deployment and day-to-day running of their own IT facilities and towards an on-demand, self-service, pay-as-you-go business model. Despite its increased popularity, ensuring the security and availability of data, resources and services remains an ongoing research challenge. Distributed Denial of Service (DDoS) attacks are not a new threat, but they remain a major obstacle to achieving secure and guaranteed services and resources in cloud computing. Mitigating DDoS attacks in cloud computing adds a new dimension to the solutions proffered in traditional computing; this work therefore proposes DDoS defence solutions that identify and classify packet traffic as either legitimate or malicious, based on its attributes. This thesis has three objectives. Firstly, it investigates a major attribute of DDoS attacks: the spoofing of the source IP address, which hides the attacker's identity to prevent easy traceback, or deceives the cloud provider into granting services reserved for a trusted host. Secondly, because of the increased number and sophistication of DDoS attacks against cloud services and the magnitude of traffic that needs to be processed, an analysis of feature selection methods and classification techniques was carried out. Feature selection has been identified as a pre-processing phase in cloud DDoS attack defence that could potentially increase classification accuracy and reduce computational complexity, by identifying the important features of the original dataset during supervised learning. Finally, this thesis studies the packet inter-arrival time (IAT) feature of traffic traces in order to determine the presence of an attack using change-point detection. The DDoS attack pattern is detected by leveraging the fact that most DDoS attacks are automated and thus exhibit similar patterns.
The main contributions are as follows: (i) this thesis proposes an IP spoofing detection technique that uses passive and active host-based operating system (OS) fingerprinting to detect the true source of a packet during a spoofed DDoS attack; (ii) this thesis proposes an ensemble-based multi-filter feature selection (EMFFS) method that combines the output of four filter methods to achieve an optimum selection, together with a decision-tree classifier to detect DDoS attacks; and (iii) this thesis proposes a change-point monitoring algorithm to detect DDoS flooding attacks against cloud services by examining the packet IAT. A DDoS attack pattern is distinguished from normal traffic by using the cumulative sum (CUSUM) algorithm. The results obtained show a high detection rate and classification accuracy when compared with other classification techniques in the literature.
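The third contribution, change-point detection over packet IAT with CUSUM, is illustrated below with an added example that is not the thesis's own code. The traffic (200 normal packets jittering around 100 ms apart, then 100 flood packets 1 ms apart), the baseline window, and the CUSUM slack k and threshold h are constructed assumptions.

```python
"""Added example: one-sided CUSUM change-point detection over packet
inter-arrival times (IAT). Not the thesis's code; traffic and constants are constructed."""
from __future__ import annotations
from typing import Optional, Sequence


def inter_arrival_times(timestamps: Sequence[float]) -> list[float]:
    """IAT series: gap between each packet and the one before it (seconds)."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def cusum_detect(iats: Sequence[float], baseline_n: int,
                 k: float = 0.5, h: float = 5.0) -> Optional[int]:
    """Flag a sustained DROP in IAT, i.e. a packet flood.

    mu and sigma are estimated from the first baseline_n samples, which are
    assumed attack-free. Each sample's standardized shortfall below mu, less
    the slack k, is accumulated: S_t = max(0, S_{t-1} + (mu - x_t)/sigma - k).
    Returns the index of the first sample where S_t > h, or None if no
    change point is detected. Normal jitter decays back to 0; a sustained
    shift accumulates until it crosses h.
    """
    base = list(iats[:baseline_n])
    mu = sum(base) / len(base)
    sigma = (sum((x - mu) ** 2 for x in base) / len(base)) ** 0.5
    sigma = max(sigma, 1e-9)  # a constant baseline would otherwise divide by zero
    s = 0.0
    for t, x in enumerate(iats):
        s = max(0.0, s + (mu - x) / sigma - k)
        if s > h:
            return t
    return None


def timestamps_from_iats(iats: Sequence[float], start: float = 0.0) -> list[float]:
    """Rebuild absolute arrival times from an IAT sequence (first packet at `start`)."""
    ts = [start]
    for gap in iats:
        ts.append(ts[-1] + gap)
    return ts


# Constructed traffic: normal IATs jitter around 100 ms; the flood arrives 1 ms apart.
NORMAL_IATS = [0.08, 0.10, 0.12, 0.10] * 50
FLOOD_IATS = [0.001] * 100


def run_demo() -> tuple[Optional[int], Optional[int]]:
    """Return (alarm index on the normal-only trace, alarm index on normal + flood)."""
    quiet = inter_arrival_times(timestamps_from_iats(NORMAL_IATS))
    attacked = inter_arrival_times(timestamps_from_iats(NORMAL_IATS + FLOOD_IATS))
    return cusum_detect(quiet, baseline_n=200), cusum_detect(attacked, baseline_n=200)


if __name__ == "__main__":
    print(run_demo())  # (None, 200): alarm on the first flood-rate IAT
```

With the constructed rates the shift is so large that the alarm fires on the first flood sample; a subtler rate change would instead accumulate over several samples before crossing h, which is where CUSUM outperforms a per-packet threshold.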