Proceedings ArticleDOI

Machine Learning Based Web-Traffic Analysis for Detection of Fraudulent Resource Consumption Attack in Cloud

TL;DR: This paper proposes a novel scheme for the detection of the FRC attack on a cloud based web-server by dividing the web-pages into a number of quantiles based on their popularity index and training an Artificial Neural Network model.
Abstract: Attackers can orchestrate a fraudulent resource consumption (FRC) attack by wittingly consuming metered resources of the cloud servers for a long duration of time. The skillful over-consumption of the resources results in significant financial burden to the client. These attacks differ in intent but not in content, hence they are hard to detect. In this paper, we propose a novel scheme for the detection of the FRC attack on a cloud based web-server. We first divide the web-pages into a number of quantiles based on their popularity index. Next, we compute the number of requests per hour for each of these quantiles. Discrete Wavelet Transform is then applied to these quantiles to remove any high-frequency anomaly and smoothen the time series data. The n-tuple data from these quantiles along with their label (attack or normal) is used to train an Artificial Neural Network model. Our trained model for low percent of FRC attack (5%) obtained an accuracy of 98.51% with a precision of 0.983 and recall of 0.987 in detecting the FRC attack.
CCS Concepts: • Security and privacy → Intrusion/anomaly detection and malware mitigation; • Computing methodologies → Supervised learning by classification.
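The feature-extraction steps described in the abstract (popularity quantiles, requests per hour per quantile, wavelet smoothing, one n-tuple per hour) are shown below as an added example; it is not the authors' code. It assumes popularity is the request count over a baseline window, equal-size rank quantiles, and a one-level Haar wavelet, none of which the abstract specifies; all function names and the sample records are constructed for illustration, and the classifier itself is not shown.

```python
from collections import Counter
import math

def popularity_quantiles(baseline_pages, k):
    """Map each page to a quantile 0..k-1 (0 = most popular) by request-count rank."""
    ranked = [p for p, _ in sorted(Counter(baseline_pages).items(),
                                   key=lambda kv: (-kv[1], kv[0]))]
    return {p: min(i * k // len(ranked), k - 1) for i, p in enumerate(ranked)}

def hourly_counts(records, page_q, k, hours):
    """records: (hour, page) pairs -> k time series of requests per hour."""
    series = [[0] * hours for _ in range(k)]
    for hour, page in records:
        # Pages unseen in the baseline go to the least popular quantile (assumption).
        series[page_q.get(page, k - 1)][hour] += 1
    return series

def haar_smooth(x):
    """One-level Haar DWT, drop the detail (high-frequency) band, inverse DWT."""
    if len(x) % 2:
        x = x + [x[-1]]                      # pad odd-length series with last sample
    s = math.sqrt(2)
    approx = [(x[i] + x[i + 1]) / s for i in range(0, len(x), 2)]
    detail = [0.0] * len(approx)             # high-frequency coefficients discarded
    out = []
    for a, d in zip(approx, detail):
        out += [(a + d) / s, (a - d) / s]
    return out

def feature_tuples(records, baseline_pages, k, hours):
    """Return one k-tuple of smoothed per-quantile request rates for every hour."""
    page_q = popularity_quantiles(baseline_pages, k)
    counts = hourly_counts(records, page_q, k, hours)
    smooth = [haar_smooth(s)[:hours] for s in counts]
    return [tuple(round(q[h], 6) for q in smooth) for h in range(hours)]

# Constructed sample (not data from the paper): baseline window and 4 hours of requests.
BASELINE = ["/home"] * 6 + ["/news"] * 4 + ["/about"] * 2 + ["/faq"]
RECORDS = ([(0, "/home")] * 4 + [(0, "/faq")] + [(1, "/news")] * 2 + [(1, "/about")]
           + [(2, "/home")] * 3 + [(2, "/faq")] * 4
           + [(3, "/news")] * 3 + [(3, "/about")] * 6)

if __name__ == "__main__":
    for hour, row in enumerate(feature_tuples(RECORDS, BASELINE, k=2, hours=4)):
        print(hour, row)   # each row is the n-tuple a labelled classifier would train on
```

In the constructed sample the popular quantile stays flat while the low-popularity quantile rises in hours 2 and 3, which is the kind of per-quantile shift the labelled tuples expose to a classifier.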
Citations
Journal ArticleDOI

[...]

01 Feb 2021
TL;DR: The proposed P-estimation detection scheme is able to detect attacks as low as 2% intensity and also delivers a mitigation and attribution technique to identify such attackers and block them.
Abstract: Fraudulent Resource Consumption (FRC) attacks can be synthesized by subtly consuming metered resources of the cloud servers over a sustained period of time. The objective of the attacker in such attacks is to exploit the utility pricing model by fraudulently consuming cloud resources. This skillful over-consumption of resources results in a considerable financial burden to the client. These attacks are characterized by low-intensity HTTP requests per hour, akin to requests by legitimate users. Hence, the attack requests differ in intent but not in content, which makes FRC attacks hard to detect. In this paper, we propose P-estimation detection scheme to effectively detect these attacks. This is accomplished by training several deep learning LSTM models based on the web server logs. An estimate of attack percentage is calculated and then used to deploy the appropriate detection model. This technique takes into account the dynamic nature of websites where the popularity of web pages can change with time, by retraining and updating the detection models periodically. To the best of the authors’ knowledge, this technique outperforms all the existing FRC detection techniques with a False Negative Rate (FNR) and False Positive Rate (FPR) of 0.0059% and 0.0% respectively. The proposed technique is able to detect attacks as low as 2% intensity. In addition to the detection scheme, this paper also delivers a mitigation and attribution technique to identify such attackers and block them.

2 citations

Journal ArticleDOI

[...]

TL;DR: The results show that the ARASD algorithm can achieve better resistance to resource-consuming attacks than other state-of-the-art algorithms in a large-scale edge computing architecture.
Abstract: With the rapid development of edge computing, a new paradigm has formed for providing the nearest end service close to the data source. However, insufficient supply of resources makes edge computing devices vulnerable to attacks, especially sensitive to resource-consuming attacks. This article first designs system function module, aiming to deal with resource-consuming attacks based on the general three-layer architecture of edge computing. Combined with the mean field game, an anti-attack model is designed to transform the security defense problem of large terminal-edge-cloud devices into the mean field countermeasure problem, and the self-organizing neural network is used to approximate the mean field coupling equation. On this basis, a distributed AI-driven resource-consuming attack security defense (ARASD) algorithm is designed to obtain the optimal solution for devices security interaction, thereby improving the system’s anti-attack ability. Finally, the effectiveness of the self-organizing neural network is verified through numerical simulation, and the parameters such as the number of initial terminal-edge-cloud devices and the number of iterations of different security defense algorithms are evaluated. The results show that the ARASD algorithm can achieve better resistance to resource-consuming attacks than other state-of-the-art algorithms in a large-scale edge computing architecture.

1 citation

Proceedings ArticleDOI

[...]

27 Jan 2021
TL;DR: In this article, a variety of data science techniques, including statistical, time series, and machine learning methods, are employed to detect FRC attacks in a cloud environment. None of these techniques is independently sufficient for detection in the authors' experiments due to characteristics of the data set used, and the authors summarize lessons learned from their research.
Abstract: Fraudulent resource consumption (FRC) attacks threaten the economic viability of cloud consumers. Detection of these attacks is difficult as they often blend in with normal traffic patterns although they can still cause dramatic financial consequences. We employ a variety of data science techniques to detect FRC attacks in a cloud environment. Statistical, time series, and machine learning methods all achieve various levels of success and, in some cases, failure at detection. Unfortunately, none of these techniques is independently sufficient for detection for our experiments due to characteristics of the data set we used, but we summarize lessons learned from our research.
References
Journal ArticleDOI

[...]

TL;DR: The complexity of ML/DM algorithms is addressed, discussion of challenges for using ML/DM for cyber security is presented, and some recommendations on when to use a given method are provided.
Abstract: This survey paper describes a focused literature survey of machine learning (ML) and data mining (DM) methods for cyber analytics in support of intrusion detection. Short tutorial descriptions of each ML/DM method are provided. Based on the number of citations or the relevance of an emerging method, papers representing each method were identified, read, and summarized. Because data are so important in ML/DM approaches, some well-known cyber data sets used in ML/DM are described. The complexity of ML/DM algorithms is addressed, discussion of challenges for using ML/DM for cyber security is presented, and some recommendations on when to use a given method are provided.

1,245 citations


"Machine Learning Based Web-Traffic ..." refers background in this paper

  • [...]

Journal ArticleDOI

[...]

TL;DR: This survey analyzes the design decisions in the Internet that have created the potential for denial of service attacks and the methods that have been proposed for defense against these attacks, and discusses potential countermeasures against each defense mechanism.
Abstract: This article presents a survey of denial of service attacks and the methods that have been proposed for defense against these attacks. In this survey, we analyze the design decisions in the Internet that have created the potential for denial of service attacks. We review the state-of-art mechanisms for defending against denial of service attacks, compare the strengths and weaknesses of each proposal, and discuss potential countermeasures against each defense mechanism. We conclude by highlighting opportunities for an integrated solution to solve the problem of distributed denial of service attacks.

710 citations


"Machine Learning Based Web-Traffic ..." refers methods in this paper

  • [...]

Journal ArticleDOI

[...]

TL;DR: In this article, several skill scores are defined, based on the mean-square-error measure of accuracy and alternative climatological standards of reference, each of which is shown to possess terms involving 1) the coefficient of correlation between the forecasts and observations, 2) a measure of the nonsystematic (i.e., conditional) bias in the forecast, and 3) the systematic bias in forecasts.
Abstract: Several skill scores are defined, based on the mean-square-error measure of accuracy and alternative climatological standards of reference. Decompositions of these skill scores are formulated, each of which is shown to possess terms involving 1) the coefficient of correlation between the forecasts and observations, 2) a measure of the nonsystematic (i.e., conditional) bias in the forecast, and 3) a measure of the systematic (i.e., unconditional) bias in the forecasts. Depending on the choice of standard of reference, a particular decomposition may also contain terms relating to the degree of association between the reference forecasts and the observations. These decompositions yield analytical relationships between the respective skill scores and the correlation coefficient, document fundamental deficiencies in the correlation coefficient as a measure of performance, and provide additional insight into basic characteristics of forecasting performance. Samples of operational precipitation probabil...

642 citations


"Machine Learning Based Web-Traffic ..." refers methods in this paper

  • [...]

Proceedings ArticleDOI

[...]

12 Nov 2002
TL;DR: D-WARD is proposed, a DDoS defense system deployed at source-end networks that autonomously detects and stops attacks originating from these networks that offers good service to legitimate traffic even during an attack, while effectively reducing DDoS traffic to a negligible level.
Abstract: Distributed denial-of-service (DDoS) attacks present an Internet-wide threat. We propose D-WARD, a DDoS defense system deployed at source-end networks that autonomously detects and stops attacks originating from these networks. Attacks are detected by the constant monitoring of two-way traffic flows between the network and the rest of the Internet and periodic comparison with normal flow models. Mismatching flows are rate-limited in proportion to their aggressiveness. D-WARD offers good service to legitimate traffic even during an attack, while effectively reducing DDoS traffic to a negligible level. A prototype of the system has been built in a Linux router. We show its effectiveness in various attack scenarios, discuss motivations for deployment, and describe associated costs.

480 citations


"Machine Learning Based Web-Traffic ..." refers methods in this paper

  • [...]

ReportDOI

[...]

13 Aug 2001
TL;DR: This work proposes a heuristic and a data-structure that network devices (such as routers) can use to detect (and eliminate) denial-of-service bandwidth attacks.
Abstract: A denial-of-service bandwidth attack is an attempt to disrupt an online service by generating a traffic overload that clogs links or causes routers near the victim to crash. We propose a heuristic and a data-structure that network devices (such as routers) can use to detect (and eliminate) such attacks. With our method, each network device maintains a data-structure, MULTOPS, that monitors certain traffic characteristics. MULTOPS (MUlti-Level Tree for Online Packet Statistics) is a tree of nodes that contains packet rate statistics for subnet prefixes at different aggregation levels. The tree expands and contracts within a fixed memory budget. A network device using MULTOPS detects ongoing bandwidth attacks by the significant, disproportional difference between packet rates going to and coming from the victim or the attacker. MULTOPS-equipped routing software running on an off-the-shelf 700 MHz Pentium III PC can process up to 340,000 packets per second.

397 citations


"Machine Learning Based Web-Traffic ..." refers methods in this paper

  • [...]