Conference PaperPDF Available

Detecting Workload-based and Instantiation-based Economic Denial of Sustainability on 5G environments


Abstract and Figures

This paper reviews the Economic Denial of Sustainability (EDoS) problem in emerging network scenarios. The performed research studied them in context of adaptive approaches grounded on self-organizing networks (SON) and Network Function Virtualization (NFV). In particular, two novel threats were reviewed in depth: Workload-based EDoS (W-EDoS) and Instantiation-based EDoS (I-EDoS). With the aim to contribute to their mitigation a security architecture with network-based intrusion detection capabilities is proposed. This architecture implements machine learning techniques, network behaviour prediction, adaptive thresholding methods, and productivity-based clustering for detecting entropy-based anomalies based on the observed workload (W-EDoS) or suspicious variations of the productivity observed at the virtual instances (I-EDoS). A detailed experimentation has been conducted considering different calibration parameters under different network scenarios, on which the security architecture has been assessed. The results have proven good accuracy levels, hence demonstrating the proposal effectiveness.
Content may be subject to copyright.
Detecting Workload-based and Instantiation-based Economic
Denial of Sustainability on 5G environments
Jorge Maestre Vidal, Marco Antonio Sotelo Monge, Luis Javier García Villalba
Department of Software Engineering and Articial Intelligence
School of Computer Science, Complutense University of Madrid
C/ Prof. José García Santesmases, 9, Ciudad Universitaria, 28040, Madrid, Spain
This paper reviews the Economic Denial of Sustainability (EDoS)
problem in emerging network scenarios. The performed research
studied them in context of adaptive approaches grounded on self-
organizing networks (SON) and Network Function Virtualization
(NFV). In particular, two novel threats were reviewed in depth:
Workload-based EDoS (W-EDoS) and Instantiation-based EDoS (I-
EDoS). With the aim to contribute to their mitigation a security
architecture with network-based intrusion detection capabilities
is proposed. This architecture implements machine learning tech-
niques, network behaviour prediction, adaptive thresholding meth-
ods, and productivity-based clustering for detecting entropy-based
anomalies based on the observed workload (W-EDoS) or suspicious
variations of the productivity observed at the virtual instances (I-
EDoS). A detailed experimentation has been conducted considering
dierent calibration parameters under dierent network scenarios,
on which the security architecture has been assessed. The results
have proven good accuracy levels, hence demonstrating the pro-
posal eectiveness.
Network management; Cloud Computing;
rity and privacy Network Security;
Economical denial of sustainability, information security, intrusion
detection systems, network function virtualization, self-organizing
The complexity and sophistication of emerging network architec-
tures has noticeably increased and nowdays, they demand more
agile, robust and eective network management paradigms, were
their scalability is mandatory. In the last years, 5G networks have
emerged as a promising technology towards the fulllment of the
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for prot or commercial advantage and that copies bear this notice and the full citation
on the rst page. Copyrights for components of this work owned by others than the
author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or
republish, to post on servers or to redistribute to lists, requires prior specic permission
and/or a fee. Request permissions from
ARES 2018, August 27–30, 2018, Hamburg, Germany
©2018 Copyright held by the owner/author(s). Publication rights licensed to ACM.
ACM ISBN 978-1-4503-6448-5/18/08.. .$15.00
challenging requirements posed by the current and future commu-
nication scenarios [
]. They have motivated a smart integration
of innovative communication network solutions, such as Network
Function Virtualization (NFV), cloud computing, Software Dened
Networking (SDN), articial intelligence, Self-Organizing Networks
(SON), among others. In particular, the suitable combination of SDN
and SON is considered one of the most relevant to accomplish the
5G Key Performance Indicators (KPI) [
]. Because of this, recent
5G projects have been integrating such technologies to incorporate
cognitive capabilities for the inference of the network status, thus
enhancing the autonomic management capacity [
] when dealing
with heterogeneous network environments [
]. A clear example of
this is observed in the SELFNET project [
], where a 5G-oriented
framework for self-organizing management is proposed.
The research introduced in this paper is thereby focused on SON-
networks as promising solutions for fullling the aforementioned
challenges. Originally, SON networks were proposed as a response
to address the problem of LTE mobile network eciency [
], being
consequently standardized by the Third Generation Partnership
Project (3GPP) on which their capability to reduce operational costs
by automation is remarked [
]. In this way, SON poses a transition
from traditional management paradigms where human intervention
is mandatory (open-loop) towards a fully automated model (closed-
loop). Another important topic of this research is the role of cloud
computing in the SON context, which has allowed the virtualization
of network functions aimed to address scalability issues of network
infrastructures [
], which in the meantime yields the reduction
of costs in the deployment of sensors and actuators involved at
SON. That network elasticity is orchestrated through auto-scaling
policies, which expose vulnerabilities that can be exploited by an
attacker with the aim to produce an economical overspending of
the target victims, hence making a cloud service unsustainable [
This eect is known as Economical Denial of Sustainability (EDoS),
and it poses security threats which have not been reviewed in
depth by the research community, being frequently confused with
ooding-based or complexity-based Denial of Service (DoS) attacks.
EDoS threats have gained sophistication with the expansion of the
next generation technologies, hence demanding the deployment
of detection strategies toward their mitigation [
]. The research
presented throughout this paper contributes with an in-depth re-
view of the EDoS problem in conventional cloud infrastructures
and their adaptation to self-organizing scenarios. It has entailed
the distinction of two main threats: EDoS based on the exploitation
of the network elements workload (W-EDoS), and EDoS based on
fraudulent instantiation of virtualized network functions (I-EDoS).
It is also proposed a multilayered architecture compatible with the
] model for their detection, which combines machine
learning techniques, prediction methods and clustering algorithms.
The eectiveness of the detection strategy has been assessed in a
real SON environment, which has exposed promising preliminary
This paper is divided into seven sections, being the present intro-
duction the rst of them. Section II reviews the state of the art about
EDoS attacks related with SON environments and the proposals for
their mitigation. Section III denes the W-EDoS and I-EDoS attacks
and their characterization. In section IV, the proposed approach for
detecting EDoS threats is introduced. Section V describes the evalu-
ation methodology conducted throughout the experimentation. In
section VI the experimental results are discussed. Finally, Section
VII presents the conclusions and highlights the future research
This section describes the main characteristics of EDoS attacks,
and the eorts proposed by the research community towards their
2.1 Economical Denial of Sustainability
The expression Economical Denial of Sustainability was coined by C.
Ho in 2008 [
] [
] to describe attacks originally targeted against
cloud computing platforms, in which the intruder has the goal to
fraudulently increase the economic expenditures derived from the
maintenance of the hosted cloud services. Therefore, their main
consequence is to aect the economic viability in the wake of higher
expenses, which can motivate either the migration to other cloud
provider or, even worse, the service unsustainability. Interested in
this new threat, R. Cohen [
] extended its denition pointing out
the exploitation of vulnerabilities of self-scaling processes as the
most implemented procedures to achieve the aforementioned fraud,
an approach that nowadays is mainly supported by the research
community. Although EDoS introduces a new paradigm of intru-
sion inherent in emerging network technologies, it has drawn the
attention of dierent organizations for information security, which
usually refer to EDoS as Reduction of Quality (RoQ) [
] attacks or
Fraudulent Resource Consumption (FCR) [
] threats that typically
take advantage of the payment-for-service solutions oered by the
cloud computing suppliers [
]. These threats usually try to go
unnoticed by monitoring elements via registering consumption dis-
tributions and requests that resemble those of normal and legitimate
clients [
] [
]. Therefore, it is common to undertake the intrusion
by requesting computationally expensive requests [
]. This also
poses a representative dierence with events of legitimate nature
capable of jeopardizing the availability of the protected system,
such as the massive access of legitimate users to the hired services,
commonly referred as ash crowds [
]. At the present time, there
are dierent techniques to perpetrate EDoS threats, for example,
by requesting large les or costly queries to databases [
requests linked from XML content [
], or by exploiting specic
vulnerabilities of the web service platforms [
]. In addition
to causing an economic impact, EDoS attacks potentially lead to
other secondary risks. G. Sonami et al. [
] reviewed this problem
by pointing out dierent collateral damages, which vary depending
on the role of each actor in a cloud computing deployment. For
example, the provider tends to lose reputation while customers
decide to contract cheaper services to rival enterprises. Clients also
may pay an excessive amount of money for services that they were
not using. These threats also may aect the operational capacity of
the services at the dierent information processing layers that sup-
port them, this being the case of infrastructure, network function
virtualization or multitenacy [9][35].
2.2 Countermeasures
Despite the growing relevance of the EDoS threat at the emerging
networking landscape, the bibliography does not provide an exten-
sive number of publications that address the challenges it poses.
They usually describe solutions based on analyzing network-level
metrics typical on ooding-based denial of service recognition.
In order to facilitate their understanding, the contributions are
classied as they are classical organized at the research related to
conventional DDoS defense [
]: detection, mitigation/prevention,
and source identication.
Detection. The publications at this eld aim on identifying the
EDoS attacks. A signicant portion of them analyzed local-level
metrics for modeling the resource consumption and self-scaling
processes of the monitored environment [
]. Other publications
lie on studying network-level data [
] and the browsing habits of
the clients [
]. Note that although the research focused on local
metrics has proven to be eective by best tting the denition
of EDoS attacks proposed by Ho [
] [
], the network-based
solutions are able to take advantage of the state-of-the-art about
ooding-based DDoS and the emerging communication paradigms.
Mitigation and Prevention. The contributions towards EDoS mit-
igation trend to focus on increasing the restriction level of the
protected system through access control techniques. Turing tests
based on image recognition [
] or resolution of cryptographic
puzzles [
] are usually the most commonly applied methods. In
contrast to the detection techniques, they do not require the pre-
vious identication of the threat, but their deployment usually
penalizes the user Quality of Service or the operational expenditure.
It worth emphasizing that most of the proposals categorized as
mitigation solutions can be implemented as prevention measures,
hence ignoring previous threat identication stages.
Source Identication. Finally, the research that aims on discov-
ering the origin of EDoS situations attempts to track the attacker.
Because of the complexity that this challenge implies, the scope
of identifying the threat source is often reduced to get as close as
possible to the attacker. The bibliography related with the defense
against DDoS serves to this purpose [
], being worth to highlight
among the previous publications those based on analyzing error
messages [
], honeypot deployment [
] and packet marking [
Ho [
] pointed out the great similarity that EDoS activities
present with respect to the legitimate trac. It is then assumable
that, in the context of a client-server architecture, that similarity
is expressed in terms of the set of clients and the requests they
generated, thus taking into account their number, distribution over
time and computational complexity. These traits characterize both
Cloud deploymentCloud deployment
... Client Request s
Clients (C)
... Client Request s
Clients (C)
Scale up
Figure 1: Auto-scaling triggered by W-EDoS
Cloud deployment
Cloud deployment
... Requests
Clients (C)
... Requests
Clients (C)
LB Scale out
Productivity: Optimal Medium Lazy
Figure 2: Auto-scaling triggered by I-EDoS
normal and EDoS situations, consequently being assumed through-
out the performed research. The following subsections dene each
type of attack, its characterization and impact on the cost model.
3.1 W-EDoS: Workload-based EDoS
An attack of Economic Denial of Sustainability based on Workload
(W-EDoS) is characterized by the execution of operations of high
computational cost in the virtual instances hosted on a cloud com-
puting provider. They are executed at server-side, thus generating a
high workload in response to seemingly legitimate client requests.
Under this premise, the existence of a W-EDoS attack is assumed
when a monitored network environment presents conditions of
similarity with legitimate network trac, but where the average
workload per request is signicantly greater in terms of quantity
and distribution. Fig. 1 shows a representation of a W-EDoS attempt
launched on an instantiated VNF. The eect of the W-EDoS attack is
to force the SON management layer to scale the instantiated VNFs
vertically or horizontally, hence implying to waste additional com-
putational resources (computation, storage, etc.) hired by payment
per use policies, which causes negative eects in the economic
sustainability of the oered services they support.
3.2 I-EDoS: Instantiation-based EDoS
An attack of Economic Denial of Sustainability based on Instanti-
ation (I-EDoS) is characterized by the exploitation of some exist-
ing vulnerability either in the cloud service platform or in virtual
functions, that leads to the automatic creation of additional VNF
instances in one or several points of the network. In this way, an
increase in the number of deployed instances is observed. Note that
their average productivity is typically considerably lower, since
their deployment would not have been necessary under legitimate
circumstances. Therefore, the existence of an I-EDoS attack is as-
sumed when a monitored network environment displays conditions
of similarity with legitimate network trac; but with a signicant
increase in the number and distribution of virtual instances, as well
as a decrease in their average productivity. Fig. 2 shows a graphic
representation of an I-EDoS attack in which the cloud service plat-
form exposes a vulnerability that triggers the creation of additional
virtual instances with dierent degree of productivity. The group of
unproductive instances was fraudulent instantiated by the attacker,
which causes extra costs derived by the time they remain in execu-
tion and their resource consumption, in this way jeopardizing the
economic sustainability of the oered services.
The performed research aimed on distinguishing legitimate situa-
tions from those related to EDoS attacks in self-organized scenarios.
The following describes its design principles, architecture, and the
EDoS threat discovery approach.
4.1 Design Principles
Thorough this section the requirements, assumptions and limita-
tions (scope) of the performed research are detailed, which are
enumerated as follows:
The architecture must be capable of detecting W-EDoS and
I-EDoS attacks assuming the characteristics described in the
previous section, in this way distinguishing them from legit-
imate activities (typied as normal trac and ash crowds).
The detection of conventional ooding-based DoS attacks is
beyond the scope of the performed research.
The non-stationarity inherent to the emerging monitoring
environments is assumed [14].
For simplicity and facilitating the understanding of the pro-
posal, the attacks based on mimicry or identity theft [
weaponized for avoiding the proposed EDoS detection ap-
proach are not studied.
The Self-Organized Networks pose complex monitoring sce-
narios in which a large number of sensors collects infor-
mation about the state of the network in real time. This
information should be aggregated into observations that can
be treated by high-level analytical tools. Although in the
experimentation the impact of the data granularity is briey
discussed, the introduction of methods for data granularity
calibration is postponed for future investigation.
The correlation and management of the discovered incidents
] are beyond the scope of this publication. However, it is
assumed that the acquired knowledge must be notied to
the security management layers.
4.2 Architecture
Fig. 3 illustrates the proposed architecture, which was designed in
accordance with the most widely accepted framework for Network
Function Virtualization (ETSI-NFV) and next generation networks
(5G) [
]. Accordingly, the data decoupling and data plane man-
agement make possible the distinction of the dierent functional
layers. The Virtualization Layer is executed on the Physical Layer
commonly implemented with Commercial-O-The-Shelf (COTS)
hardware. At a higher level, the Cloud Layer manages the auto-
matic instantiation of Virtual Network Functions (VNFs) through
interaction with the Virtualization Layer, which is responsible for
providing the requested resources. The deployed Cloud environ-
ment interconnects VNFs through the underlying virtual network
composing one or more Network Services (NS) accessible to users.
It is also assumed that the Cloud Layer has the ability to extract
monitoring metrics, which are subsequently analyzed in the SON
Autonomic layer in the following steps:
Data collection. In SON environments the sensors (S) play an im-
portant role by monitoring custom metrics at the application-level,
such as response times, memory consumption per process, NFV
instances productivity, etc. Likewise, cloud computing platforms
dispose of monitoring tools (e.g. Ceilometer [
]) capable of oer-
ing a signicant number of metrics related to the usage mode of
the network and the performance of the instantiated resources; e.g.
CPU or memory consumption, latency, etc. In this way, the archi-
tecture collects information from both sensors (ALM) and cloud
platform (VIFM).
Data Aggregation. The high volume of data generated by the
monitoring tasks requires to run periodic aggregation procedures
while generate time series able to be handled by the analytic com-
ponents, by this approach being empowered their projection to
future observations. At application-level, this is achieved through
the Feature Extraction (FE), which implements at least the methods
involved in EDoS detection described in the forthcoming sections,
for example, the measurement of the data disorder by entropy anal-
ysis. On the other hand, the metrics directly gathered from the
cloud computing platform are extracted and added (VRA) through
queries to the API of the monitoring tool. In both cases, the granu-
larity of the time series is determined by the periodicity with which
the aggregation operations are executed.
EDoS Detection. The discovery of EDoS situations is addressed
by the analytics and decision-making stages. In this framework, the
rst of them allows the inference of predictive models (MD) applied
to time series of aggregated metrics, which results are considered
for building prediction intervals (AT) based on the estimated error
per observation. Consequently, unexpected behaviors are deduced
when the observations are outside the prediction interval. Besides
that, groups of instances based on the similarity (SM) observed at
their productivity indicators are clustered, thus giving rise to the
identication of groups with low productivity potentially related
with I-EDoS situations. At decision-making stage, the analyzed
data is taken into account to create inference rules designed to
detect anomalies (AD) that reect the presence of an EDoS threat,
hence assuming as factual knowledge the information directly gath-
ered from the monitored environment or acquired by the previous
analytical steps.
Notication. The inferred conclusions are notied as possible
EDoS situations. They serve the purpose of avoiding the creation
of instances whose fraudulent origin generates surcharges derived
from their usage.
4.3 W-EDoS detection
The following details the W-EDoS detection metrics and the ana-
lytical processes this task involves:
W-EDoS metrics. According to the W-EDoS denition, this type of
attacks maintains a condition of network similarity with the normal
and legitimate usage model but displaying signicant variations
in terms of VNF workload. Because if this, the detection strategy
considers the CPU consumption (
) and the response time at
application level (
) as W-EDoS indicators. It is important to
clarify that the rst of them measures the CPU consumption at
operating system level, while the second measures the total time
required to process each request at server-side. With the motivation
of discovering unexpected behaviors, the rst performed step is
to analyze the variations in
, which is achieved by studying
their disorder degree in xed time intervals. The reviewed literature
suggests the correlation of these observations in terms of entropy
], as commonly accepted for classical DDoS recognition.
As indicated by Bhuyan et al. [
], the entropy dened by Rènyi pro-
vides a general-purpose solution particularly eective at this type
of problems. It is dened by
Hα(Xapp )
in the following equation,
being αthe entropy order, α0and α,1.
Hα(Xapp )=1
is the random variable with n possible outcomes and cor-
with (i = 1,2,...,n) probabilities. For experimental
purposes, the normalized solution
Hα(Xapp )/log n
is considered.
Note that if
1, the particular case is observed in which the
Rènyi entropy coincides with that of Shannon. The successive mea-
surements of entropy give rise to the creation of the time series:
Hα(xapp )t=0,Hα(xapp )t=1,· · · ,Hα(xapp )t=n(2)
and the CPU consumption indicators expressed as the time series:
(xcpu )t=0,(xcp u )t=1,· · · ,(xcpu )t=n(3)
The rest of analytical steps to detect W-EDoS are the same for
. Henceforth,
is used to refer indistinctly to any of them.
Unexpected behaviors derived from W-EDoS. The proposed detec-
tion method lies on deciding whether the estimation
at time
diers signicantly from
. This requires predicting
time series of variable
in a predetermined horizon, which allows
comparing the forecasted values with the actual observations. The
Double Exponential Smoothing (DES)predictive algorithm has been
implemented, because it reduces the adaptation time by requiring
shorter time series for data modeling, in this way outperforming
autoregressive solutions as ARIMA [34]. Its adjustment parameters
are auto-calibrated as described in [
] but instead of inferring
variations with respect to the estimated points, prediction intervals
are constructed as suggested in [
]. They are expressed consider-
ing the prediction error
based on the Mahalanobis distance at
particularly when t=m, according to the following equation:
SON-Autonomic Layer
Network Physical Infrastructure
Data collection Data Aggregation
Tenant X Tenant Y
level Monitor
(VIFM) Virtual Resource
Aggregation (VRA)
Feature Extraction
EDoS Detection
Thresholding (AT)
Similarity (SM)
detection (AD)
Cloud services
Analytics Decision-Making
Virtualization Engine
Figure 3: SON Architecture for EDoS detection
The Prediction Interval (PI) is expressed as follows:
PI =xt=n±ηpσ2(ϵt)(5)
is the variance of the prediction error
. Consequently,
and its prediction
at horizon
, the observation
is considered a workload-based unexpected behavior if
, i.e. when
dier signicative. Since
is a variable independent from
, the proposal assumes
that each
unexpected observation at both
unmask a potential W-EDoS threat if
displays increasing
trend, in this case reporting a W-EDoS incident.
4.4 I-EDoS detection
The I-EDoS detection metrics and the adopted analytical procedure
are described below:
I-EDoS metrics. The I-EDoS threat preserves a condition of net-
work similarity with the normal and legitimate usage model. How-
ever, and as previously indicated, these attacks are characterized by
the appearance of new instances, which causes a direct relationship
between the new NFVs deployment and their low productivity. Con-
sequently, two metrics are mainly taken into account for I-EDoS
detection: the number of VNFs instantiated per observation (
and their productivity (
), where
is the set
Z={z1· · · zY,Y
that denes the productivity of the dierent virtual instances of
the observation at
. In analogy to the proposed solution for W-
EDoS detection, they are monitored over time, hence leading to the
generation of the following time series:
Yt=0,Yt=1,· · · ,Yt=n;(Yn
Zt=0,Zt=1,· · · ,Zt=n;(Zn
where an observation at
is suspicious when
a signicant increase and
Zt={z1,· · · ,zY(t)}
contains a group of
VNFs instances with clear low productivity, which is referred as lazy
group. They are suspicious of deriving in an additional resource
consumption and empowering the anomalous raising of Yt.
Unexpected behaviors derived from I-EDoS. As in W-EDoS attack
detection, at I-EDoS situations there is a signicant increase in
the number of instances
when for a time horizon
the calcu-
lated error between its forecasted value
and its observation
falls outside the previously dened prediction interval (
When an auto-scaling action has triggered the creation of new
VNFs instances with productivity
Zt={z1,· · · ,zYt}
it is possi-
ble to assess if part of them are involved in an I-EDoS attack by
applying a density-based clustering; in the solution implemented
at the performed experimentation, this method is particularized
through a Density-Based Spatial Clustering of Applications with
Noise (DBSCAN) algorithm [
]. This approach considers the exis-
tence of groups of observations based on the density of its closest
K-neighbors. The observations that are not reachable within the
same group are considered outliers [
]. DBSCAN has been cho-
sen because it is tolerant to noise and does not require previous
estimation of the number of groups, being congured at the experi-
mentation by an heuristic approach recommended in [
is executed per set of productivity values
Zt={z1,· · · ,zYt}
, and
the result is a set of
clusters represented by
Ct={c1,· · · ,ck}
Zt={z1,· · · ,zYt}
the set of productivity measures at the in-
stances in
classied as
Ct={c1,· · · ,ck}
0and ordered
s(Ct)=[c1,· · · ,cK]
, there is an I-EDoS based unexpected be-
havior (labeled as possible I-EDoS at
) when a signicant growth
at the time of creation of the VNFs instances belonging to
observed, where c1is the least productivity (lazy) group of VNFs.
This section presents the network environment where the EDoS
detection approach has been evaluated. The Cloud Layer and related
SON components are described below.
5.1 Testbed
Fig 3. illustrates the experimental testbed where the Cloud Layer
has been implemented with Openstack [
]. It has been deployed in
two servers: Controller and Compute. The Controller server hosts
the network service (Neutron), and the Compute node provides
orchestration (Heat), clustering (Senlin) and telemetry (Ceilome-
ter) services; on which the auto-scaling policies are supported. All
Openstack services are communicated via RabbitMQ message ex-
change buses. On the other hand, the processing stages of the SON
autonomic layer combine custom implementations and open source
tools. Thus, the Collection node periodically fetches the response
times calculated per instance; whereas the metrics related with
the instantiated VNFs are gathered by Ceilometer. Then, data ag-
gregation functions are applied, rstly aiming on calculating the
entropy from data of the central node; and secondly, by queryng
the Ceilometer API for obtaining the average CPU consumption of
the instantiated VNFs per observation. The time series feed the al-
gorithms implemented for the detection stage. The acquired factual
knowledge is analyzed by production rules congured in Drools
with the aim of inferring unexpected behaviors labeled as potential
EDoS situations [38].
5.2 W-EDoS characterization
An HTTP REST web service that supports GET requests to seven
URIs (numbered 1 to 7) has been implemented in a virtual Openstack
instance, each URI with a dierent response time, from the simplest
(18.56ms) to the most complex queries (36.73ms). An eighth URI
with 226.04 ms of average response time is also implemented, which
represents the point of greatest computational cost that can be
exploited as vulnerability. The metrics required for EDoS detection
are collected per second, which serve for building time series and
calculating the Rènyi entropy degree of the monitored observations.
On the other hand, the CPU based indicators are obtained per
instance from the Ceilometer API, thus creating additional time
series. In the experimental test, the requests have been launched
from 500 clients implemented as Python threads, that in normal
trac situations randomly communicate with URIs 1 to 8, while
in attack scenarios only URI 8 is requested. In both situations, a
self-scaling policy that creates a new instance of the web service has
been congured, which occurs when the average CPU consumption
reported is greater than 60% in a one-minute time interval. Two
adjustment factors allowed to congure the attack intensity: the
number of compromised nodes, and the variation of the connection
rate per second. From them, the rules for discovering unexpected
behaviors derived from W-EDoS were congured.
5.3 I-EDoS characterization
At the I-EDoS scenario, the implemented REST application has been
modied to expose a single URI that performed request with an
average execution time of 27.89ms. For hosting the virtual image in-
stances, an Openstack cluster was created with minimum length of
2 VNFs and maximum length of 12. The implemented auto-scaling
policy orchestrated the creation of a new NFV instance when the
average CPU consumption was higher than 80%; and the removal
of an instance of the lower productivity cluster when this value
was less than 40%. A stress-test was launched on the server for
establishing the default productivity level. This has been evaluated
with Httperf [
], and the obtained results reected the lowest
achieved productivity when the connection rate per second was
less than 10, in this way causing a maximum CPU consumption
of 39.1% that approached the lowest threshold of the congured
auto-scaling policy. The optimal performance levels were recorded
with a connection rate that varied from 10 to 40 per second, result-
ing in an average CPU consumption from 41.2% to 81.6%. In the
aforementioned use case the percentage of connection errors was
0%. However, when the trac injected above 40 connections per
second, the CPU consumption reached its highest levels, thus regis-
tering values between 82.7 and 99.6% that exceeded the auto-scaling
threshold and that posed connection errors higher than 10%.
The network parameters and the resulting productivity served
for DBSCAN to identify the groups of VNFs that due to their behav-
ior may be compromised by an I-EDoS situation. Their workload
resembled a random Poisson distribution [
] where the expected
was the number of connections of the cluster at certain
observation, for which has been tested by rates from 53 to 286
connections per second in a time period of three hours. The same
default workload has been applied at both normal and attack scenar-
ios. In the malicious situation, the VNF self-scaling was triggered
through manipulating metrics gathered by Ceilometer, where it is
assumed the ability of the attacker for exploiting vulnerabilities
like CVE- 2016-9877 [
] to poison the information collected via
RabbitMQ data buses. They enabled turning the original CPU read-
ings (JSON messages) into fake values randomly ranging from 90%
to 100%. The manipulated metrics were nally registered at the
Ceilometer database, which led to fraudulently deploy additional
VNFs instances due to auto-scaling policies.
The following discusses the eectiveness of the proposal when
assessed at the evaluation testbed. This section separates the results
obtained when dealing with W-EDoS and I-EDoS situations.
6.1 Eectiveness at W-EDoS attacks
In Fig. 4 the eectiveness of the proposal when varying the Rènyi
entropy degree is illustrated. The lower
values minimize the im-
pact of the inferred noise, this being the main reason that led them
to yield more accurate results. Consequently, during the rest of
the experimentation the best observed adjustment achieved (i.e.
= 1) was assumed. The W-EDoS attacks have been injected in
intervals of 1%, 5% and 10%, where the percentage represents the
proportion of malicious requests that characterize the attack in-
tensity. Additionally, four scenarios have been studied based on
the average of requests per second (px) performed by clients: 50;
60; 70; 80, where K is the adjustment value for the creation of the
prediction intervals. It has been experimented with dierent values
of K (from 0.1 to 6), this being the parameter that varies the degree
of sensitivity of the detection. The best results were obtained when
0 0.2 0.4 0.6 0.8 1
TPR (Sensitivity)
FPR (1−Specificity)
Figure 4: Entropy degree impact at W-EDoS detection
Figure 5: ROC curve when 80 px at W-EDoS detection
the request rate was 80px and the intensity was 10% (Fig. 5), being
0.995 the trapezoidal approximation of the Area Under the ROC
Curve (AUC). According to the Yauden statistic, the best congu-
ration registered True Positive Rate (TPR) of 1 and False Positive
Rate (FPR) of 0.01. In the opposite case, the worst results were ob-
served with a request rate of 60px and attack intensity of 1%, where
AUC=0.901, TPR=0.816 and FPR=0.15. From them it is possible to
conclude that, as the attack intensity makes the threat more visible
and the request rate increases, the accuracy of the system improves
since these conditions lead to more noticeable variations in terms of
entropy and CPU overload. In general terms, the obtained accuracy
demonstrates the ability of the proposed method to detect W-EDoS
attacks in scenarios similar to those considered for evaluation.
6.2 Eectiveness at I-EDoS attacks
The I-EDoS situation recognition capabilities of the proposal have
also been evaluated according to the attack intensity, which impact
translates into a growth of 10%, 20%, 30% 40% and 50% of the num-
ber of instantiated VNFs. As was easy to deduce, this adjustment
parameter directly inuenced the eectiveness of the proposal. This
fact is illustrated in Fig. 6, where the ROC curve obtained at the
dierent experimental conditions is displayed. In general terms,
the hit rate experienced small and inconspicuous variations. At
the rst group of attacks (10%, 20%, 30%, 40%), a distance of 0.022
(0.025%) was observed between the minimum hit rate (TPR = 0.89
when 10% intensity) and the best hit rate (TPR = 0.91 when 40%
0 0.05 0.1 0.15 0.2 0.25
TPR (Sensitivity)
FPR (1−Specificity)
Figure 6: ROC curve at I-EDOS detection
intensity); note that as in the previous tests, the best adjustments
were estimated according to the Yauden criteria. Likewise, when
the attack gained intensity (50%) the hit rate slightly increased
(TPR = 0.94). However, by taking into account the percentage of
false positives the observed variations were more signicant; in
particular, the detection method registered FPR = 0.12 when 10%
intensity; but when gaining intensity, the best conguration (at
40% and 50% intensities) resulted in FPR = 0.07, which represents
an improvement of 58.3% over the worst result. This pattern can
be observed in Fig. 6 where the AUC varies according to the attack
intensity, being AUC = 0.9811 in the best adjustment and AUC
= 0.9483 in the worst scenario. The variations in eectiveness is
caused at the clustering stage based on the VNFs productivity. Thus,
the more visible the attack, the greater the number of instances
that belong to the group of unproductive instances. In view of the
obtained results, it can be concluded that the proposed strategy is
able to successfully identify I-EDoS situations at scenarios similar
to that considered for evaluation.
The problem of Economic Denial of Sustainability (EDoS) in the
SON landscape has been studied and dened from two paradigms:
workload (W-EDoS) and instantiation (I-EDoS) exploitation. In this
context, two novel detection strategies have been proposed, which
were able to recognize each of them. Both were based on modeling
the normal behavior of the protected system and the discovery of
discordant activities at the monitoring environment. In particular,
for W-EDoS recognition the study of signicant prediction errors
was adopted, which lies in analyzing the evolution of the CPU
consumption and the entropy estimated on the response times at
the application level calculated in VNFs instances. On the other
hand, for I-EDoS detection purposes, the relationships between
the growing of the number of instantiated VNFs belonging to low
productive clusters was studied. The eectiveness of the proposal
was proven through the performed experimentation, in which the
impact of varying dierent adjustment parameters was studied (in-
tensity of the attacks, condence of prediction intervals or entropy
degree). Consequently, it was possible to demonstrate that the pro-
posal meets its main objective on the deployed testbed. However, it
should be noted that aiming on enhancing the understanding of our
contribution, some aspects also necessary for its application to real
scenarios were not discussed in-depth, among them strengthen-
ingl against adversarial threats or supporting the adoption of data
protection policies, which pose interesting lines of future research.
This work was partially funded by the JSAN Travel Award 2018
bestowed by the MDPI Journal of Sensors and Actuator Networks
(JSAN). In addition, the authors sincerely appreciate the support
of the European Commission Horizon 2020 Programme under the
Grant Agreements number H2020-ICT-2014-2/671672 (SELFNET:
Framework for Self-Organized Network Management in Virtualized
and Software Dened Networks) and H2020-FCT-04-2015/700326
(RAMSES: Internet Forensic platform for tracking the money ow
of nancially-motivated malware).
3GPP TS 32.500 2008. Self-Organising Networks (SON): Concepts and require-
ments. (2008).
5G PPP Security Working Group 2017. 5G PPP Phase1 Security Landscape. (2017).
N.M. Alenezi and M.J. Reed. 2014. Uniform DoS traceback. Computers & Security
45, 1 (2014), 17–26.
A. A. Atayero, O. I. Adu, and A. A. Alatishe. 2014. Self organizing networks
for 3GPP LTE. In Proceedings of the International Conference on Computational
Science and Its Applications. Springer, Cham, 242–254.
C. Barakat, P. Thiran, G. Iannaccone, C. Diot, and P. Owezarski. 2003. Modeling
Internet backbone trac at the ow level. IEEE Transactions on Signal and
Processing 51 (2003), 2111–âĂŞ2124.
P.S. Bawa and S. Manickam. 2015. Critical Review of Economical Denial of
Sustainability (EDoS) Mitigation Techniques. Journal of Computer Science 11
(2015), 855–862. Issue 7.
A.S. Bhingarkar and B.D. Shah. 2015. A survey: Securing cloud infrastructure
against edos attack. In Proceedings of the 2015 of the International Conference on
Grid Computing and Applications (GCA). Athens, Greece, 16–22.
M. Bhuyan, D.Bhattacharyya, and J. Kalita. 2015. An empirical evaluation of
information metrics for low-rate and high-rate DDoS attack detection. Pattern
Recognition Letters 51 (2015), 1–7. Issue 1.
A. Bremler-Barr, E.Bros, and M. Sides. 2017. DDoS attack on cloud auto-scaling
mechanisms. In Proceedings of 2017 IEEE Conference on Computer Communications
(INFOCOM 2017). Atlanta, GA, US, 1–9.
C. Ho 2008. Cloud Computing Security: From DDoS (Distributed Denial
Of Service) to EDoS (Economic Denial of Sustainability). (2008). http:
com/blog/2008/11/cloud-computing- security-from-
ddos-distributed- denial-of- service-to-edos- economic-denial- of-sustaina.html
C. Ho 2009. A Couple of Follow-Ups On The EDoS (Economic Denial Of
Sustainability) Concept... (2009). http://rationalsecurity
V. Chandola, A. Banerjee, and V. Kumar. 2009. Anomaly Detection: A Survey.
Comput. Surveys 41, 15 (2009). Issue 3.
Common Vulnerabilities and Exposures 2016. CVE-2016-9877. (2016). https:
G. Ditzler, M. Roveri, C. Alippi, and R. Polikar. 2015. Learning in Nonstationary
Environments: A Survey. IEEE Computational Intelligence Magazine 10, 4 (2015),
M. Ester, H.P. Kriegel, J. Sander, and X. Xu. 1996. A density-based algorithm
for discovering clusters a density-based algorithm for discovering clusters in
large spatial databases with noise. In Proceedings of the Second International
Conference on Knowledge Discovery and Data Mining (KDDâĂŹ96). Portland,
Oregon, 226–231.
ETSI GS NFV 002 V1.2.1 2014. Network Functions Virtualisation (NFV); Architec-
tural Framework. (2014). http://www
European Technology Platform for communications networks and services
(Networld2020) 2014. 5G: Challenges, Research Priorities, and Recom-
mendations. (2014). https://networld2020
NetWorld2020Joint-Whitepaper-V8public- consultation.pdf
Httperf 2018. The Httperf H TTP load generator. (2018). https://github
R. J. Hyndman, A. B. Koehler, J. K. Ord, and R.D. Snyder. 2005. Prediction intervals
for exponential smoothing state space models. Journal of Forecasting 24 (2005),
J. Idziorek, M. Tannian, and D. Jacobson. 2012. Attribution of fraudulent resource
consumption in the cloud. In Proceedings of the 5th IEEE International Conference
on Cloud Computing. Honolulu, HI, USA, 99–106.
J. Idziorek, M. Tannian, and D. Jacobson. 2012. Attribution of fraudulent resource
consumption in the cloud. In Proceedings of the 5th IEEE International Conference
on Cloud Computing. Honolulu, HI, USA, 99–106.
M.N. Kumar, P. Sujatha, V. Kalva, R. Nagori, A.K. Katukojwala, and M. Kumar.
2012. Mitigating Economic Denial of Sustainability (EDoS) in Cloud Computing
Using In-cloud Scrubber Service. In Proceedings of the 4th International Conference
on Computational Intelligence and Communication Networks (CICN). Mathura,
India, 535–539.
L.I. Barona Lopez, A.L. Valdivieso Caraguay, M.A. Sotelo Monge, and L.J. Garcia
Villalba. 2016. Key Technologies in the Context of Future Networks. Future
Internet 9, 1 (2016).
S. Makridakis, S. Wheelwright, and S. Hyndman. 1998. Forecasting Methods and
Applications. John Wiley & Sons, New York, NY, US.
M. Masood, Z. Anwar, S.A. Raza, and M.A. Hur. 2013. EDoS Armor: A cost eective
economic denial of sustainability attack mitigation framework for e-commerce
applications in cloud environments. In Proceedings of the 16th International Multi
Topic Conference (INMIC). Lahore, Pakistan, 37–42.
NGMN Alliance 2015. 5G White Paper. (2015). https://www
Openstack 2018. Ceilometer measurements. (2018). https://docs
Openstack 2018. Open Source Software for Creating Private and Public Clouds.
I. Ozcelik and R.R. Brooks. 2015. Deceiving entropy based DoS detection. Com-
puters & Security 48, 1 (2015), 234–245.
P.Singh, S. Manickam, and S. U. Rehman. 2014. A survey of mitigation techniques
against Economic Denial of Sustainability (EDoS) ttack on cloud computing
architecture. In Proceedings of 3rd International Conference on Reliability, Infocom
Technologies and Optimization (ICRITO). Noida, India, 1–4.
R. Cohen 2009. Cloud attack: Economic denial of sustainability (edos). (2009). economic-denial- of .html
SELFNET 2018. Self-Organized Network Management in Virtualized and Software
Dened Networks. (2018). http://www
E. Shubert, J. Sander, M. Ester, H.P. Kriegel, and X. Xu. 2017. DBSCAN Revisited:
Why and How You Should (Still) Use DBSCAN. ACM Transactions on Database
Systems 42, 19 (2017). Issue 3.
A. Singh and K. Chatterjee. 2017. Cloud security issues and challenges: A survey.
Journal of Network and Computer Applications 79 (2017), 88–115.
K. Singh, P. Singh, and K. Kumar. 2017. Application layer HTTP-GET ood DDoS
attacks: Research landscape and challenges. Computers & Security 65 (2017),
G. Somani, M.S. Gaur, D. Sanghi, and M. Conti. 2016. DDoS attacks in cloud
computing: Collateral damage to non-targets. Computer Networks 109 (2016),
M.A. Sotelo Monge, J. Maestre Vidal, and L.J Garcia Villalba. 2017. Entropy-Based
Economic Denial of Sustainability Detection. Entropy 19, 649 (2017). Issue 5.
M.A. Sotelo Monge, J. Maestre Vidal, and L.J Garcia Villalba. 2017. Reasoning
and Knowledge Acquisition Framework for 5G Network Analytics. Sensors 17,
2405 (2017). Issue 10.
J. Maestre Vidal, A.L. Sandoval Orozco, and L.J. Garcia Villalba. 2017. Alert
correlation framework for malware detection by anomaly-based packet payload
analysis. Journal of Network and Computer Applications 97 (2017), 11–22.
J. Maestre Vidal, A.L. Sandoval Orozco, and L.J. Garcia Villalba. 2018. Adaptive
articial immune networks for mitigating DoS ooding attacks. Swarm and
Evolutionary Computation 38 (2018), 94–108.
S. Vivinsandar and S. Shenai. 2012. Economic Denial of Sustainability (EDoS) in
Cloud Services using HTTP and XML based DDoS Attacks. International Journal
of Computer Applications 41 (2012), 11–16. Issue 20.
K. Wang, M. Du, S. Maharjan, and Y. Sun. 2017. Strategic Honeypot Game Model
for Distributed Denial of Service Attacks in the Smart Grid. IEEE Transactions on
Smart Grid 8 (2017), 2474–2482. Issue 5.
G. Yao, J. Bi, and A. V. Vasilakos. 2015. Passive IP Traceback: Disclosing the
Locations of IP Spoofers From Path Backscatter. IEEE Transactions on Information
Forensics and Security 10 (2015), 471–484. Issue 3.
S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tangm. 2012. Discriminating DDoS
Attacks from Flash Crowds Using Flow Correlation Coecient. IEEE Transactions
on Parallel and Distributed Systems 23 (2012), 1073–1080. Issue 6.
Q. Zhang, L. Cheng, and R. Boutaba. 2010. Cloud computing: state-of-the-art and
research challenges. Journal of internet services and applications 1 (2010), 7–18.
Issue 1.
W. Zhou, W. Jia, S. Wen, Y. Xiang, and W. Zhou. 2014. Detection and defense
of application-layer DDoS attacks in backbone web trac. Future Generation
Computer Systems 38 (2014), 36–46.
... Because of their novelty, EDoS threats caught the attention of the research community, which framed their modus operandi as part of the Reduction of Quality (RoQ) [28] and Fraudulent Resource Consumption (FRC) threats [29][30][31]. In [32,33] the problem of EDoS was reviewed in the context of the Self-Organizing Network (SON) paradigm, which presented one of the studies closer to the TDoS paradigms. Accordingly, SON deployments may be jeopardized for causing Workload-based EDoS (W-EDoS) and Instantiation-based (I-EDoS). ...
... These services feed operational intelligence, C2 and join planning capabilities, from which the fulfillment of the strategic objectives depends. In this context, by achieving a conventional I-EDoS situation [33], the attacker forced the instantiation of redundant VNFs, with among others, heavily impact on the energy efficiency of the mobile tactical infrastructure that enables network and datacenter operations. They support the IST, SA, C2 and Decision-making services deployed at the Tactical Edge, which usability will be reduced as the redundant VNFs pointless consume energy. ...
The last decade consolidated the cyberspace as fifth domain of military operations, which extends its preliminarily intelligence and information exchange purposes towards enabling complex offensive and defensive operations supported/supportively of parallel kinetic domain actuations. Although there is a plethora of well documented cases on strategic and operational interventions of cyber commands, the cyber tactical military edge is still a challenge, where cyber fires barely integrate to the traditional joint targeting cycle due to, among others, long planning/development times, asymmetric effects, strict target reachability requirements, or the fast propagation of collateral damage; the latter rapidly deriving on hybrid impacts (political, economic, social, etc.) and evidencing significant socio-technical gaps. In this context, it is expected that Tactical Clouds disruptively facilitate cyber operations at the edge while exposing the rest of the digital assets of the operation to them. On these grounds, the main purpose of the conducted research is to review and in depth analyze the risks and opportunities of jeopardizing the sustainability of the military Tactical Clouds at their cyber edge. Along with a 1) comprehensively formulation of the researched problematic, the study 2) formalizes the Tactical Denial of Sustainability (TDoS) concept; 3) introduces the phasing, potential attack surfaces, terrains and impact of TDoS attacks; 4) emphasizes the related human and socio-technical aspects; 5) analyzes the threats/opportunities inherent to their impact on the cloud energy efficiency; 6) reviews their implications at the military cyber thinking for tactical operations; 7) illustrates five extensive CONOPS that facilitate the understanding of the TDoS concept; and given the high novelty of the discussed topics, this paper 8) paves the way for further research and development actions.
... Several strategies, such as data encryption, mutual authentication, and other approaches can be used to address this issue. A study published in the article [6] examined the EDoS problem in emerging network situations. SON and NFV are the foundations for adaptive approaches. ...
Full-text available
Due to the rapid development of the fifth-generation (5G) applications, and increased demand for even faster communication networks, we expected to witness the birth of a new 6G technology within the next ten years. Many references suggested that the 6G wireless network standard may arrive around 2030. Therefore, this paper presents a critical analysis of 5G wireless networks’, significant technological limitations and reviews the anticipated challenges of the 6G communication networks. In this work, we have considered the applications of three of the highly demanding domains, namely: energy, Internet-of-Things (IoT) and machine learning. To this end, we present our vision on how the 6G communication networks should look like to support the applications of these domains. This work presents a thorough review of 370 papers on the application of energy, IoT and machine learning in 5G and 6G from three major libraries: Web of Science, ACM Digital Library, and IEEE Explore. The main contribution of this work is to provide a more comprehensive perspective, challenges, requirements, and context for potential work in the 6G communication standard.
This paper reviews the threat of economic denial of sustainability on recent communication networks and discusses their adaptation to emergent scenarios suited for self-organization and network function virtualization. Thorough the performed research two novel threats were defined: workload-based EDoS (W-EDoS) and Instantiation-based EDoS (I-EDoS). W-EDoS is characterized by executing expensive requests in terms of computational resources at the victim system, hence exhausting its workload and forcing operators to contract additional resources. On the other hand, I-EDoS occurs when the cloud management software deploys more instances of virtual network functions than needed as a response to requests that resemble legitimate, but are malicious, thus increasing the cost of the hired resources. In order to contribute to their mitigation, a security architecture that incorporates network-based intrusion detection capabilities for their recognition is proposed. It implements strategies that lie on predicting the behavior of the protected system, constructing adaptive thresholds, and clustering of instances based on productivity. An extensive experimentation has been conducted to demonstrate the proposal effectiveness, which includes case studies and the accuracy assessment when considering different adjustment parameters. Under the most intense conditions, the highest AUC performed above 98% when assessing the I-EDoS detection accuracy, being the same reading higher than 99% in the case of W-EDoS.
Full-text available
In recent years, an important increase in the amount and impact of Distributed Denial of Service (DDoS) threats has been reported by the different information security organizations. They typically target the depletion of the computational resources of the victims, hence drastically harming their operational capabilities. Inspired by these methods, Economic Denial of Sustainability (EDoS) attacks pose a similar motivation, but adapted to Cloud computing environments, where the denial is achieved by damaging the economy of both suppliers and customers. Therefore, the most common EDoS approach is making the offered services unsustainable by exploiting their auto-scaling algorithms. In order to contribute to their mitigation, this paper introduces a novel EDoS detection method based on the study of entropy variations related with metrics taken into account when deciding auto-scaling actuations. Through the prediction and definition of adaptive thresholds, unexpected behaviors capable of fraudulently demand new resource hiring are distinguished. With the purpose of demonstrate the effectiveness of the proposal, an experimental scenario adapted to the singularities of the EDoS threats and the assumptions driven by their original definition is described in depth. The preliminary results proved high accuracy.
Full-text available
Autonomic self-management is a key challenge for next-generation networks. This paper proposes an automated analysis framework to infer knowledge in 5G networks with the aim to understand the network status and to predict potential situations that might disrupt the network operability. The framework is based on the Endsley situational awareness model, and integrates automated capabilities for metrics discovery, pattern recognition, prediction techniques and rule-based reasoning to infer anomalous situations in the current operational context. Those situations should then be mitigated, either proactive or reactively, by a more complex decision-making process. The framework is driven by a use case methodology, where the network administrator is able to customize the knowledge inference rules and operational parameters. The proposal has also been instantiated to prove its adaptability to a real use case. To this end, a reference network traffic dataset was used to identify suspicious patterns and to predict the behavior of the monitored data volume. The preliminary results suggest a good level of accuracy on the inference of anomalous traffic volumes based on a simple configuration.
Full-text available
Advanced Metering Infrastructure (AMI) is an important component for a smart grid system to measure, collect, store, analyze and operate users consumption data. The need of communication and data transmission between consumers (smart meters) and utilities make AMI vulnerable to various attacks. In this paper, we focus on Distributed Denial of Service (DDoS) attack in the AMI network. We introduce honeypots into the AMI network as a decoy system to detect and gather attack information. We analyze the interactions between the attackers and the defenders, and derive optimal strategies for both sides. We further prove the existence of several Bayesian-Nash Equilibriums (BNEs) in the honeypot game. Finally, we evaluate our proposals on an AMI testbed in the smart grid, and the results show that our proposed strategy is effective in improving the efficiency of defense with the deployment of honeypots.
Full-text available
Application layer Distributed Denial of Service (DDoS) attacks have empowered conventional flooding based DDoS with more subtle attacking methods that pose an ever-increasing challenge to the availability of Internet based web services. These attacks hold the potential to cause similar damaging effects as their lower layer counterparts using relatively fewer attacking assets. Being the dominant part of the Internet, HTTP is the prime target of GET flooding attacks, a common practice followed among various application layer DDoS attacks. With the presence of new and improved attack programs, identifying these attacks always seems convoluted. A swift rise in the frequency of these attacks has led to a favorable shift in interest among researchers. Over the recent years, a significant research contribution has been dedicated toward devising new techniques for countering HTTP-GET flood DDoS attacks. In this paper, we conduct a survey of such research contributions following a well-defined systematic process. A total of 63 primary studies published before August 2015 were selected from six different electronic databases following a careful scrutinizing process. We formulated four research questions that capture various aspects of the identified primary studies. These aspects include detection attributes, datasets, software tools, attack strategies, and underlying modeling methods. The field background required to understand the evolution of HTTP-GET flood DDoS attacks is also presented. The aim of this systematic survey is to gain insights into the current research on the detection of these attacks by comprehensively analyzing the selected primary studies to answer a predefined set of research questions. This survey also discusses various challenges that need to be addressed, and acquaints readers with recommendations for possible future research directions.
Full-text available
Cloud computing is the next revolution in the Information and Communication Technology arena. It is a model in which computing is delivered as a commoditized service similar to electricity, water and telecommunication. Cloud computing provides software, platform, infrastructure and other hybrid models which are delivered as subscription-based services in which customers pay based on usage. Nevertheless, security is one of the main factors that inhibit the proliferation of cloud computing. Economic Denial of Sustainability (EDoS) is a new breed of security and economical threats to the cloud computing. Unlike the traditional Distributed Denial of Service (DDoS) which brings down a particular service by exhausting the resources of the server in traditional setup, EDoS takes advantage of the elasticity of the cloud service. This causes the resources to dynamically scale to meet the demand (as a result of EDoS attack) resulting in a hefty bill for the customer. In this survey, we review various EDoS mitigation techniques that have been introduced in recent years.
Intrusion detection based on identifying anomalies typically emits a large amount of reports about the malicious activities monitored; hence information gathered is difficult to manage. In this paper, an alert correlation system capable of dealing with this problem is introduced. The work carried out has focused on the study of a particular family of sensors, namely those which analyze the payload of network traffic looking for malware. Unlike conventional approaches, the information provided by the network packet headers is not taken into account. Instead, the proposed strategy considers the payload of the monitored traffic and the characteristics of the models built during the training of such detectors, in this way supporting the general-purpose incident management tools. It aims to analyze, classify and prioritize alerts issued, based on two criteria: the risk of threats being genuine and their nature. Incidences are studied both in a one-to-one and in a group context. This implies the consideration of two different processing layers: The first one allows fast reactions and resilience against certain adversarial attacks, and on the other hand, the deeper layer facilitates the reconstruction of attack scenarios and provides an overview of potential threats. Experiments conducted by analyzing real traffic demonstrated the effectiveness of the proposal.
At SIGMOD 2015, an article was presented with the title “DBSCAN Revisited: Mis-Claim, Un-Fixability, and Approximation” that won the conference’s best paper award. In this technical correspondence, we want to point out some inaccuracies in the way DBSCAN was represented, and why the criticism should have been directed at the assumption about the performance of spatial index structures such as R-trees and not at an algorithm that can use such indexes. We will also discuss the relationship of DBSCAN performance and the indexability of the dataset, and discuss some heuristics for choosing appropriate DBSCAN parameters. Some indicators of bad parameters will be proposed to help guide future users of this algorithm in choosing parameters such as to obtain both meaningful results and good performance. In new experiments, we show that the new SIGMOD 2015 methods do not appear to offer practical benefits if the DBSCAN parameters are well chosen and thus they are primarily of theoretical interest. In conclusion, the original DBSCAN algorithm with effective indexes and reasonably chosen parameter values performs competitively compared to the method proposed by Gan and Tao.
Denial of service attacks pose a threat in constant growth. This is mainly due to their tendency to gain in sophistication, ease of implementation, obfuscation and the recent improvements in occultation of fingerprints. On the other hand, progress towards self-organizing networks, and the different techniques involved in their development, such as software-defined networking, network-function virtualization, artificial intelligence or cloud computing, facilitates the design of new defensive strategies, more complete, consistent and able to adapt the defensive deployment to the current status of the network. In order to contribute to their development, in this paper, the use of artificial immune systems to mitigate denial of service attacks is proposed. The approach is based on building networks of distributed sensors suited to the requirements of the monitored environment. These components are capable of identifying threats and reacting according to the behavior of the biological defense mechanisms in human beings. It is accomplished by emulating the different immune reactions, the establishment of quarantine areas and the construction of immune memory. For their assessment, experiments with public domain datasets (KDD’99, CAIDA’07 and CAIDA’08) and simulations on various network configurations based on traffic samples gathered by the University Complutense of Madrid and flooding attacks generated by the tool DDoSIM were performed.
The cloud computing provides on demand services over the Internet with the help of a large amount of virtual storage. The main features of cloud computing is that the user does not have any setup of expensive computing infrastructure and the cost of its services is less. In the recent years, cloud computing integrates with the industry and many other areas, which has been encouraging the researcher to research on new related technologies. Due to the availability of its services & scalability for computing processes individual users and organizations transfer their application, data and services to the cloud storage server. Regardless of its advantages, the transformation of local computing to remote computing has brought many security issues and challenges for both consumer and provider. Many cloud services are provided by the trusted third party which arises new security threats. The cloud provider provides its services through the Internet and uses many web technologies that arise new security issues. This paper discussed about the basic features of the cloud computing, security issues, threats and their solutions. Additionally, the paper describes several key topics related to the cloud, namely cloud architecture framework, service and deployment model, cloud technologies, cloud security concepts, threats, and attacks. The paper also discusses a lot of open research issues related to the cloud security.