Cloud, Big and Cloud Attacks, Bad. Yet, There are no Systematic Studies


The Dark Menace: Characterizing Network-based Attacks in the Cloud
(authors are unavailable to attend; talk presented by John Heidemann, USC/ISI)
Rui Miao, Rahul Potharaju, Minlan Yu, Navendu Jain

Cloud, Big and Cloud Attacks, Bad
- The market for cloud computing is growing
  - Reached $40 billion in 2014; 23%-27% growth YoY
- Cloud becoming an attractive target for attacks
  - In 2013, an attack caused 50+ services to go offline
  - In 2011, 100+ million customer accounts compromised


Yet, There are no Systematic Studies
- Q1: How many attacks in and out? What attack types are prevalent?
- Q2: What do attacks look like? What is the peak rate? How long do they last?
- Q3: Who attacks and is attacked? What are the sources and targets? Do they spoof IPs?
- Implications: guide cloud operators and researchers to
  1. Analyze current DDoS mitigation approaches
  2. Design new detection and mitigation solutions
  3. Ensure compliance (ex: U.S. FISMA requirements)

Contribution: Characterize Attacks in the Cloud
- First study of cloud attacks: inbound and outbound
- Major cloud provider: 10,000+ services, 10+ data centers
- Collected three-month NetFlow data at edge routers
- Classification of cloud attacks: 9 types
  - Network-level: a variety of DDoS attacks, port scan
  - Application-level: SQL injection and spam
- Guidelines for detection and mitigation

Contribution: Characterize Attacks in the Cloud
- First study of cloud attacks: inbound and outbound
- Major cloud provider: 10,000+ services, 10+ data centers
- Collected three-month NetFlow data at edge routers
- Classification of cloud attacks: 9 types
  - From DDoS to application-level SQL injection and spam
- Analyzed attack scale, complexity and distribution
- Guidelines for detection and mitigation
  - Handle attack diversity and intensity (across VIPs, time)
  - Enable application-defined security policies

Cloud Operation
- Cloud traffic enters, is routed and filtered, and meets services; each service runs on a VIP (Virtual IP address)
- [Figure: traffic passes edge routers, datacenter networks and a security appliance before reaching VMs in the data center; example VIPs: VIP1 (Netflix), VIP2 (OneDrive)]

Measuring Cloud Attacks
- Major cloud provider: 10k+ services, 10+ data centers
- Capture NetFlow at edge routers: 200 TB over three months
  - Upstream of DDoS appliance
- Sampled at 1 in 4096
  - Cannot capture all the attacks
  - Good for studying attack characteristics
- Aggregated in 1-minute window by VIPs (VIP: Virtual IP for a service)

Attack Categories and Detection
- volume-based: packets/second with sequential change-point detection
- spread: abnormal fan-in or fan-out (number of connections or hosts)
- signatures (TCP)
- communications with known malicious hosts

Characterizing Cloud Attacks
- Q1: How many attacks in and out?
- Q2: What do attacks look like?
- Q3: Who attacks and is attacked?

Attack Distribution
- 35% inbound vs. 65% outbound (normalized by total number of attacks)
- More outbound floods than inbound: easier to abuse the cloud resources
- Inbound are dominated by flood, brute-force, and port scan
- Outbound are dominated by flood, brute-force, and SQL injection
- Implication: high diversity, so several detection methods are needed; 2x more outbound attacks, so improve security of outbound traffic

Validation: How Complete Are We?
- Inbound method: compare us to security appliance DDoS alerts
  - We see most inbound attacks (79% of appliance reports)
  - We miss some attacks due to NetFlow sampling (1:4096)
  - Alerts may have some false positives (e.g., flash crowds)
- Outbound method: compare us to external complaints (incident reports)
  - We see most outbound attacks (84% of incident reports)
  - We miss application-level attacks (e.g., phishing, malware)

Characterizing Cloud Attacks
- Q1: How many attacks in and out?
  - 9 diverse attack types: from DDoS to SQL injection, spam
  - Inbound vs. outbound: 2x more outbound attacks
- Q2: What do attacks look like?
- Q3: Who attacks and is attacked?

Attack throughput
- Attacks consume lots of cloud resources
  - Median aggregate attack traffic is 1% of mean cloud traffic
  - Attackers are disproportionally heavy (1% of traffic but ~0.1% of VIPs)
- High variation in throughput across time and VIPs
  - Inbound brute-force: peak vs. median = 361 times
  - Inbound floods have 13-238 times higher peak than outbound
- Implication: attack defenses need to dynamically adapt resources (over time and VIPs) to be cost-effective

Attack duration
- Attacks often have short duration (<10 min)
  - Hard to detect
  - Quickly move to a different target
- A few attacks can last hours or even days
  - DNS reflection has long duration
  - Hard to detect: comes from many DNS resolvers, each with a low query rate
- Implication: need fast (order of 10s-100s of seconds) and accurate detection to defend against most attacks

Attack frequency per VIP (VIP: Virtual IP)
- Only a small fraction of VIPs involved
  - Inbound: 8 out of 10,000 VIPs per day
  - Outbound: 11 out of 10,000 VIPs per day
- Occasional attacks vs. frequent attacks
  - Mostly one attack in a day
  - A few VIPs experience 30-150 attacks in a day (usually SYN floods)
- Implication: need to focus on the VIPs at the tail for attack detection and mitigation

Attacks on the same VIP
- Multi-vector attacks: exploit the vulnerabilities
  - 6.1% of inbound attacks and 0.83% of outbound attacks
- Compromised VIPs for outbound attacks
  - Inbound brute-force attack from 85 sources over one week
  - Outbound UDP flood against ~500 Internet sites
- Implication: need joint analysis of inbound and outbound traffic to identify causality in attacks and find compromised VMs

Attacks on multiple VIPs
- Most attacks have only a few targets
  - 1 VIP in the median, <10 VIPs in the 99th percentile
- A few cases with 20-60 VIPs simultaneously
  - Brute-force on 60+ VIPs: two sources scan 8 IP subnets (500 VIPs) over 5 data centers
- Implication: need to correlate traffic across VIPs to coordinate attack detection and mitigation

Characterizing Cloud Attacks
- Q1: How many attacks in and out?
  - 9 diverse attack types: from DDoS to SQL injection, spam
  - Inbound vs. outbound: 2x more outbound attacks
- Q2: What do attacks look like?
  - Peak rate: 100 pps-9 Mpps; out 13x-238x higher than in
  - Duration: most attacks have short duration (<10 mins)
  - Frequency: most VIPs see 1 attack/day; a long tail exists
- Q3: Who attacks and is attacked?

Origins of inbound attacks
- Big cloud, small ISPs and customer nets dominate
  - Mostly high-volume UDP floods, SQL injection, TDS attacks due to large availability of resources
  - Less security expertise and weak defenses; relatively easy to be compromised by attackers
- [Figure: percentage of attacks by origin network type]
- Implications: (1) better cloud security can help everyone; (2) need to help those with less security expertise

Targets of outbound attacks
- Attacks target many ASes: top 10 ASes are targets of 8.9% of the attacks
- Specific attacks target hosts in one AS, usually (80%)
- Mostly SQL injection and TDS attacks
- Mostly brute-force and spam
- [Figure: percentage of attacks by target AS]
- Implication: important to coordinate measures across the cloud and these networks to protect against these attacks

More in the paper
- Are source IPs spoofed?
- What is the inter-arrival time of attacks?
- What services are targeted by attacks?
- How prevalent are attacks from mobile networks?
- What is the geo-distribution of attacks?

Conclusion
- Cloud attacks are prevalent, both in and out
- Key findings:
  - Attacks are diverse: type, scale and distribution
  - Outbound attacks dominate: many compromised cloud VMs
  - Existing DDoS defenses are limited: many short attacks
- Implications:
  - Using correlation can improve detection
  - Need programmable, scale-out, and flexible solutions to detect diverse attacks
- Questions? {rmiao, minlanyu}@usc.edu, {rapoth,navendu}@microsoft.com

Backup Slides

Identify the attack incidents
- Cannot detect an attack over its entire duration, due to the low sampling rate in NetFlow
- Separate attack incidents using an inactive heuristic
  - Aggregate NetFlow by VIP in 1-minute window
  - Measure inactive time between two attack minutes
  - Pick "knee point" using linear regression: no statistically significant difference in the incidents
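The volume-based detection from the "Attack Categories and Detection" slide and the incident splitting from the "Identify the attack incidents" backup slide, as one added illustration that is not the authors' code: per-minute sampled packet counts for a VIP are scaled by the 1-in-4096 sampling rate, attack minutes are flagged with a one-sided CUSUM change-point test, and flagged minutes are grouped into incidents by an inactivity gap. The CUSUM constants, the 5-minute gap standing in for the knee point, and the sample series are assumptions; the talk gives none of them.

```python
# Added illustration (not code from the talk or the paper): flag attack minutes
# on one VIP with a one-sided CUSUM test over per-minute packet rates, then split
# the flagged minutes into incidents by an inactivity gap. Constants are assumed.
from statistics import mean, pstdev

SAMPLING_RATE = 4096   # NetFlow sampled 1 in 4096 packets (from the talk)
INACTIVE_GAP_MIN = 5   # assumed "knee point": a longer gap starts a new incident

def sampled_to_pps(sampled_counts):
    """Scale sampled per-minute packet counts to estimated packets/second."""
    return [c * SAMPLING_RATE / 60.0 for c in sampled_counts]

def cusum_attack_minutes(pps, train=10, k=0.5, h=5.0):
    """One-sided CUSUM over pps: flag minute i once the accumulated positive
    deviation from the baseline exceeds h sigma. Baseline = first `train`
    minutes (assumed attack-free). The statistic resets after each alarm so
    a long burst is flagged minute by minute, not smeared over quiet minutes."""
    base = pps[:train]
    mu, sigma = mean(base), max(pstdev(base), 1.0)   # floor avoids sigma == 0
    s, flagged = 0.0, []
    for i, x in enumerate(pps[train:], start=train):
        s = max(0.0, s + (x - mu - k * sigma))
        if s > h * sigma:
            flagged.append(i)
            s = 0.0
    return flagged

def split_incidents(attack_minutes, gap=INACTIVE_GAP_MIN):
    """Group flagged minutes into incidents; a gap longer than `gap` minutes
    starts a new one. Returns (first_minute, last_minute, duration) tuples."""
    incidents = []
    for m in sorted(attack_minutes):
        if incidents and m - incidents[-1][1] <= gap:
            incidents[-1][1] = m
        else:
            incidents.append([m, m])
    return [(a, b, b - a + 1) for a, b in incidents]

# Constructed 30-minute sampled series for one VIP: ~5 sampled packets/minute
# baseline, a 3-minute burst at minutes 10-12 and a 2-minute burst at 20-21.
SAMPLE_VIP_COUNTS = [5, 6, 4, 5, 7, 5, 4, 6, 5, 5,
                     200, 220, 180, 5, 6, 5, 4, 5, 6, 5,
                     150, 160, 5, 4, 6, 5, 5, 6, 4, 5]

def analyze_vip(sampled_counts):
    pps = sampled_to_pps(sampled_counts)
    minutes = cusum_attack_minutes(pps)
    peak = max((pps[m] for m in minutes), default=0.0)
    return {"attack_minutes": minutes, "incidents": split_incidents(minutes), "peak_pps": peak}
```

On the sample series the two bursts come out as two incidents of 3 and 2 minutes, which is the short-duration case the talk says most attacks fall into; a sustained moderate excess is caught once its cumulative deviation crosses the threshold rather than on its first minute.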
