Article Preview
TopIntroduction
Nowadays, Cloud computing is widely used by companies as well as individuals due to its benefits such as access on-demand resources. Moreover, you pay only for the resources that you use. Currently, it enables every entity to execute, analyse, and store large amount of data without even setting up own Information Technology (IT) infrastructure (Kumar, 2018). Therefore, the services provided by the cloud are categorized as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) (Almulla, 2010). In cloud environment, self-service provisioning based on virtualization and multi-tenancy are the potential properties. The self-service provisioning means that it is easier for customers to rent more cloud services as Central Processing Unit (CPU), memory and network services when they need them whereas the multi-tenancy indicates that multiple users or tenants running the software in a shared environment on its servers (Hurwitz, 2010). So, these properties can be used by DDoS attackers in cloud environment. In virtual environment, all isolated and virtualized guest Operating Systems (OSs) called Virtual Machines (VMs) supported by a single host OS called VMM on a single physical server. Indeed, when the VMM is crashed because of the DDoS attack which is generated by some VMs so that all the VMs will be affected (Sabahi, 2012; Luo, 2011). In view of this, the DDoS attack can obtain full root access to the physical server to compromise it (Luo, 2011). On the other hand, the physical server can be crashed by DDoS attack from outside. So, as a result, all the VMs created by VMM on this physical server will be affected.
DDoS attack usually originates from distributed zombies and targets to exhaust the victim’s bandwidth or resources (Wang, 2015). In practice, there are plenty of DDoS attacks such as SYN flood, User Datagram Protocol (UDP) flood and Internet Control Message Protocol (ICMP) flood (Haddadi, 2018). Indeed, when the DDoS attack is carried out, there are some correlation characteristics between some attributes of each packet in Internet Protocol (IP) and Transmission Control Protocol (TCP) headers. Thus, in the case of UDP flood attack, there is a relationship between protocol type and random destination port number selected from allowable value ranges. Moreover, there is a relationship between the protocol type and SYN flag value in the TCP SYN flood attack. In addition, there is a relationship between the source IP address and Time To Live (TTL) value in the IP spoofing attack.
In the last decade, many approaches have been proposed for dealing with DDoS attacks in cloud environment. But they cannot achieve good performance metrics. This is because of the unrealistic value of the studied variable which means that it cannot have the exact value. In view of this challenge, a novel filtering approach is proposed which uses Confidence Interval (CI) to estimate the realistic value of the studied variable at a level of significance α to detect DDoS attacks with high detection accuracy and low false positive and false negative rates.
The remainder of this paper is organized as follows: Section 2 outlines the theoretical background cited in recent literature review. Section 3 introduces the concept of confidence interval. Section 4 provides a design of the proposed approach and its experimental environment. Simulation results and analysis are given in Section 5. Finally, a brief conclusion of our work is given in section VI.