Sampling Rate Distribution for Flow Monitoring and DDoS Detection in Datacenter
IEEE Transactions on Information Forensics and Security (IF 6.8). Pub Date: 2021-01-25. DOI: 10.1109/tifs.2021.3054522
Rajorshi Biswas , Sungji Kim , Jie Wu

Monitoring all internal flows in a datacenter is important for protecting a victim against internal distributed denial-of-service (DDoS) attacks. Unused virtual machines (VMs) in the datacenter serve as monitors, and flows are copied to them from software-defined networking (SDN) switches by installing special forwarding rules. In such a system each monitor VM runs a machine-learning method to detect DDoS behavior, but it can process only a limited number of flows. When the volume of flows exceeds the combined capacity of all monitor VMs, the system sub-samples each flow probabilistically. The sampling rate affects the monitors' DDoS detection rate, and different types of flows yield different detection rates at the same sampling rate, so a uniform sampling rate may not give a good overall DDoS detection rate; assigning different sampling rates to different flows may produce a better result. In this paper, we propose a flow-grouping approach based on behavioral similarity among the VMs, followed by hierarchical clustering of the VMs; the sampling rate is uniform among all flows in a group. We investigate the relationship between the sampling rate and the DDoS detection rate. We then formulate an optimization problem for finding an optimal sampling rate distribution and solve it using mixed-integer linear programming. We conduct extensive experiments with Hadoop and Spark and present results that support the feasibility of our model.
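The allocation problem the abstract describes, as an added example that is not the paper's code: flows are already grouped (the paper groups them by VM behavioral similarity with hierarchical clustering; here the groups are given), each group gets one sampling rate, the monitors' total load must stay within capacity, and the goal is the best flow-weighted detection rate. The groups, their sizes, the monitor capacity and each group's detection-rate-vs-sampling-rate curve are all constructed; the paper measures that relationship, this example assumes a piecewise-linear shape. Rates are limited to a small discrete set, so the optimum is found exactly with a multiple-choice knapsack dynamic program rather than the MILP solver the paper uses (for discrete rates both return the same optimum). A uniform-rate baseline is included for comparison, plus a hash-based per-flow sub-sampling decision.

```python
"""Per-group sampling-rate allocation for capacity-limited monitor VMs.

Added example, not the paper's own code.  All inputs are constructed:
  * flow groups and their sizes are made up;
  * each group's detection-vs-sampling-rate curve is a made-up
    piecewise-linear curve (the paper measures this empirically);
  * sampling rates come from a small discrete set, so the optimal
    distribution is found exactly by a multiple-choice-knapsack dynamic
    program instead of the paper's MILP (same optimum for discrete rates).
"""
import hashlib
from dataclasses import dataclass

RATE_OPTIONS = (10, 20, 40, 60, 80, 100)   # candidate sampling rates, percent


@dataclass(frozen=True)
class FlowGroup:
    name: str
    flows: int     # flows/s entering the group (constructed)
    curve: tuple   # ((sampling rate, detection rate), ...) sorted by rate (constructed)


def detection_rate(curve, rate):
    """Linear interpolation of a group's constructed detection curve."""
    if rate <= curve[0][0]:
        return curve[0][1]
    for (r0, d0), (r1, d1) in zip(curve, curve[1:]):
        if r0 <= rate <= r1:
            return d0 + (d1 - d0) * (rate - r0) / (r1 - r0)
    return curve[-1][1]


def monitor_cost(group, pct):
    """Flows/s the monitors must process for this group at rate pct (ceiling)."""
    return -(-group.flows * pct // 100)


def objective(groups, assignment):
    """Flow-weighted overall detection rate for a {group name: pct} assignment."""
    total = sum(g.flows for g in groups)
    return sum(g.flows * detection_rate(g.curve, assignment[g.name] / 100)
               for g in groups) / total


def uniform_allocation(groups, capacity, rates=RATE_OPTIONS):
    """Baseline: the largest single rate every group can share within capacity."""
    feasible = [p for p in rates
                if sum(monitor_cost(g, p) for g in groups) <= capacity]
    if not feasible:
        return None
    assignment = {g.name: max(feasible) for g in groups}
    return objective(groups, assignment), assignment


def optimal_allocation(groups, capacity, rates=RATE_OPTIONS):
    """Exactly one rate per group, total monitor load <= capacity, maximise
    flow-weighted detection.  Multiple-choice knapsack by dynamic programming
    over integer capacity units (flows/s); O(groups * capacity * |rates|)."""
    NEG = float("-inf")
    best = [0.0] * (capacity + 1)        # best value using at most c units
    picks = []
    for g in groups:
        options = [(monitor_cost(g, p), g.flows * detection_rate(g.curve, p / 100), p)
                   for p in rates]
        new, pick = [NEG] * (capacity + 1), [None] * (capacity + 1)
        for c in range(capacity + 1):
            for cost, value, p in options:
                if cost <= c and best[c - cost] > NEG and best[c - cost] + value > new[c]:
                    new[c], pick[c] = best[c - cost] + value, (cost, p)
        best, picks = new, picks + [pick]
    if best[capacity] == NEG:
        return None                       # even the lowest rates overload the monitors
    assignment, c = {}, capacity          # walk the choices back, last group first
    for g, pick in zip(reversed(groups), reversed(picks)):
        cost, p = pick[c]
        assignment[g.name] = p
        c -= cost
    total = sum(g.flows for g in groups)
    return best[capacity] / total, assignment


def mirror_packet(flow_key, pkt_index, pct):
    """Probabilistic sub-sampling of one flow: mirror about pct% of its packets.
    The decision hashes (flow, packet index) so a monitor can reproduce it."""
    digest = hashlib.blake2b(f"{flow_key}:{pkt_index}".encode(), digest_size=4).digest()
    return int.from_bytes(digest, "big") % 100 < pct


# Constructed example: three behaviour groups, monitors able to handle 500 flows/s.
SAMPLE_GROUPS = (
    FlowGroup("web",   600, ((0.1, 0.30), (0.4, 0.75), (1.0, 0.95))),
    FlowGroup("batch", 300, ((0.1, 0.70), (0.4, 0.90), (1.0, 0.95))),
    FlowGroup("db",    100, ((0.1, 0.20), (0.6, 0.60), (1.0, 0.98))),
)
CAPACITY = 500

if __name__ == "__main__":
    print("uniform:", uniform_allocation(SAMPLE_GROUPS, CAPACITY))
    print("optimal:", optimal_allocation(SAMPLE_GROUPS, CAPACITY))
```

On the constructed input the uniform baseline can afford 40% everywhere (overall detection 0.764), while the per-group optimum keeps web and batch at 40% and spends the remaining budget on full monitoring of the small db group (0.818), which is the effect the abstract attributes to a non-uniform sampling rate distribution. A real deployment would replace the constructed curves with measured ones and, for many groups or fine-grained rates, hand the same constraints to a MILP solver.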

Updated: 2021-02-26