A moving target DDoS defense mechanism

• We design a moving target mechanism to defend against Internet service DDoS attacks.
• We propose a shuffling model to segregate innocent clients from malicious insiders.
• A greedy algorithm is designed to accelerate the segregation of insiders.
• Greedy algorithm enables defenders to plan defense resou...

Detailed description

Bibliographic details
Published in: Computer communications 2014-06, Vol.46, p.10-21
Main authors: Wang, Huangxin, Jia, Quan, Fleck, Dan, Powell, Walter, Li, Fei, Stavrou, Angelos
Format: Article
Language: eng
Subjects:
Online access: Full text
container_end_page 21
container_issue
container_start_page 10
container_title Computer communications
container_volume 46
creator Wang, Huangxin
Jia, Quan
Fleck, Dan
Powell, Walter
Li, Fei
Stavrou, Angelos
description • We design a moving target mechanism to defend against Internet service DDoS attacks.
• We propose a shuffling model to segregate innocent clients from malicious insiders.
• A greedy algorithm is designed to accelerate the segregation of insiders.
• Greedy algorithm enables defenders to plan defense resource to meet QoS goals.
In this paper, we introduce a moving target defense mechanism that defends authenticated clients against Internet service DDoS attacks. Our mechanism employs a group of dynamic, hidden proxies to relay traffic between authenticated clients and servers. By continuously replacing attacked proxies with backup proxies and reassigning (shuffling) the attacked clients onto the new proxies, innocent clients are segregated from malicious insiders through a series of shuffles. To accelerate the process of insider segregation, we designed an efficient greedy algorithm which is proven to have near optimal empirical performance. In addition, the insider quarantine capability of this greedy algorithm is studied and quantified to enable defenders to estimate the resource required to defend against DDoS attacks and meet defined QoS levels under various attack scenarios. Simulations were then performed which confirmed the theoretical results and showed that our mechanism is effective in mitigating the effects of a DDoS attack. The simulations also demonstrated that the overhead introduced by the shuffling procedure is low.
doi_str_mv 10.1016/j.comcom.2014.03.009
format Article
fulltext fulltext
identifier ISSN: 0140-3664
ispartof Computer communications, 2014-06, Vol.46, p.10-21
issn 0140-3664
1873-703X
language eng
recordid cdi_proquest_miscellaneous_1642216845
source ScienceDirect Journals (5 years ago - present)
subjects Clients
Computer simulation
DDoS
Denial of service attacks
Greedy algorithms
Insider
Moving target defense
Moving targets
Proxy client servers
Psychological effects
Secret proxy
Segregations
Shuffling
title A moving target DDoS defense mechanism
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-11T13%3A02%3A57IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=A%20moving%20target%20DDoS%20defense%20mechanism&rft.jtitle=Computer%20communications&rft.au=Wang,%20Huangxin&rft.date=2014-06-15&rft.volume=46&rft.spage=10&rft.epage=21&rft.pages=10-21&rft.issn=0140-3664&rft.eissn=1873-703X&rft_id=info:doi/10.1016/j.comcom.2014.03.009&rft_dat=%3Cproquest_cross%3E1642216845%3C/proquest_cross%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=1642216845&rft_id=info:pmid/&rft_els_id=S0140366414000954&rfr_iscdi=true