Mitigating DDoS Attacks in IdM Systems through Reorganizations in IdP Clusters (original title: Mitigando Ataques DDoS em SGIs por Reorganizações em Agrupamentos de IdP)

  • Ricardo Macedo UFPR
  • Leonardo Melniski UFPR
  • Aldri Santos UFPR
  • Yacine Ghamri-Doudane University of La Rochelle
  • Michele Nogueira UFPR

Abstract


Identity management (IdM) systems employ Identity Providers (IdPs) as guardians of users' critical information. However, Distributed Denial-of-Service (DDoS) attacks can make IdP operations unavailable, compromising legitimate IdM system users. This work presents SAMOS, a novel scheme to mitigate DDoS attacks in IdM systems through a new approach: reorganizations of IdP clusters using optimization techniques. SAMOS is triggered by monitoring processing and memory resources, unlike solutions in the literature, which are triggered by DDoS detection through network traffic analysis. SAMOS minimizes DDoS effects using the system's operational IdPs, unlike proposals that employ external computing resources. Results using data from a real IdM system indicate the scheme's viability.

Published
2015-11-09
MACEDO, Ricardo; MELNISKI, Leonardo; SANTOS, Aldri; GHAMRI-DOUDANE, Yacine; NOGUEIRA, Michele. Mitigando Ataques DDoS em SGIs por Reorganizações em Agrupamentos de IdP. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 15., 2015, Florianópolis. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2015. p. 58-71. DOI: https://doi.org/10.5753/sbseg.2015.20085.
