Mitigando Ataques DDoS em SGIs por Reorganizações em Agrupamentos de IdP
Resumo
Os sistemas de gerenciamento de identidades (SGI) utilizam Identity Providers (IdP) como guardiões das informações críticas dos usuários. No entanto, ataques DDoS (Distributed Denial-of-Service) podem indisponibilizar as operações prestadas por IdPs, prejudicando usuários legítimos. Este trabalho apresenta SAMOS, um esquema para mitigar ataques DDoS em SGIs através de uma abordagem inovadora: a reorganização de agrupamentos de IdPs usando técnicas de otimização. SAMOS atua em resposta ao monitoramento dos recursos de memória e processamento dos IdPs, diferentemente das soluções da literatura que agem em resposta à detecção do ataque através da análise do tráfego de rede. SAMOS minimiza os efeitos dos ataques DDoS empregando os IdPs operacionais do sistema, se distinguindo das propostas existentes que utilizam recursos computacionais externos. Resultados considerando dados de um SGI real indicam a viabilidade da proposta.
Referências
Arias Cabarcos, P., Almenárez, F., Gómez Mármol, F., and Marín, A. (2014). To federate or not to federate: A reputation-based mechanism to dynamize cooperation in identity management. Wirel. Pers. Commun., 75(3):1769–1786.
Aron, M., Druschel, P., and Zwaenepoel, W. (2000). Cluster reserves: A mechanism for resource management in cluster-based network servers. In Proceedings of the 2000 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems, pages 90–101, New York, NY, USA. ACM.
Barreto, L., Siqueira, F., Fraga, J., and Feitosa, E. (2013). An intrusion tolerant identity management infrastructure for cloud computing services. In IEEE International Conference on Web Services, pages 155–162.
Cao, Y. and Yang, L. (2010). A survey of identity management technology. In IEEE International Conference on Information Theory and Information Security, pages 287-293.
Carlson, F. R. (2014). Security analysis of cloud computing. CoRR, abs/1404.6849.
Compagno, A., Conti, M., Gasti, P., and Tsudik, G. (2013). Poseidon: Mitigating interest flooding ddos attacks in named data networking. In IEEE Conference on Local Computer Networks, pages 630–638.
Fu, Z., Papatriantafilou, M., and Tsigas, P. (2012). Mitigating distributed denial of service attacks in multiparty applications in the presence of clock drifts. IEEE Transactions on Dependable and Secure Computing, 9(3):401–413.
Giotis, K., Argyropoulos, C., Androulidakis, G., Kalogeras, D., and Maglaris, V. (2014). Combining openflow and sflow for an effective and scalable anomaly detection and mitigation mechanism on sdn environments. Computer Networks, 62(0):122 – 136.
Goldberg, D. E. (1989). Genetic Algorithms in Search, Optimization and Machine Learning. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 1st edition.
Handl, J. and Knowles, J. (2007). An evolutionary approach to multiobjective clustering. Evolutionary Computation, IEEE Transactions on, 11(1):56–76.
Jia, Q., Wang, H., Fleck, D., Li, F., Stavrou, A., and Powell, W. (2014). Catch me if you can: A cloud-enabled ddos defense. In IEEE/IFIP DSN, pages 264–275.
Karp, R. (1972). Reducibility among combinatorial problems. In Miller, R. and Thatcher, J., editors, Complexity of Computer Computations, pages 85–103. Plenum Press.
Kreutz, D., Feitosa, E., and Cunha, H. (2014). Provedores de identidade resilientes e confiáveis. Anais do XV Workshop de Testes e Tolerância a Falhas.
Leuven (2015). Guide: Local monitoring of a shibboleth identity provider. https://shib.kuleuven.be/docs/idp/2.x/install-idp-2.1-rhel-monitoring.html. Último Acesso: Junho de 2015.
Lonea, A., Tianfield, H., and Popescu, D. (2013). Identity management for cloud computing. In Balas, V. E., Fodor, J., and Várkonyi-Kóczy, A. R., editors, New Concepts and Applications in Soft Computing, volume 417 of Studies in Computational Intelligence, pages 175–199. Springer Berlin Heidelberg.
Shah, H., Anandane, S. S., and Shrikanth (2013). Security issues on cloud computing. CoRR, abs/1308.5996.
Tan, Y., Sengupta, S., and Subbalakshmi, K. (2011). Analysis of coordinated denial-of-service attacks in ieee 802.22 networks. IEEE Journal on Selected Areas in Communications, 29(4):890–902.
Torres, J., Nogueira, M., and Pujolle, G. (2013). A survey on identity management for the future network. IEEE Communications and Surveys Tutorials, 15(2):787–802.
UB (2013). UB Identity Management and Authentication Metrics. https://ubidm.buffalo.edu/stats/. Último Acesso em Outubro de 2013.
Watt, J., Sinnott, R., Inman, G., and Chadwick, D. (2011). Federated authentication and authorisation in the social science domain. In International Conference on Availability, Reliability and Security, pages 541–548.
Aron, M., Druschel, P., and Zwaenepoel, W. (2000). Cluster reserves: A mechanism for resource management in cluster-based network servers. In Proceedings of the 2000 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems, pages 90–101, New York, NY, USA. ACM.
Barreto, L., Siqueira, F., Fraga, J., and Feitosa, E. (2013). An intrusion tolerant identity management infrastructure for cloud computing services. In IEEE International Conference on Web Services, pages 155–162.
Cao, Y. and Yang, L. (2010). A survey of identity management technology. In IEEE International Conference on Information Theory and Information Security, pages 287-293.
Carlson, F. R. (2014). Security analysis of cloud computing. CoRR, abs/1404.6849.
Compagno, A., Conti, M., Gasti, P., and Tsudik, G. (2013). Poseidon: Mitigating interest flooding ddos attacks in named data networking. In IEEE Conference on Local Computer Networks, pages 630–638.
Fu, Z., Papatriantafilou, M., and Tsigas, P. (2012). Mitigating distributed denial of service attacks in multiparty applications in the presence of clock drifts. IEEE Transactions on Dependable and Secure Computing, 9(3):401–413.
Giotis, K., Argyropoulos, C., Androulidakis, G., Kalogeras, D., and Maglaris, V. (2014). Combining openflow and sflow for an effective and scalable anomaly detection and mitigation mechanism on sdn environments. Computer Networks, 62(0):122 – 136.
Goldberg, D. E. (1989). Genetic Algorithms in Search, Optimization and Machine Learning. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 1st edition.
Handl, J. and Knowles, J. (2007). An evolutionary approach to multiobjective clustering. Evolutionary Computation, IEEE Transactions on, 11(1):56–76.
Jia, Q., Wang, H., Fleck, D., Li, F., Stavrou, A., and Powell, W. (2014). Catch me if you can: A cloud-enabled ddos defense. In IEEE/IFIP DSN, pages 264–275.
Karp, R. (1972). Reducibility among combinatorial problems. In Miller, R. and Thatcher, J., editors, Complexity of Computer Computations, pages 85–103. Plenum Press.
Kreutz, D., Feitosa, E., and Cunha, H. (2014). Provedores de identidade resilientes e confiáveis. Anais do XV Workshop de Testes e Tolerância a Falhas.
Leuven (2015). Guide: Local monitoring of a shibboleth identity provider. https://shib.kuleuven.be/docs/idp/2.x/install-idp-2.1-rhel-monitoring.html. Último Acesso: Junho de 2015.
Lonea, A., Tianfield, H., and Popescu, D. (2013). Identity management for cloud computing. In Balas, V. E., Fodor, J., and Várkonyi-Kóczy, A. R., editors, New Concepts and Applications in Soft Computing, volume 417 of Studies in Computational Intelligence, pages 175–199. Springer Berlin Heidelberg.
Shah, H., Anandane, S. S., and Shrikanth (2013). Security issues on cloud computing. CoRR, abs/1308.5996.
Tan, Y., Sengupta, S., and Subbalakshmi, K. (2011). Analysis of coordinated denial-of-service attacks in ieee 802.22 networks. IEEE Journal on Selected Areas in Communications, 29(4):890–902.
Torres, J., Nogueira, M., and Pujolle, G. (2013). A survey on identity management for the future network. IEEE Communications and Surveys Tutorials, 15(2):787–802.
UB (2013). UB Identity Management and Authentication Metrics. https://ubidm.buffalo.edu/stats/. Último Acesso em Outubro de 2013.
Watt, J., Sinnott, R., Inman, G., and Chadwick, D. (2011). Federated authentication and authorisation in the social science domain. In International Conference on Availability, Reliability and Security, pages 541–548.
Publicado
09/11/2015
Como Citar
MACEDO, Ricardo; MELNISKI, Leonardo; SANTOS, Aldri; GHAMRI-DOUDANE, Yacine; NOGUEIRA, Michele.
Mitigando Ataques DDoS em SGIs por Reorganizações em Agrupamentos de IdP. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 15. , 2015, Florianópolis.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2015
.
p. 58-71.
DOI: https://doi.org/10.5753/sbseg.2015.20085.
