Understanding botclouds from a system perspective: A principal component analysis

Title: Understanding botclouds from a system perspective: A principal component analysis
Publication Type: Conference Paper
Year of Publication: 2014
Authors: Badis, H., Doyen, G., Khatoun, R.
Conference Name: Network Operations and Management Symposium (NOMS), 2014 IEEE
Date Published: May
Keywords: attack-as-a-service delivery model, botclouds, cloud computing, Computer crime, computer network security, Context, Correlation, DDoS Attacks, invasive software, IT industry, Measurement, principal component analysis, state-of-the-art botnets detection, Storms, TCP-flood, transport protocols, UDP-storm
Abstract

Cloud computing is gaining ground and becoming one of the fastest growing segments of the IT industry. However, while its numerous advantages are mainly used to support legitimate activity, it is now exploited for a use it was not meant for: malicious users leverage its power and fast provisioning to turn it into an attack support. Botnets supporting DDoS attacks are among the greatest beneficiaries of this malicious use, since they can be set up on demand and at very large scale without requiring a long dissemination phase or expensive deployment costs. For cloud service providers, preventing their infrastructure from being turned into an Attack-as-a-Service delivery model is very challenging, since it requires detecting threats at the source, in a highly dynamic and heterogeneous environment. In this paper, we present the results of an experiment campaign we performed in order to understand the operational behavior of a botcloud used for a DDoS attack. The originality of our work resides in the consideration of system metrics that, while never considered for state-of-the-art botnet detection, can be leveraged in the context of a cloud to enable source-based detection. Our study considers attacks based on both TCP-flood and UDP-storm and, for each of them, we provide statistical results based on a principal component analysis that highlight the recognizable behavior of a botcloud as compared to other legitimate workloads.
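The abstract describes the core of the method: collect per-VM system metrics, run a principal component analysis, and observe that botcloud instances cluster apart from legitimate workloads. The following block is an added illustration of that analysis, not code from the paper or its authors. The metric set (CPU, memory, outgoing packets per second, new flows per second) and every sample value are constructed assumptions chosen to resemble a web server, a batch job, a TCP-flood bot and a UDP-storm bot; the paper's actual metrics and measurements are not reproduced. PCA is implemented with plain Python (z-scoring, covariance, power iteration with deflation) so it runs without NumPy.

```python
"""Toy PCA over per-VM system metrics, separating botcloud from legitimate VMs.

Added example: the feature set and all sample values are constructed, not the
paper's data. Detection stance: the cloud provider looks at its own tenants'
resource metrics, never at attack traffic on the victim side.
"""
import math

# Assumed metric set for this example (not the paper's own feature list).
FEATURES = ("cpu_pct", "mem_pct", "out_pps", "new_flows_per_s")

# Constructed snapshots, three per workload class. Labels starting with
# "botcloud" are the attack VMs; everything else is a legitimate tenant.
SAMPLES = [
    ("legit_web",          (35, 62,    900,    60)),
    ("legit_web",          (40, 65,   1200,    90)),
    ("legit_web",          (45, 68,   1500,   120)),
    ("legit_batch",        (88, 82,     30,     2)),
    ("legit_batch",        (92, 86,     45,     3)),
    ("legit_batch",        (95, 90,     60,     5)),
    ("botcloud_tcp_flood", (75, 22,  90000, 45000)),
    ("botcloud_tcp_flood", (82, 25, 105000, 55000)),
    ("botcloud_tcp_flood", (90, 28, 120000, 70000)),
    ("botcloud_udp_storm", (65, 18, 160000,   800)),
    ("botcloud_udp_storm", (72, 20, 200000,  1200)),
    ("botcloud_udp_storm", (80, 24, 240000,  2000)),
]


def zscore(rows):
    """Standardise each feature (population mean/std) so pps does not dominate."""
    n, p = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(p)]
    stds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / n) for j in range(p)]
    return [[(r[j] - means[j]) / stds[j] for j in range(p)] for r in rows]


def covariance(z):
    """Population covariance of already-standardised rows (a correlation matrix)."""
    n, p = len(z), len(z[0])
    return [[sum(r[i] * r[j] for r in z) / n for j in range(p)] for i in range(p)]


def dominant_eigenpair(c, iters=1000):
    """Power iteration: largest eigenvalue and unit eigenvector of symmetric PSD c."""
    p = len(c)
    v = [1.0] * p
    for _ in range(iters):
        w = [sum(c[i][j] * v[j] for j in range(p)) for i in range(p)]
        norm = math.sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
    lam = sum(v[i] * sum(c[i][j] * v[j] for j in range(p)) for i in range(p))
    return lam, v


def principal_components(c, k=2):
    """First k (eigenvalue, loading vector) pairs via repeated deflation."""
    p = len(c)
    work = [row[:] for row in c]
    comps = []
    for _ in range(k):
        lam, v = dominant_eigenpair(work)
        comps.append((lam, v))
        # Remove the found component so the next iteration finds the next one.
        work = [[work[i][j] - lam * v[i] * v[j] for j in range(p)] for i in range(p)]
    return comps


def analyse(samples):
    """Project every sample onto PC1 and report loadings and explained variance."""
    labels = [s[0] for s in samples]
    z = zscore([s[1] for s in samples])
    c = covariance(z)
    comps = principal_components(c, 2)
    total_var = sum(c[i][i] for i in range(len(c)))
    pc1 = comps[0][1]
    scores = [sum(zi * wi for zi, wi in zip(row, pc1)) for row in z]
    return {
        "labels": labels,
        "scores": scores,
        "loadings": dict(zip(FEATURES, pc1)),
        "explained": [lam / total_var for lam, _ in comps],
    }


def pc1_gap(result):
    """Distance along PC1 between botcloud and legitimate VMs (sign-agnostic).

    Positive means the two groups do not overlap on the first component."""
    pairs = list(zip(result["labels"], result["scores"]))
    legit = [s for lbl, s in pairs if not lbl.startswith("botcloud")]
    bot = [s for lbl, s in pairs if lbl.startswith("botcloud")]
    return max(min(bot) - max(legit), min(legit) - max(bot))


if __name__ == "__main__":
    res = analyse(SAMPLES)
    for name, w in res["loadings"].items():
        print(f"PC1 loading {name:16s} {w:+.3f}")
    print("explained variance ratio (PC1, PC2):", [round(r, 3) for r in res["explained"]])
    for lbl, s in zip(res["labels"], res["scores"]):
        print(f"{lbl:20s} PC1 score {s:+.2f}")
    print("gap between botcloud and legitimate VMs on PC1:", round(pc1_gap(res), 2))
```

The interesting output is the loading vector: memory usage and outgoing packet rate carry opposite signs on PC1, so a single projected score expresses the "low memory footprint, very high packet rate" signature that the flooding VMs share, regardless of whether the attack is TCP or UDP. A provider could monitor that score per tenant without inspecting packet payloads.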

DOI: 10.1109/NOMS.2014.6838310
Citation Key: 6838310