TY - JOUR
T1 - Sampling Rate Distribution for Flow Monitoring and DDoS Detection in Datacenter
AU - Biswas, Rajorshi
AU - Kim, Sungji
AU - Wu, Jie
N1 - Funding Information:
Manuscript received April 15, 2020; revised October 22, 2020; accepted January 16, 2021. Date of publication January 25, 2021; date of current version February 23, 2021. This work was supported in part by the NSF under Grant CNS 1824440, Grant CNS 1828363, Grant CNS 1757533, Grant CNS 1618398, Grant CNS 1651947, and Grant CNS 1564128. The associate editor coordinating the review of this manuscript and approving it for publication was Dr. Issa Traore. (Corresponding author: Rajorshi Biswas.) The authors are with the Department of Computer and Information Sciences, Temple University, Philadelphia, PA 19122 USA (e-mail: rajorshi@temple.edu; sungji.sj.kim@temple.edu; jiewu@temple.edu). Digital Object Identifier 10.1109/TIFS.2021.3054522
Publisher Copyright:
© 2005-2012 IEEE.
PY - 2021
Y1 - 2021
N2 - Monitoring all internal flows in a datacenter is important for protecting a victim against internal distributed denial-of-service (DDoS) attacks. Unused virtual machines (VMs) in the datacenter serve as monitors, and flows are copied to them from software-defined networking (SDN) switches by installing special forwarding rules. In such a system, each monitor VM runs a machine learning method to detect DDoS behavior, but it can only process a limited number and volume of flows. When the volume of flows exceeds the combined capacity of all monitor VMs, the system sub-samples each flow probabilistically. The sampling rate affects the monitors' DDoS detection rate. Moreover, different types of flows yield different DDoS detection rates at the same sampling rate, so a uniform sampling rate might not produce a good overall detection rate, whereas assigning different sampling rates to different flows may produce the best result. In this paper, we propose a flow grouping approach based on behavioral similarity among VMs, followed by hierarchical clustering of the VMs; the sampling rate is uniform among all flows in a group. We investigate the relationship between the sampling rate and the DDoS detection rate. We then formulate an optimization problem for finding an optimal sampling rate distribution and solve it using mixed-integer linear programming. We conduct extensive experiments with Hadoop and Spark and present results that support the feasibility of our model.
UR - http://www.scopus.com/inward/record.url?scp=85100447791&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85100447791&partnerID=8YFLogxK
U2 - 10.1109/TIFS.2021.3054522
DO - 10.1109/TIFS.2021.3054522
M3 - Article
AN - SCOPUS:85100447791
SN - 1556-6013
VL - 16
SP - 2524
EP - 2534
JO - IEEE Transactions on Information Forensics and Security
JF - IEEE Transactions on Information Forensics and Security
M1 - 9335605
ER -
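The abstract above describes two mechanisms: probabilistic per-flow sub-sampling once the mirrored traffic exceeds the monitors' capacity, and choosing a per-group sampling rate distribution that maximizes overall DDoS detection under that capacity constraint. The following is an added illustration, not code from the paper or its authors. The group names, flow volumes, monitor capacity, and the detection-rate-versus-sampling-rate curves are constructed toy values, and the optimizer is an exhaustive search over a small discrete rate grid standing in for the paper's mixed-integer linear program; it shows why a uniform rate can lose detections compared with a per-group distribution.

```python
"""Added example: per-group sampling rate distribution under monitor capacity.

Not the paper's code. All numbers below are constructed for illustration.
"""
from itertools import product
import random

# Discrete sampling rates the optimizer may assign to a group (assumed grid).
RATE_GRID = (0.1, 0.25, 0.5, 1.0)

# Constructed flow groups, as they would look after clustering similar VMs.
#   volume: packets/s mirrored to the monitors if the group is sampled at 1.0
#   flows:  number of flows in the group
#   curve:  assumed detection rate of the monitors' ML model at each grid rate
GROUPS = {
    "web":   {"volume": 600, "flows": 40,
              "curve": {0.1: 0.30, 0.25: 0.60, 0.5: 0.85, 1.0: 0.95}},
    "batch": {"volume": 900, "flows": 10,
              "curve": {0.1: 0.80, 0.25: 0.90, 0.5: 0.95, 1.0: 0.97}},
    "db":    {"volume": 300, "flows": 20,
              "curve": {0.1: 0.20, 0.25: 0.45, 0.5: 0.75, 1.0: 0.92}},
}
CAPACITY = 1000  # assumed combined packets/s all monitor VMs can process


def sample_flow(packets, rate, seed=0):
    """Probabilistic sub-sampling of one flow: each packet is copied to the
    monitor independently with probability `rate` (seeded for reproducibility)."""
    rng = random.Random(seed)
    return [p for p in packets if rng.random() < rate]


def sampled_load(rates):
    """Packets/s that reach the monitors for a rate assignment {group: rate}."""
    return sum(GROUPS[g]["volume"] * r for g, r in rates.items())


def expected_detections(rates):
    """Expected number of attack flows detected, per-group curve times flows."""
    return sum(GROUPS[g]["flows"] * GROUPS[g]["curve"][r]
               for g, r in rates.items())


def uniform_rate():
    """Largest grid rate that fits capacity when applied to every group."""
    total = sum(g["volume"] for g in GROUPS.values())
    return max(r for r in RATE_GRID if total * r <= CAPACITY)


def optimal_rates():
    """Exhaustive search over the rate grid (stand-in for the paper's MILP):
    maximize expected detections subject to sampled_load <= CAPACITY."""
    names = list(GROUPS)
    best, best_score = None, -1.0
    for combo in product(RATE_GRID, repeat=len(names)):
        rates = dict(zip(names, combo))
        if sampled_load(rates) > CAPACITY:
            continue  # infeasible: monitors would drop mirrored packets
        score = expected_detections(rates)
        if score > best_score:
            best, best_score = rates, score
    return best


if __name__ == "__main__":
    u = uniform_rate()
    uniform = {g: u for g in GROUPS}
    print("uniform rate", u, "-> detections", expected_detections(uniform),
          "load", sampled_load(uniform))
    opt = optimal_rates()
    print("per-group rates", opt, "-> detections", expected_detections(opt),
          "load", sampled_load(opt))
    print("sampled packets of a 10k-packet flow at 0.25:",
          len(sample_flow(range(10000), 0.25, seed=1)))
```

With these constructed inputs the uniform assignment is 0.5 for every group, whereas the search gives the batch group (already well detected at a low rate) only 0.1 and spends the freed capacity on the web and db groups at full rate, raising the expected detections while staying within capacity. The same structure, a per-group rate variable, a capacity constraint and a detection objective, is what a MILP formulation would solve at scale.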