Monitoring all the internal flows in a datacenter is important to protect a victim against internal distributed denial-of-service (DDoS) attacks. Unused virtual machines (VMs) in a datacenter are used as monitors and flows are copied to the monitors from software defined networking (SDN) switches by adding some special rules. In such a system, a VM runs a machine learning method to detect DDoS behavior but it can only process a limited number/amount of flows. When the amount of flows is beyond the capacities of all monitor VMs, the system sub-samples each flow probabilistically. The sampling rate affects the DDoS detection rate of the monitors. Besides, the DDoS detection rates of different types of flows are different for the same sampling rate. A uniform sampling rate might not produce a good overall DDoS detection rate. Assigning different sampling rates to different flows may produce the best result. In this paper, we propose a flow grouping approach based on behavioral similarity among the VMs followed by hierarchical clustering of VMs. The sampling rate is uniform among all the flows in a group. We investigate the relationship between the sampling rate and the DDoS detection rate. Then, we formulate an optimization problem for finding an optimal sampling rate distribution and solve it using mix-integer linear programming. We conduct extensive experiments with Hadoop and Spark and present results that support the feasibility of our model.
|Original language||English (US)|
|Number of pages||11|
|Journal||IEEE Transactions on Information Forensics and Security|
|State||Published - 2021|
All Science Journal Classification (ASJC) codes
- Safety, Risk, Reliability and Quality
- Computer Networks and Communications