Securing virtual machines from DDoS attacks using hash-based detection techniques

Abstract

Virtual Machines (VM) are very commonly used resources in a cloud environment. However, due to Distributed Denial of Service attacks, VM’s became more vulnerable and its performance gets degraded. Hence, there is an inherent need for improving the security mechanism to detect and prevent the DDoS attacks in a VM. The crux for such mechanism is about guaranteeing that fast and early detection with minimal false alarm rate and ensures that the legitimate requests are not affected. At this end, a secure framework which includes cryptographic hash functions such as MD5 and SHA256 which are suggested and used in this work to create unique hash keys for each and every cloudlet (client request) into the virtual machines to identify illegitimate users in a VM. This work also conducts experimental comparisons on the computational overheads and it is proven that SHA-256 is more secure when compared to MD5. The obtained results show that the robustness and significance of the model towards mitigating the DDoS attacks in a virtual environment with maximum accuracy.

Keywords

Cloud computing security Distributed Denial of Service attacks virtual machines taxonomy defenses

1. Introduction

Cloud computing is defined as a set of computers organized and collected together in the same or different locations, operating together to serve various clients with distinct needs and provides on-demand services with the support of virtualization technology. Cloud computing is the most user-friendly approach for customers to deal with their requirements individually through the internet. To utilize various cloud services, customers need a browser with an internet connection. In recent days the cloud services like Gmail, Hotmail, Yahoo mail, Facebook, Dropbox, etc. are extensively used. Cloud computing provides Infrastructure as a Service; the cloud infrastructure is completely virtualized to make use of hardware through the massive database and remote servers as data centers trusted third party or cloud service providers will guard the cloud infrastructure and its maintenance [1]. This makes huge IT companies and other industries attracted to adopt cloud computing for their business to minimize the cost. The latest advancement in the cloud computing platform proved to be extremely helpful to various industries and individual clients in terms of getting a number of on-demand virtual services and resources through the internet. Virtualization is one of the essential technologies which make cloud computing achievable [33, 34, 37]. However, security issues are a concern to be a major challenge to a cloud environment [4, 35, 36]. Due to the lack of security in the cloud, many organizations are not willing to trust to relocate their activities because many security issues are making the cloud resource vulnerable as well as threatening the cloud users. As the cloud environment offers numerous benefits to the user concurrently it offers the ability to the intruders. In recent years several security attacks are encountered in the cloud environment [9, 12, 32]. Among all of them, Distributed Denial of Service attack (DDoS) [4, 5, 9] is one the considerable trouble to the availability of resources in the cloud. There is a high increase of DDoS attack reported events to make it one of the most considerable threats among many attacks [6, 12]. DDoS is performed conductive to agitate the services afforded by the cloud providers. The intruder can extremely disrupt the network connectivity of the victim or completely degrade the quality of the service. The malicious user initially compromises numerous agents and then utilizes them to degrade the performance of the target system. The main intention of a DDoS attack is to make the target system not capable to provide the resources to the intended/genuine user. Several mitigation techniques have been adopted to avoid Denial of Service attacks in the past few years [19], such as encryption mechanisms [3], classification methods [2, 4, 6, 22], Scaling of resources [22, 23], service resizing [10] and Software Defined Networking [26]. As DDoS attacks can be implemented in several forms [17, 2, 6, 13], the type/form of this kind of attacks cannot be anticipated in a virtual environment. In this paper, a novel detection mechanism is proposed, that is proficient to identify the typical DDoS attacks [29] which cripple downs the performance of the virtual machine. This work primarily attempts to answer the following significant questions,

1.
How to identify and mitigate DDoS attacks in VMs by using hash-based mechanisms?
2.
Are VMs more vulnerable under DDoS attacks? If so, to what extent does their performance damages?

In this connection, a couple of dynamic hash-based defense techniques (MD5 and SHA256) is introduced in this paper which helps to identify as well as prevent DDoS attacks by generating unique hash keys to each and every client request known as cloudlet which compraises client ID, Client IP, arrival time of cloudlet, length and size of cloudlet. The hash mechanisms which are introduced in this work can be proficient to protect the virtual machines in a cloud environment from malicious entries. This dynamic attack detection method will not only improve the detection rate of the attack but also helps to improve the performance. This work provides a practical approach towards securing the virtual machine using the cloudsim simulator. Experimental results show that this methodology reduces the malicious utilization of computation time, performance cost and network bandwidth of a VM in a cloud environment. Additionally, this work provides experimental evaluations of two hashing mechanisms individually. The rest of paper is organized as follows: In Section 2, a concise description of related/existing work is presented, Section 3 describes the scenario of DDoS attacks in VMs and illustrates the hash-based mechanisms employed in this work. Section 4 presents the experimental results and analysis. Finally, this paper concludes in Section 5.
2. Literature review

Securing and protecting the virtual machine against Denial of Service (DoS) and Distributed Denial of Service attacks are an extremely essential part of a cloud environment [27, 30]. In recent years, various defense mechanisms have been proposed to resolve this issue [3, 7, 9, 21]. In this section, few existing mitigation mechanisms against DDoS attacks are considered briefly.

Intrusion Detection System (IDS) can be considered as the most widely used anomaly detection strategies used to identify malicious attacks which endeavours to trade off the security goals [20, 28, 31]. However, this technique arguably fails to distinguish the most potential attributes for DoS attacks which should be tended to its initial occurrence [15, 16]. [29] focused on identifying some of the potential properties of DoS attacks in view of computing weight for each of the features using the Shannon entropy calculation. However, this work doesn’t specify performance measures. [24] proposes a DDoS attack detection and prevention mechanism by using a feature selection method and Intensive Care Request Processing Unit (ICRPU). This mechanism is used to classify the incoming requests. A self-tuning Cloud examining and administration mode is developed for expansion of virtual resources in [8]. But, attack prevention schemes are clearly not specified in this work moreover this mechanism is depending on co-operative intelligent agents. Nevertheless, this method supports only small infrastructures. A mitigation scheme described in [19] comprises of constant traffic separating through field firewalls, which can contrarily channel the attack packets; disconnected particular based traffic examination by means of VNFs in the neighbourhood servers. However, this mechanism probably identifies only DDoS attacks not another type of attacks [11]. [14] describes low rate DDoS attacks which abuse the cloud flexibility keeping in order to inflict extra operational expenses to cloud service providers. Advanced deep packet inspection-based methodologies using Software Defined Networking are examined in [7]. This mechanism describes how to effectively and quickly shield virtual machines from malicious attacks without consuming its resources. However, this approach will lead to scalability issues [1]. Describes the experimental evaluation of a DDoS attack on the OpenStack cloud platform. The analysis shows that DDoS attacks [14, 26] can consume the system resources and have a very negative effect as far as performance and cost incurred to cloud customers as well as providers. [14] illustrate the hypothesis test based on tstatistic to identify Low-rate DoS assault flow in a cloud environment. Depending upon services input workloads, authors identify suspicious activities by inspecting with real thermal data. A novel and promising technology called Software Defined Networking (SDN) is discussed by [26]. This architecture provides a dynamic networking architecture for cloud computing. A variety of abilities in SDN like centralized control, software-based traffic analysis, global view of the network, dynamic updating of forwarding rules will motivate the easier identification of DDoS attacks. However, some scalability and performance issues are considered as the drawbacks of this dynamic network architecture.

A novel filtering mechanism against DDoS is proposed by [7, 25, 26]. To scrutinize the strategic communications between a malicious user as well as a defender, a prominent decoy system known as honeypot-based detection strategy is introduced by [18]. Nevertheless, the best drawback of honeypot mechanism is its thin field of view. Usually, honeypots just observe what action is coordinated against them. When a malicious user breaks into a particular system and targets an assortment of frameworks, the honeypot will be wilfully ignorant of the movement except if it is condemned exactly. Availability issues of the cloud due to a DoS attack suggested in [12], in this work, authors presented a consolidated survey of security issues in a cloud environment. [6] presents an overview of DoS and DDoS attacks that are carried out in the cloud. In addition, various defensive methods, tools, and methods were discussed. But, this kind of approaches is difficult to implement in real time scenario. The main intention of this work is designing, examining the hash-based mechanism that is used for detecting and mitigating the Distributed Denial of Service attacks in VM’s.

3. Proposed mechanism for categorization of DDoS attack flow from the normal flow

In this work, we are performing an experimental study of the simulation of DDoS attacks on the virtual machine instance to analyse the impact on the computing time, performance cost and accumulated bandwidth of the virtual machine which is functioning under the ideal/normal environment as well as under attack environment. Evidently, cloud services are provided to cloud customers on demand (pay per use). All the cloud services that are provided to customers are responded by virtual machines which are shared in cloud infrastructure. If any kind of DDoS attacks takes place in the virtual machine then, certainly it will increase the cost, time and bandwidth to process the incoming task/request. However, this scenario leads to the denial of service to genuine/legitimate users to process their request or task. As cloud resources and services are available to cloud clients on pay per use provision, such malicious attacks cause the customer to pay more to avail the cloud resources or services. In addition, CSP is unable to satisfy its customers needs properly.

Figure 1.

Flowchart of the proposed mechanism.

Accordingly, we can find out virtualization technology in almost all the data centers. On the other hand, it remains strange whether virtual machines are more exposed and vulnerable to external malicious activities. If it is the case, up to which extent the performance of virtual machine degrades? We come up with a couple of hash-based mechanisms to identify, discriminate, analyse and examine the performance of virtual machines under a typical denial-of-service attack. The proposed DDoS attack detection mechanism is deployed in every virtual machine in the cloud environment. This secure approach can be proficient to perform suspicion-based traffic shaping by using hash mechanisms such as MD5 and SHA256. This approach is capable enough to prevent the illegitimate entries into the virtual machine and allows only the legitimate traffic. As a result, the performance of the VM increases and cost decreases. The basic pseudo code for identifying a DDoS attack in a VM with the assistance of hashing techniques is illustrated below.

For each cloudlet submitted to VM

//Hash based detection process accepts the cloudlet based on the following criterion

//Generate unique hash value for each and every cloudlet

=

(clientid

+

clientIP

+

time

+

length

+

fileSize). hashCode (); // MD5

=

SHA.hashValue (clientid

+

clientIp

+

time

+

length

+

fileSize); // SHA-256

// generate list of clientcloudlets (client requests)

For (String C: getclientcloudlets ( ). Keyset ( ) )

{

//If redundant hash code of client cloudlets is greater than predefined threshold then remove the cloudlets else allow the

requests (cloudlets) into the VM

If (clientcloudlets). REDUNhashkeys ( )

>

{

Cloudletlist.remove (clientcloudlets);

}

Else

Accept clientcloudlets;

}

Pseudo code for identifying DDoS attack in a VM

Here, each cloudlet is represented as a request from the client to VM to perform a particular task. The flow of the proposed mechanism is illustrated in Fig. 1. Whenever a client sends a request (cloudlet) to VM, each cloudlet contains distinct client ID, client IP, cloudlet arrival time, cloudlet length (size of cloudlet executed in cloud resource) and at last the file size. All these are considered as input parameters and for each and every incoming set of above parameters, MD5 and SHA mechanisms will generate a unique hash key (Fig. 1). If the malicious user submits the same cloudlet again and again, then the resources will be allocated to those cloudlets and consequently, the regular user will suffer for the unavailability of resources.

Figure 2.

Architecture of the attack mitigation mechanism in the virtual machine.

Therefore, in this mechanism, whenever the attacker creates duplicate cloudlets to flood the virtual machine, subsequently redundant hash keys can be generated as specified in Fig. 1. Whenever the redundant entries (cloudlets) are crossing the limit of the predefined threshold function then those can be treated as an illegitimate entry and that will be avoided from entering into the VM. Figure 2 depicts the architecture of a mitigation mechanism which is deployed in every virtual machine in the cloud and here input specifies incoming request of cloudlet. Each and every cloudlet encompasses unique client ID, client IP, cloudlet arrival time and size. This architecture illustrates the typical DDoS attack mitigation framework which is deployed in VM at the time of VM launching. This mechanism chiefly identifies suspicion-based incoming traffic shaping with the assistance of the secure generation of unique hash-keys of each and every request to the VM. Here, each and every cloudlet This approach can be able to identify malicious traffic and protects the VM from harmful resource consumption. This work also evaluates the performance of the virtual machine under attacks from multiple sources and inputs by examining different computational parameters like network bandwidth, computational cost, processing time and network bandwidth. By considering the obtained outcomes, it is proven that our proposed system is efficient enough to classify the legitimate and illegitimate entries into the system.

The effect of DDoS attack and consequent performance degradation of a virtual machine is measured by considering the parameters like computational time which is usually defined as measure of time for which a processing unit (CPU) was utilized for processing a cloudlet (task), processing cost which is referred as the cost per second a cloud resource (cost per unit of storage, cost per unit of memory, cost per unit of used bandwidth) charge to execute a particular cloudlet. Moreover, network bandwidth. Here, cloudlet is nothing but a client request to VM to perform a particular task. Moreover, Cloud clients (SaaS suppliers) need to pay for the expenses of memory and capacity when they make and instantiate VMs, though the expenses for system utilization are just acquired in case of transfer of data. The processing time of the cloudlet managed by a virtual machine is given by

$\displaystyle\text{pt}(\text{c})=\text{ct}+\frac{\text{rl}}{\text{capacity}% \times\text{cores}(\text{p})}$ (1)

where pt is processing time of a particular cloudlet (c), ct is nothing but current simulation time, cores (p) is a number of cores (processing elements) required by the cloudlet and capacity are defined as processing strength of individual elements.

3.1 Algorithms used

3.1.1 MD5 (Message-Digest) algorithm

Message Digest 5 (MD5) algorithm is commonly used for the secure hash algorithm. This algorithm takes input as a message of arbitrary length and produces a fixed length output which is used for authenticating the original input message. However, MD5 is designed to be utilized as a cryptographic hash function.

Here, client Id, client Ip, cloudlet arrival time, cloudlet length and file size are the inputs and message digest for this input need to find out.

The processing involves the following steps:

Step 1:
Append the padded bits.

The input message is padded so that the length of the message is congruent to 448, modulo 512. It means that it extended to 64 bits shy of being of 512 bits long. (At this point, single “1” bit is appended to the input message, and the remaining “0” bits are appended such that the length of the total bit equals 448 modulo 512).
Step 2:
Append length.

A 64-bit representation of input message is appended to the outcome (result) of step1 (The resultant message has a length that is an accurate multiple of 512 bits.
Step 3:
Initialize Message Digest buffer.

To calculate the message, digest a four-word buffer is used and here each of the words is a 32 bit register. These registers are initialized as a certainly fixed constant as follows:

Word A: 01 23 45 67 Word B: 89 ab cd ef Word C: fe dc ba 98 Word D: 76 54 32 10

Step 4:
Process message in 16-word blocks.

Four auxiliary functions which receive as input message, three 32-bit words and generates as output one 32-bit word.

F (X, Y, Z) = XY v not (X) Z

G (X, Y, Z) = XZ v Y not (Z)

H (X, Y, Z) = X xor Y xor Z

I (X, Y, Z) =Y xor (X v not (Z))

(If the bits of X,Y AND Z are unbiased, the each bit of F (X, Y, Z), G (X, Y, Z), H (X, Y, Z) and I (X, Y, Z) will be unbiased and independent.)
Step 5:
Output.

The message digest produced as output is A, B, C and D. That is, output begins with the low-order byte of A and ends with a high-order byte of D.

3.1.2 SHA (secure hash algorithm)

SHA-256 is a cryptographic hash function with a length of 256 bits. In this function, a message is handled/processed by blocks of 512 $=$ 16 $\times$ 32 bits and each and every individual block requiring 64 rounds.

Basic operations

In this algorithm, boolean operations AND, XOR and OR are used. Respectively, Bitwise complement operator and Integer addition modulo 2 ${}^{32}$ . Every one of them works on 32-bit words. For the last operation, binary words are interpreted as numbers written in base 2. RotR (X, n) indicates the circular right shift/move of n bits of the binary word X, ShR (X, n) indicates the right shift of n bits of the binary word X and X $||$ Y indicates the concatenation of the binary words X and y.

Functions and constants

The algorithm uses following functions C (X, Y, Z) $=$ (X $\wedge$ Y) $\oplus$ ( $\sim$ X $\wedge$ Z), M (X, Y, Z) $=$ (X $\wedge$ Y) $\oplus$ (X $\wedge$ Z) $\oplus$ (Y $\wedge$ Z), $\Sigma 0$ (X) $=$ RotR (X, 2) $\oplus$ RotR (X, 13) $\oplus$ RotR (X, 12), $\Sigma 1$ (X) $=$ RotR (X, 6) $\oplus$ RotR (X, 11) $\oplus$ RotR(X, 25), $\sigma$ 0 (X) $=$ RotR (X, 7) $\oplus$ RotR (X, 18) $\oplus$ ShR (X,3), $\sigma$ 1(X) $=$ RotR (X, 17) $\oplus$ RotR (X, 19) $\oplus$ ShR (X, 10), furthermore, the 64 binary words k ${}_{\text{i}}$ given by the 32 first bits of the fractional parts of the cube roots of the initial 64 prime numbers

Padding

To guarantee that the input message has a length of 512 bits, a bit1 is appended then, k bits 0 are appended, with k being the smallest positive number to such an extent that l $+$ 1 $+$ k $\equiv$ 448 mod 512, where l is the length in bits of the initial message. Finally, the length l $<$ 2 ${}^{64}$ of the initial message is represented with precisely 64 bits, and these bits are included at the end of the message. The message will dependably be padded, regardless of whether the initial length is already multiple of 512.

Block decomposition

For each block M {0, 1} ${}^{512}$ , 64 words of 32 bits each are formed as follows:

The first 16 are obtained by dividing M into 32-bit squares.

$\displaystyle\text{M}=\text{W1}||\text{W2}||\ldots\text{kW15}||\text{W16}$ (2)

The remaining 48 are attained with the formula:

$\displaystyle\text{Wi}=\sigma 1(\text{Wi}-2)+\text{Wi}-7+\sigma 0(\text{Wi}-15% )+\text{Wi}-16,17\leqslant\text{i}\leqslant 64$ (3)

Hash computation

Initial, eight factors are set to their initial values, given by the first 32 bits of the fractional part of the square root of the first 8 prime numbers and the blocks M ${}^{(1)}$ , M ${}^{(2)}$ …M ${}^{(\text{N})}$ are processed one at a time.

Input and output

The input and output of this function are described as follows:

Input: M is a chain of bytes of arbitrary length

Output: a positive integer in the interval {0, 2 ${}^{256}$ }, the value of the hash of M

4. Similation environment and experimental analysis

4.1 Cloudsim and its basic model

Cloudsim is software developed by “The cloud computing and distributed systems (CLOUDS) laboratory, University of Melbourne”. For this work, we use version 3.03. This software provided cloud framework for modelling and simulation of cloud services and infrastructures. So, under cloudsim, simulation of the virtualized data center and the creation of virtual machines can be done. This simulator allows us to create and schedule the simulated jobs. Figure 3 shows that the basic entities which are included in the cloudsim framework and the interactions among them. Initially, the cloudsim framework creates one entity named as Cloud Information Service (CIS) which is nothing but a kind of registry which contains the resources that are available on the cloud. Here, the resources are nothing but the data center and each data center contains some hosts and each host contains some virtual machine. Subsequently, the data center will be created and once it is created it must be registered in the CIS. The registration process will be done by the CIS. Each data center is having some characteristics those are nothing but the properties of the resource like resource ID, operating system, management policies (space shared or time shared), etc. Every data center may have at least one host and each host may have some hardware configurations, those are nothing but, a number of processing elements, RAM, bandwidth, etc.

Figure 3.

Cloudsim basic framework.

In the virtualized environment, the host will be virtualized into a number of virtual machines. Eventually, every data center has some host, every host has some virtual machines. Each virtual machine again has hardware configurations like bandwidth, RAM, etc. Moreover, in this simulator, it is possible to construct the virtual machine configurations based upon the user needs. User can able to configure the critical characteristics of a virtual machine-like storage and memory. As per the cloudsim framework, whenever the data center is created then it just needs to register with the CIS. Once the registration process is done then, the broker is created which is nothing but a data center broker class and it is responsible for submitting tasks to the data entered. This broker basically retrieves the resource information which is registered with the CIS. Whenever the data center is registered with CIS then the broker retrieves the data center characteristics. Once, broker retrieves the data center characteristics subsequently, the set of cloudlets (tasks) will be submitted to the broker. Eventually, the broker is having all the details of the registered data center then, it will directly interact with the data center and assign the cloudlets to the VMs which are running on a particular host. Hence the three entities like CIS, data center and broker plays a major role in this cloud simulation model. So, this is the basic framework that cloudsim tool provides. Here, more than one task can be submitted to the virtual machines based on scheduler policies. This simulation framework provides three different kinds of policies those are nothing but, VM allocation policy, VM scheduler policy, and Cloudlet scheduler policy. All the policies are either time shared or space shared. Therefore, the above specified policies and entities will govern the cloudsim framework.

4.2 Results and discussions

The effectiveness of the proposed secure hash mechanisms could be evaluated over simulator named as CloudSim. The simulation environment is intel core i5, 2.10 GHz and 8 GB memory. This work additionally brings out tentative comparisons upon computational resources of two hashing approaches such as MD5 and SHA-256 independently. In this work, we analyse the degradation of performance experienced by the virtual machine. Evidently, the performance degradation is evaluated by considering the variations of time and cost in attack and non-attack scenarios.

Figure 4.

Performance evaluation of computation time in attack and non-attack scenario.

Figure 5.

Performance evaluation of processing cost in attack and non-attack scenario.

Figure 6.

Performance evaluation of accumulated bandwidth cost in attack and non-attack scenario.

Primarily, a random set of cloudlets (client requests to VM) (100, 300, 500, 1000, 1500, 2000, 2500, 3000) were submitted to the virtual machine then, processing time (time taken to process a particular cloudlet) and cost (total cost for running the cloudlet in the cloud resource) for each set of cloudlets to be calculated in attack as well as non-attack scenarios. Tables 2–4 show the difference in processing time, cost as well as accumulated bandwidth when a virtual machine is operating under attack/non-attack environments as well as the secured environment. As we observed, the computation time, cost and bandwidth are significantly affected and increased by the DDoS attack. Subsequently, our proposed hash-based mechanisms were applied to the set of cloudlets individually and according to the predefined threshold, redundant or illegitimate entries can be able to identify.

The proposed mechanism considers five parameters of the cloudlet such as client id, client IP, requesting time, cloudlet length and file size which are used to classify the incoming cloudlets. Here, we analyze and compare the fluctuations of computational time, processing cost and accumulated bandwidth with legitimate as well as an increasing number of incoming illegitimate cloudlets. Later, we analyze the time and cost of the virtual machine after applying the MD5 and SHA algorithms. As the results are shown in Tables 2–4 the proposed dynamic hashing mechanism is the potential to detect the incoming illegitimate entries into the system. This method is stable enough to resist the DDoS attacks in a virtual environment with maximum accuracy. Moreover, the observations of this work were compared with the computational overheads of two hashing strategies, i.e., MD5 and SHA-256. However, the running time of MD5 is faster than SHA256 because of output hash key size. The comparison of computation time between MD5 and SHA-256 algorithms. However, when considering the performance cost and accumulated bandwidth, SHA256 is more efficient then MD5. The execution comparisons between MD5 and SHA algorithms proves that SHA is more efficient and secure than MD5 on the other hand MD5 is faster than SHA.

4.2.1 Comparative analysis between MD5 and SHA-256 algorithms

Hash collisions occur whenever those two given inputs give a similar hash output. It is simple to generate collisions in MD5. Comparatively, MD5 offers poor security against collisions than SHA256. Contrarily, SHA 256 it is not simple to produce a collision in SHA256 (collision resistant) and this algorithm is currently unbroken or in other words “massive” (a greater number of operations than SHA-1, yet with a similar structure).

Table 1
Comparison between MD5 and SHA-256

Features	MD5	SHA-256
Length of message digest	128-bit length	256-bit length
Speed	Faster, 60 iterations	Slower, 80 iterations
Attacks to attempt and identify two messages	2 ${}^{64}$ operations required	2 ${}^{256}$ operations required
creating a similar MD
Security	Less secure than SHA-256	More secure
Hash collisions	Easy to produce collisions	Not easy to produce collisions
Collisions found	Yes	Theoritical
Output performance	335 MiB/s	192 MiB/s

SHA256 is considerably more secure as it does not currently have any known attacks against hash collisions. Generally, Hash collisions demonstrate that two unique entries (cloudlets) that have the same hash values compromise the respectability of incoming data. Comparatively, SHA-256 offers longer hashes and therefore increased difficulty in finding collisions. MD5 approach no longer measured cryptographically protected as hash collisions and disruptions have been initiate. In contrast, SHA-256 begins by depicting by padding the incoming message with its possible length a 1 and 0’s preceding at that point part it into 32-bits. This approach incorporates rightward moves in the bits as one of its activities extending the collection of tasks past those in the SHA-1 series. Moreover, SHA256 has more rounds i.e, these rounds have an additional rotation of bits and the combining of state terms/words are somewhat distinct. This comparative study of MD5 and SHA-256 algorithms is helped to understand the proper way and different methods to secure cloud resources from unauthorized access and guarantee integrity over the incoming traffic.

4.2.2 Usage of computation time during DDoS

We first measure the effect of DoS activity on the usage of computation time while the virtual machine sits out of idle. To this end, the measurements were performed by observing the time consumption of the different set of cloudlets as shown in Table 2. To outline the impact of enabling DDoS flooding on a virtual machine, Table 2 depicts the usage of computational time when DDoS attacks are enabled and in addition when they are disabled. Under the DDoS attack, the virtual machine consumes more computational time. The proposed hash-based mechanism provides a promising solution to categorize the malicious entries from genuine ones and keeps the attack packets before they extend and gives more accurate results. This paper is an early work to discuss mitigating DDoS attacks in a virtual machine and analysing the performance of virtual machines under DDoS attacks. As a new research field, there are numerous issues to be additionally explored and improved. There are many promising avenues to be investigated further. We show some of them here in view of our comprehension. Initially, a couple of hash-based mechanisms such as MD5 and SHA256 to mitigate DDoS attacks in a cloud environment are implemented, which simplifies as well as improves our analysis and makes our experiments feasible by filtering malicious entries into the system.

Table 2
Performance evaluation based on computational time

Number of cloudlets	Computational time (msec)
	Non-attack environment	Attack environment	Using MD5 algorithm	Using SHA algorithm
100	1687.45	8537.95	1687.47	4678.65
300	4567.06	15794.65	4596.12	11794.65
500	6744.02	37361.37	6776.12	15361.37
1000	13469.62	56947.45	14469.62	30345.55
1500	31350.07	64475.04	32400.11	56879.66
2000	41378.65	70345.33	41379.85	62465.67
2500	49345.34	80432.33	52534.56	71432.54
3000	52438.34	87345.67	53243.45	75645.34

As we increase the attack rate the relating increment in CPU use show that the virtual machine will keep on degrading as they are uncovered to higher attack rates. The obtained results show that the proposed hash-based mitigation mechanism facilitates to reduce malicious entries into the system. Moreover, comparison of computation time between MD5 and SHA-256 algorithm is analysed. Resultantly, the running time of the Secure Hashing Algorithm is slower than MD5 algorithm.

4.2.3 Usage of computation cost and bandwidth during DDoS

In this work, we also focused on the processing cost as a chief parameter to analyze the performance evaluation of a virtual machine. Cloud computing offers the dynamic provision of resources. Because of DDoS attacks considerable resource utilization experienced by the virtual machines. As can be seen, high resource utilization is available for VM in the DDoS case (Table 3).

Table 3
Performance evaluation based on processing cost

Number of cloudlets	Processing cost (bp/s)
	Non-attack environment	Attack environment	Using MD5 algorithm	Using SHA algorithm
100	2600.53	5494.14	8281.89	1098.56
300	4324.39	7723.66	4478.84	2034.32
500	8211.73	16839.03	8281.89	3236.02
1000	19299.1	35732.34	20386.76	10546.99
1500	43434.82	68765.56	45567.57	25009.05
2000	48543.67	75564.87	50464.66	32564.09
2500	52564.87	88598.09	58962.45	35765.03
3000	62564.85	92564.76	69543.45	41234.04

This reveals that high resource consumption phenomenon is experienced at whatever point the VM encounters a DDoS stream that contains malicious entries at a high rate. We likewise tried a various set of cloudlet bundles and found that this flooding of cloudlets sent at a high rate achieving the end system prompts these phenomena. In addition, these attacks look to devour the accessible data transfer capacity (bandwidth) of the virtual network, to such an extent that legitimate traffic can’t achieve its destination. Table 4 shows the bandwidth consumption when an attack is taken place. The high saturation of bandwidth leads to large performance degradation as well as unavailability of resources to genuine clients. Additionally, a comparison of parameters like computation cost and accumulated bandwidth between MD5 and the SHA-256 algorithm is analysed. Subsequently, SHA256 is efficient and more secure than MD5 algorithm.

Table 4

Performance evaluation based on accumulated bandwidth cost

Number of cloudlets	Accumulated bandwidth (kbps)
	Non-attack environment	Attack environment	Using MD5 algorithm	Using SHA algorithm
100	2.45	5.22	2.07	2.05
300	3.01	7.08	3.31	3.06
500	4.03	4.03	4.03	4.03
1000	7.13	11.23	8.19	7.09
1500	9.01	13.11	10.76	9.04
2000	12.14	16.24	13.31	12.11
2500	16.55	20.22	17.32	15.45
3000	18.54	23.65	18.64	17.03

We systematically analyzed the individual efficiency of MD5 and SHA256 for concern parameters in the system, such as computation time, performance cost, network bandwidth and prominently, the obtained results showed that SHA256 is more efficient and secure then MD5. From this, the performance degradation of virtual machines under DDoS attacks are illustrated. parameter-based analysis and simulation confirm that one can identify and mitigate DDoS attacks in a virtual environment. Considering more number of parameters would certainly improve the efficiency and robustness of the proposed approach. The identification and incorporation of additional parameters for the detection of DDoS attacks are needed.

5. Conclusion and further discussions

VMs are very commonly used resources in a cloud environment. However, DDoS attacks degrade the performance of the virtual machine and make its services unavailable to the intended users. In this scenario, it is essential to develop a system which is based on the categorization to ensure cloud security and availability. This work provides a secure framework that incorporates a couple of cryptographic hash functions such as MD5 and SHA256 which are used to produce unique hash keys for each and every entry into the virtual machines. The obtained result shows both mechanisms are proficient to identify the attacks accurately and it results in performance improvement as well as a reduction of cost. Moreover, comparative analysis of computational overheads of both MD5 and SHA-256 approaches is done in this work. Noticeably, SHA256 is more efficient and secure then MD5. This comparison provides appropriate ways and various techniques to secure virtual resources from unauthorized access and assurance the integrity over the insecure networks. As a part of our future work, we want to explore this hash-based model for malicious attack resource consumption in a real cloud environment.

Footnotes

Authors’ Bios

Damai Jessica Prathyusha is a Research Scholar in School of Computing Science and Engineering at VIT University, Vellore. She earned degrees in Bachelor of Technology (B.Tech) from Annamacharya Institute of Technology and Sciences, Tirupati, Master of Technology (MTech) from Sree Vidyanikethan Engineering College, Tiruapti. She has published four papers in international journals. Her research interest is Cloud security and Computer networks.

K. Govinda in an Associate Professor in VIT from 2005 to till date, he received the degree in computer science and engineering from Nagarjuna University in 1998, Master of Technology (MTech) from JNTU, Hyderabad. He is a life member in CSI, IEEE and ACM. Published 100

+

papers and participated in 50

+

conferences. His interest area includes Database, Data Mining, Cloud Computing, IOT and Big Data.

References

Bhardwaj

Sharma

Mangat

Kumar

and Vig

, Experimental Analysis of DDoS Attacks on OpenStack Cloud Platform, in: Proceedings of 2nd International Conference on Communication, Computing and Networking, Springer, Singapore, 2019, pp. 3–13.

Sahi

et al., An Efficient DDoS TCP Flood Attack Detection and Prevention, 2017.

Wani

A.R.

Rana

Q.P.

and Pandey

, Performance Evaluation and Analysis of Advanced Symmetric Key Cryptographic Algorithms for Cloud Computing Security, in: Soft Computing: Theories and Applications, Springer, Singapore, 2019, pp. 261–271.

Taravat

Del Frate

Cornaro

and Vergari

, Neural networks and support vector machine algorithms for automatic cloud classification of whole-sky ground-based images, IEEE Geoscience and Remote Sensing Letters 12(3) (2015), 666–670.

Varghese

and Buyya

, Next generation cloud computing: new trends and research directions, Future Generation Computer Systems 79 (2018), 849–861.

Stergiou

Psannis

K.E.

Kim

B.G.

and Gupta

, Secure integration of IoT and cloud computing, Future Generation Computer Systems 78 (2018), 964–975.

Wang

Miu

T.T.

Luo

and Wang

, SkyShield: a sketch-based defense system against application layer DDoS attacks, IEEE Transactions on Information Forensics and Security 13(3) (2018), 559–573.

Grzonka

Jakobik

Kołodziej

and Pllana

, Using a multi-agent system and artificial intelligence for monitoring and improving the cloud performance and security, Future Generation Computer Systems 86 (2018), 1106–1117.

Prathyusha

D.J.

and Naseera

, A study on cloud security issues, Multiagent and Grid Systems 13(2) (2017), 69–95.

10.

Somani

et al., Service resizing for quick DDoS mitigation in cloud computing environment? Annales des telecommunications/annals of telecommunications. Annals of Telecommunications 72(5–6) (2017), 237–252.

11.

Samy

G.N.

Albakri

S.H.

Maarop

Magalingam

Hooi-Ten Wong

Shanmugam

and Perumal

, Novel Risk Assessment Method to Identify Information Security Threats in Cloud Computing Environment, in: International Conference of Reliable Information and Communication Technology, Springer, Cham, 2018 june, pp. 566–578.

12.

Tian

Nan

Jiang

Chang

C.C.

Ning

and Huang

, Public auditing for shared cloud data with efficient and secure group management, Information Sciences 472 (2018), 107–125.

13.

Bhushan

and Gupta

B.B.

, Security challenges in cloud computing: state-of-art, International Journal of Big Data Intelligence 4(2) (2017), 81–107.

14.

Bhushan

and Gupta

B.B.

, Hypothesis test for low-rate DDoS attack detection in cloud computing environment, Procedia Computer Science 132 (2018), 947–955.

15.

Kalkan

and Alagöz

, A distributed filtering mechanism against DDoS attacks: ScoreForCore, Computer Networks 108 (2016), 199–209.

16.

Kritikos

Kirkham

Kryza

and Massonet

, Towards a security-enhanced PaaS platform for multi-cloud applications, Future Generation Computer Systems 67 (2017), 206–226.

17.

Lai

Rasmusson

Adar

Zhang

and Huberman

B.A.

, Tycoon: an implementation of a distributed, market-based resource allocation system, Multiagent and Grid Systems 1(3) (2005), 169–182.

18.

Wang

Maharjan

and Sun

, Strategic honeypot game model for distributed denial of service attacks in the smart grid, IEEE Transactions on Smart Grid 8(5) (2017), 2474–2482.

19.

Zhou

Guo

and Deng

, A fog computing based approach to DDoS mitigation in IIoT systems, Computers & Security 85 (2019), 51–62.

20.

Ahmed

and Litchfield

A.T.

, Taxonomy for identification of security issues in cloud computing environments, Journal of Computer Information Systems 58(1) (2018), 79–88.

21.

Hawedi

Talhi

and Boucheneb

, Security as a service for public cloud tenants (SaaS), Procedia Computer Science 130 (2018), 1025–1030.

22.

Stillwell

et al., Resource allocation algorithms for virtualized service hosting platforms? Journal of parallel and distributed computing, Elsevier Inc 70(9) (2010), 962–974. System in a cloud environment? IEEE Access 5, 6036–6048.

23.

Ficco

and Palmieri

, Introducing fraudulent energy consumption in cloud infrastructures: a new generation of denial-of-service attacks, IEEE Systems Journal 11(2) (2017), 460–470.

24.

Bharot

Verma

Sharma

and Suraparaju

, Distributed denial-of-service attack detection and mitigation using feature selection and intensive care request processing unit, Arabian Journal for Science and Engineering 43(2) (2018), 959–967.

25.

Karger

P.A.

and Safford

D.R.

, I/O for virtual machine monitors: security and performance issues, IEEE Security & Privacy (5) (2008), 16–23.

26.

Yan

et al., Software-defined networking (SDN) and distributed denial of service (DDOS) attacks in cloud computing environments: a survey, some research issues, and challenges? IEEE Communications Surveys and Tutorials 18(1) (2016), 602–622.

27.

Kemp

, Legal aspects of cloud security, Computer Law & Security Review 34(4) (2018), 928–932.

28.

Iqbal

et al., On cloud security attacks: a taxonomy and intrusion detection and prevention as a service? Journal of Network and Computer Applications, Elsevier 74 (2016), 98–120.

29.

Khan

Gani

Wahab

A.W.A.

and Singh

P.K.

, Feature selection of denialof-service attacks using entropy and granular computing, Arabian Journal for Science and Engineering 43(2) (2018), 499–508.

30.

Mansfield-Devine

, The growth and evolution of DDoS, Network Security 2015(10) (2015), 13–20.

31.

et al., Can we beat DDoS attacks in clouds? IEEE Transactions on Parallel and Distributed Systems 25(9) (2014), 2245–2254.

32.

Tsai

S.C.

Liu

I.H.

C.T.

Chang

C.H.

and Li

J.S.

, Defending cloud computing environment against the challenge of DDoS attacks based on software-defined network, in: Advances in Intelligent Information Hiding and Multimedia Signal Processing, Springer, Cham, 2017, pp. 285–292.

33.

S.H.

Yen

D.C.

Chen

S.C.

Chen

P.S.

W.H.

and Cho

C.C.

, Effects of virtualization on information security, Computer Standards & Interfaces 42 (2015), 1–8.

34.

Majhi

S.K.

and Dhal

S.K.

, Threat modelling of virtual machine migration auction, Procedia Computer Science 78 (2016), 107–113.

35.

Tuzel

Bridgman

Zepf

Lengyel

T.K.

and Temkin

K.J.

, Who watches the watcher? Detecting hypervisor introspection from unprivileged guests, Digital Investigation 26 (2018), S98–S106.

36.

Gilad

Herzberg

Sudkovitch

and Goberman

, CDN-on-Demand: An affordable DDoS Defense via Untrusted Clouds, In NDSS, 2016.

37.

Han

Chan

Alpcan

and Leckie

, Using virtual machine allocation policies to defend against co-resident attacks in cloud computing, IEEE Transactions on Dependable and Secure Computing 14(1) (2017), 95–108.

Securing virtual machines from DDoS attacks using hash-based detection techniques

Abstract

Keywords

1. Introduction

3. Proposed mechanism for categorization of DDoS attack flow from the normal flow

3.1.1 MD5 (Message-Digest) algorithm

Basic operations

Functions and constants

Padding

Block decomposition

Hash computation

Input and output

4.1 Cloudsim and its basic model

Table 1 Comparison between MD5 and SHA-256

Table 2 Performance evaluation based on computational time

Table 3 Performance evaluation based on processing cost

Footnotes

Authors’ Bios

References

Table 1
Comparison between MD5 and SHA-256

Table 2
Performance evaluation based on computational time

Table 3
Performance evaluation based on processing cost