Global ETD Search

81	Reliability and security of vector routing protocols Li, Yan, doctor of computer science 01 June 2011 (has links) As the Internet becomes the ubiquitous infrastructure for various applications, demands on the reliability, availability and security of routing protocols in the Internet are becoming more stringent. Unfortunately, failures are still common in the daily operation of a network. Service disruption for even a short time can seriously affect the quality of real-time applications, such as VoIP and video on demand applications. Moreover, critical business and government applications require routing protocols to be robust against malicious attacks, such as denial of Service attacks. This dissertation proposes three techniques to address some reliability and security concerns in intra-domain (distance vector) routing protocols and inter-domain (path vector) routing protocols. The first technique addresses the problem of service disruption that arises from sudden link failures in distance vector routing protocols. We consider two types of link failures: single link failures and shared risk link group failures. For single link failures, we propose an IP fast reroute mechanism to reroute packets around the failed links. This fast reroute mechanism is the first that does not require complete knowledge of the network topology and does not require changing of the original routing protocol. This mechanism proactively computes a set of relay nodes that can be used to tunnel the rerouted packets immediately after the detection of a link or node failure. The mechanism includes an algorithm for a node to automatically identify itself as a candidate relay node for a reroute link and notify the source node of the reroute link of its candidacy. The source node can then decide the validity of a candidate relay node. The mechanism also includes an algorithm to suppress redundant notification messages. We then extend our IP fast reroute mechanism for single link failures to accommodate shared risk link group failures. We achieve this goal by introducing one more bit information. Through simulations, I show that the proposed mechanisms succeed in rerouting around failed links about 100% of the time, with the length of the reroute path being comparable to the length of the re-converged shortest path. The second technique addresses the problem that arises from allowing any node to route data packets to any other node in the network (and consequently allow any adversary node to launch DoS attacks against other nodes in the network). To solve this problem, we propose a blocking option to allow a node u to block a specified set of nodes and prevent each of them from sending or forwarding packets to node u. The blocking option intends to discard violating packets near the adversary nodes that generated them rather than near their ultimate destinations. We then discuss unintentionally blocked nodes, called blind nodes and extend the routing protocols to allow each node to communicate with its blind nodes via some special nodes called joint nodes. Finally, I show, through extensive simulation, that the average number of blind nodes is close to zero when the average number of blocked nodes is small. The third technique addresses the problem that arises when a set of malicious ASes in the Internet collude to hijack an IP prefix from its legitimate owner in BGP. (Note that none of previous proposals for protecting BGP against IP prefix hijacking is effective when malicious ASes can collude.) To solve this problem, we propose an extension of BGP in which each listed AS in an advertised route supplies a certified full list of all its peers. Then I present an optimization where each AS in an advertised route supplies only a balanced peer list, that is much smaller than its full peer list. Using real Internet topology data, I demonstrate that the average, and largest, balanced peer list is 92% smaller than the corresponding full peer list. Furthermore, in order to handle the dynamics of the Internet topology, we propose algorithms on how to issue certificates to reflect the latest changes of the Internet topology graph. Although the results in this dissertation are presented in the context of distance vector and path vector routing protocols, many of these results can be extended to link state routing protocols as well. / text Routing protocols Reliability Denial of service IP fast reroute Failure recovery Blocking option Computer security IP prefix hijacking Collusion-resistant Balanced peer lists
82	An aggregative approach for scalable detection of DoS attacks Hamidi, Alireza 22 August 2008 (has links) If not the most, one of the serious threats to data networks, particularly pervasive commercial networks such as Voice-over-IP (VoIP) providers is Denial-of-Service (DoS) attack. Currently, majority of solutions for these attacks focus on observing detailed server state changes due to any or some of the incoming messages. This approach however requires significant amount of server’s memory and processing time. This results in detectors not being able to scale up to the network edge points that receive millions of connections (requests) per second. To solve this problem, it is desirable to design stateless detection mechanisms. One approach is to aggregate transactions into groups. This research focuses on stateless scalable DoS intrusion detection mechanisms to obviate keeping detailed state for connections while maintaining acceptable efficiency. To this end, we adopt a two-layer aggregation scheme termed Advanced Partial Completion Filters (APCF), an intrusion detection model that defends against DoS attacks without tracking state information of each individual connection. Analytical as well as simulation analysis is performed on the proposed APCF. A simulation test bed has been implemented in OMNET++ and through simulations it is observed that APCF gained notable detection rates in terms of false positive and true positive detections, as opposed to its predecessor PCF. Although further study is needed to relate APCF adjustments to a certain network situation, this research shows invaluable gain to mitigate intrusion detection from not so scalable state-full mechanisms to aggregate scalable approach. Voice over IP Intrusion detection systems Denial of Service Attacks Scalability Partial completion attacks
83	Denial of service : prevention, modelling and detection Smith, Jason January 2007 (has links) This research investigates the denial of service problem, in the context of services provided over a network, and contributes to improved techniques for modelling, detecting, and preventing denial of service attacks against these services. While the majority of currently employed denial of service attacks aim to pre-emptively consume the network bandwidth of victims, a significant amount of research effort is already being directed at this problem. This research is instead concerned with addressing the inevitable migration of denial of service attacks up the protocol stack to the application layer. Of particular interest is the denial of service resistance of key establishment protocols (security protocols that enable an initiator and responder to mutually authenticate and establish cryptographic keys for establishing a secure communications channel), which owing to the computationally intensive activities they perform, are particularly vulnerable to attack. Given the preponderance of wireless networking technologies this research hasalso investigated denial of service and its detection in IEEE 802.11 standards based networks. Specific outcomes of this research include: - investigation of the modelling and application of techniques to improve the denial of service resistance of key establishment protocols; - a proposal for enhancements to an existing modelling framework to accommodate coordinated attackers; - design of a new denial of service resistant key establishment protocol for securing signalling messages in next generation, mobile IPv6 networks; - a comprehensive survey of denial of service attacks in IEEE 802.11 wireless networks; discovery of a significant denial of service vulnerability in the clear channel assessment procedure implemented by the medium access control layer of IEEE 802.11 compliant devices; and - design of a novel, specification-based intrusion detection system for detecting denial of service attacks in IEEE 802.11 wireless networks. denial of service resistance key establishment attack prevention specificationbased intrusion detection security modelling cost-based modelling mobile IP IEEE 802.11 wireless networks crypto-based identifiers.
84	Trust-based application grouping for cloud datacenters : improving security in shared infrastructures / Agrupamento de aplicações baseado em relações de confiança para datacenters de nuvens : aumentando a segurança em infraestruturas compartilhadas Marcon, Daniel Stefani January 2013 (has links) A computação em nuvem é um paradigma que tem atraído uma grande quantidade de clientes por meio do oferecimento de recursos computacionais através de um modelo de pagamento pelo uso. Entretanto, o compartilhamento da rede interna da nuvem por todos os locatários possibilita que usuários utilizem de forma egoísta ou maliciosa os recursos da rede, ocasionando ataques contra a privacidade e a integridade dos dados e a disponibilidade dos recursos. Os algoritmos de alocação atuais não impedem que a disponibilidade dos recursos de rede seja afetada por ataques ou resultam em subutilização de recursos. Nessa dissertação, é proposta uma estratégia para a alocação de recursos que aumenta a segurança no compartilhamento da rede da nuvem entre as aplicações de locatários. Esse objetivo é alcançado por meio do agrupamento de aplicações provenientes de usuários mutuamente confiáveis em domínios logicamente isolados, compostos por um conjunto de máquinas virtuais interconectadas por uma rede virtual (infraestruturas virtuais – VIs), além de considerar-se a quantidade de tráfego gerada pela comunicação entre VMs da mesma aplicação. Devido à complexidade do problema de alocação de recursos em nuvens computacionais, a estratégia é decomposta em duas etapas. Na primeira, dado um conjunto pre-estabelecido de VIs, alocam-se as mesmas no substrato físico, enquanto a segunda distribui e mapeia as aplicações no conjunto de infraestruturas virtuais. O uso de VIs provê um maior nível de isolamento entre locatários e, consequentemente, maior segurança. Contudo, o agrupamento pode resultar em fragmentação e afetar negativamente o grau de utilização dos recursos. Dessa forma, estuda-se esse compromisso e a factibilidade da abordagem proposta. Os resultados mostram os benefícios da estratégia de alocação proposta, que oferece maior proteção aos recursos de rede com baixo custo extra. Em particular, a segurança aumenta logaritmicamente de acordo com o número de VIs, enquanto a fragmentação de recursos cresce linearmente de acordo com o aumento do número de VIs oferecidas pelo provedor. / Cloud computing can offer virtually unlimited resources without any upfront capital investment through a pay-per-use pricing model. However, the shared nature of multi-tenant cloud datacenter networks enables unfair or malicious use of the intra-cloud network by tenants, allowing attacks against the privacy and integrity of data and the availability of resources. Recent research has proposed resource allocation algorithms that cannot protect tenants against attacks in the network or result in underutilization of resources. In this thesis, we introduce a resource allocation strategy that increases the security of network resource sharing among tenant applications. This is achieved by grouping applications from mutually trusting users into logically isolated domains composed of a set of virtual machines as well as the virtual network interconnecting them (virtual infrastructures - VIs), while considering the amount of traffic generated by the communication between VMs from the same application. Due to the hardness of the cloud resource allocation problem, we decompose the strategy in two steps. The first one allocates a given set of VIs onto the physical substrate, while the second distributes and maps applications into the set of virtual infrastructures. The use of VIs provides some level of isolation and higher security. However, groups may lead to fragmentation and negatively affect resource utilization. Therefore, we study the associated trade-off and feasibility of the proposed approach. Evaluation results show the benefits of our strategy, which is able to offer better network resource protection against attacks with low additional cost. In particular, the security can be logarithmically increased according to the number of VIs, while internal resource fragmentation linearly grows as the number of VIs offered by the provider increases. Redes : Computadores Seguranca : Redes : Comunicacao : Dados Computação em nuvem Cloud computing Resource allocation Intra-cloud network sharing Security Performance interference Denial of service
85	Trust-based application grouping for cloud datacenters : improving security in shared infrastructures / Agrupamento de aplicações baseado em relações de confiança para datacenters de nuvens : aumentando a segurança em infraestruturas compartilhadas Marcon, Daniel Stefani January 2013 (has links) A computação em nuvem é um paradigma que tem atraído uma grande quantidade de clientes por meio do oferecimento de recursos computacionais através de um modelo de pagamento pelo uso. Entretanto, o compartilhamento da rede interna da nuvem por todos os locatários possibilita que usuários utilizem de forma egoísta ou maliciosa os recursos da rede, ocasionando ataques contra a privacidade e a integridade dos dados e a disponibilidade dos recursos. Os algoritmos de alocação atuais não impedem que a disponibilidade dos recursos de rede seja afetada por ataques ou resultam em subutilização de recursos. Nessa dissertação, é proposta uma estratégia para a alocação de recursos que aumenta a segurança no compartilhamento da rede da nuvem entre as aplicações de locatários. Esse objetivo é alcançado por meio do agrupamento de aplicações provenientes de usuários mutuamente confiáveis em domínios logicamente isolados, compostos por um conjunto de máquinas virtuais interconectadas por uma rede virtual (infraestruturas virtuais – VIs), além de considerar-se a quantidade de tráfego gerada pela comunicação entre VMs da mesma aplicação. Devido à complexidade do problema de alocação de recursos em nuvens computacionais, a estratégia é decomposta em duas etapas. Na primeira, dado um conjunto pre-estabelecido de VIs, alocam-se as mesmas no substrato físico, enquanto a segunda distribui e mapeia as aplicações no conjunto de infraestruturas virtuais. O uso de VIs provê um maior nível de isolamento entre locatários e, consequentemente, maior segurança. Contudo, o agrupamento pode resultar em fragmentação e afetar negativamente o grau de utilização dos recursos. Dessa forma, estuda-se esse compromisso e a factibilidade da abordagem proposta. Os resultados mostram os benefícios da estratégia de alocação proposta, que oferece maior proteção aos recursos de rede com baixo custo extra. Em particular, a segurança aumenta logaritmicamente de acordo com o número de VIs, enquanto a fragmentação de recursos cresce linearmente de acordo com o aumento do número de VIs oferecidas pelo provedor. / Cloud computing can offer virtually unlimited resources without any upfront capital investment through a pay-per-use pricing model. However, the shared nature of multi-tenant cloud datacenter networks enables unfair or malicious use of the intra-cloud network by tenants, allowing attacks against the privacy and integrity of data and the availability of resources. Recent research has proposed resource allocation algorithms that cannot protect tenants against attacks in the network or result in underutilization of resources. In this thesis, we introduce a resource allocation strategy that increases the security of network resource sharing among tenant applications. This is achieved by grouping applications from mutually trusting users into logically isolated domains composed of a set of virtual machines as well as the virtual network interconnecting them (virtual infrastructures - VIs), while considering the amount of traffic generated by the communication between VMs from the same application. Due to the hardness of the cloud resource allocation problem, we decompose the strategy in two steps. The first one allocates a given set of VIs onto the physical substrate, while the second distributes and maps applications into the set of virtual infrastructures. The use of VIs provides some level of isolation and higher security. However, groups may lead to fragmentation and negatively affect resource utilization. Therefore, we study the associated trade-off and feasibility of the proposed approach. Evaluation results show the benefits of our strategy, which is able to offer better network resource protection against attacks with low additional cost. In particular, the security can be logarithmically increased according to the number of VIs, while internal resource fragmentation linearly grows as the number of VIs offered by the provider increases. Redes : Computadores Seguranca : Redes : Comunicacao : Dados Computação em nuvem Cloud computing Resource allocation Intra-cloud network sharing Security Performance interference Denial of service
86	Modèles et mécanismes pour la protection contre les attaques par déni de service dans les réseaux de capteurs sans fil / Mechanisms and modeling tools for protection against denial of service attacks in wireless sensor networks Monnet, Quentin 17 July 2015 (has links) Composés d'appareils fortement limités en ressources (puissance de calcul, mémoire et énergie disponible) et qui communiquent par voie hertzienne, les réseaux de capteurs sans fil composent avec leurs faibles capacités pour déployer une architecture de communication de manière autonome, collecter des données sur leur environnement et les faire remonter jusqu'à l'utilisateur. Des « transports intelligents » à la surveillance du taux de pollution environnemental, en passant par la détection d'incendies ou encore l'« Internet des objets », ces réseaux sont aujourd'hui utilisés dans une multitude d'applications. Certaines d'entre elles, de nature médicale ou militaire par exemple, ont de fortes exigences en matière de sécurité. Les travaux de cette thèse se concentrent sur la protection contre les attaques dites par « déni de service », qui visent à perturber le fonctionnement normal du réseau. Ils sont basés sur l'utilisation de capteurs de surveillance, qui sont périodiquement renouvelés pour répartir la consommation en énergie. De nouveaux mécanismes sont introduits pour établir un processus de sélection efficace de ces capteurs, en optimisant la simplicité de déploiement (sélection aléatoire), la répartition de la charge énergétique (sélection selon l'énergie résiduelle) ou encore la sécurité du réseau (élection démocratique basée sur un score de réputation). Sont également fournis différents outils pour modéliser les systèmes obtenus sous forme de chaines de Markov à temps continu, de réseaux de Petri stochastiques (réutilisables pour des opérations de model checking) ou encore de jeux quantitatifs / Memory and little energy available), communicating through electromagnetic transmissions. In spite of these limitations, sensors are able to self-deploy and to auto-organize into a network collecting, gathering and forwarding data about their environment to the user. Today those networks are used for many purposes: “intelligent transportation”, monitoring pollution level in the environment, detecting fires, or the “Internet of things” are some example applications involving sensors. Some of them, such as applications from medical or military domains, have strong security requirements. The work of this thesis focuses on protection against “denial of service” attacks which are meant to harm the good functioning of the network. It relies on the use of monitoring sensors: these sentinels are periodically renewed so as to better balance the energy consumption. New mechanisms are introduced so as to establish an efficient selection process for those sensors: the first one favors the ease of deployment (random selection), while the second one promotes load balancing (selection based on residual energy) and the last one is about better security (democratic election based on reputation scores). Furthermore, some tools are provided to model the system as continuous-time Markov chains, as stochastic Petri networks (which are reusable for model checking operations) or even as quantitative games Réseaux de capteurs sans fils Énergie Sécurité Déni de service Détection d'intrusion Modélisation Wireless Sensor Networks Energy Security Denial of Service Intrusion detection Modeling
87	Trust-based application grouping for cloud datacenters : improving security in shared infrastructures / Agrupamento de aplicações baseado em relações de confiança para datacenters de nuvens : aumentando a segurança em infraestruturas compartilhadas Marcon, Daniel Stefani January 2013 (has links) A computação em nuvem é um paradigma que tem atraído uma grande quantidade de clientes por meio do oferecimento de recursos computacionais através de um modelo de pagamento pelo uso. Entretanto, o compartilhamento da rede interna da nuvem por todos os locatários possibilita que usuários utilizem de forma egoísta ou maliciosa os recursos da rede, ocasionando ataques contra a privacidade e a integridade dos dados e a disponibilidade dos recursos. Os algoritmos de alocação atuais não impedem que a disponibilidade dos recursos de rede seja afetada por ataques ou resultam em subutilização de recursos. Nessa dissertação, é proposta uma estratégia para a alocação de recursos que aumenta a segurança no compartilhamento da rede da nuvem entre as aplicações de locatários. Esse objetivo é alcançado por meio do agrupamento de aplicações provenientes de usuários mutuamente confiáveis em domínios logicamente isolados, compostos por um conjunto de máquinas virtuais interconectadas por uma rede virtual (infraestruturas virtuais – VIs), além de considerar-se a quantidade de tráfego gerada pela comunicação entre VMs da mesma aplicação. Devido à complexidade do problema de alocação de recursos em nuvens computacionais, a estratégia é decomposta em duas etapas. Na primeira, dado um conjunto pre-estabelecido de VIs, alocam-se as mesmas no substrato físico, enquanto a segunda distribui e mapeia as aplicações no conjunto de infraestruturas virtuais. O uso de VIs provê um maior nível de isolamento entre locatários e, consequentemente, maior segurança. Contudo, o agrupamento pode resultar em fragmentação e afetar negativamente o grau de utilização dos recursos. Dessa forma, estuda-se esse compromisso e a factibilidade da abordagem proposta. Os resultados mostram os benefícios da estratégia de alocação proposta, que oferece maior proteção aos recursos de rede com baixo custo extra. Em particular, a segurança aumenta logaritmicamente de acordo com o número de VIs, enquanto a fragmentação de recursos cresce linearmente de acordo com o aumento do número de VIs oferecidas pelo provedor. / Cloud computing can offer virtually unlimited resources without any upfront capital investment through a pay-per-use pricing model. However, the shared nature of multi-tenant cloud datacenter networks enables unfair or malicious use of the intra-cloud network by tenants, allowing attacks against the privacy and integrity of data and the availability of resources. Recent research has proposed resource allocation algorithms that cannot protect tenants against attacks in the network or result in underutilization of resources. In this thesis, we introduce a resource allocation strategy that increases the security of network resource sharing among tenant applications. This is achieved by grouping applications from mutually trusting users into logically isolated domains composed of a set of virtual machines as well as the virtual network interconnecting them (virtual infrastructures - VIs), while considering the amount of traffic generated by the communication between VMs from the same application. Due to the hardness of the cloud resource allocation problem, we decompose the strategy in two steps. The first one allocates a given set of VIs onto the physical substrate, while the second distributes and maps applications into the set of virtual infrastructures. The use of VIs provides some level of isolation and higher security. However, groups may lead to fragmentation and negatively affect resource utilization. Therefore, we study the associated trade-off and feasibility of the proposed approach. Evaluation results show the benefits of our strategy, which is able to offer better network resource protection against attacks with low additional cost. In particular, the security can be logarithmically increased according to the number of VIs, while internal resource fragmentation linearly grows as the number of VIs offered by the provider increases. Redes : Computadores Seguranca : Redes : Comunicacao : Dados Computação em nuvem Cloud computing Resource allocation Intra-cloud network sharing Security Performance interference Denial of service
88	Um esquema de segurança para quadros de controle em redes IEEE 802.11 FRANÇA NETO, Ivan Luiz de 14 August 2015 (has links) Submitted by Haroudo Xavier Filho (haroudo.xavierfo@ufpe.br) on 2016-03-11T14:34:26Z No. of bitstreams: 2 license_rdf: 1232 bytes, checksum: 66e71c371cc565284e70f40736c94386 (MD5) DissertacaoIvanFranca.pdf: 1367108 bytes, checksum: 8ceed302b395b606d9ac49b5a05987db (MD5) / Made available in DSpace on 2016-03-11T14:34:26Z (GMT). No. of bitstreams: 2 license_rdf: 1232 bytes, checksum: 66e71c371cc565284e70f40736c94386 (MD5) DissertacaoIvanFranca.pdf: 1367108 bytes, checksum: 8ceed302b395b606d9ac49b5a05987db (MD5) Previous issue date: 2015-08-14 / Os quadros de controle IEEE 802.11 desempenham funções importantes na rede sem fio. Dentre elas estão o controle de acesso ao meio de comunicação, a recuperação de quadros armazenados no Ponto de Acesso e a confirmação do recebimento de blocos de quadros ou de certos tipos de quadros. Apesar da importância dos quadros de controle, eles são vulneráveis a ataques de forjação, manipulação e reinjeção devido a inexistência de mecanismos de proteção. Este trabalho propõe um esquema de segurança para quadros de controle em redes IEEE 802.11 a fim de evitar esses ataques. A proposta se diferencia dos trabalhos relacionados por prover um alto grau de segurança em todos os seus módulos com baixo impacto na vazão da rede. Além disso, a proposta não incorre nas fraquezas que eles possuem na contenção dos ataques de reinjeção e no processo de geração e distribuição de chaves. / IEEE 802.11 control frames play important role in the wireless network. Among them are the medium access control, the retrieving of buffered frames in the Access Point, and the acknowledgment of block of frames or certain types of frames. Despite their importance, control frames remain vulnerable to forging, tampering, and replay attacks due to lack of protection mechanisms. This work proposes a security scheme for IEEE 802.11 control frames to prevent such attacks. Our proposal differs from related work by providing a high level of security in all modules along with low impact on network throughput. Furthermore, the proposal avoid the weaknesses that they have in the restraint the replay attacks and in the key generation and distribution process. Redes sem fio Quadros de controle Geração e distribuição de chave Negação de Serviço Ataque de replicação Wireless network Control frame Denial of service Key generation and distribution Replay attack
89	Vers une détection à la source des activités malveillantes dans les clouds publics : application aux attaques de déni de service / Toward a source based detection of malicious activities in public clouds : application to denial of service attacks Hammi, Badis 29 September 2015 (has links) Le cloud computing, solution souple et peu couteuse, est aujourd'hui largement adopté pour la production à grande échelle de services IT. Toutefois, des utilisateurs malveillants tirent parti de ces caractéristiques pour bénéficier d'une plate-forme d'attaque prête à l'emploi dotée d'une puissance colossale. Parmi les plus grands bénéficiaires de cette conversion en vecteur d’attaque, les botclouds sont utilisés pour perpétrer des attaques de déni de service distribuées (DDoS) envers tout tiers connecté à Internet.Si les attaques de ce type, perpétrées par des botnets ont été largement étudiées par le passé, leur mode opératoire et leur contexte de mise en œuvre sont ici différents et nécessitent de nouvelles solutions. Pour ce faire, nous proposons dans le travail de thèse exposé dans ce manuscrit, une approche distribuée pour la détection à la source d'attaques DDoS perpétrées par des machines virtuelles hébergées dans un cloud public. Nous présentons tout d'abord une étude expérimentale qui a consisté à mettre en œuvre deux botclouds dans un environnement de déploiement quasi-réel hébergeant une charge légitime. L’analyse des données collectées permet de déduire des invariants comportementaux qui forment le socle d'un système de détection à base de signature, fondé sur une analyse en composantes principales. Enfin, pour satisfaire au support du facteur d'échelle, nous proposons une solution de distribution de notre détecteur sur la base d'un réseau de recouvrement pair à pair structuré qui forme une architecture hiérarchique d'agrégation décentralisée / Currently, cloud computing is a flexible and cost-effective solution widely adopted for the large-scale production of IT services. However, beyond a main legitimate usage, malicious users take advantage of these features in order to get a ready-to-use attack platform, offering a massive power. Among the greatest beneficiaries of this cloud conversion into an attack support, botclouds are used to perpetrate Distributed Denial of Service (DDoS) attacks toward any third party connected to the Internet.Although such attacks, when perpetrated by botnets, have been extensively studied in the past, their operations and their implementation context are different herein and thus require new solutions. In order to achieve such a goal, we propose in the thesis work presented in this manuscript, a distributed approach for a source-based detection of DDoS attacks perpetrated by virtual machines hosted in a public cloud. Firstly, we present an experimental study that consists in the implementation of two botclouds in a real deployment environment hosting a legitimate workload. The analysis of the collected data allows the deduction of behavioural invariants that form the basis of a signature based detection system. Then, we present in the following a detection system based on the identification of principal components of the deployed botclouds. Finally, in order to deal with the scalability issues, we propose a distributed solution of our detection system, which relies on a mesh peer-to- peer architecture resulting from the overlap of several overlay trees Informatique dans les nuages Attaques par déni de service Expériences Cloud computing Computer networks -- Security measures Denial of service attacks Experimental approach 005.8
90	Service Availability in Cloud Computing : Threats and Best Practices Adegoke, Adekunle, Osimosu, Emmanuel January 2013 (has links) Cloud computing provides access to on-demand computing resources and storage space, whereby applications and data are hosted with data centers managed by third parties, on a pay-per-use price model. This allows organizations to focus on core business goals instead of managing in-house IT infrastructure. However, as more business critical applications and data are moved to the cloud, service availability is becoming a growing concern. A number of recent cloud service disruptions have questioned the reliability of cloud environments to host business critical applications and data. The impact of these disruptions varies, but, in most cases, there are financial losses and damaged reputation among consumers. This thesis aims to investigate the threats to service availability in cloud computing and to provide some best practices to mitigate some of these threats. As a result, we identified eight categories of threats. They include, in no particular order: power outage, hardware failure, cyber-attack, configuration error, software bug, human error, administrative or legal dispute and network dependency. A number of systematic mitigation techniques to ensure constant availability of service by cloud providers were identified. In addition, practices that can be applied by cloud customers and users of cloud services, to improve service availability were presented. service availability high availability service failure service disruption cloud computing cloud outage denial of service security disaster recovery. Computer Sciences Datavetenskap (datalogi)

Search results