NAVIGATE

Table of Contents

STATISTICS

Viewed433

Downloads366

ReDoS Defense Method Based on Moving Target Defense in Cloud-native Environment
[HTML]   PDF下载 (366)
[1]HU Hongchao,ZHANG Shuaipu,CHENG Guozhen,et al.ReDoS Defense Method Based on Moving Target Defense in Cloud-native Environment[J].Journal of Zhengzhou University (Engineering Science),2024,45(02):72-79.[doi:10.13705/j.issn.1671-6833.2023.05.009]
Copy
Journal of Zhengzhou University (Engineering Science)[ISSN 1671-6833/CN 41-1339/T] Volume: 45 Number of periods: 2024 02 Page number: 72-79 Column: Public date: 2024-03-06
Title:
ReDoS Defense Method Based on Moving Target Defense in Cloud-native Environment
Author(s):
HU Hongchao 1 ZHANG Shuaipu 2 CHENG Guozhen 3 HE Weizhen 3
1. Zhongyuan Network Security Research Institute, Zhengzhou University, Zhengzhou 450001,China; 2. School of Cyber Science and Engineering, Zhengzhou University, Zhengzhou 450001,China; 3. Information Technology Research Institute, University of Information Engineering, Zhengzhou 450001, China
Keywords:
microservices ReDoS moving target defenseheterogeneous regular expression
CLC:
-
DOI:
10.13705/j.issn.1671-6833.2023.05.009
Abstract:
In addressing the inefficiencies and limitations in proactive defense against Regular Expression Denial of Service (ReDoS) attacks in cloud-native environments, we have developed a defense method based on Moving Target Defense (MTD) technology. Initially, we analyzed the behaviors of both attackers and defenders within microservice applications characteristic of cloud-native environments. Subsequently, leveraging Kubernetes, we designed an MTD-based defense system. This system incorporates dynamic and static multi-dimensional microservice weight indices based on topology information and request arrival rates, as well as service efficiency judgment indices based on queue theory. It also includes a method for selecting the timing of key microservice rotations to guide the selection and rotation timings of critical microservices. Finally, we introduced a multi-dimensional MTD heterogeneous rotation algorithm, grounded in heterogeneity and service efficiency, and conducted simulations using Python. Experimental results indicate that our proposed algorithm reduces defense latency by approximately 50% compared to dynamic scaling and that defense costs stabilize after the initial defense against an attack, preventing continuous growth.
References:
[1] 岳猛, 王怀远, 吴志军, 等. 云计算中DDoS攻防技术研究综述[J]. 计算机学报, 2020, 43(12): 2315-2336.
YUE M, WANG H Y, WU Z J, et al. A survey of DDoS attack and defense technologies in cloud computing[J]. Chinese Journal of Computers, 2020, 43(12): 2315-2336.
[2] 辛园园, 钮俊, 谢志军, 等. 微服务体系结构实现框架综述[J]. 计算机工程与应用, 2018, 54(19): 10-17.
XIN Y Y, NIU J, XIE Z J, et al. Survey of implementation framework for microservices architecture[J]. Computer Engineering and Applications, 2018, 54(19): 10-17.
[3] 张宇鹏, 吴自力, 陈鸣, 等. 面向交叉微服务链的任务调度优化[J]. 西安电子科技大学学报, 2021, 48(6): 32-39.
ZHANG Y P, WU Z L, CHEN M, et al. Optimization of task scheduling oriented to cross microservice chains[J]. Journal of Xidian University, 2021, 48(6): 32-39.
[4] LI Z, JIN H, ZOU D Q, et al. Exploring new opportunities to defeat low-rate DDoS attack in container-based cloud environment[J]. IEEE Transactions on Parallel and Distributed Systems, 2019, 31(3): 695-706.
[5] LI Y, SUN Y, XU Z, et al. RegexScalpel: regular expression denial of service (ReDoS) defense by localize-and-fix[C]∥31st USENIX Security Symposium (USENIX Security 22). Atlanta:USENIX Association, 2022: 4183-4200.
[6] KIRRAGE J, RATHNAYAKE A, THIELECKE H. Static analysis for regular expression denial-of-service attacks[C]∥International Conference on Network and System Security. Cham: Springer, 2013: 135-148.
[7] YU S, TIAN Y H, GUO S, et al. Can we beat DDoS attacks in clouds?[J]. IEEE Transactions on Parallel and Distributed Systems, 2014, 25(9): 2245-2254.
[8] YUAN B, ZHAO H, LIN C, et al. Minimizing financial cost of DDoS attack defense in clouds with fine-grained resource management[J]. IEEE Transactions on Network Science and Engineering, 2020, 7(4): 2541-2554.
[9] 沈宇桔. 正则表达式复杂度攻击自动化检测技术研究[D]. 南京: 南京大学, 2019.
SHEN Y J. Research on automatic detection technology of regular expression complexity attack[D]. Nanjing: Nanjing University, 2019.
[10] LI Y T, CHEN Z X, CAO J L, et al. ReDoSHunter: a combined static and dynamic approach for regular expression DoS detection[C]∥USENIX Security Symposium.Atlanta:USENIX Association,2021: 3847-3864.
[11] The Cloudflare Blog. Details of the cloudflare outage[EB/OL].(2019-07-02)[2022-12-11]. https:∥blog.cloudflare.com/details-of-the-cloudflare-outage-on-july-2-2019/.
[12] 张晓玉, 李振邦. 移动目标防御技术综述[J]. 通信技术, 2013, 46(6): 111-113.
ZHANG X Y, LI Z B. Overview on moving target defense technology[J]. Communications Technology, 2013, 46(6): 111-113.
[13] OLIVO O, DILLIG I, LIN C. Detecting and exploiting second order denial-of-service vulnerabilities in web applications[C]∥Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2015: 616-628.
[14] LEI C, ZHANG H Q, TAN J L, et al. Moving target defense techniques: a survey[J]. Security and Communication Networks, 2018, 2018: 1-25.
[15] PAHL C, BROGI A, SOLDANI J, et al. Cloud container technologies: a state-of-the-art review[J]. IEEE Transactions on Cloud Computing, 2019, 7(3): 677-692.
[16] FREEMAN L C. A set of measures of centrality based on betweenness[J]. Sociometry, 1977, 40(1): 35.
[17] KANG M S, GLIGOR V D. Routing bottlenecks in the internet: causes, exploits, and countermeasures[C]∥Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2014: 321-333.
[18] MAGONI D. Tearing down the internet[J]. IEEE Journal on Selected Areas in Communications, 2003, 21(6): 949-960.
[19] 贾洪勇, 潘云飞, 刘文贺, 等. 基于高阶异构度的执行体动态调度算法[J]. 通信学报, 2022, 43(3): 233-245.
JIA H Y, PAN Y F, LIU W H, et al. Executive dynamic scheduling algorithm based on high-order heterogeneity[J]. Journal on Communications, 2022, 43(3): 233-245.
[20] 曾威, 扈红超, 李凌书, 等. 容器云中基于Stackelberg博弈的动态异构调度方法[J]. 网络与信息安全学报, 2021, 7(3): 95-104.
ZENG W, HU H C, LI L S, et al. Dynamic heterogeneous scheduling method based on Stackelberg game model in container cloud[J]. Chinese Journal of Network and Information Security, 2021, 7(3): 95-104.
[21] 刘海芳. 两服务台串联排队系统[D]. 长沙: 中南大学, 2007.
LIU H F. Two service stations in series queuing system[D]. Changsha: Central South University, 2007.
Similar References:
Memo

-

Last Update: 2024-03-08
Copyright © 2023 Editorial Board of Journal of Zhengzhou University (Engineering Science)