A METHOD OF APPLICATION PROFILING FOR DETECTING DOS/DDOS ATTACK LAUNCHING APPLICATIONS IN CLOUD COMPUTING

Abstract

This invention pertains to the effective and efficient detection of DoS/DDoS attacks propagated by malicious users who utilize compute resources hired from Cloud Service Providers (CSPs). It is designed for CSPs that need to ensure their infrastructure, and the huge computing power it offers, is not used to propagate large-scale malicious attacks. The solution involves creating static (installation-time) and dynamic (run-time) profiles of every application installed by the end-user on the virtual machine provisioned by the CSP. The static profile includes the number of files, their size and their checksum values, while the dynamic profile is essentially time-series data for CPU, Memory, Disk and I/O usage/utilization. The invention relies on matching the static and dynamic profiles with profiles of known malicious applications held in a database accessible by all CSPs. This is done by matching the run-time behavioral patterns and resource usage trends of the application with those of known malicious applications, and involves comparison of time-series data. Detailed analysis of known malicious applications on well-known CSPs with varying numbers of threads forms the basis of classification and detection of malicious applications. The malicious application detection logic also factors in variations observed by executing the same application on different CSPs to improve effectiveness. Malicious applications are classified based on observed deviations in resource usage patterns/trends, and such applications are referred to human cloud administrators for final classification. The decision-making process is captured in an expert system to speed up detection times for future cases.

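Bibliographic details

  • Publication number: IN2015DE00286A
  • Patent type:
  • Publication date: 2016-08-05
  • Original format: PDF
  • Applicant/patentee:
  • Application number: IN286/DEL/2015
  • Inventors: LOHIT KAPOOR; ANKUR GUPTA; SHAFQAT SHAMIM
  • Filing date: 2015-02-02
  • Classification: H04L63/1408
  • Country: IN
  • Database entry time: 2022-08-21 14:25:09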
