Detecting Malicious Cloud Bandwidth Consumption using Machine Learning

One of the most difficult and unsolved issues in networking is security, because of the continuously evolving nature of both threats and the measures used to detect and avoid them. Among the different types of attacks, some of the most serious in network security are bots that maliciously consume resources and exhaust them. The Malicious Cloud Bandwidth Consumption (MCBC) attack is a new type of attack in which the attacker aims to consume bandwidth maliciously, in turn imposing a financial burden on the cloud service host. Internet-based web services in the public cloud are generally vulnerable to MCBC. MCBC mainly aims at frequently consuming bandwidth in a slow manner, thereby affecting the pay-as-you-go utility model and causing monetary loss to the consumer. Unlike a DDOS attack, which is short-lived and makes the resource unavailable to the user, an MCBC attack is a long-term attack that slowly attacks the target for an extended period and remains undetected. As this attack does not affect availability immediately, it is not discussed as much as the DDOS attack. This paper discusses how a machine learning technique can be used to detect the MCBC attack in terms of requests per second; any traffic violating this range is classified as an MCBC attack. The proposed system uses semi-supervised machine learning, which uses labeled network traffic to build a model and classifies unlabeled traffic using the built model.


I. INTRODUCTION
Network security is affected by different types of attacks, such as DDOS, zero-day attacks and HTTP attacks. Different types of IDS have been developed to prevent these attacks. The DDOS attack, which is one of the most serious attacks, mainly aims at making resources unavailable to the user. The network traffic generated by the attacker is so large that it makes the resources unavailable to the legitimate user. Different techniques have been developed to prevent this attack. A DDOS attack is easily detectable, as the volume of traffic is generally high and the behavior of DDOS traffic is similar to normal traffic. A new type of attack that generally affects the utility model of internet-facing web services is the MCBC attack. Unlike a DDOS attack, which attacks the target for a short period and causes a huge loss in the form of resources or money, MCBC attack clients target the utility model for an extended period, affecting the consumer in the form of monetary loss. As the web services are hosted on a cloud server, the consumer has to pay on the basis of usage. For all data sent to and received from the web services, a certain amount is charged to the consumer. Although the loss is not so high when calculated over a small period, the amount to be paid increases as the days go by. The behaviour of an MCBC attack is different from that of a DDOS attack, as MCBC requests mingle with normal behaviour. In this paper we propose a technique to detect the MCBC attack. A threshold is assigned to each type of traffic: the request rate for normal traffic is 10-19 requests per second, the request rate for MCBC traffic is 20-50 requests per second, and any traffic above 50 is detected as DDOS. A machine learning technique with supervised and semi-supervised learning is used to classify network traffic as MCBC. Further, the monetary loss for a one-month period is calculated and shown.

II. RELATED WORK
Cloud computing is a technology based on the utility pricing model, a pay-as-you-go service for the resources consumed. Just as we pay for gas and electricity, the cloud consumer has to pay for the resources consumed, such as storage and bandwidth [1]. Unlike attacks such as DDOS, to which the cloud utility model is vulnerable and which are monitored by the Cloud Service Provider (CSP), CSPs do not monitor attacks that affect the cloud consumer's application; hence the cloud consumer has to take action to prevent such attacks [2]. The main aim of the MCBC attack is not to affect the consumer's resource utilization but to slowly affect the utility model. The nature of the MCBC attack is subtle, and it goes undetected [3]. Many cloud computing adopters have utilized different services such as search engines, application hosting and web hosting [4]. Because of the pay-as-you-go service, it is easy for consumers to utilize the services. Many major CSPs such as Google and Amazon have suffered loss of availability due to different attacks such as DDOS [5] [6]. Current detection techniques mainly focus on excessive HTTP requests over a short period of time; hence the MCBC attack goes undetected [7]. The dataset used in this paper is the Honeynet dataset. This website was attacked by various clients over a period of one month. Many methods have been developed to detect the MCBC attack. In this paper, a machine learning technique that uses supervised and semi-supervised learning is used to detect the MCBC attack. The machine learning tool WEKA is used to create a model that detects the MCBC attack [8].

III. MCBC ATTACK
The main aim of the attacker is to frequently consume resources in such a way that the availability of resources is not affected but the utility model is affected in a slow manner. Unlike a DDOS attack, this attack does not last for a short period and does not massively affect the user. This type of attack is extended over a long period so that the attacker may benefit for a long time while the consumer is affected in the form of monetary loss. The attack scenario of the MCBC attack consists of an attacker and a normal user. The attacker generates requests in such a way that they blend with normal requests and remain undetected. This type of attack does not affect the consumer in the form of resource availability but incurs a monetary loss. As most web services in the cloud are based on the pay-as-you-go model, this attack directly affects the consumer in the form of monetary loss at the end of the month. A threshold is given to detect this type of attack. Any normal user can only generate a maximum of 10-19 requests per second. Any rate between 20 and 50 requests per second can be considered an MCBC attack if it is continued for a particular day. For the proposed technique, requests per second is considered the main criterion for detecting the attack.

IV. DATASET DESCRIPTION
The dataset used in this paper is a log file from Honeynet. A honeynet is a network set up to invite attacks so that attackers' activities can be observed and the data can be used to improve network security. The dataset was collected for one month, from Feb 1 to Feb 27. The dataset consists of 28 fields [9] [10].

A. Dataset Analysis and Pre-processing
The log file collected for one month consists of different information and is analysed for this paper. Highest traffic was originated from the following IP addresses. The algorithm for pre-processing the dataset is as follows:
Step1: Convert the log file to a CSV file.
Step3: Add an attribute called request/second.
Step4: Count the number of requests for each second.
Step5: Add an attribute called class.
Step6: If req/sec ≤ 19, name the class as Normal; else if 20 ≤ req/sec ≤ 50, name the class as MCBC.
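
The following Python sketch illustrates the counting and labelling steps above. It is an added example, not code from the paper. It assumes Apache-style access log lines, counts requests per client IP and second (the paper does not say whether counting is per client), and runs on constructed sample lines. The per-day summary relates to the paper's remark that MCBC-range traffic counts as an attack if it continues for a day.

```python
import re
from collections import Counter
from datetime import datetime

# Assumption: Apache-style access log lines; only client IP and timestamp are used.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def label(rate):
    """Class attribute for a request/second value, using the paper's ranges."""
    if rate <= 19:
        return "Normal"
    if rate <= 50:
        return "MCBC"
    return "DDOS"  # the paper treats any traffic above 50 as DDOS

def build_rows(lines):
    """Count requests per (client, second) and attach the class attribute."""
    counts, skipped = Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        try:
            ts = datetime.strptime(m.group(2), TS_FORMAT) if m else None
        except ValueError:
            ts = None
        if ts is None:  # malformed line or unparsable timestamp
            skipped += 1
            continue
        counts[(m.group(1), ts)] += 1
    rows = [{"ip": ip, "second": ts, "req_per_sec": n, "class": label(n)}
            for (ip, ts), n in sorted(counts.items())]
    return rows, skipped

def mcbc_seconds_per_day(rows):
    """Per client and day, the number of seconds that fell in the MCBC range."""
    return Counter((r["ip"], r["second"].date()) for r in rows if r["class"] == "MCBC")

def sample_log():
    """Constructed sample: documentation-range IPs and a constructed date."""
    def hits(ip, sec, n):
        return [f'{ip} - - [01/Feb/2024:10:00:{sec:02d} +0000] "GET / HTTP/1.1" 200 512'] * n
    return (hits("192.0.2.10", 0, 7) + hits("198.51.100.7", 0, 35)
            + hits("198.51.100.7", 1, 22) + hits("203.0.113.5", 1, 60)
            + ["malformed line"])

if __name__ == "__main__":
    rows, skipped = build_rows(sample_log())
    for r in rows:
        print(r["ip"], r["second"].isoformat(), r["req_per_sec"], r["class"])
    print("skipped:", skipped, dict(mcbc_seconds_per_day(rows)))
```
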

V. NORMAL AND MCBC CLIENT BEHAVIOUR
A normal client requesting a particular site generates only 5 to 10 requests per second. Sometimes the rate may be as high as 19. If the request/sec value is more than 20, the traffic is considered to be generated by a bot or some intruder. An intruder can generate traffic of 1000 request/sec for a DDOS attack with the help of thousands of bots under the control of a botmaster. As the MCBC attacker mingles with the behavior of normal traffic, MCBC traffic can be considered to be 20 to 50 request/sec.

VII. RESULT ANALYSIS
From the experiment it is observed that new traffic is automatically labeled as normal or MCBC based on the range of request/sec. Traffic with a request/sec value between 1 and 19 is labeled as normal, and traffic with a request/sec value between 20 and 50 is labeled as MCBC, automatically by the model that we developed in the experiment. As observed, figure 10 consists of the unlabeled data that is given to the model, and figure 11 consists of the data labeled as normal or MCBC by the model.

CONCLUSION
The proposed system is able to classify traffic as normal or MCBC using a machine learning technique. The data from the website is preprocessed into a form that can be used by the model. Future work can include attack cost calculation and representation of the attack traffic in dashboard form, which can be used by the administrator for decision making.