J Med Syst (2014) 38:128 DOI 10.1007/s10916-014-0128-8
SYSTEMS-LEVEL QUALITY IMPROVEMENT
Distributed Denial of Service (DDoS) Attack in Cloud-Assisted Wireless Body Area Networks: A Systematic Literature Review
Rabia Latif & Haider Abbas & Saïd Assar
Received: 6 February 2014 / Accepted: 17 August 2014 / Published online: 14 September 2014
© Springer Science+Business Media New York 2014
Abstract Wireless Body Area Networks (WBANs) have emerged as a promising technology that has shown enormous potential in improving the quality of healthcare, and has thus found a broad range of medical applications from ubiquitous health monitoring to emergency medical response systems. The huge amount of highly sensitive data collected and generated by WBAN nodes requires a scalable and secure storage and processing infrastructure. Given the limited resources of WBAN nodes for storage and processing, the integration of WBANs and cloud computing may provide a powerful solution. However, despite the benefits of a cloud-assisted WBAN, several security issues and challenges remain. Among these, data availability is the most pressing security issue. The most serious threat to data availability is a distributed denial of service (DDoS) attack, which directly affects the all-time availability of a patient's data. The existing solutions for standalone WBANs and sensor networks are not applicable in the cloud. The purpose of this review paper is to identify the most threatening types of DDoS attacks affecting the availability of a cloud-assisted WBAN and to review the state-of-the-art detection mechanisms for the identified DDoS attacks.

Keywords Wireless body area networks . Cloud-assisted WBANs . Distributed denial of service attacks (DDoS) . Healthcare systems

This article is part of the Topical Collection on Systems-Level Quality Improvement.

H. Abbas (*): King Saud University, Riyadh, Saudi Arabia
R. Latif, H. Abbas: National University of Sciences and Technology, Islamabad, Pakistan
S. Assar: Telecom Ecole de Management, Information System Department, Institut Mines-Télécom, Paris, France
Introduction

Due to advancements in wireless technologies and emerging ideas such as wireless sensor networks, wireless body area networks, and other types of low-power wireless communication, patient health monitoring and other related services are becoming more and more popular. These will reduce health monitoring costs and improve the quality of a patient's life [1, 2]. However, the efficient management of the huge amount of monitored data collected by various WBAN nodes is a key problem for their large-scale adoption in healthcare services. Therefore, innovative solutions are needed to meet the growing challenge of handling the exponential growth in data generated by WBAN sensor nodes. WBAN nodes have limited power, energy, capacity, and computation and communication capabilities. Yet, at the same time, they need to be scalable and powerful, with secure storage and high-performance computation, and they require real-time data processing and storage, especially for e-health applications [3, 4].

Integrating WBAN with cloud computing technology

Cloud computing is a promising technology that is expected to play a significant role in achieving the aforementioned objectives [5] for healthcare management. The integration of a WBAN with cloud computing (WBAN-Cloud) introduces a viable hybrid platform to process the enormous amount of data collected from multiple WBAN nodes. It must also be able to realize long-term patient health monitoring and the analysis of his/her health records under different situations. In cloud computing, wireless devices do not need computing facilities, data storage, a powerful configuration such as a high-speed CPU, or other software services, since their data and complicated computing operations can be shifted to and processed on the cloud, which significantly reduces operational and maintenance costs [6, 7]. The seamless integration of WBAN and cloud computing will provide several benefits to e-healthcare, including better patient care, reduced cost, a solution for resource scarcity, better health quality, and research and strategic planning support [8]. This cloud-assisted WBAN will enable medical servers and physicians to globally access the processing and storage infrastructure on a pay-as-you-go pricing model [9].

Figure 1 depicts the typical cloud-assisted WBAN conceptual architecture for the e-health monitoring solution considered in this research. The architecture is multi-tiered and is described below.

[Fig. 1 Cloud-assisted WBAN conceptual architecture for e-health monitoring]

Tier 1 represents the WBANs and incorporates a set of small, intelligent, wireless in-body and on-body sensors that are placed purposely on the patient's body. These sensors monitor, process, and store information about the patient's physiological parameters. Mobile devices (PDAs and smartphones) serve as gateways for the WBAN and are also known as the Body Control Unit (BCU). Because the WBAN application is related to human health, there is a need for reliable packet delivery from a WBAN node to the BCU, i.e., acknowledgments of delivered packets and retransmission of lost packets. This tier emphasizes the communication channel used as the transport layer protocol.

Tier 2 depicts the transmission medium, in which the mobile devices transmit the sensed data to the e-healthcare service provider over the cloud for performing healthcare-related tasks. The transport layer of the network stack specifies the protocol (TCP/UDP) through which the BCU and the e-healthcare service provider communicate.

Tier 3 shows the cloud services, in which the e-healthcare service provider categorizes the data based on the attributes chosen by the patient and transfers it to the health cloud storage. Here again, the transport layer protocol (TCP) is responsible for the reliable transmission of data from the e-healthcare service provider to cloud storage in the cloud environment.

Nevertheless, research into cloud-assisted WBAN platforms is still in its infancy. Current studies in this area focus on architectural design issues for a cloud-assisted WBAN to realize e-healthcare services, while they lack an emphasis on security issues. These issues could be malicious in nature, especially the DDoS attack, which might adversely affect the overall performance and reliability of healthcare systems, from secure record keeping to seamless accessibility and healthcare data transmission. In Fig. 1, the red circles show the path and area of emphasis for which the DDoS attack and available solutions will be analysed. Therefore, there is a need to put together all the studies and assess all the available knowledge on the subject.

The rest of this paper is organized as follows: Next, the research methodology is described in the systematic mapping section. The results and discussion section presents the results obtained from the systematic review. The analysis of the results is presented after this. Finally, the conclusion section presents our conclusions, along with the future intention of this research work.
Systematic mapping

This research involved a systematic review of the existing literature regarding security issues in a cloud-assisted WBAN. Work was done not only to summarize the existing security vulnerabilities and threats in relation to this subject, but also to identify and evaluate the present security state and the most important security threats and attacks facing a cloud-assisted WBAN.
Question formalization

The goal of this research was to identify the most relevant issues and challenges in a cloud-assisted WBAN, including security attacks, vulnerabilities, risks, requirements, and possible security solutions. This paper aims to answer the following research questions.

RQ1: Which type of DDoS attack is most commonly addressed in the literature regarding the service availability of a cloud-assisted WBAN?
RQ2: What are the current solutions/techniques being proposed for handling the attack identified in RQ1?

In order to answer these questions, a systematic literature review based on the guidelines proposed by Kitchenham et al. [10] was conducted. This review focused on published peer-reviewed papers that explicitly considered the issues and challenges for both a WBAN and cloud computing from a security attack perspective. The following keywords and relevant initiatives for the research questions were used during the review protocol: Cloud Computing, WBAN, DDoS Attack, and TCP SYN Flooding Attack.

Selection of sources

The identified search queries were used in digital libraries to obtain related content. The search process covered journal articles and conference papers available in five of the most reliable electronic databases that are scientifically and technically peer reviewed: ACM Digital Library, IEEE Xplore, Springer Link, Science Direct, and Elsevier Journals. The search process also included grey literature, which consists of technical reports, system reports, white papers, articles, etc. The reason for the selection of these databases was the accessibility of high-quality proceedings of key conferences and journals in computer science and engineering. Since we were interested in recent articles, we confined our search to articles published in 2009 or later. The search was performed in January 2014. Therefore, papers published after that date have not been included in this research.

Inclusion and exclusion criteria

To qualify for inclusion in this review, research articles had to have been published from 2009 to 2014, and had to clearly focus on discussing the security issues facing WBANs and cloud computing domains in general. The inclusion process was based on the following criteria: considering security attacks in a cloud-assisted WBAN as the key subject, the selected publications should have clearly addressed a DDoS attack among other security attacks, and the selected publications should have proposed a solution. The exclusion process was based on the following criteria: duplication of papers; publications related to attacks, but not specific to a cloud-assisted WBAN; and non-English contributions.

Search strings

The following search strings were designed by using keywords to look into published articles that particularly focused on the DDoS TCP SYN flood attack and defense mechanisms against it in a cloud-assisted WBAN. SYN flooding is a type of DDoS attack that requires considerable attention because it floods the network with a huge number of TCP packets and occupies the server with the intention of delaying other users from accessing it. In a severe case, the server may need to be shut down, which wastes valuable resources, especially in critical real-time services such as health care services.

Search string for RQ1: Cloud-Assisted WBAN AND (Security Attacks OR DDoS Attacks).
Search string for RQ2: TCP SYN flooding attack AND (Solutions OR Techniques) AND Cloud-Assisted WBAN.

Quality Assessment Checklist (QAC)

A quality assessment checklist was developed to assess the individual studies, based on Kitchenham [10]. This checklist included the following questions: (a) Does the research paper clearly specify the research methodology? (b) Is the research methodology appropriate for the problem under consideration? (c) Is the analysis of the study properly done? If the study met the assessment criteria then it was given a "yes."
Results and discussions

Based on the aforementioned structured research questions, search strings were constructed to use in the electronic databases (ACM, IEEE Xplore, etc.), and the resulting studies were evaluated according to the established criteria. Fig. 2a and b depict the steps involved in the selection of papers for RQ1 and RQ2, respectively. First, the search strings were executed on the selected sources to get a set of studies, which were then filtered with the inclusion and exclusion criteria. The resulting papers were again filtered based on the keywords. Finally, after performing the full text screening, the resulting papers were used as primary proposals in this study. Based on the reviewed publications and to answer the research questions, the cloud-assisted WBAN conceptual architecture was analyzed for different types of DDoS attacks, and the most complex and deceptive attack was identified, which would severely affect the capacity and performance of a cloud WBAN network and make it unavailable for legitimate users at a critical time. In Fig. 1, the red circles show the path over which the DDoS attack was analyzed and over which the intended solution (as the ultimate objective of this research) was developed.

[Fig. 2 a RQ1: Paper selection. b RQ2: Paper selection]
RQ1: Most commonly addressed DDoS attacks related to the service availability of a cloud-WBAN

In order to answer RQ1, we thoroughly reviewed the selected studies and identified the most vulnerable and frequently addressed DDoS attacks. A DDoS is an attack on the service availability of a cloud-assisted WBAN, which severely affects its capacity and performance [11]. In the succeeding section, we briefly discuss the most important DDoS attacks that occur in a cloud-assisted WBAN. Table 1 lists the frequencies of occurrence of these attacks in the current literature.

Table 1 Frequencies of occurrence of DDoS attacks in current literature

Attack                 References                                                                                                   Count
Jamming/Tampering      [13], [18], [32]                                                                                               3
Collision/Exhaustion   [13], [18], [26]                                                                                               3
Routing                [12], [14], [15], [18], [22], [23], [26]                                                                       7
TCP SYN Flooding       [12], [13], [14], [16], [17], [19], [20], [21], [22], [23], [25], [27], [28], [29], [30], [31], [33], [34], [35], [36]   20
De-synchronization     [21]                                                                                                           1
Path-based             [23], [24], [25], [34], [36]                                                                                   5
Motion detection       [23], [34], [36]                                                                                               3

a) Jamming/Tampering attack: This involves interference with the radio frequencies of WBAN nodes. The attacker can use a few sensor nodes to block the entire network. This method is weak in blocking larger networks like a cloud-assisted WBAN. Since the WBAN itself is a small network, there is a high risk of network blocking. A tampering attack may destroy, replace, and electronically interrogate the WBAN nodes to obtain a patient's health information [13, 18, 32].
b) Collision/Exhaustion attack: A collision attack occurs at the data link layer, where an adversary corrupts the frame header such that a checksum mismatch occurs, which results in the data frame being discarded at the receiving side. An exhaustion attack occurs when self-denying nodes always keep the channel busy to exhaust the battery resources [13, 18, 26].
c) Routing attacks: Cloud-assisted WBAN communication is based on routing. The most common routing attacks are spoofing and selective forwarding. In spoofing, an adversary complicates the entire network by creating routing loops, whereas in selective forwarding, an adversary stops packet forwarding by inserting a node in a data flow path [12, 14, 15, 18, 22, 23, 26].
d) TCP SYN flooding attack: This type of attack is used to exhaust memory resources by sending control information repetitively [12–14, 16, 17, 19–23, 25, 27–31, 33–36]. From Table 1 it can be seen that this attack is by far the most cited and studied.
e) De-synchronization attack: The adversary forges messages between sensor nodes, which leads the complete network into an infinite cycle [21].
f) Path-based DDoS attack: Packets are forwarded all the way to the base station to consume network bandwidth and node energy [23–25, 34, 36].
g) Motion detection based attack: The attacker sends large numbers of motion detection alerts, which causes large amounts of network traffic [23, 34, 36].

The next section presents the most frequently addressed attack found in the literature study performed by this research.

Why TCP SYN flooding attack

The transmission control protocol (TCP) layer is a very common target for DDoS. There are numerous forms of attacks at this layer, but they all have one aspect in common: they target the capacity and performance of the framework to support and maintain concurrent TCP connections. One of the most prevalent forms of this is the well-known TCP SYN flooding attack, in which an attacker or compromised node disrupts communication by flooding the victim with enough connection opening requests ("SYNs"), without completing the TCP three-way handshake, to exhaust its capacity and adversely affect the performance of the whole network. This prevents the victim from providing services to legitimate users [17].

The main focus of the intended research is on a cloud-assisted WBAN. Therefore, the analysis of an attack only considers the path of communication from a WBAN sensor node to an e-health service provider via a body control unit (BCU), and then from the e-health care service provider to the health cloud storage. On the path shown in Fig. 1, the following attacks are possible:

i. An attacker may capture sensor nodes in the WBAN and send a huge number of connection opening requests to other legitimate nodes in the WBAN.
ii. Similarly, the attacker may capture sensor nodes in the WBAN and launch a DDoS SYN flooding attack against the BCU.
iii. An attacker may control many BCUs, which are local processing units in the WBAN, and launch a DDoS TCP SYN flooding attack against the e-health service provider by initiating numerous connection opening requests from both BCUs and WBAN sensor nodes. The aim of the attack is to flood the e-healthcare service provider with a huge number of connection opening requests.
iv. The same attack can be launched against the health cloud storage. An attacker may control the e-healthcare service provider and flood the health cloud storage provider with a huge number of SYN requests. The consequence of this DDoS attack is that the cloud storage provider cannot communicate with the e-healthcare service provider to verify and authenticate the data request.
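As an added illustration (not code from the paper), the following Python script shows how a monitor at the BCU or the e-healthcare service provider can detect the half-open connection build-up that the SYN flood described above produces: it tracks SYNs that are never completed by the client's ACK, expires stale entries, and raises an alert when a destination's half-open count crosses a threshold. The packet records, host names, timeout and threshold are constructed/assumed values.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed tuning values: a half-open entry lives at most 3 s, and more than
# 5 simultaneous half-open connections to one destination raises an alert.
SYN_TIMEOUT_MS = 3000
HALF_OPEN_THRESHOLD = 5


@dataclass(frozen=True)
class Packet:
    ts_ms: int   # capture time in milliseconds
    src: str     # sending host (WBAN node, BCU, ...)
    dst: str     # receiving host (BCU, e-health service provider, ...)
    flags: str   # client-side handshake flags: "S" = SYN, "A" = final ACK


class HalfOpenTracker:
    """Keeps, per destination, the sources whose SYN has not been ACKed yet."""

    def __init__(self, timeout_ms=SYN_TIMEOUT_MS, threshold=HALF_OPEN_THRESHOLD):
        self.timeout_ms = timeout_ms
        self.threshold = threshold
        self.half_open = defaultdict(dict)  # dst -> {src: ts_ms of the SYN}
        self.alerts = []                    # (ts_ms, dst, half-open count)

    def _expire(self, now_ms):
        # A SYN that is never completed is dropped after the timeout, which is
        # what bounds the state one spoofed SYN can pin down at the victim.
        for table in self.half_open.values():
            for src in [s for s, t in table.items() if now_ms - t > self.timeout_ms]:
                del table[src]

    def observe(self, pkt):
        self._expire(pkt.ts_ms)
        table = self.half_open[pkt.dst]
        if pkt.flags == "S":
            table[pkt.src] = pkt.ts_ms
            if len(table) > self.threshold:
                self.alerts.append((pkt.ts_ms, pkt.dst, len(table)))
        elif pkt.flags == "A":
            # Third step of the three-way handshake: the connection is complete.
            table.pop(pkt.src, None)

    def half_open_count(self, dst):
        return len(self.half_open.get(dst, {}))


def analyse(packets):
    """Replay packets in time order and return the resulting tracker."""
    tracker = HalfOpenTracker()
    for pkt in sorted(packets, key=lambda p: p.ts_ms):
        tracker.observe(pkt)
    return tracker


# Constructed sample traffic: two BCUs complete their handshakes with the
# e-health service provider ("ehsp"), then eight spoofed sources send SYNs
# that are never acknowledged (attack path iii above).
SAMPLE = [
    Packet(0, "bcu-1", "ehsp", "S"), Packet(100, "bcu-1", "ehsp", "A"),
    Packet(200, "bcu-2", "ehsp", "S"), Packet(300, "bcu-2", "ehsp", "A"),
] + [Packet(1000 + 10 * i, f"spoofed-{i}", "ehsp", "S") for i in range(8)]


if __name__ == "__main__":
    tr = analyse(SAMPLE)
    print("half-open connections to ehsp:", tr.half_open_count("ehsp"))
    for ts, dst, n in tr.alerts:
        print(f"t={ts}ms alert: {n} half-open connections to {dst}")
```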
RQ2: Existing techniques for handling the DDoS SYN flooding attack

To answer RQ2, a thorough review was performed on the studies selected in RQ1 to identify those that proposed techniques/solutions to handle this attack over the path shown with circles in Fig. 2b. Because our research was based on the integration of the cloud with the recently established WBAN standard, i.e., IEEE 802.15.6, less work has been done with respect to RQ2. The purpose of this study was to evaluate the state-of-the-art detection techniques for a DDoS SYN flooding attack as it appears in the seven papers that were included in this review (Fig. 2b).

Cooperative intrusion detection system technique for cloud computing

Chi-Chun et al. [30] proposed a scheme based on federation defense in a cloud environment, in which IDSs are placed at different locations within the cloud space. These IDSs collaborate with each other by sharing alerts in order to reduce the impact of a DoS/DDoS attack. The author implemented the same concept as the Snort-based IDS [37], in which three modules are attached to the system: a blocking module, a communication module, and a cooperation module. The cooperation module gathers alert messages from the surrounding IDSs and executes a majority vote on them. Based on these votes, the accuracy of the alerts can be calculated. Finally, if the alerts are accepted by the agent, a new blocking rule is written and added to the block table against this type of attack packet. By implementing this scheme, an attack can be blocked for other cloud regions in addition to the victim.

Framework to detect and prevent DDoS attack in cloud environment

To mitigate a flooding-based DDoS attack in a cloud environment, Ismail et al. [20] proposed an approach for both the detection and prevention of a DDoS attack in a cloud environment. In the attack detection stage, a statistical covariance matrix method is applied, in which the covariance matrix produced from newly captured traffic is compared with the profile of normal traffic. Whenever the resulting matrix is all zeros, there is no attack; whenever the resulting matrix has non-zero values and the anomaly degree exceeds a predefined threshold, an attack has occurred. Thus, the detection signal appears, and the system moves into the network protection stage by finding the IP address of the attack source.

To find the attack source IP address, the number of nodes the attacker passes through before reaching the victim is counted from the TTL (Time to Live) value. After determining the source of the attack, all the IP addresses used by the attacker are blocked using a honeypot network. This pings all the IP addresses used by attackers, and whenever there is a reply, the responding IP address is blocked. Finally, when the attack is detected, the legitimate traffic to the victim's Virtual Machine (VM) is shifted to the same virtual machine on another physical machine, because a cloud computing environment keeps multiple copies of one virtual machine to strengthen the reliability of computing.
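The TTL-based hop counting used for attacker localization in [20] and the hop count filtering (HCF) of [16] both rest on inferring a packet's hop count from its TTL. The Python below is an added example (not code from either paper) that implements that inference and the filtering check, and reproduces the two failure modes noted in Table 2 of this review: a genuine source with an odd initial TTL is misclassified as spoofed, and when initial TTL values lie closer together than the path length, the inferred hop count is wrong. The initial TTL set, addresses and hop counts are assumed/constructed.

```python
# Assumed set of common OS default initial TTLs used by the inference.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed_ttl):
    """Pick the smallest common initial TTL that is >= the observed TTL."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL must be 0..255")
    for init in INITIAL_TTLS:
        if observed_ttl <= init:
            return init
    return 255


def infer_hop_count(observed_ttl):
    """Hop count = inferred initial TTL minus the TTL seen at the victim."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


class HopCountFilter:
    """IP -> hop-count table built during a clean period, then used to flag
    packets whose TTL-derived hop count disagrees with the table."""

    def __init__(self):
        self.table = {}

    def learn(self, src, observed_ttl):
        self.table[src] = infer_hop_count(observed_ttl)

    def set_known(self, src, hops):
        # Entry confirmed out of band (e.g. a measured route); constructed here.
        self.table[src] = hops

    def is_spoofed(self, src, observed_ttl):
        expected = self.table.get(src)
        if expected is None:
            return False  # unknown sources are not judged by HCF
        return infer_hop_count(observed_ttl) != expected


def filter_packets(hcf, packets):
    """packets: iterable of (src, observed_ttl). Returns (accepted, dropped)."""
    accepted, dropped = [], []
    for src, ttl in packets:
        (dropped if hcf.is_spoofed(src, ttl) else accepted).append((src, ttl))
    return accepted, dropped


def demo():
    hcf = HopCountFilter()
    # Clean period: 10.0.0.1 (initial TTL 64) is 12 hops away -> TTL 52 seen.
    hcf.learn("10.0.0.1", 52)
    # Attack period: a packet claiming 10.0.0.1 but injected 3 hops away
    # arrives with TTL 61; hop count 3 != 12, so it is dropped.
    accepted, dropped = filter_packets(hcf, [("10.0.0.1", 52), ("10.0.0.1", 61)])

    # Failure mode 1 (Table 2): a genuine host 5 hops away that uses an odd
    # initial TTL of 100 arrives with TTL 95; inference assumes initial 128,
    # yielding 33 hops, so the legitimate packet is flagged as spoofed.
    hcf.set_known("10.0.0.7", 5)
    odd_flagged = hcf.is_spoofed("10.0.0.7", 95)

    # Failure mode 2 (Table 2): initial TTLs 32 and 64 are only 32 apart, so a
    # host with initial 64 that is 34 hops away (TTL 30 on arrival) is
    # attributed initial TTL 32 and only 2 hops.
    wrong_hops = infer_hop_count(30)
    return accepted, dropped, odd_flagged, wrong_hops


if __name__ == "__main__":
    print(demo())
```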
Packet monitoring approach to prevent DDoS attack in cloud computing

To prevent DDoS attacks in a cloud environment, Vikas et al. [16] proposed a packet monitoring approach based on the hop count filtering method. The proposed approach is independent of any particular network and can be made readily available for the prevention of DDoS attacks. This method helps provide continuous cloud services to legitimate users while under attack and consumes less communication and computation time. The simulation was done using the CloudSim toolkit and the corresponding results were produced.

Detecting DDoS attacks in cloud environment based on Dempster-Shafer theory

This paper [38] focuses on detecting and analyzing DDoS attacks that disrupt cloud services to legitimate users. The proposed mechanism combines the results acquired from IDSs installed on VMs with a data fusion technique at the front-end server. The attack detection process is carried out inside the VMs with the help of IDSs, whereas the attack analysis is done inside the cloud fusion unit (CFU) of the front-end server. When an attack occurs, the IDS generates alerts, which are recorded in the CFU MySQL database and further analyzed for flooding attacks using Dempster-Shafer Theory (DST) and fault tree analysis. At the end, Dempster's combination rule is applied in order to maximize the true positive rate and minimize false positive alarms.

Confidence-Based Filtering (CBF): A packet filtering method for DDoS attack defense in cloud environment

Chen et al. [31] investigated a Confidence-Based Filtering method, called CBF. In this research, the CBF method operates in two intervals, i.e., a non-attack interval and an attack interval. Legitimate packets are collected during the non-attack phase to extract attribute value pairs and create a nominal profile.
By using this nominal profile, the CBF method is activated again during the attack phase, computing the score of each individual packet in order to determine whether to discard it or not. To analyze the feasibility of the CBF method, the authors performed extensive simulations. The results indicated that the CBF method has a high scoring speed with minimal memory requirements and acceptable filtering accuracy. Thus, it is appropriate for the real-time filtering of attack packets in a cloud environment. To overcome the flaws of the CBF technique, Priyanka et al. proposed an enhanced CBF packet filtering method for the detection of a DDoS attack based on a correlation pattern, which shows the number of occurrences of the attribute value pair. The term confidence is introduced to depict the distribution of the attribute value pair and then decrease the server overhead by computing the confidence value of the whole packet within the packet header and storing it in an optional field of the packet header (IPv4). The proposed technique is further improved by introducing nominal additional bandwidth in order to increase the processing speed of a victim node [39]. The nominal profile is updated if the current value in the nominal profile is greater than the confidence value stored in the packet header. The results show that packets with a higher confidence value are more legitimate.

Cloud computing security: Threats & existing IDS/IPS techniques for DDoS attack

In this paper [17], the author surveyed different threats to cloud computing and different IDS/IPS techniques to mitigate the effects of these threats. Among the identified attacks, the TCP SYN flooding-based DDoS attack is one that causes a loss of availability of the cloud to legitimate users. According to the author, one possible solution to overcome this type of attack is to deploy IDS and IPS in the cloud.

Signature-based detection

Signature-based intrusion detection aims to define a set of rules stored in a database that can later be used to determine the pattern of an attacker. These systems are efficient in attaining a high level of accuracy with a smaller false positive ratio for the identification of intrusions in a network. In the cloud environment, these techniques can be helpful in detecting known attacks. The advantages of using this approach are as follows: it identifies an intrusion by matching captured patterns with a pre-configured knowledge base, it has a high detection accuracy for previously known attacks, and it has a low computational cost.

Anomaly-based detection

Anomaly detection is the identification of events that behave abnormally with respect to the system's normal flow. This helps to detect attacks that have not been previously identified. This approach can be used efficiently by setting up rules that generate a lower alarm rate for known/unknown attacks. In a cloud environment, this technique can be used to detect unknown attacks in various cloud regions where large numbers of network-level and system-level events occur, which makes it difficult to monitor or control intrusions using an anomaly detection technique [40]. This technique has the same advantages as the signature-based approach.

Table 2 Results of review and analysis of current solutions

Reviews: Cooperative Intrusion Detection System Technique for Cloud Computing [30]. The proposed scheme is based on Snort [37], a signature-based IDS, in which a new signature is written for every new exploit, which makes it computationally intensive, especially in the case of DDoS.
Analysis: This technique increases computation effort, because it may take some time for a new attack to become known. After the attack is known, a new blocking rule is written for it, added to the table and then distributed. This leaves many systems vulnerable to unknown attacks for a certain period of time. In the proposed scheme, intrusion detection is done only at the cloud service provider's end and not at the user's end.

Reviews: A Framework to Detect and Prevent DDoS Attack in Cloud Environment [20]. For detection, the covariance matrix statistical method is used, which has high statistical computational complexity as well as high computational cost [30]. To determine the attack source IP address, the TTL value is used: the number of nodes the attacker passes through until reaching the victim side is counted by the hop counting method. For calculating the hop count, the hop counting method depends upon the initial TTL values, which are different for different operating systems. This method fails when the difference between initial TTL values is less than the average hop count between end nodes [31]. DDoS attack prevention is based on a honeypot, which presumes that the attack must be detectable using signature-based detection tools. If the attack is not detected, the packet is forwarded to the destined node in the network. The limitation of this approach is that the attacker can easily thwart the honeypot's static and passive nature. The prevention approach increases the security of the framework but cannot completely mitigate the effect of a DDoS attack, thus leaving it vulnerable to new types of attacks for which signatures and patches are not available in the database [32].
Analysis: The proposed framework is simulated at a conceptual level, using class and sequence UML diagrams. No simulation or implementation is done in a real cloud environment. When the proposed framework is deployed in a real cloud environment, there will be online detection constraints that are not discussed a priori. Also, there are different constraints in detecting the attack in different cloud environments such as private, public and hybrid environments.

Reviews: Packet Monitoring Approach to Prevent DDoS Attack in Cloud Computing [16]. The proposed approach is based on Hop Count Filtering (HCF), which suffers from high false positive and false negative rates [11]. In the HCF method [16], filtering is carried out based on the correlation between source IP address and TTL value. After the mapping of IP to hop count, spoofed IP packets are detected and discarded. It is not an effective approach for detecting DDoS attacks because of the assumptions it makes regarding spoofed IP traffic.
Analysis: The proposed method incorrectly identifies those systems which use odd initial TTL values as having spoofed source IP addresses.

Reviews: Detecting DDoS Attacks in Cloud Environment based on Dempster-Shafer theory (DST) [38]. The proposed solution aims to use VM-based IDSs. For each IDS sensor, a DST procedure in three-valued logic and fault tree analysis is applied. The key concept of this technique is to gather alerts from various IDS sensors deployed in each VM at different cloud regions. The drawback of this technique is that VM-based IDS sensors produce a huge number of alerts, which results in high false positive and false negative rates [20, 41]. One of the disadvantages of DST is its computational complexity, which increases rapidly with the number of discriminating elements in the frame. This weakness affects the efficiency requirement of the proposed approach in terms of increased computation time and decreased attack detection rate. Another disadvantage is that it is unable to detect multiple attacks simultaneously. This is due to the assumed mutually exclusive set of system states [21, 41].
Analysis: In the proposed solution, the DDoS attack is detected and analysed in a private cloud environment only. In practice, defending against DDoS attacks is proving to be harder in a public cloud than in a private cloud.

Reviews: Confidence-Based Filtering: A Packet Filtering Method for DDoS Attack Defense in Cloud Environment [31]. The proposed method is based on correlation pattern mining. These patterns are found in the network and transport layers. But in this approach, the number of single attributes that have to be selected is not defined. The server side maintains a database in the form of a three-dimensional array, which affects the processing speed of a cloud server [23].
Analysis: The proposed scheme increases overhead at the server side and thus consumes more processing speed and network bandwidth.

Reviews: Enhanced CBF Packet Filtering Method to Detect DDoS Attack in Cloud Computing Environment [39]. The author claims that the proposed work overcomes the weaknesses of the CBF approach. The term confidence is proposed to calculate the frequency of appearances of a single attribute and a pair of attributes, which is very simple and easy to exploit. It becomes more complex if the proposed approach uses a set of attributes or a set of single attributes to find the correlation pattern [23].
Analysis: The proposed work is not simulated in a real cloud environment against a DDoS attack. The results are based on assumptions after calculating the correlation pattern between an attribute pair.

Reviews: Cloud Computing Security: Threats & Existing IDS/IPS Techniques for DDoS Attack [17]. The limitation of both approaches is that they cannot detect new attacks or variants of known attacks. Anomaly detection, requiring no knowledge base of attack features, learns how a user and the system usually behave. However, inaccurate and/or incomplete profiling can lead to false alarms. Therefore, profiles must be frequently maintained.
Analysis: Both approaches produce high false alarm rates for unknown attacks.
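As an added example (not the CBF implementation of Chen et al. [31] nor the enhanced CBF of [39]), the Python below builds the nominal profile from the attribute-value pairs of constructed legitimate packets during a non-attack period, then scores packets during an attack period by how often their attribute pairs occurred in that profile and discards those below a threshold. The attribute set, the bucketing of packet length, and the discard threshold are assumptions.

```python
from collections import Counter
from itertools import combinations

# Assumed header attributes used as single attributes; CBF pairs them up.
ATTRS = ("proto", "ttl", "flags", "length")
DISCARD_THRESHOLD = 0.3  # assumed: packets scoring below this are dropped


def attribute_items(pkt):
    """Attribute-value pairs of one packet, in a fixed order."""
    return tuple((a, pkt[a]) for a in ATTRS)


def nominal_profile(legit_packets):
    """Non-attack period: count how often each single attribute value and each
    pair of attribute values appears. Returns (singles, pairs, packet_count)."""
    singles, pairs = Counter(), Counter()
    for pkt in legit_packets:
        items = attribute_items(pkt)
        singles.update(items)
        pairs.update(combinations(items, 2))
    return singles, pairs, len(legit_packets)


def confidence(profile, pkt):
    """Score = mean frequency (in the nominal profile) of the packet's attribute
    pairs; a packet whose pairs never occurred in legitimate traffic scores 0."""
    _singles, pairs, n = profile
    pair_list = list(combinations(attribute_items(pkt), 2))
    return sum(pairs[p] / n for p in pair_list) / len(pair_list)


def cbf_filter(profile, packets, threshold=DISCARD_THRESHOLD):
    """Attack period: keep packets with confidence >= threshold, drop the rest."""
    kept, dropped = [], []
    for pkt in packets:
        (kept if confidence(profile, pkt) >= threshold else dropped).append(pkt)
    return kept, dropped


def mk(proto, ttl, flags, length):
    return {"proto": proto, "ttl": ttl, "flags": flags, "length": length}


# Constructed non-attack traffic from BCUs to the e-health service provider:
# data-carrying TCP segments with the TTLs and length buckets seen normally.
LEGIT = ([mk("tcp", 64, "PA", "medium")] * 10
         + [mk("tcp", 128, "PA", "medium")] * 6
         + [mk("tcp", 64, "A", "small")] * 4)

# Constructed attack-period traffic: a normal-looking segment, a SYN with an
# unseen TTL and minimal length (flood packet), and a partly unusual packet.
ATTACK_PERIOD = [
    mk("tcp", 64, "PA", "medium"),
    mk("tcp", 255, "S", "min"),
    mk("tcp", 64, "A", "medium"),
]


def demo():
    profile = nominal_profile(LEGIT)
    kept, dropped = cbf_filter(profile, ATTACK_PERIOD)
    return profile, kept, dropped


if __name__ == "__main__":
    profile, kept, dropped = demo()
    for pkt in ATTACK_PERIOD:
        print(pkt, round(confidence(profile, pkt), 3))
    print("kept:", len(kept), "dropped:", len(dropped))
```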
Analysis

The aim of the proposed research is to thoroughly review the selected studies in relation to the defined research questions and to identify the attacks most frequently addressed in the literature on the security of a cloud-assisted WBAN (RQ1). We then studied and analyzed the solutions proposed to counter the attacks identified by RQ1 within a WBAN, as well as during the transmission of data over the cloud. Table 2 lists the results of the review and analysis of the current solutions for handling a SYN flooding attack. After thoroughly reviewing the studies, we found that the current solutions have drawbacks that should be mitigated in order to keep a cloud-assisted WBAN available to legitimate users at critical times. Among these solutions, intrusion detection techniques are the most widely used for detecting DDoS attacks. However, it is difficult to configure an IDS for the detection of internal attacks, and the challenge lies in writing a good rule set for the internal IDS. If these challenges are not handled appropriately, an IDS will produce a high false alarm rate for unknown attacks. As shown in Table 2, a number of solutions are available for handling DDoS attacks in traditional wired/wireless networks, but they have certain limitations when applied in a real-time environment. At the same time, these approaches are inappropriate for a cloud-assisted WBAN because of its resource scarcity in terms of memory, power, computation, and communication. Hence, there is a need for a solution that takes these issues into account. The future intention of this research is to develop a framework that analyzes and detects increasingly complex and deceptive DDoS SYN flooding attacks at the transport layer and mitigates their effects to ensure resource availability and business continuity in cloud-assisted WBAN e-health monitoring. The framework should be computationally efficient, maintain maximum reliability, and provide resilience against TCP SYN flooding attacks in order to support better patient healthcare in a cloud-assisted WBAN.
Conclusion

This paper systematically reviewed the literature concerning cloud-assisted WBAN security in order to answer the research questions.

Regarding RQ1: From the systematic literature review and survey, we conclude that TCP SYN flooding is the most commonly addressed complex and deceptive attack. It consists of a continuous stream of spoofed TCP SYN packets directed to a listening TCP port of the victim (sensor node, BCU, e-health service provider, or health cloud storage). Any system connected to the Internet using the TCP protocol is susceptible to this type of attack and may be unable to provide TCP services while under attack. In extreme cases, the system may exhaust its memory, crash, or become inoperative. This type of attack prevents people from the intended use of the affected system or networks. From the survey reports [42], it was observed that more than 85% of DDoS attacks use TCP.

Regarding RQ2: From the systematic literature review, we conclude that the current techniques to counter DDoS TCP SYN flooding attacks have various flaws, which affect the continuous availability of publicly accessible cloud environments and e-health cloud services. Therefore, there is a need to develop a complete framework for the detection, prevention, and mitigation of these attacks in a cloud-assisted WBAN environment to ensure the continuous availability of patient information for better health monitoring. Another important aspect is that the existing WBAN security approaches were based on the old WBAN standards. Therefore, there is a need to develop solutions that meet the requirements of the newly created WBAN standard, IEEE 802.15.6. The survey results indicate that the rigorously chosen techniques can be very useful for the detection of DDoS attacks and can help the victim in decision making and in devising future security measures.

Acknowledgments

The authors would like to extend their sincere appreciation to the Deanship of Scientific Research at King Saud University for its funding of this research through the Research Group Project no. RG-1435-048. The authors would also like to thank the National University of Sciences and Technology, Islamabad, Pakistan, for its support during this research.

References
1. Latif, R., Abbas, H., Assar, S., Latif, S., Analyzing Feasibility for Deploying Very Fast Decision Tree for DDoS Attack Detection in Cloud Assisted WBAN. Proceedings of the 10th International Conference, ICIC 2014, Taiyuan, China, pp. 507–519, 2014.
2. Irum, S., Ali, A., Aslam, F. K., Abbas, H., A Hybrid Security Mechanism for intra-WBAN and inter-WBAN Communication. International Journal of Distributed Sensor Networks, Volume 2013, Article ID 842608, 11 pages, 2013.
3. Ali, A., Aslam, F. K., A Broadcast-Based Key Agreement Scheme using Set Reconciliation for Wireless Body Area Networks. Journal of Medical Systems (Springer) 38(5), May 2014.
4. Latif, R., Abbas, H., Assar, S., Cloud Computing Risk Assessment: A Systematic Literature Review. Future Information Technology, FutureTech 276:285–295, 2013.
5. Jiafu, W., Caifeng, Z., Ullah, S., Chin-Feng, L., Ming, Z., Xiaofei, W., IoT Sensing Framework with Inter-cloud Computing Capability in Vehicular Networking. IEEE Network 27:56–61, 2013.
6. Waqar, A., Raza, A., Abbas, H., Khurram, M. K., A framework for preservation of cloud users' data privacy using dynamic reconstruction of metadata. Journal of Network and Computer Applications 36(1):235–248, January 2013, ISSN 1084-8045.
7. Moshaddique, A. A., Jingwei, L., Kyungsup, K., Security and Privacy Issues in Wireless Sensor Networks for Healthcare Applications. Journal of Medical Systems 36(1):93–101, 2012.
8. AbuKhousa, E., Najati, H. A., UAE-IHC: Steps towards Integrated E-Health Environment. Proceedings of the 4th e-Health and Environment Conference in the Middle East, Dubai, UAE, 30 January–2 February 2012.
9. Foster, I., Zhao, Y., Raicu, I., Lu, S., Cloud Computing and Grid Computing 360-Degree Compared. Proceedings of the Grid Computing Environments Workshop (GCE), Austin, TX, USA, pp. 1–10, 12–16 November 2008.
10. Kitchenham, B., Brereton, O. P., Systematic literature reviews in software engineering – A systematic literature review. Journal of Information and Software Technology, pp. 7–15, 2009.
11. Shahnaz, S., Ullah, S., Kwak, K. S., A Study of IEEE 802.15.4 Security Framework for Wireless Body Area Networks. Sensors (Basel) 11(2), January 2011.
12. Akash, M., Shrivastava, A. K., Manish, M., A Review of DDOS Attack and its Countermeasures in TCP Based Networks. International Journal of Computer Science & Engineering Survey (IJCSES) 2(4):177–187, November 2011.
13. Upma, G., Gayatri, B., Sandeep, M., A Dual Mechanism for defeating DDoS Attacks in Cloud Computing Model. International Journal of Application or Innovation in Engineering & Management (IJAIEM) 2(3):34–39, March 2013.
14. Fasheng, Y., Shui, Y., Wanlei, Z., Jing, H., Alessio, B., Source-Based Filtering Scheme against DDOS Attacks. International Journal of Database Theory and Application 1(1):9–20, 2009.
15. Fang-Yie, L., Intrusion Detection, Forecast and Traceback Against DDoS Attacks. Journal of Information, Technology and Society 9:19–44, December 2009.
16. Vikas, C., Sateesh, K. P., Packet Monitoring Approach to Prevent DDoS Attack in Cloud Computing. International Journal of Computer Science and Electrical Engineering (IJCSEE) 1(1), 2012.
17. Krunal, P., Security survey for cloud computing: threats & existing IDS/IPS techniques. Proceedings of the International Conference on Control, Communication and Computer Technology, IEEE, pp. 88–92, March 2013.
18. Ullah, S., Henry, H., Bart, B., Benoit, L., Chris, B., Ingrid, M., A Comprehensive Survey of Wireless Body Area Networks on PHY, MAC, and Network Layers Solutions. Journal of Medical Systems 36(3):1065–1094, 2012.
19. Mitko, B., Analysis of the SYN Flood DoS Attack. International Journal of Computer Network and Information Security 8:1–11, 2013.
20. Ismail, M. N., Aborujilah, A., Shahrulniza, M., Aamir, S., New Framework to Detect and Prevent Denial of Service Attack in Cloud Computing Environment. International Journal of Computer Science and Security (IJCSS) 6(4):226–237, May 2012.
21. Sanchika, G., Padam, K., Ajith, A., A Profile Based Network Intrusion Detection and Prevention System for Securing Cloud Environment. International Journal of Distributed Sensor Networks, Hindawi Publishing Corporation, Volume 2013, Article ID 364575, 12 pages, 2013.
22. Gulshan, S., Kavita, S., Swarnlata, R., A Technical Overview of DoS and DDoS Attack. Proceedings of the International Conference in Computing 2010, pp. 274–282, December 2010.
23. Christos, D., Aikaterini, M., DDoS attacks and defense mechanisms: classification and state-of-the-art. Computer Networks 44:643–666, 2004.
24. Asha, D., Chitra, R., Securing cloud from DDoS attacks using intrusion detection system in virtual machine. International Journal of Research in Engineering & Advanced Technology (IJREAT) 1(1), March 2013.
25. Nisha, H., Bhandari, Survey on DDoS Attacks and its Detection & Defence Approaches. International Journal of Science and Modern Engineering (IJISME) 1(3), February 2013.
26. Xin, X., Yongqiang, S., Zunguo, H., Defending DDoS Attacks Using Hidden Markov Models and Cooperative Reinforcement Learning. In: Yang, C. C., et al. (Eds.), PAISI 2007, LNCS 4430, pp. 196–207, 2007.
27. Saman, T. Z., James, J., David, T., A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks. IEEE Communications Surveys & Tutorials 15(4):2046–2069, October 2013.
28. Lonea, A. M., Popescu, D. E., Tianfield, H., Detecting DDoS Attacks in Cloud Computing Environment. International Journal of Computers, Communications and Control 8(1):70–78, February 2013.
29. Gavaskar, S., Surendiran, R., Ramaraj, E., Three Counter Defense Mechanism for TCP SYN Flooding Attacks. International Journal of Computer Applications 6(6), September 2010.
30. Chi-Chun, L., Chun-Chieh, H., Joy, K., A Cooperative Intrusion Detection System Framework for Cloud Computing Networks. Proceedings of the 39th International Conference on Parallel Processing Workshops, IEEE Computer Society, 2010.
31. Chen, Q., Wenmin, L., Wanchun, D., Shui, Y., CBF: A Packet Filtering Method for DDoS Attack Defense in Cloud Environment. Proceedings of the 2011 IEEE 9th International Conference on Dependable, Autonomic and Secure Computing, IEEE Computer Society, Washington, DC, USA, pp. 427–434, 2011.
32. Ahmad, Y. O., Noor Elaiza, A. K., Saadiah, Y., A Novel Framework for Jamming Detection and Classification in Wireless Networks. 2012 8th International Conference on Computing and Networking Technology (ICCNT 2012), Gyeongju, South Korea, August 2012.
33. Technical report by Cisco, December 2006. http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-4/syn_flooding_attacks.html. Accessed 12 Jan 2014.
34. DDoS attacks in 2014: Smarter, bigger, faster, stronger. Technical Report, April 2014. http://venturebeat.com/2014/04/20/ddos-attacks-in-2014-smarter-bigger-faster-stronger/. Accessed 26 July 2014.
35. Distributed Denial of Service Attack Protection Services, June 2014. http://www.incapsula.com/ddos/ddos-attacks/. Accessed 26 July 2014.
36. White paper: The Danger Deepens, Neustar Annual DDoS Attacks and Impact Report, 2014. http://www.neustar.biz/resources/whitepapers/ddos-protection/2014-annual-ddos-attacks-and-impact-report.pdf. Accessed 21 July 2014.
37. Martin, R., Snort – Lightweight Intrusion Detection for Networks. http://www.snort.org. Accessed 20 Dec 2013.
38. Chen, Q., Aickelin, U., Dempster-Shafer for Anomaly Detection. Proceedings of the International Conference on Data Mining (DMIN 2006), IEEE, pp. 232–238, USA, 2008.
39. Priyanka, N., Anupama, M., Gupta, B., Enhanced CBF Method to Detect DDoS Attack in Cloud Computing Environment. International Journal of Computer Science Issues (IJCSI) 10(2), No. 1, pp. 142–146, March 2013.
40. Modi, C., Patel, D., Patel, H., Borisaniya, B., Patel, A., Rajarajan, M., A survey of intrusion detection techniques in Cloud. Journal of Network and Computer Applications 36(1):42–57, 2013.
41. Lonea, A. M., Popescu, D. E., Tianfield, H., Detecting DDoS Attacks in Cloud Computing Environment. International Journal of Computers Communications & Control 8(1):70–78, February 2013.
42. Keromytis, A., Misra, V., Rubenstein, D., SOS: an architecture for mitigating DDoS attacks. IEEE Journal on Selected Areas in Communications 22(1):176–188, January 2004.