2016 International Conference on Networking and Network Applications
Design Issues of Enhanced DDoS Protecting Scheme under the Cloud Computing
Environment
Shin-Jer Yang and Yu-Zhan Li
Dept. of Computer Science & Information Management
Soochow University
Taipei, Taiwan
e-mail: sjyang@csim.scu.edu.tw;02356005@scu.edu.tw
AbstractDu to the growth of the Internet and the increase of
data, many companies have begun to migrate their data
services from the Web to the Cloud, but it comes with many
security issues, such as Distributed Denial of Service (DDoS)
attacks and Zero-day attacks. DDoS is a critical threat under
cloud computing environment, it attempts to make a machine
or network unavailable to their users. Confidence Based
Filtering (CBF) is one of the conventional approaches to
defending against DDoS. The CBF method is to collect the
packets and extract attribute pairs for calculating the score of
each packet, then it decides to discard it or not. However, the
weight of each attribute pair and the threshold value in the
calculation is static in the CBF method. Therefore, we propose
a novel method called N-CBF that improves these drawbacks
of the CBF method. First, the N-CBF scheme can dynamically
adjust the weight values of each attribute pair. Second, each
packet will have the unique threshold value. Third, we
performed simulations to compare and analyze the
effectiveness and efficiency of N-CBF scheme according to the
KPIs. Then, the simulation results indicate that the proposed
N-CBF scheme can obtain higher detection ratios on average of
9.02% and a little overhead in average processing time than
CBF. Finally, the N-CBF can support more refined and robust
protection mechanisms against DDoS attacks and also provide
a more secure cloud computing environment.
Keywords-Cloud Computing; DDoS; N-CBF; CBF; Detection
ratio
I. INTRODUCTION
Cloud computing is a resource optimization and
measured pricing of service platform, in which the
computing, storage, network resources, hardware, software
or other IT resources are virtualized. The cloud service has
an on-demand utility computing delivered over the network
anytime and anywhere [20]. The ability of cloud computing
to process large amounts of data and increase computing
speeds is based on resource sharing and the provider
consolidating massive resources for the use of multiple users.
This in turn leads to concerns over information security.
Distributed Denial of Service (DDoS) attacks is one of the
major threats under the cloud environment. DDoS is a
malicious network attack that previous researchers have
found to be mainly aimed at exhausting network and
computing resources in order to prevent them from providing
normal services to users. [2, 9].
Previous studies have found three main approaches to
defending against DDoS attacks such as attack detection,
978-1-4673-9803-9/15 $31.00 2015 IEEE 178
DOI 10.1109/NaNA.2016.68
attack trace-back, and attack filtering [2, 4]. This paper
examines the attack filtering approaches and the detection of
cyber-attacks. A number of past research have proposed
ways of filtering out DDoS attacks. The consuming cost
involved in most of these methods indicate that they are
inefficient at processing a high volume of packets, or are
only confined to spoofed IP attacks and not against
distributed attacks. The current Confidence Based Filtering
(CBF) method extracts a packet and looks at the attribute of
the packet header to determine its legitimacy. But the CBF
method does not adjust the attribute weight and threshold
during processing the current packet. This increases the
chance of packets being misidentified, leading to a reduced
detection ratio, and accuracy ratio. Therefore, this paper is
focused on the following purposes:
x Since the weight of each attribute pair and the threshold
value in the calculation is static on the CBF method, we
propose a novel method called N-CBF that improves
upon several deficiencies in the CBF method among
existing DDoS defense mechanisms.
x Propose a weight reference table for calculating the N-
CBF score in each packet. The confidence value of each
attribute can then be used to find the corresponding
weight.
x When designing the threshold, adjust the threshold based
on the confidence value assigned to that packet attribute
in order to deal with different packet attributes.
x The N-CBF method proposed in this paper is to design a
simulator for carrying out simulation experiments.
Performance was also compared against the existing CBF
method and analyzed to prove that real-time dynamic
adjustment of the weight and threshold used for
calculations did not waste computing resources but
instead, achieved a more effective use of resources while
also improving the detection ratio.
x Two key performance indicators will be proposed:
detection ratio and average processing time. Simulation
experiments and results analysis can be used to indicate
that the proposed N-CBF scheme can refine the CBF.
This paper is organized as follows. Section I, this paper
introduces the research background and purpose. Section II,
we will survey and describe the review of related literature
and current issues in DDoS defense. Section III will explain
our research process and methods. Section IV comprises the
building of simulation experiments and results analysis. A
conclusion will be drawn in Section V.
 II. RELATED WORK
A. Cloud Computing and Its Service Models
Unlike past forms of data processing, cloud computing
integrates the processing power of multiple computers to
form one large processing center and complete computing
tasks. The rapid development of the Internet has seen the
application of cloud computing grow in scope as well to
become a technology found in everyday life [6]. In the
National Institute of Standards and Technology (NIST)
defines cloud computing as a model for enabling ubiquitous,
convenient, on-demand network access to a shared pool of
configurable computing resources (e.g., servers, storage,
networks, applications and services) that can be rapidly
provisioned and released with minimal management effort or
service provider interaction. However, information security
has long been the great concern of businesses and the general
public [13] In 2013, the Cloud Security Alliance reported
that the nine most serious security threats including Data
Breaches, Data Loss, Account or Service Traffic Hijacking,
Insecure Interfaces and APIs, Denial of Service, Malicious
Insiders, Abuse of Cloud Services, Insufficient Due
Diligence and Shared Technology Vulnerabilities under
cloud computing [14].
As compared to the traditional IT environment, most of
the services in the cloud platform are managed and
maintained by a cloud provider so there are some risks
involved in such a setup. Cloud computing also makes use of
new technologies such as virtualization. This means
traditional IT problems become far more complex in a cloud
computing environment [18]. Also, the attacks can be
transferred to different strategies such as locking the
application layer. The application layer attack is focused on
designing the vulnerabilities of Web services and making the
application layer packets to avoid attacks. It's more efficient
than ever before [19]. When the companies are ready to
transfer the IT resources to the cloud, it is required to clearly
think about the risks to the information security policy itself.
Hence, they are able to solve the essential security issues in
cloud computing.
B. Types of DDoS Attacks
In a Denial of Service (DoS) attack, the emphasis is on
preventing the legitimate use of network services [7]. By
preventing the normal operation of the target's machine or
network resources, the attacker is able to interrupt its ability
to provide services to users [17]. The DDoS attack is an
extension of the DoS attack. They differ in that DDoS is
launched by two or more attackers or a so-called Botnet.
Servers spread over different locations send large amounts of
spoofed packets to the target machine in order to paralyze the
target server. For example, the financial industry is one of
the attack targets from hackers, a hacker can lock the servers
to make the system unable to provide on-line normal trading
activities. Thus, this causes enterprises and consumers a huge
loss of money and reputation damage [8]. In a cloud
environment, the problems facing DDoS defense
mechanisms are different to that of the traditional web
architecture. In addition, network environments are changing
179
at a relatively fast rate today. Defense mechanisms against
DDoS attacks must therefore be capable of dynamic
adjustment in order to maintain their high detection rates and
ability to react [11].
Statistics from 2014 suggest that there were on average
28 DDoS attacks per hour [15]. The United States Computer
Emergency Readiness Team (US-CERT) defined six
symptoms that may indicate a DoS attack [16]:
x Unusually slow network performance (opening files or
accessing web sites)
x Unavailability of a particular web site
x Inability to access any Web site
x Dramatic increase in the number of spam emails
received(this type of DoS attack is considered an e-
mail bomb)
x Disconnection of a wireless or wired Internet connection
x Long-term denial of access to the Web or any Internet
services
DDoS attacks can be divided into two types: Bandwidth
Depletion and Resource Depletion [3]. The Bandwidth
Depletion type of DDoS attack uses a flood of malicious
traffic to deplete the bandwidth resources and prevent
legitimate traffic from entering the victim system. UDP
Flood [5] and ICMP Flood [21] are the most common attack
types. As the name suggests, the Resource Depletion type of
DDoS attack aims to take up the resources of the target
system. TCP SYN Floods [21] and Land Attack are
examples of this method.
C. DDoS Defense Mechanisms
Past studies produced the following defense mechanisms
against DDoS attacks:
x Packet Score Filtering: The Packet Score Filtering
method is used to calculate the IP and TCP header
attributes of the packet then decide whether the packet
comes from a legitimate channel [4]. However, it takes
up too many resources to compute. It is therefore less
efficient and not suitable for filtering higher packet flows.
x ALPi: ALPi is an extension of the Packet Score Filtering
method described above that makes use of the Leaky
Bucket Theory. Its application means ALPi offers more
simplified calculation and faster execution compared to
Packet Score Filtering [1]. But there are some DDoS
attacks that the ALPi cannot defend against including:
Ping-of-Death and Teardrop as these do not use large
amounts of packets to paralyze the target server.
x Hop-Count Filtering: Hop-Count Filtering (HCF) uses
the relationship between the packet's source IP address
and Time-to-Live (TTL) as the basis for filtering [10].
HCF has been proven to be an effective and easily
deployed method. It is however only effective against
attacks with spoofed IPs and does not defend against
DDoS attacks.
D. CBF Method
The CBF method proposes a filtering method based on
confidence values that is an improvement upon the
weaknesses described above [2]. In past research, user
behavior while browsing the website was used to detect
DDoS attacks [12]. The CBF method therefore uses the
packet IP and TCP header attributes as the basis for
correlation. By finding and quantifying the attribute pairs
within the packet, a CBF score can be calculated to
determine whether the packet is from legitimate access or
illegitimate access.
CBF calculations are in two parts. The first is the
calculation of the confidence value. The confidence value is
the frequency of attribute pairs with the same values divided
by the total number of packets in the packet flow over a set
time interval. A higher frequency of identical values means a
higher confidence value. In a packet, each attribute pair has
one confidence value. The second part is the calculation of
the CBF score. In this method, each attribute pair is assigned
a weight. The CBF score is based on a weighting of the
attribute confidence values on each packet. Finally, the CBF
score is compared with the pre-defined threshold. If it is
 
() ,  ()
greater than the threshold then the packet came from a

legitimate channel and if not, the packet may be from a
DDoS attack. The weakness of the CBF method is that the
attribute weight and threshold used in its calculations are
fixed and cannot be adjusted based on the circumstances of
each packet. Although fixed data is convenient for
computation and improves processing speed, its accuracy
ratio may be affected. Hence, this paper can further improve
the CBF method by proposing a method named N-CBF for
dynamically adjusting the attribute weight and the threshold
value based on the circumstances of each packet.
III. N-CBF OPERTIONS ISSUE AND ALGORITHM DESIGN
The emphasis of this paper was to take the existing
DDoS defense mechanism known as the CBF method and
 
() , 
(3)
verify the problems during handling of packet filtering in
order to enhance the key performance indicators such as
detection ratio and average processing time. So the N-CBF
method will be proposed as a way of solving the original
CBF method's problem of being unable to adjust its filtering
mechanism for each packet attribute. Simulation experiments
will also be conducted to prove that processing speed can be
improved without wasting computing resources.
The N-CBF method is based on the following principles:
x Automatically adjust the weight of each attribute's
confidence value for calculating the N-CBF score.
x Dynamic adjustment of threshold value to enable correct
identification of legitimate or malicious packets.
The algorithm of this paper followed the procedure
below: First, read the packet attributes in order to extract the
six necessary attribute types then pair them together to derive
fifteen different attribute pairs. Calculate their confidence
values using Equation (1):
The confidence value is the frequency of associated values
appearing in two attributes divided by the total packet count.
To facilitate access for subsequent calculations, we
establish a data set called the Nominal Profile (NP) for
storing the confidence values that attribute pairs correspond
to. If the confidence value is greater than NP or this field in
NP is empty, then NP is updated. Conversely, if the
confidence value is less than NP then NP is not updated. If
there are still unread packets, then go back to the first step
and keep reading. If all packets have been read then proceed
to calculating the N-CBF score. Using the attribute pairs in
the packet to look up the corresponding confidence value in
NP, then use the confidence value to find the corresponding
weight ratio in the weight reference table. Then each
confidence value is calculated with each attribute weight to
derive the N-CBF score. The calculation method for the N-
CBF score is as shown in Equation (2):

N CBF Score =
(2)

In Equation (2), 15 is the total number of attribute pairs,
 is the confidence value's corresponding weight,
!"#$ = %(&1) ,  = %(&2) is the confidence value
of the attribute pair, while the N-CBF score is calculated by
using the pairing of the fifteen-packet attribute types then
using the derived confidence value and corresponding weight
value to do the weighting calculation. Finally, the N-CBF
score is compared with the threshold value. If the score is
higher than the threshold value, then the packet is legitimate
and can be accepted. If the value is lower than the threshold
value, then it is determined to be a malicious packet and
discarded. Threshold value is calculated as shown in
Equation (3):

 ()
Threshold_VAL = 
'
In Equation (3), the threshold value (Thrshold_VAL) is
the average of the fifteen confidence values in each packet.
The six packet attributes extracted in this paper are as
shown in Table I. The two attributes Source IP address and
Flag used in the CBF method have been replaced because the
packet source is usually spoofed and the type of service is
used instead to track the type of service requested. Window
size is faster to calculate compared to the Flag attribute so
it is used here instead as well.
TABLE I. DESCRIPTION OF THE PACKET ATTRIBUTES
Attributes Details
IP Total length Length of entire IP Packet.
header Time to live Tell the network how many routers
(hops) this packet can cross to avoid
looping in the network.
Protocol type The type of transport packet being
carried.


,
, , Type of service Define the way routers should queue
Conf = , ,  = , =

(1) packets while they are waiting to be
forwarded.
In Equation (1),  is the packet attribute, , is the value
TCP Destination port The destination port number.
of attribute  ,  = , ,  = , is the header number
frequency that when attribute  equals , and attribute Window size Indicated in the acknowledgment field
which the sender of this segment is
 equals , both appears,  is the total packet count. willing to accept.

180
 Using the six separate attributes for pairing gives a total The pseudo code for designing N-CBF is expressed as
of 15 possible different attribute pairs. Hence, the goal is to follows:
highlight how the confidence value for the paired values Algorithm N-CBF(){
increases as well when the probability of two different Input:
attribute values appearing together increases. In summary, #define Packet[1...i] i = 1...N;
the process flow of N-CBF operations is shown in Figure 1. #define Packet[].TL[]; //Total Length
#define Packet[].TTL[]; //Time to Live
START
#define Packet[].PT[]; //Protocol Type
#define Packet[].ToS[]; //Type of Service
Read the incoming packet
#define Packet[].DP[]; //Destination Port
#define Packet[].WZ[]; //Window Size
Use the Packet Attributes to calculate the confidence value(CV)
#define NP[][];
#define NPCV[];
Yes
If the CV bigger than Update the CV to NP #define CV_Comp();
Nominal Profile(NP)
#define N-CBF_Comp();
No
#define Threshold_Comp();
Yes Double CV_VAL;
If there
is still have
the incoming packet Double N-CBF_Score;
No Double Threshold_VAL;
Int N;
According to each packet attribute pairs look-up the NP to find the correspond CV
Output: To complete Filtering packet Process;
Method:
Use the correspond CV and the weight to calculate the N-CBF value and Threshold value
BEGIN{
Int N = 0
If the N-CBF
value bigger Incoming Packet
than Threshold value No For(int i = 1; i <= N; i ++){
Yes Packet[i] = input.Packet;
Accept the Packet Discard the packet N++;}
For each Packet do
For(int i = 1; i <= N; i ++){
If there is still have the
packet not distinguish?
NP[i][1] = Packet[i].TL[i];
NP[i][2] = Packet[i].TTL[i];
No
NP[i][3] = Packet[i].PT[i];
Yes
END NP[i][4] = Packet[i].ToS[i];
NP[i][5] = Packet[i].DP[i];
Figure 1. The operational flow of N-CBF. NP[i][6] = Packet[i].WZ[i];
For(int j = 1; j <= 6; j ++){
The Table II shows that compares the features between CV_Comp( NP[i][j] );
the CBF and the N-CBF methods. The weight of each If (CV_VAL > NPCV[i]) then
attribute pair and the threshold value is static on the CBF Update NPCV[i] with CV_VAL;
method, the N-CBF method we proposed that improves upon End if}}
several deficiencies in the CBF method among existing For(int i = 1; i <= N; i ++){
DDoS defense mechanisms. Therefore, the N-CBF will N-CBF_Comp(NPCV[i]);
enhance the detection ratio. Threshold_Comp(NPCV[i]);
If (N-CBF_Score > Threshold_VAL) then
TABLE II. DIFFERENCES BETWEEN THE CBF AND THE N-CBF
Accept the packet;
DDoS Scheme CBF N-CBF Else if (N-CBF_Score <= Threshold_VAL) then
Features
Packet attributes Total length, Time to live, Protocol type,
Discard the packet;
Destination port number End if}}
Source IP Type of service, Window End
address, Flag size Procedure CV_Comp(NP[i][j]){
The weight ratio Static According to each packets
attribute pair, it will be
Int Count = 0;
adjusting dynamically. For(int z = 1; z < =N; z ++){
The threshold value Static According to each packet , it If(NP[i][j] == NP[z][j])
will be adjusting Count ++;
dynamically.
End if}

181
 CV_VAL = Count / N; In our simulations, we can capture the data from the Web
Return CV_VAL;} of MAWI Traffic Archive (http://mawi.wide.ad.jp/mawi/)
End into the testing packets for our experiments. Also, all our
Procedure N-CBF_Comp(NPCV[i]){ testing data to be simulated in N-CBF is similar to the CBF
Int CV = 0; method.
Int W = 0;
B. Results Analysis
For(int i = 1; i <= 15; i ++){
CV +=  * NPCV[i]; Our simulations using two virtual machines to perform
W +=  ;} N-CBF and CBF source code in the cloud environment. The
N-CBF_Score = CV / W; numbers of packets each in 1000, 2000, 5000, 10000 and
50000 are to be performed simulations, and then executed
Return N-CBF_Score;}
ten times, respectively in order to obtain the average
End
processing time. The simulation results are shown in Figure
Procedure Threshold_Comp(NPCV[i]){ 2, Figure 3 and Table V.
Int CV = 0;
For(int i = 1; i <= 15; i ++){
Detection Ratio
CV += NPCV[i];}
Threshold_VAL = CV / 15;
100%
Return Threshold_VAL;}
End}
End N-CBF. 50%
1000 2000 5000 10000 50000
IV. SIMULATIONS SETUP AND RESULTS ANALYSIS
Packet Numbers
A. Simulation Setup N-CBF CBF
The experiments of this paper will build up the
simulation environment of clouds through virtual machines
and physical machines; whereas all virtual machines use Figure 2. The Detection Ratio of the Simulations.
Oracle VM Virtual Box 5.0.10 to be installed on the Ubuntu
system, the JDK version is 1.8.0 and the Hadoop version
used is 2.7.1. The hardware and software specifications of Average Processing Time
the experimental environment arelisted in Table III. 10
Second

TABLE III. HARDWARE AND SOFTWARE SPECIFICATIONS

5
Hadoop
Cloud 1 Cloud 2 0
Master
Operating
Ubuntu 15.10 Ubuntu 15.10 Ubuntu 15.10 1000 2000 5000 10000 50000
System
Packet Numbers
2 Cores 2 Cores 2 Cores
CPU
2.5 GHz 2.5 GHz 2.5 GHz
Memory 2 GB 2 GB 2 GB N-CBF CBF
Disk 50 GB 50 GB 50 GB
Figure 3. The Average Processing Time of the Simulations.
Hadoop
Hadoop 2.7.1 Hadoop 2.7.1 Hadoop 2.7.1
Version
Fig. 2 shows the detection ratio that the N-CBF method
We will set the first virtual machine to be the master
in each test are higher than the CBF method. Also, the
node server of the cloud environment architecture, and then
set the rest two to build the cloud computing platform and increases in the number of packets will further improve the
execute the N-CBF simulator, respectively, to evaluate the detection rate upward. Therefore, it found that the greater
key performance indicators (KPIs). In this paper, we can list the number of test packets, the packets confidence value
two kinds of KPIs to compare and analyze the simulation will be higher to enhance the detection ratio. In contrast the
results, the content of the two KPIs are shown in Table IV. CBF method under different numbers of test packets, the
detection ratio is more unstable. Also, Fig. 3 presents the
TABLE IV. TWO KEY PERFORMANCE INDICATORS average processing time for the numbers of the test packets
KPIs Propose of analysis with two methods. The N-CBF method will be longer than
Detection Ratio For the malicious packets, we can detect them by the CBF method in the large number of packets in this
the N-CBF method to reduce the chance of being simulation. The reason is that it should calculate the weight
attacked.
values and the threshold values which are considered to be
Average The time of processing the packet filtering, in
Processing Time order to evaluate the efficiency of the N-CBF dynamically adjusting, and it may result in a little more
method. processing time.

182
TABLE V. THE EXCUTION RESULTS BETWEEN N-CBF AND CBF [2] Wanchun Dou, Qi Chen and Jinjun Chen, A Confidence-Based
filtering method for DDoS attack defense in cloud environment,
Features Packet Difference Future Generation Computer Systems, Vol. 29, No. 7, pp. 1838-1850,
N-CBF CBF
KPIs Numbers ratio September 2013.
1000 78% 77% 1.2% [3] Christos Douligeris and Aikaterini Mitrokotsa, DDoS attacks and
2000 80% 76% 5.2% defense mechanisms: classification and State-of-the-Art, Computer
Detection ratio 5000 84% 80% 5% Networks, Vol. 44, No. 5, pp. 643-666, April 2004.
10000 88% 74% 18.9%
50000 93% 81% 14.8% [4] Yoohwan Kim, Wing Cheong Lau, Mooi Choo Chuah and Chao H. J,
1000 0.085 0.082 -3.6%
PacketScore: a Statistics-Based packet filtering scheme against
Distributed Denial-of-Service attacks, IEEE Transactions
Average Processing 2000 0.1811 0.1724 -5.%
on Dependable and Secure Computing, Vol. 3, No. 2, pp. 141-155,
Time 5000 1.02 0.983 -3.7%
April-June 2006.
(unit: Sec.) 10000 3.85 3.65 -5.4%
50000 6.453 5.89 -9.5% [5] Felix Lau, Stuart H. Rubin, Michael H. Smith and Ljiljana Trajkovicl,
Distributed Denial of Service attacks, In Proc. of the 2000 IEEE
International Conference on Systems, Man, and Cybernetics, Vol. 3,
The N-CBF method is proposed with more accurate pp. 2275-2280, October 2000.
filtering capabilities through the validation and improvement [6] Shamsul Anuar Mokhtar, Siti Haryani Shaikh Ali, Abdulkarem Al-
on the CBF method. After using the N-CBF method, the Sharafi and Abdulaziz Aborujilah, Cloud computing in academic
institutions, In Proc. of the 7th International Conference on
detection ratio is enhanced. Although the average processing Ubiquitous Information Management and Communication, January
time is a little overhead owing to the calculation of the 2013.
dynamic adjustment process, we will make some [7] Jelena Mirkovic and Peter Reiher, A taxonomy of DDoS attack and
improvements on this indicator in the future. DDoS defense mechanisms, ACM SIGCOMM Computer
Communication Review, Vol. 34, No. 2, pp. 39-53, April 2004.
V. CONCLUSION [8] Turner Rik, Tackling the DDoS threat to banking in 2014, White
This paper proposed an N-CBF method that is an Paper of Alamai, 2014.
improved version of the existing CBF method among DDoS [9] Peng Tao, Christopher Leckie and Kotagiri Ramamohanarao, Survey
of network-based defense mechanisms countering the DoS and DDoS
defense mechanisms. In the original CBF method, a problem problems, ACM Computing Surveys (CSUR), Vol. 39, No. 1,
with the filtering process is that the weight used for Article 3, April 2007.
calculating the CBF score is not modified for different [10] Haining Wang, Cheng Jin and Kang G. Shin, Defense against
packet attributes. Its threshold is not adjusted according to spoofed IP traffic using Hop-Count filtering, IEEE/ACM
the content of the current packet either. This increases the Transactions on Networking, Vol. 15, No. 1, pp. 40-53, February
chance of packets being misidentified, reducing the detection 2007.
ratio. By using the weight reference table proposed in this [11] Bing Wang, Yao Zheng, Wenjing Lou and Y. Thomas Hou, DDoS
attack protection in the era of cloud computing and software-defined
paper to dynamically adjust the attribute weight needed for networking, Computer Networks, Vol. 81, pp. 308-319, April 2015.
calculating the N-CBF score and adjusting the threshold
[12] Xie Yi and Shun-Zheng Yu, A large-scale hidden Semi-Markov
based on the confidence value of each packet, the detection Model for anomaly detection on user browsing behaviors,
ratio can be improved. Also, we can perform experiments to IEEE/ACM Transactions on Networking, Vol. 17, No. 1, pp. 54-65,
compare the N-CBF and CBF methods. The simulation February 2009.
results indicate that the proposed N-CBF method can obtain [13] Peter Mell and Timothy Grance, The NIST definition of cloud
a higher detection ratio by about an average of 9.02% and computing, 2011.
with little overhead in processing time over CBF. In the [14] Top Threats Working Group, The notorious nine: cloud computing
future, we will find other KPIs such as the accuracy ratio to top threats in 2013, Cloud Security Alliance, 2013.
further prove that the proposed N-CBF scheme can offer a [15] Chris Preimesberger, DDoS attack volume escalates as new methods
emerge,
more refined and robust protection mechanism against DDoS
http://www.eweek.com/security/slideshows/ddos-attack-volume-
attacks and also provide a more secure cloud computing escalates-as-new-methods-emerge.html
environment.
[16] US-CERT Understanding Denial-of-Service Attacks,
ACKNOWLEDGEMENTS https://www.us-cert.gov/ncas/tips/ST04-015
[17] WiKi Denial-of-Service Attack,
The partial work of this paper is funded and supervised by
https://en.wikipedia.org/wiki/Denial-of-Service_attack#cite_note-
the Ministry of Science and Technology in Taiwan under preimesberger2014-1
Grant MOST 104-2410-H-031 -036 -. [18] http://ics.stpi.narl.org.tw/html/rept_content.jsp?id=1390205301659
[19] http://www.informationsecurity.com.tw/article/article_detail.aspx?tv=
REFERENCES &aid=7695&pages=1
[1] Paulo E. Ayres, Huizhong Sun, H. Jonathan Chao and Wing Cheong [20] http://www.uis.com.tw/edm/uisnews/uisnews042/learning.aspx
Lau, ALPi: a DDoS defense system for high-speed networks, IEEE
[21] http://newsletter.ascc.sinica.edu.tw/news/read_news.php?nid=1869
Journal on Selected Areas in Communications, Vol. 24, No. 10, pp.
1864-1876, October 2006.

183