Detecting and Mitigating HX-DoS attacks against Cloud Web Services
Ashley Chonka, Member, IEEE and Jemal Abawajy, Senior Member, IEEE
Abstract— Cyber-Physical Systems allow for the
interaction of the cyber and physical worlds using a
central service called Cloud Web Services. Cloud Web
Services can sit well within three models of
Cyber-Physical Systems: Software-as-a-Service (SaaS),
Platform-as-a-Service (PaaS), and
Infrastructure-as-a-Service (IaaS). Any Cyber-Physical
System that uses Cloud Web Services inherits a security
problem, the HX-DoS attack. An HX-DoS attack is a
combination of HTTP and XML messages that are
intentionally sent to flood and destroy the communication
channel of the cloud service provider. The relevance of
this research is that TCP/IP flood attacks are a common
problem and a lot of research on mitigating them has
previously been discussed, but the HTTP denial of service
and XML denial of service problems have only been
addressed in a few papers. In this paper, we get closer
to closing this gap with our new defence system called
Pre-Decision, Advance Decision, Learning System (ENDER).
In our previous experiments using our Cloud Protector, we
were successful at detecting and mitigating 91% of HX-DoS
attack traffic, with 9% false positives. In this paper,
ENDER was able to improve upon this result: trained and
tested on the same data, it achieved 99% detection and
1% false positives.
Index Terms— Cyber-Physical Systems, Cloud
Security, HX-Denial of Service Attacks.
1. Introduction
CPS can integrate computing and communication
capabilities with monitoring and control of entities
in the physical world. These systems are usually
composed of a set of networked agents, including
sensors, actuators, control processing units, and
communication devices (see Figure 1). For example,
CPS applications include those that sense and respond to
changes in the environment, such as forest fires,
earthquakes and glacial slides. CPS can also be used to
help utility services such as water and traffic
management systems.
Cloud computing systems can be characterized as
Software-as-a-Service (SaaS), Platform-as-a-Service
(PaaS), and Infrastructure-as-a-Service (IaaS) [1]. PaaS
and IaaS are viable architectures that can be implemented
and applied to CPS. IaaS applications provide system
infrastructure as a service, which can allocate physical
resources to serve their application’s needs through
programs. An example of an IaaS application can be found
in Amazon’s Elastic Compute Cloud (EC2). EC2 allows
developers to allocate any number of systems to their
applications through API calls. PaaS applications provide
a platform environment rather than an infrastructure
environment. PaaS applications are best shown using the
Google App Engine (GAE). GAE allows for an instance
of a machine that is not a physical machine. For example,
a Java Virtual Machine (JVM) can be run on a particular
server that can be spread across Google’s multiple
physical systems. SaaS are not actually compatible with
CPS systems without a framework and so can be currently
applied [2].
A Distributed Denial of Service (DDoS) attack is
usually defined as two or more machines attacking
another machine with a flood of messages, to the point
where it can only handle a few requests at a time or,
alternatively, the system totally collapses [3-11]. The main
thrust of current research on DDoS defence has been in
detection [5][6][7], mitigation [8][9] and filtering
[10][11][12] at the TCP/IP layer. But defences at the
application layer, where the majority of communication
between cloud web services takes place, have received
only minimal research [13][24][25][29]. In our
previous work [13], we started to close this gap
by exploring a new form of DDoS attack called
a HyperText Transfer Protocol (HTTP) and Extensible
Mark-up Language (XML) Denial of Service (DoS)
attack, or HX-DoS attack. Our results show that we were
able to detect and mitigate 91% of these attack messages
with our Cloud Protector.
A. Chonka and J. Abawajy are with the School of Information Technology,
Deakin University, Waurn Ponds, VIC, 3220, Australia. E-mail:
chonka@deakin.edu.au and jemal.abawajy@deakin.edu.au
2012 15th International Conference on Network-Based Information Systems
978-0-7695-4779-4/12 $26.00 © 2012 IEEE
DOI 10.1109/NBiS.2012.146