Field of the Invention
This invention relates generally to distributed computing resources, and more particularly to systems and methods for distributed denial of service attack tree discovery and flood control.
Description of the Related Art
Distributed Denial of Service (DDoS) attacks are a critical issue for dynamic and stochastic task environments. The result of these attacks is often the removal or degradation of one or a set of computation nodes within a dynamic task environment, and/or the removal or degradation of one or a set of storage nodes within a distributed storage environment. A typical class of attacks could be initiated from a leaf processing node against a pervasive computing graph, propagating along the edges between the vertices. For example, a DDoS attack may apply a scanning operation throughout an entire grid environment (e.g., on all nodes) or may deploy a malicious agent on those nodes to consume memory and/or CPU resources.
Intrusion detection is a method of identifying attempts to compromise CIAA (confidentiality, integrity, availability and authenticity) of computational resources. Various data center operations may perform intrusion detection manually or automatically. Manual intrusion detection typically examines evidence from system calls, log files, audit trails or network packet flows. Systems that perform automated intrusion detection are sometimes referred to as intrusion detection systems (IDSs). Modern IDSs typically employ a combination of the above two classes of techniques. As probable attacks are discovered by IDSs, relevant information is typically logged to files or databases and alerts are generated. In addition, automatic responsive actions and/or even preventive rule-based controls may be implemented through access control systems.
Due to advances in information security techniques, intrusion prevention systems (IPSs) described in the literature may provide a practical mechanism to defend against intrusion attacks on computational graphs or to prevent abuse of computational resources. These IPSs can be divided into two categories: misuse-prevention techniques and anomaly-prevention methods. Misuse-prevention tools are typically based on a set of signatures that describe known attack states and that are used to match a current state against a known attack state. If a current state corresponding to an actual attack matches one of the attack classes listed in the database, then it is successfully identified. A disadvantage of this approach is that it cannot prevent previously unknown attacks (also called zero-day attacks). Anomaly prevention uses profiles of normal states to prevent intrusions by noting significant deviations between the parameters of the observed network traffic and those of the normal states. Anomaly-based prevention has been an active research topic. However, it suffers from high false-positive error rates because unseen normal behaviors are often misclassified as attacks.
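The two failure modes just described can be seen side by side in the following added illustration, which is not part of this patent or of any IPS it cites: a small signature database (misuse prevention) and a mean/standard-deviation profile of normal node states (anomaly prevention) are both run over constructed node states. The metric names, signatures, normal samples, and the z-score threshold of 3.0 are all assumptions made for the example.

```python
from statistics import mean, pstdev

# Constructed signature database (misuse prevention): every predicate listed
# for an attack must hold for a node state to match that known attack.
KNOWN_ATTACK_SIGNATURES = {
    "grid_scan": {"scan_rate_per_s": lambda v: v > 500},
    "cpu_hog_agent": {"cpu_pct": lambda v: v > 95, "mem_pct": lambda v: v > 90},
}

def misuse_match(state):
    """Return the name of the first known attack whose predicates all hold, else None."""
    for name, preds in KNOWN_ATTACK_SIGNATURES.items():
        if all(pred(state.get(metric, 0)) for metric, pred in preds.items()):
            return name
    return None

class AnomalyProfile:
    """Normal-state profile: per-metric mean and std-dev learned from normal samples."""
    def __init__(self, normal_samples, z_threshold=3.0):
        self.z_threshold = z_threshold
        self.stats = {}
        for metric in normal_samples[0]:
            values = [s[metric] for s in normal_samples]
            # A constant metric would give std-dev 0; guard the division below.
            self.stats[metric] = (mean(values), pstdev(values) or 1e-9)

    def max_z(self, state):
        """Largest absolute z-score of the state's metrics against the profile."""
        return max(abs(state.get(m, 0) - mu) / sd for m, (mu, sd) in self.stats.items())

    def is_anomalous(self, state):
        return self.max_z(state) > self.z_threshold

# Constructed normal node states (cpu %, memory %, scan requests per second).
NORMAL_SAMPLES = [
    {"cpu_pct": c, "mem_pct": m, "scan_rate_per_s": s}
    for c, m, s in [(20, 30, 1), (25, 35, 2), (30, 40, 1), (22, 33, 0),
                    (28, 38, 3), (24, 36, 2), (26, 34, 1), (21, 31, 2)]
]
PROFILE = AnomalyProfile(NORMAL_SAMPLES)

def classify(state):
    """Run both prevention classes on one node state and return their verdicts."""
    return {"misuse": misuse_match(state), "anomaly": PROFILE.is_anomalous(state)}

# Constructed states: a known scan attack, a zero-day memory-exhaustion agent
# (no signature exists), and a legitimate but previously unseen heavy batch job.
KNOWN_SCAN = {"cpu_pct": 40, "mem_pct": 40, "scan_rate_per_s": 900}
ZERO_DAY_MEM_AGENT = {"cpu_pct": 30, "mem_pct": 85, "scan_rate_per_s": 1}
HEAVY_BATCH_JOB = {"cpu_pct": 92, "mem_pct": 45, "scan_rate_per_s": 0}
```

The signature check identifies the known scan but misses the zero-day agent, while the anomaly profile catches the zero-day agent but also flags the legitimate batch job, which is the false-positive behavior the paragraph describes.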
Current methods for intrusion detection and prevention (including some that use reinforcement learning) are built on static architectures and/or parameters (e.g., a fixed number of nodes, layers of computation, and number and type of parameters). These methods typically depend on supervised training with known attack types. However, in dynamic programming settings, there may be no available training set. Current methods for intrusion detection using machine learning typically require human interaction to improve rule-based binary classifications, and tuning is limited to a fixed architecture having fixed optimized weights and bias nodes that impact the classification results. In addition, current methods typically return results as a classification (typically a binary classification: attack or no attack). Evolutionary computing has been proposed to improve learning networks. However, it inherits the memory-bound problem of traditional artificial intelligence techniques.