TY - GEN
T1 - Microservices made attack-resilient using unsupervised service fissioning
AU - Baarzi, Ataollah Fatahi
AU - Kesidis, George
AU - Fleck, Daniel
AU - Stavrou, Angelos
N1 - Publisher Copyright:
© 2020 Association for Computing Machinery.
PY - 2020/4/27
Y1 - 2020/4/27
N2 - Application-layer DoS attacks are increasing as the number of cloud-deployed microservice applications is increasing. The attacker tries to exhaust computing resources and brings the nominal applications down by exploiting application-layer vulnerabilities. As traditional solutions for volumetric DoS attacks will not be able to handle these attacks, new approaches are required to detect and respond to application-layer attacks. In this work, we propose an unsupervised, non-intrusive and application-agnostic detection approach and fissioning-based response mechanism. We built our prototype on kubernetes, the state of the art container orchestrator for microservices, and show its effectiveness through experimental evaluation. Our preliminary results show that using our detection and defense mechanism, we are able to a) efficiently identify the attacks and b) reduce the effect of the attack on legitimate users by 3× compared to a case where there is no detection/defense in place.
AB - Application-layer DoS attacks are increasing as the number of cloud-deployed microservice applications is increasing. The attacker tries to exhaust computing resources and brings the nominal applications down by exploiting application-layer vulnerabilities. As traditional solutions for volumetric DoS attacks will not be able to handle these attacks, new approaches are required to detect and respond to application-layer attacks. In this work, we propose an unsupervised, non-intrusive and application-agnostic detection approach and fissioning-based response mechanism. We built our prototype on kubernetes, the state of the art container orchestrator for microservices, and show its effectiveness through experimental evaluation. Our preliminary results show that using our detection and defense mechanism, we are able to a) efficiently identify the attacks and b) reduce the effect of the attack on legitimate users by 3× compared to a case where there is no detection/defense in place.
UR - http://www.scopus.com/inward/record.url?scp=85088316884&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85088316884&partnerID=8YFLogxK
U2 - 10.1145/3380786.3391395
DO - 10.1145/3380786.3391395
M3 - Conference contribution
AN - SCOPUS:85088316884
T3 - Proceedings of the 13th European Workshop on Systems Security, EuroSec 2020
SP - 31
EP - 36
BT - Proceedings of the 13th European Workshop on Systems Security, EuroSec 2020
PB - Association for Computing Machinery, Inc
T2 - 13th European Workshop on Systems Security, EuroSec 2020
Y2 - 27 April 2020
ER -