1 Introduction
2 Related work
2.1 Economic denial of sustainability detection and defence
2.2 Click fraud
2.3 API targeted attacks
2.4 Training of mitigation systems using machine learning
-
Supervised - Linear Regression, Support vector machines w/ Linear, polynomial and radial basis function kernels, Decision Tree, Naïve Bayes and Random Forest
-
Unsupervised - K-Means and Gaussian Mixture Model for Expectation Maximisation
3 Denial-of-wallet on serverless functions
3.1 Possible attack methods
3.2 Motivation for DoW
3.3 Current safeguards in big cloud providers
-
AWS IAM authorisation – Only allow users within AWS environments access with IAM credentials (protect against internal attack by a compromised user). Always give least amount of access
-
Cognito user Pools – Built in user management or integration with socials login. Uses Oauth scopes.
-
API Gateway Lambda authoriser – Use a lambda function to interact with some Identity Provider
-
Resource policies – Resource policy can block/allow specific AWS accounts, IP ranges, Classless Inter-Domain Routing (CIDR) Blocks, virtual private clouds etc via JavaScript Object Notation (JSON) policy file
-
Identity and Access - Implement some form of authentication to hide function interaction endpoints from the public facing web.
-
Code - Use of secrets to maintain privacy of credentials and business critical data. Input validation to minimise risks associated with API requests. Vigilance in monitoring and dependency vulnerabilities.
-
Data - Encryption in Transit, such as Secure Sockets Layer (SSL).
-
Infrastructure - Configuration of usage plans to help against effects of DoW. Implementation of a WAF for protection against other forms of cyber attack.
-
Logging and Monitoring - Appropriate usage of both to detect suspicious usage on application.
4 DoWTS - Denial-of-wallet test simulator
4.1 Serverless platform emulator
4.2 Usage generator
4.2.1 Dataset based traffic generator
4.2.2 Synthetic traffic generator
-
User base size - The total number of users that access an application
-
Botnet size - The number of bots attacking the application
-
Time step - The granularity of time for the simulation run (seconds, minutes, hours, days, weeks, months). This will affect the data logs generated
-
Number of time steps - The length of the simulation
-
Users per time step - The number of users accessing the application in a given time step
-
Requests per time step - The number of function requests in a given time step
4.2.3 Attack traffic generator
4.3 Execution example
-
User base size - 1,000,000
-
Time step - 1 hour
-
Number of time steps - 730 (1 month)
-
Users per time step - 1,500
-
Requests per time step - 61,000
-
POST Question: PostQuestions \(\rightarrow\) ProcessQuestion \(\rightarrow\) Publish
-
POST Answer: PostAnswers \(\rightarrow\) ProcessStarAnswers
or
ProcessGeoAnswers \(\rightarrow\) Aggregation \(\rightarrow\) Publish -
GET Answer: GetAnswers \(\rightarrow\) Aggregation \(\rightarrow\) Publish
-
GET Question: GetQuestions \(\rightarrow\) Publish
AWS | Google | Azure | IBM | |
---|---|---|---|---|
No attack | $20.69 | $26.62 | $20.02 | $17.15 |
Constant rate | $77.40 | $85.92 | $74.71 | $68.44 |
Exponential rate | $49.49 | $56.65 | $47.78 | $43.25 |
Random rate | $79.18 | $87.74 | $76.42 | $70.07 |
5 Synthetic normal data evaluation
-
Quantitative Comparison - calculation of useful statistical values such as: Mean, Standard Deviation, Min/Max, Inter-quartile Range and Median. These values are useful for initial comparison of real and synthetic datasets in order to determine they are similar in scale (number of data entries).
-
Kolmogorov Smirnov (KS) Test Statistic Scipy (2022a) - calculates the maximum difference between the cumulative distribution functions of the traffic count in the real and synthetic datasets. If the returned statistic is small, then it can be said that the datasets come from the same distribution.
-
Wasserstein Distance Scipy (2022b) - or Earth Mover’s distance, can be thought of as calculating the amount of work required to move from the distribution of the synthetic data to the distribution of the real data. The distance is zero if the distributions are identical, and increases as they become less alike. We compare the Wasserstein distances between multiple months of real data and compare the distance between real and synthetic data with that.
-
Jensen Shannon Divergence Scipy (2022c) - describes the difference between the real and synthetic distributions of the traffic count in terms of entropy. We can think of the Jensen Shannon divergence as the amount of information, or entropy, encoded in the difference between the real and synthetic distributions of the traffic count. The distance is zero if the distributions are identical, and is bounded above by one if they are nothing alike.
5.1 Quantitative comparison
Month | Mean | StD | Min | 25% | 50% | 75% | Max |
---|---|---|---|---|---|---|---|
October | 5544.091346 | 2824.513974 | 673.0 | 3010.25 | 6081.0 | 7492.25 | 15201.0 |
November | 6245.689103 | 3601.325623 | 694.0 | 2970.25 | 6626.5 | 8212.75 | 23257.0 |
December | 5131.977564 | 2555.463735 | 675.0 | 2702.75 | 5649.0 | 7126.25 | 10912.0 |
January | 5533.810897 | 2858.003096 | 415.0 | 2637.25 | 6054.0 | 7902.50 | 11473.0 |
February | 5986.722756 | 3011.134544 | 94.0 | 3136.25 | 6672.0 | 8429.75 | 14427.0 |
Mean | StD | Min | 25% | 50% | 75% | Max | |
---|---|---|---|---|---|---|---|
Synthetic | 5415.012821 | 2685.997338 | 771.0 | 2578.00 | 5937.5 | 7633.50 | 10750.0 |
Month | Mean | StD | Min | 25% | 50% | 75% | Max |
---|---|---|---|---|---|---|---|
October | 210.346154 | 107.983838 | 21.0 | 104.5 | 225.0 | 296.00 | 450.0 |
November | 270.397436 | 134.136591 | 0.0 | 133.0 | 299.0 | 380.25 | 548.0 |
December | 208.987179 | 101.698607 | 8.0 | 110.0 | 236.5 | 289.00 | 428.0 |
January | 253.105769 | 122.933362 | 23.0 | 130.5 | 280.5 | 354.25 | 545.0 |
February | 251.246795 | 111.162065 | 30.0 | 136.0 | 284.5 | 339.00 | 460.0 |
Month | Mean | StD | Min | 25% | 50% | 75% | Max |
---|---|---|---|---|---|---|---|
Synthetic | 235.451923 | 118.611568 | 33.0 | 111.0 | 260.5 | 331.0 | 494.0 |
5.2 Statistical testing
KS Test | Wasserstein | Jensen Shannon | ||
---|---|---|---|---|
statistic | p-value | Distance | Divergence | |
Oct - Nov | 0.1202 | 0.0002 | 730.4824 | 0.0264 |
Nov - Dec | 0.1875 | < 0.0001 | 1113.7660 | 0.0546 |
Dec - Jan | 0.1218 | 0.0002 | 427.7308 | 0.0218 |
Jan - Feb | 0.0946 | 0.0075 | 464.5721 | 0.0091 |
KS Test | Wasserstein | Jensen Shannon | ||
---|---|---|---|---|
statistic | p-value | Distance | Divergence | |
Oct - Synth | 0.1073 | 0.0014 | 393.5753 | 0.0467 |
Nov - Synth | 0.1153 | 0.0004 | 948.3461 | 0.0517 |
Dec - Synth | 0.1137 | 0.0006 | 435.7339 | 0.0451 |
Jan - Synth | 0.0961 | 0.0062 | 271.7403 | 0.0280 |
Feb - Synth | 0.125 | 0.0001 | 710.1907 | 0.0290 |
KS Test | Wasserstein | Jensen Shannon | ||
---|---|---|---|---|
statistic | p-value | Distance | Divergence | |
Oct - Nov | 0.2932 | < 0.0001 | 60.1891 | 0.0757 |
Nov - Dec | 0.3509 | < 0.0001 | 61.4647 1 | 0.1123 |
Dec - Jan | 0.2644 | < 0.0001 | 44.1185 | 0.0799 |
Jan - Feb | 0.0785 | 0.0426 | 13.0929 | 0.0155 |
KS Test | Wasserstein | Jensen Shannon | ||
---|---|---|---|---|
statistic | p-value | Distance | Divergence | |
Oct - Synth | 0.1378 | < 0.0001 | 25.6730 | 0.0376 |
Nov - Synth | 0.1778 | < 0.0001 | 36.1410 | 0.0269 |
Dec - Synth | 0.1826 | <0.0001 | 27.6826 | 0.0573 |
Jan - Synth | 0.0865 | 0.0186 | 18.0961 | 0.0130 |
Feb - Synth | 0.0929 | 0.0090 | 19.1153 | 0.0104 |
5.3 Visual analysis
5.4 Evaluation
-
KS Test Statistic - The KS Test is utilised to determine goodness of fit between two samples. It produces two results both bounded between 0 and 1: the KS statistic and the p-value. The null hypothesis of the KS Test is that the distributions of datasets are identical if the statistic value is low and the p value is high. In our tests we observe both values to be low. This suggests that we reject the null hypothesis as the distribution of the datasets in not identical. DoWTS does not aim to over fit the data it produces to the two real datasets utilised in this paper, in order to ensure a good variety of produced data. This coupled with the large sample size used in our tests will lead to the KS Test performing overly strict when calculating the p-value, which results in the recorded low values. However, the calculated statistic of the KS Test (the maximum difference between the distributions) suggests that the recorded values in the datasets are at least similarly distributed, although not exact. The KS Test statistic on each month of real data returns values between 0.09 and 0.19 in dataset 1. DoWTS produces datasets with similar KS Test statistics when compared to each month of real data. This suggests that the data generated by DoWTS is no less believable than any other sample of real data. When coupled with the additional tests, we believe the KS Test statistic to be a valuable marker of the suitability of the data DoWTS produces.
-
Wasserstein Distance - The value obtained from calculating the Wasserstein Distance has no upper limit. As such, interpretation of the results presented should be in relation to each dataset independently. The values calculated when comparing real data are similar to those comparing real to synthetic data.
-
Jensen Shannon Divergence - The range for Jensen Shannon Divergence is between 0 and 1. The results of our tests demonstrate with suitably low values that DoWTS produces synthetic data similar to the real datasets used for comparison in this paper. No comparison of our synthetic data with real data yielded a Jensen Shannon Divergence greater than 0.06.