Abstract
Hadoop serves as an essential tool in the rise of big data, it has insufficient security model. The internal attacks can bypass current Hadoop security mechanism, and compromised Hadoop components can be used to threaten overall Hadoop. This paper studies the vulnerabilities of Health Check Service in Hadoop/YARN and the threat of denial-of-service to a YARN cluster with multi-tenancy. We use theoretical analysis and numerical simulations to demonstrate the effectiveness of this DDoS attack based on health check service (DDHCS). Our experiments show that DDHCS is capable of causing significant impacts on the performance of a YARN cluster in terms of high attack broadness (averagely 85.6%), high attack strength (more than 80%). In addition, we developed a security enhancement for YARN, named SEYARN. We have implemented the SEYARN model, and demonstrated that SEYARN fixes the above vulnerabilities with extending 95% accuracy and minimal run-time overhead, and effectively resists related attacks.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Alarifi, S., Wolthusen, S.D.: Mitigation of cloud-internal denial of service attacks. In: IEEE 8th International Symposium on Service Oriented System Engineering (SOSE), pp. 478–483. IEEE (2014)
Barham, P., Donnelly, A., Isaacs, R.: Using magpie for request extraction and workload modelling. In: USENIX OSDI, vol. 6, pp. 259–272 (2004)
Chen, M.Y., Kiciman, E., Fratkin, E.: Pinpoint: problem determination in large, dynamic internet services. In: International Conference on Dependable Systems and Networks (DSN), pp. 595–604. IEEE (2002)
Criscuolo, P.J.: Distributed Denial of Service: Trin00, Tribe Flood Network, Tribe Flood Network 2000, and Stacheldraht CIAC-2319. California Univ. Livermore Radiation Lab. (2000)
Durcekova, V., Schwartz, L., Shahmehri, N.: Sophisticated denial of service attacks aimed at application layer. In: ELEKTRO, pp. 55–60. IEEE (2012)
Ficco, M., Rak, M.: Stealthy denial of service strategy in cloud computing. IEEE Trans. Cloud Comput. 3(1), 80–94 (2015)
Girma, A., Garuba, M., Li, J.: Analysis of DDoS attacks and an introduction of a hybrid statistical model to detect DDoS attacks on cloud computing environment. In: 12th International Conference on Information Technology-New Generations (ITNG), pp. 212–217. IEEE (2015)
Gu, Z., Pei, K., Wang, Q.: LEAPS: detecting camouflaged attacks with statistical learning guided by program analysis. In: IEEE/IFIP International Conference on Dependable Systems and Networks, pp. 57–68. IEEE (2015)
Hameed S., Ali, U.: On the Efficacy of Live DDoS Detection with Hadoop. arXiv preprint arXiv:1506.08953 (2015)
Huang, J., Nicol, D.M., Campbell, R.H.: Denial-of-service threat to Hadoop/YARN clusters with multi-tenancy. In: 2014 IEEE International Congress on Big Data (BigData Congress), pp. 48–55. IEEE (2014)
Karthik, S., Shah, J.J.: Analysis of simulation of DDOS attack in cloud. In: 2014 International Conference on Information Communication and Embedded Systems (ICICES), pp. 1–5. IEEE (2014)
Khattak, R., Bano, S., Hussain, S.: DOFUR: DDoS forensics using MapReduce. In: Frontiers of Information Technology (FIT), pp. 117–120. IEEE (2011)
Kholidy, H., Baiardi, F.: CIDS: A framework for intrusion detection in cloud systems. In: Ninth International Conference on Information Technology: New Generations (ITNG), pp. 379–385. IEEE (2012)
Kholidy, H., Baiardi, F., Hariri, S.: DDSGA: a data-driven semi-global alignment approach for detecting masquerade attacks. IEEE Trans. Dependable Secure Comput. 12(2), 164–178 (2015). IEEE
Kiciman, E., Fox, A.: Detecting application-level failures in component-based internet services. IEEE Trans. Neural Networks 16(5), 1027–1041 (2005)
Koskinen, E., Jannotti, J.: Borderpatrol: isolating events for black-box tracing. ACM SIGOPS Operating Syst. Rev. 42(4), 191–203 (2008). ACM
Lee, Y., Kang, W., Lee, Y.: A hadoop-based packet trace processing tool. In: Domingo-Pascual, J., Shavitt, Y., Uhlig, S. (eds.) TMA 2011. LNCS, vol. 6613, pp. 51–63. Springer, Heidelberg (2011). doi:10.1007/978-3-642-20305-3_5
Lee, Y., Lee, Y.: Detecting DDoS attacks with hadoop. In: ACM CoNEXT Student Workshop, pp. 1–2. ACM (2011)
Mizukoshi, M., Munetomo, M.: Distributed denial of services attack protection system with genetic algorithms on hadoop cluster computing framework. In: 2015 IEEE Congress on Evolutionary Computation (CEC), pp. 1575–1580. IEEE (2015)
O’Malley, O., Zhang K., Radia, S.: Hadoop security design. Yahoo! Technical report (2009)
Sabahi, F.: Cloud computing security threats and responses. In: IEEE 3rd International Conference on Communication Software and Networks (ICCSN), pp. 245–249. IEEE (2011)
Specht, S.M., Lee R.B.: Distributed denial of service: taxonomies of attacks, tools, and countermeasures. In: ISCA PDCS, pp. 543–550 (2004)
Ulusoy, H., Colombo, P., Ferrari, E.: GuardMR: fine-grained security policy enforcement for MapReduce systems. In: ACM Symposium on Information, Computer and Communications Security (ASIACCS), pp. 285–296. ACM, New York (2015)
Vavilapalli, V.K., Murthy, A.C., Douglas, C.: Apache hadoop YARN: yet another resource negotiator. In: Symposium on Cloud Computing, pp. 1–16. ACM (2013)
Wu, H., Tantawi, A.N., Yu, T.: A self-optimizing workload management solution for cloud applications. In: IEEE 20th International Conference on Web Services (ICWS), pp. 483–490. IEEE (2013)
Acknowledgements
The authors gratefully acknowledge the support of the National High Technology Research and Development Program (“863” Program) of China under Grant No. 2015AA016009, the National Natural Science Foundation of China under Grant No. 61232005, and the Science and Technology Program of Shen Zhen, China under Grant No. JSGG20140516162852628. Specially thanks to Ziyao Zhu and Wenjun Qian for the support of experiments.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Li, W., Shen, Q., Dong, C., Yang, Y., Wu, Z. (2017). SEYARN: Enhancing Security of YARN Clusters Based on Health Check Service. In: Camp, O., Furnell, S., Mori, P. (eds) Information Systems Security and Privacy. ICISSP 2016. Communications in Computer and Information Science, vol 691. Springer, Cham. https://doi.org/10.1007/978-3-319-54433-5_9
Download citation
DOI: https://doi.org/10.1007/978-3-319-54433-5_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-54432-8
Online ISBN: 978-3-319-54433-5
eBook Packages: Computer ScienceComputer Science (R0)