
A System And Method For Detecting And Preventing Resource Consumption Based Attacks In Iot Enabled Smart City Devices

Abstract: The system comprises a cloud server platform (102); a sensing node (108) for employing aggregated metrics for a set of traffic data to identify a network attack in a network (110); a network-based clustering processor (112) for clustering the traffic data into a set of traffic data clusters; an indicator (114) for indicating an attack type for the identified attack and generating a traffic report; a clustering search engine (116) for receiving reports for the set of traffic data and notification, which is configured to identify the clustering device for providing the indication of the attack type for the detected attack; a segregation processor (120) for classifying the traffic data clusters into a set of one or more attack-related clusters and into a set of one or more clusters related to normal traffic based on an analysis of the clusters by the clustering device; and a controlling unit (122) for cleaning traffic and preventing resource consumption-based attacks.


Patent Information

Application #
Filing Date
11 January 2023
Publication Number
03/2023
Publication Type
INA
Invention Field
COMPUTER SCIENCE
Status
Email
Parent Application
Patent Number
Legal Status
Grant Date
2025-02-21
Renewal Date

Applicants

S. VIJAYALAKSHMI
Assistant Professor, Department of Computer Science and Engineering, Government College of Engineering, Erode – 638316, Tamil Nadu, India
Dr. Poongodi Manoharan
Research Scientist, College of Science and Engineering, Hamad Bin Khalifa University Doha, Qatar
Dr. S. Bose
Professor, Department of Computer Science and Engineering, CEG Campus, Anna University, Chennai -600025, Tamil Nadu, India
Ahila A
Associate Professor, Department of ECE, Sethu Institute of Technology, Kariapatti, Tamil Nadu -626115, India

Inventors

1. S. VIJAYALAKSHMI
Assistant Professor, Department of Computer Science and Engineering, Government College of Engineering, Erode – 638316, Tamil Nadu, India
2. Dr. Poongodi Manoharan
Research Scientist, College of Science and Engineering, Hamad Bin Khalifa University Doha, Qatar
3. Dr. S. Bose
Professor, Department of Computer Science and Engineering, CEG Campus, Anna University, Chennai -600025, Tamil Nadu, India
4. Ahila A
Associate Professor, Department of ECE, Sethu Institute of Technology, Kariapatti, Tamil Nadu -626115, India

Specification

Description:

FIELD OF THE INVENTION

The present disclosure relates to data traffic monitoring and resource server security. In particular, it relates to a system and method for detecting and preventing resource consumption-based attacks in IoT-enabled smart city devices.

BACKGROUND OF THE INVENTION

Enterprise networks carry both business-critical and non-business-critical traffic, and the volume of both is growing at an extremely rapid rate. Cloud applications, video collaboration, and other business applications frequently make use of the same protocols that are used by non-business-critical web traffic, such as HTTP and/or HTTPS. Because many applications use the same protocols, it is difficult to distinguish and select traffic flows for optimization, which makes it harder to optimize network performance for particular applications.

A Denial of Service (DoS) attack is one kind of network attack that is especially damaging to a computer network. The general objective of a DoS attack is to obstruct legitimate use of the network's services. A DoS jamming attack, for instance, may artificially introduce interference into the network, preventing message decoding and causing collisions with legitimate traffic. In another example, a DoS attack may attempt to overwhelm the network's resources so that legitimate requests are prevented from being processed. A DoS attack may also be distributed in order to hide the attack's existence. A distributed denial of service (DDoS) attack, for instance, may involve multiple attackers sending malicious requests, making it harder to tell when an attack is underway. Detecting DoS attacks is especially difficult when network resources are limited, as in the case of a low-power and lossy network (LLN).

In view of the foregoing discussion, it is clearly portrayed that there is a need to have a system and method for detecting and preventing resource consumption-based attacks in IoT-enabled smart city devices.

SUMMARY OF THE INVENTION

The present disclosure seeks to provide an online data security system and method for detecting and avoiding resource consumption-based attacks in IoT-enabled smart city devices.

In an embodiment, a system for detecting and preventing resource consumption-based attacks in IoT-enabled smart city devices is disclosed. The system includes a cloud server platform interconnected to a first storage resource and a second storage resource for transmitting data from one of the first storage resource and the second storage resource to another of the first storage resource and the second storage resource.
The system further includes a storage device provisioned with one or more of the storage resources and configured with a storage delivery management service running on a computing device inside either of the first or second storage resources, wherein the storage delivery management service is used for computing a list of storage resources associated with a user credential, wherein the list includes a second storage resource provisioned on at least one storage system comprising one or more hardware devices.
The system further includes a sensing node for employing aggregated metrics for a set of traffic data to identify a network attack in a network.
The system further includes a network-based clustering processor for clustering the traffic data into a set of traffic data clusters after spotting the network attack, wherein the network-based clustering processor uses the set of traffic data as input to a clustering process to produce the set of traffic data clusters.
The system further includes an indicator for indicating an attack type for the identified attack and generating a report for the set of traffic data.
The system further includes a clustering search engine for receiving reports for the set of traffic data and notification, which is configured to identify the clustering device for providing the indication of the attack type for the detected attack and the description for the set of traffic data to the clustering search engine, wherein the clustering search engine selects the clustering device based on the attack type.
The system further includes a network-based analysis processor for analyzing the traffic data clusters.
The system further includes a segregation processor for classifying the traffic data clusters into a set of one or more attack-related clusters and into a set of one or more clusters related to normal traffic based on an analysis of the clusters by the clustering device.
The system further includes a controlling unit configured with a convolutional neural network for transmitting the set of one or more attack-related clusters for traffic cleaning, where the data traffic is cleaned by removing suspicious traffic using one or more of the technologies selected from flow limiting, null connection detection, synchronize (SYN), bounce Transmission Control Protocol (TCP), and proxy User Datagram Protocol (UDP) to prevent resource consumption-based attacks.

In another embodiment, a method for detecting and preventing resource consumption-based attacks in IoT-enabled smart city devices is disclosed. The method includes transmitting data from one of a first storage resource and a second storage resource to another of the first storage resource and the second storage resource upon interconnecting a cloud server platform to a first storage resource and a second storage resource.
The method further includes provisioning a storage device with one or more of the storage resources and configuring with a storage delivery management service running on a computing device inside either of the first or second storage resources, wherein the storage delivery management service is used for computing a list of storage resources associated with a user credential, wherein the list includes a second storage resource provisioned on at least one storage system comprising one or more hardware devices.
The method further includes identifying a network attack in a network using a sensing node upon employing aggregated metrics for a set of traffic data.
The method further includes clustering the traffic data into a set of traffic data clusters after spotting the network attack using a network-based clustering processor, wherein the network-based clustering processor uses the set of traffic data as input to a clustering process to produce the set of traffic data clusters.
The method further includes indicating an attack type for the identified attack and generating a report for the set of traffic data through an indicator.
The method further includes receiving reports for the set of traffic data and notification, which is configured to identify the clustering device for providing the indication of the attack type for the detected attack and the description for the set of traffic data to the clustering search engine using a clustering search engine, wherein the clustering search engine selects the clustering device based on the attack type.
The method further includes analyzing the traffic data clusters by employing a network-based analysis processor.
The method further includes classifying the traffic data clusters into a set of one or more attack-related clusters and into a set of one or more clusters related to normal traffic based on an analysis of the clusters by the clustering device using a segregation processor.
The method further includes transmitting the set of one or more attack-related clusters for traffic cleaning using a controlling unit configured with a convolutional neural network, where the data traffic is cleaned by removing suspicious traffic using one or more of the technologies selected from flow limiting, null connection detection, synchronize (SYN), bounce Transmission Control Protocol (TCP), and proxy User Datagram Protocol (UDP) to prevent resource consumption-based attacks.

An object of the present disclosure is to remove traffic from the network upon applying a mitigation-specific attack detector using a machine-learning technique.

Another object of the present disclosure is to detect resource consumption-based attacks in IoT-enabled smart city devices.

Yet another object of the present invention is to deliver an expeditious and cost-effective system to prevent resource consumption-based attacks in IoT-enabled smart city devices.

To further clarify advantages and features of the present disclosure, a more particular description of the invention will be rendered by reference to specific embodiments thereof, which are illustrated in the appended drawings. It is appreciated that these drawings depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope. The invention will be described and explained with additional specificity and detail with the accompanying drawings.

BRIEF DESCRIPTION OF FIGURES

These and other features, aspects, and advantages of the present disclosure will become better understood when the following detailed description is read with reference to the accompanying drawings in which like characters represent like parts throughout the drawings, wherein:

Figure 1 illustrates a block diagram of a system for detecting and preventing resource consumption-based attacks in IoT-enabled smart city devices in accordance with an embodiment of the present disclosure;
Figure 2 illustrates a flow chart of a method for detecting and preventing resource consumption-based attacks in IoT-enabled smart city devices in accordance with an embodiment of the present disclosure;
Figure 3 illustrates an exemplary architecture for segregating attack-related traffic data in accordance with an embodiment of the present disclosure;
Figure 4 illustrates an exemplary network device/node in accordance with an embodiment of the present disclosure; and
Figure 5 illustrates a block diagram of a system in which the storage delivery management service includes a fabric management component in accordance with an embodiment of the present disclosure.

Further, skilled artisans will appreciate that elements in the drawings are illustrated for simplicity and may not have necessarily been drawn to scale. For example, the flow charts illustrate the method in terms of the most prominent steps involved to help to improve understanding of aspects of the present disclosure. Furthermore, in terms of the construction of the device, one or more components of the device may have been represented in the drawings by conventional symbols, and the drawings may show only those specific details that are pertinent to understanding the embodiments of the present disclosure so as not to obscure the drawings with details that will be readily apparent to those of ordinary skill in the art having benefit of the description herein.

DETAILED DESCRIPTION:

For the purpose of promoting an understanding of the principles of the invention, reference will now be made to the embodiment illustrated in the drawings and specific language will be used to describe the same. It will nevertheless be understood that no limitation of the scope of the invention is thereby intended, such alterations and further modifications in the illustrated system, and such further applications of the principles of the invention as illustrated therein being contemplated as would normally occur to one skilled in the art to which the invention relates.

It will be understood by those skilled in the art that the foregoing general description and the following detailed description are exemplary and explanatory of the invention and are not intended to be restrictive thereof.

Reference throughout this specification to “an aspect”, “another aspect” or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present disclosure. Thus, appearances of the phrase “in an embodiment”, “in another embodiment” and similar language throughout this specification may, but do not necessarily, all refer to the same embodiment.

The terms "comprises", "comprising", or any other variations thereof, are intended to cover a non-exclusive inclusion, such that a process or method that comprises a list of steps does not include only those steps but may include other steps not expressly listed or inherent to such process or method. Similarly, one or more devices or sub-systems or elements or structures or components preceded by "comprises...a" does not, without more constraints, preclude the existence of other devices or other sub-systems or other elements or other structures or other components or additional devices or additional sub-systems or additional elements or additional structures or additional components.

Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The system, methods, and examples provided herein are illustrative only and not intended to be limiting.

Embodiments of the present disclosure will be described below in detail with reference to the accompanying drawings.

Referring to Figure 1, a block diagram of a system for detecting and preventing resource consumption-based attacks in IoT-enabled smart city devices is illustrated in accordance with an embodiment of the present disclosure. The system 100 includes a cloud server platform 102 interconnected to a first storage resource and a second storage resource for transmitting data from one of the first storage resource and the second storage resource to another of the first storage resource and the second storage resource.

In an embodiment, a storage device 104 is coupled to the cloud server platform 102 and provisioned with one or more of the storage resources and configured with a storage delivery management service running on a computing device 106 inside either of the first or second storage resources, wherein the storage delivery management service is used for computing a list of storage resources associated with a user credential, wherein the list includes a second storage resource provisioned on at least one storage system comprising one or more hardware devices.

In an embodiment, a sensing node 108 is coupled to the storage device 104 for employing aggregated metrics for a set of traffic data to identify a network attack in a network 110.

In an embodiment, a network-based clustering processor 112 is connected to the sensing node 108 for clustering the traffic data into a set of traffic data clusters after spotting the network attack, wherein the network-based clustering processor 112 uses the set of traffic data as input to a clustering process to produce the set of traffic data clusters.

In an embodiment, an indicator 114 is connected to the network-based clustering processor 112 for indicating an attack type for the identified attack and generating a report for the set of traffic data.

In an embodiment, a clustering search engine 116 is connected to the indicator 114 for receiving reports for the set of traffic data and notification, which is configured to identify the clustering device for providing the indication of the attack type for the detected attack and the description for the set of traffic data to the clustering search engine 116, wherein the clustering search engine 116 selects the clustering device based on the attack type.

In an embodiment, a network-based analysis processor 118 is used for analyzing the traffic data clusters.

In an embodiment, a segregation processor 120 is used for classifying the traffic data clusters into a set of one or more attack-related clusters and into a set of one or more clusters related to normal traffic based on an analysis of the clusters by the clustering device.

In an embodiment, a controlling unit 122 is configured with a convolutional neural network 124 for transmitting the set of one or more attack-related clusters for traffic cleaning, where the data traffic is cleaned by removing suspicious traffic using one or more of the technologies selected from flow limiting, null connection detection, synchronize (SYN), bounce Transmission Control Protocol (TCP), and proxy User Datagram Protocol (UDP) to prevent resource consumption-based attacks.

In another embodiment, a storage adapter is used for one or more of the storage resources, wherein the storage adapter is associated with the user credential, wherein the clustering device is recognized as an attack detection device by the availability notification, hosting one or more attack detectors.

In another embodiment, the segregation process is configured to collect labels applied to the traffic data clusters by the clustering device, wherein the labels identify a particular traffic data cluster as attack or normal traffic. The traffic data clusters are then combined into the set of one or more attack-related clusters and into the set of one or more clusters related to normal traffic.

In another embodiment, the cloud server platform 102 includes an access port for establishing a connection between the first storage resource and second storage resource.

In one embodiment, a transmitter and a receiver are deployed for allowing the first storage resource and second storage resource to exchange the data.

In another embodiment, the list of storage resources associated with the storage adapter is calculated, wherein the storage delivery management service calculates the list of storage resources associated with the storage adapter responsive to invoking the storage adapter, and wherein the storage delivery management service calculates the list of access ports in the second storage resource responsive to invoking the storage adapter.

In another embodiment, the server resource response message data is analyzed and, upon determining a second indicator 114 of compromise, a second security response is initiated that includes either transmitting data corresponding to the second indicator 114 of compromise from the security server to the access control server, or a second instruction instructing the access control server not to transmit to the resource server at least one server resource request message received from the client, or not to transmit to the client at least one server resource response message provided by the resource server in response to a server resource request message received from the client.

In another embodiment, the data traffic of the cloud server platform 102 is monitored to classify it as normal or as an attack by receiving statistics on the data traffic to be inputted into the controlling unit 122, wherein the data traffic is classified as an attack if the statistics show that the data traffic inputted into the controlling unit 122 within the preset duration exceeds a preset threshold.
Figure 2 illustrates a flow chart of a method for detecting and preventing resource consumption-based attacks in IoT-enabled smart city devices in accordance with an embodiment of the present disclosure. At step 202, method 200 includes transmitting data from one of a first storage resource and a second storage resource to another of the first storage resource and the second storage resource upon interconnecting a cloud server platform 102 to a first storage resource and a second storage resource.
At step 204, method 200 includes provisioning a storage device 104 with one or more of the storage resources and configuring with a storage delivery management service running on a computing device 106 inside either of the first or second storage resources, wherein the storage delivery management service is used for computing a list of storage resources associated with a user credential, wherein the list includes a second storage resource provisioned on at least one storage system comprising one or more hardware devices.
At step 206, method 200 includes identifying a network attack in a network 110 using a sensing node 108 upon employing aggregated metrics for a set of traffic data.
At step 208, method 200 includes clustering the traffic data into a set of traffic data clusters after spotting the network attack using a network-based clustering processor 112, wherein the network-based clustering processor 112 uses the set of traffic data as input to a clustering process to produce the set of traffic data clusters.
At step 210, method 200 includes indicating an attack type for the identified attack and generating a report for the set of traffic data through an indicator 114.
At step 212, method 200 includes receiving reports for the set of traffic data and notification, which is configured to identify the clustering device for providing the indication of the attack type for the detected attack and the description for the set of traffic data to the clustering search engine 116 using a clustering search engine 116, wherein the clustering search engine 116 selects the clustering device based on the attack type.
At step 214, method 200 includes analyzing the traffic data clusters by employing a network-based analysis processor 118.
At step 216, method 200 includes classifying the traffic data clusters into a set of one or more attack-related clusters and into a set of one or more clusters related to normal traffic based on an analysis of the clusters by the clustering device using a segregation processor 120.
At step 218, method 200 includes transmitting the set of one or more attack-related clusters for traffic cleaning using a controlling unit 122 configured with a convolutional neural network 124, where the data traffic is cleaned by removing suspicious traffic using one or more of the technologies selected from flow limiting, null connection detection, synchronize (SYN), bounce Transmission Control Protocol (TCP), and proxy User Datagram Protocol (UDP) to prevent resource consumption-based attacks.
In another embodiment, the method further comprises analyzing server resource request message data and, upon identification of a first indicator 114 of compromise or upon the client being identified within a blacklist, initiating a security response that includes transmitting, from the security server to the access control server, information corresponding to the first indicator 114 of compromise or a first instruction that causes the access control server to not transmit to the resource server at least one server resource request notification received from a client.
In another embodiment, identifying a network attack in the network 110 comprises creating server resource metrics, then creating blocked connection metrics, then creating back-end error code metrics, and thereafter recognizing the network attacks at the security side of the cloud server platform 102 based on the server resource request message data.
Figure 3 illustrates an exemplary architecture for segregating attack-related traffic data in accordance with an embodiment of the present disclosure. Traffic records are provided to the traffic aggregation process in a detailed records cache (e.g., within data structures). The traffic aggregation process may then produce aggregated metrics for the set of traffic records, such as average flow durations, average traffic sizes (such as in bytes), proportions of various types of traffic (such as HTTP, UDP, etc.), or similar information. After that, any number of attack detectors that have been trained to evaluate the aggregated traffic metrics resulting from the traffic aggregation process can use the aggregated metrics as input features.
The attack indicators 114 may be configured to use different sets of output labels. One attack detector, for instance, might be set up just to check whether the aggregated traffic data points to a network attack. Another of the attack indicators, however, might be configured to classify the aggregated traffic data as either "typical," "UDP flooding attack," or "other attack." In some instances, the outputs of the attack detectors may be passed to a classification finalizer that selects one of the outputs as the final classification. In one implementation, the classification finalizer may use a set of output label dependencies from the attack detectors to select the final classification. For instance, the "UDP flooding attack" label above may require the "attack" label from the other attack detector. In this scenario, the classification finalizer could calculate the overall probability of the "UDP flooding" label being applied.
The attack detection process may use clustering to initiate additional traffic record analysis when attack detectors identify a network attack based on the entire aggregated set of records. In particular, the clustering process may divide the traffic records in the set that triggered the attack detectors into various data clusters and supply the clusters to one or more cluster-based attack detectors. Note that attack detectors that perform attack detection on a per-cluster basis take a significantly different kind of information as input than attack detectors that only analyze the entire aggregated traffic. Specifically, since clustering by its nature separates data points based on their similarity (where the notion of similarity depends on a custom distance definition), the composition of the traffic in each cluster from the clustering process is potentially very different from that of the overall traffic aggregate from the traffic aggregation process.
For example, assume that a traffic aggregate from the stored records includes DNS traffic, HTTP traffic, and continuous UDP traffic. A clustering method might divide each kind of traffic into its own cluster, and the clustering process might compute aggregated statistics for each of these subsets. Even if the traffic in each cluster is perfectly normal, the aggregated statistics for each cluster might be very different from the aggregated statistics produced by the traffic aggregation process for the entire set of traffic data. For instance, UDP traffic may account for close to 100% of a DNS cluster's flows, while UDP traffic will likely make up between 20% and 80% of normal overall traffic. Therefore, the classifier output may very well be undetermined if the features computed on a traffic cluster are provided as input to any of the attack detectors that have only been trained with aggregated features computed on complete sets of attack traffic and normal traffic.
Notably, the preceding training procedure may be based on first establishing a ground truth (such as the fact that the attack set contains at least some attack traffic and that the normal set only contains normal traffic). There are many ways to establish such a ground truth. In one implementation, a user may manually label the flow clusters. In another implementation, an exhaustive search may be carried out to determine whether the traffic flows are normal or related to an attack. In particular, a standard attack detector that has been trained on aggregate traffic rather than on clusters can be used, and all possible combinations of clusters can be tested until the largest cluster combination that does not cause the classifier to detect an attack is found. Once this solution is found, the clusters in the best combination are marked as normal traffic, while the others are marked as "attack." Note that, although this method requires a lot of computational power, it might still be an option for generating training data for attack detectors.
The cluster-based attack detector can label each cluster as either "attack-related" or "normal traffic" after it has been trained. To put it another way, one of the attack detectors might separate the analyzed clusters into a group of attack-related clusters, such as the ones that indicated an attack, and a group of normal traffic clusters, such as the ones that the attack detector considered safe. For instance, suppose that the final classification indicates that an HTTP Slow Loris attack has been identified in the aggregated set of traffic data. If the clustering process divides the set of traffic data into clusters A-D using mean-shift clustering, it may provide aggregated metrics for these clusters to an attack detector that has been specifically set up to detect HTTP Slow Loris attacks. The attack detector may then analyze and label each cluster accordingly to form the sets (for instance, clusters A-C contain normal traffic, whereas cluster D is related to an HTTP Slow Loris attack).
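The following Python sketch is an added example, not code from the patent. It computes the aggregated metrics over flow records, shows how a detector tuned on whole-set aggregates misfires on a single cluster, and runs the exhaustive cluster-combination search to label clusters A-D. The flow values are constructed, grouping by a pre-assigned cluster key stands in for mean-shift clustering, and the 40-second average-duration rule stands in for a trained detector; all three are assumptions.

```python
from itertools import combinations
from statistics import mean


def make_flows():
    """Constructed sample flows: (cluster key, transport, duration s, bytes)."""
    flows = []
    flows += [("A-dns", "udp", 0.05, 120)] * 40           # short DNS lookups
    flows += [("B-http", "tcp", 2.0, 30_000)] * 30        # ordinary web requests
    flows += [("C-udp-stream", "udp", 60.0, 500_000)] * 5  # continuous UDP media
    flows += [("D-slow-http", "tcp", 300.0, 400)] * 25    # long-lived, tiny HTTP flows
    return flows


def aggregate(flows):
    """Aggregated metrics: average duration, average size, UDP share."""
    return {
        "avg_duration": mean(f[2] for f in flows),
        "avg_bytes": mean(f[3] for f in flows),
        "udp_fraction": sum(f[1] == "udp" for f in flows) / len(flows),
    }


def aggregate_detector(metrics, max_avg_duration=40.0):
    """Assumed stand-in for a detector trained on whole-set aggregates:
    reports an attack when the average flow duration is abnormally high."""
    return metrics["avg_duration"] > max_avg_duration


def cluster(flows):
    """Assumed stand-in for mean-shift: group flows by their cluster key."""
    clusters = {}
    for flow in flows:
        clusters.setdefault(flow[0], []).append(flow)
    return clusters


def naive_per_cluster(clusters):
    """Apply the aggregate-trained detector to each cluster on its own."""
    return {
        name: "attack" if aggregate_detector(aggregate(members)) else "normal"
        for name, members in clusters.items()
    }


def label_clusters(clusters):
    """Exhaustive ground-truth search: find the largest combination of
    clusters (by flow count) whose merged aggregate does not trigger the
    detector; mark those clusters normal and the rest attack.
    Cost grows as 2**n in the number of clusters."""
    names = sorted(clusters)
    best, best_size = (), 0
    for r in range(1, len(names) + 1):
        for combo in combinations(names, r):
            merged = [f for name in combo for f in clusters[name]]
            if aggregate_detector(aggregate(merged)):
                continue
            if len(merged) > best_size:
                best, best_size = combo, len(merged)
    return {name: "normal" if name in best else "attack" for name in names}


if __name__ == "__main__":
    flows = make_flows()
    clusters = cluster(flows)
    print("whole set :", aggregate(flows), aggregate_detector(aggregate(flows)))
    for name, members in sorted(clusters.items()):
        print(name, aggregate(members))
    print("naive     :", naive_per_cluster(clusters))
    print("exhaustive:", label_clusters(clusters))
```

The continuous-UDP cluster is flagged when judged alone because its own averages look nothing like a whole-set aggregate, while the combination search correctly leaves it in the normal set.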
Figure 4 illustrates an exemplary network device/node in accordance with an embodiment of the present disclosure. The system further includes at least one network interface and a power supply in addition to at least one processor, memory, and a system bus.
The network interface(s) contain the mechanical, electrical, and signaling circuitry necessary to transmit data over links connected to the network 110. Several different communication protocols can be used to transmit and/or receive data through the network interfaces. Also, keep in mind that the view presented here is merely illustrative and that the nodes may have either wireless or wired (physical) network connections. Also, even though the power supply and the network interface are shown separately, for PLC the network interface may communicate through the power supply or may be an integral part of the power supply. In some specific configurations, the PLC signal can be coupled to the power line that connects to the power supply.
The processor and the network interfaces can access a number of storage locations in the memory to store software programs and data structures related to the embodiments described here. Keep in mind that some devices might have only a small amount of memory or none at all; for instance, they might have no memory for storage other than for the programs and processes that are running on the device and the caches that are associated with them. The processor may include hardware logic or hardware elements to run software programs and manipulate data structures. An operating system, which is typically executed by the processor, functionally organizes the device by invoking operations in support of software processes and/or services running on the device. As described here, these software processes and/or services may include a traffic aggregation process, an attack detection process, and/or a clustering process.
Those skilled in the art will know that other processor and memory types, as well as a variety of computer-readable media, can be used to store and carry out program instructions for the methods described here. Likewise, while the description shows various processes, it is expressly contemplated that various processes may be embodied as modules configured to operate in accordance with the methods described here (e.g., according to the functionality of a similar process). In addition, although the processes have been presented separately, those skilled in the art will be aware that processes may be modules or routines that are part of other processes.
In one embodiment, the routing process (services) consists of computer-executable instructions executed by the processor to carry out functions provided by one or more routing protocols, such as proactive or reactive routing protocols. On devices that are capable, these functions can be set up to manage a routing/forwarding table, a data structure that contains, for example, data used to make routing/forwarding decisions. Link state routing, such as Open Shortest Path First (OSPF), Intermediate-System-to-Intermediate-System (ISIS), or Optimized Link State Routing (OLSR), in particular, requires connectivity to be discovered and known prior to computing routes to any network destination. In contrast, reactive routing has no a priori knowledge of the topology of the network 110: in response to a needed route to a destination, it discovers neighbors and sends a route request into the network to determine which neighboring node can be used to reach the desired destination. Ad-hoc On-Demand Distance Vector (AODV), Dynamic Source Routing (DSR), Dynamic MANET On-Demand Routing (DYMO), and others are examples of reactive routing protocols. Notably, on devices that are not configured to store routing entries, the routing process may consist only of providing mechanisms for source routing techniques. That is, for source routing, the less capable devices in the network simply forward the packets in the direction that has been instructed by other network devices.
The attack detection process consists of computer-executable instructions that are executed by the processor to perform a variety of tasks, including attack detection and reporting. In various embodiments, the attack detection process may use machine learning to detect an attack. In general, machine learning is concerned with the design and development of methods that take empirical data (such as performance indicators and network statistics) as input and recognize complex patterns in that data. One very common pattern among machine learning techniques is the use of an underlying model M whose parameters are optimized to minimize the cost function associated with M, given the input data. For instance, in the context of classification, the model M might be a straight line that divides the data into two classes, as in M=a*x+b*y+c, and the cost function might be the number of misclassified points. The learning process then adjusts the parameters a, b, and c so that the number of misclassified points is kept to a minimum. After this optimization stage (or learning stage), model M can be used to classify new data points. M is frequently a statistical model, and the cost function is inversely proportional to the likelihood of M, given the input data. Accordingly, the attack detection process may be an attack detection classifier that assigns network traffic or conditions to an "attack" or "normal operation" category based on the network's learned behavior. It is also possible to use additional categories that represent specific types of attacks, such as the label "UDP flooding attack." To put it another way, the attack detection process can be set up to assign one of a number of output labels, such as "normal," "attack," etc., to an input set of network metrics or observations. In other cases, a label applied by the learning machine may not be definitive (e.g., it may carry a confidence score associated with the applied label, and so on).
Learning machines (LMs), as previously mentioned, are computational entities that perform a task for which they have not been explicitly programmed by relying on one or more machine learning processes. Specifically, LMs are capable of adapting their behavior to their environment. This capability will be very important in the context of LLNs and, more broadly, the Internet of Things (or Internet of Everything, IoE), as the network 110 will be subject to shifting conditions and requirements and will grow too large for a network operator to effectively manage.
The underlying mathematical models of Artificial Neural Networks (ANNs), a type of machine learning technique, were developed in response to the hypothesis that electrochemical activity between interconnected neurons accounts for the majority of mental activity. Directed weighted links connect a set of computational units (neurons) in an ANN. ANNs are able to perform highly non-linear operations on input data by combining the operations performed by neurons and the weights applied by the links. However, the interesting feature of ANNs is not their ability to produce highly non-linear outputs from their inputs but rather their ability to learn to replicate a predefined behavior through a training process. As a result, an ANN can be trained to spot changes in a network's behavior (such as a change in packet losses, link delays, requests, etc.) that could point to a network attack. In some situations, ANN classifiers may be hierarchical in the sense that a more powerful classifier validates the conclusion of a less powerful classifier. Support vector machines (SVMs), naive Bayesian models, decision trees, and other similar methods from machine learning can also be used in an attack detection classifier.
Anomaly detection methods may also be used in the attack detection process to classify network conditions as indicating an attack. Anomaly Detection (AD) is a method for data mining and machine learning that involves identifying the parts of a flow of data that do not follow the same pattern as the others. Particularly, AD techniques can use a model of normal behavior to identify data points that are unlikely to fit the model. Such techniques include, but are not restricted to, k-NN methods, one-class SVM methods, replicator NN methods, and so on. Notably, learning machine processes can make use of these methods to identify new types of attacks.
The traffic aggregation process, which will be discussed in greater detail below, consists of computer-executable instructions that are carried out by the processor to carry out tasks pertaining to the aggregation of traffic data into inputs for the attack detection process. An average flow duration, the average number of bytes in a flow, the average number of packets, a proportion of traffic attributable to a specific application, other statistical properties, or any other aggregated traffic metrics may be determined by the traffic aggregation process for analysis by the attack detection process.
The clustering process consists of computer-executable instructions that are carried out by the processor to carry out tasks pertaining to the clustering of traffic data for use as input into the attack detection process. The term "clustering" generally refers to a group of methods whose goal is to group objects according to a predetermined notion of similarity. For example, in recommender systems (RS), clustering is a popular method for grouping items that people like in similar ways. Based on this particular user's previous choices, the system can thus suggest new products that the user is likely to like. Mean-Shift, k-means, density-based spatial clustering of applications with noise (DBSCAN), and others are typical clustering techniques. In the attack detection process, such clusters may occasionally be used as input to one or more cluster-centric attack detectors. To put it another way, the attack detection process may consist of one or more attack detectors that are set up to specifically analyze clustered records or one or more attack detectors that are set up to detect an attack based on aggregated metrics for a set of traffic records.
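The two-stage flow described above (aggregated metrics flag an attack type, the traffic records are then mean-shift clustered, and a detector for that attack type labels each cluster) is sketched below as an added example; it is not code from the specification. The flow records, the thresholds, the log-scaled features and the function names are all assumptions made for illustration, and simple threshold rules stand in for the trained detectors.

```python
import math
from statistics import mean

# Constructed flow records (duration in s, bytes, packets); not real capture data.
FLOWS = [
    (1.2, 48000, 40), (0.9, 52000, 44), (1.5, 45000, 38),    # short page loads
    (30.0, 900000, 700), (28.0, 950000, 720),                 # downloads
    (5.0, 120000, 100), (6.0, 110000, 95),                    # API sessions
    (290.0, 900, 30), (300.0, 850, 29),                       # long-lived, near-idle
    (310.0, 950, 31), (295.0, 880, 30),
]

def aggregate(flows):
    """Aggregated metrics of the kind the traffic aggregation process reports."""
    return {
        "avg_duration": mean(f[0] for f in flows),
        "avg_bytes": mean(f[1] for f in flows),
        "avg_packets": mean(f[2] for f in flows),
    }

def suspect_attack(metrics, max_avg_duration=60.0):
    """Stage 1 stand-in for a trained classifier (the threshold is an assumption)."""
    return "http_slow_loris" if metrics["avg_duration"] > max_avg_duration else None

def features(flow):
    # Log scale so duration and byte count contribute comparably to distance.
    return (math.log10(flow[0]), math.log10(flow[1]))

def mean_shift(points, bandwidth=0.5, tol=1e-6, max_iter=100):
    """Flat-kernel mean shift; returns one cluster index per input point."""
    modes, labels = [], []
    for p in points:
        cur = p
        for _ in range(max_iter):
            near = [q for q in points if math.dist(cur, q) <= bandwidth]
            if not near:
                break
            nxt = tuple(mean(c) for c in zip(*near))
            moved = math.dist(cur, nxt)
            cur = nxt
            if moved < tol:
                break
        for i, m in enumerate(modes):          # merge with an existing mode
            if math.dist(cur, m) <= bandwidth / 2:
                labels.append(i)
                break
        else:
            modes.append(cur)
            labels.append(len(modes) - 1)
    return labels

def is_slow_loris(cluster_flows, min_duration=120.0, max_rate=50.0):
    """Cluster-level detector for one attack type (thresholds are assumptions)."""
    duration = mean(f[0] for f in cluster_flows)
    rate = mean(f[1] / f[0] for f in cluster_flows)   # bytes per second
    return duration >= min_duration and rate <= max_rate

def segregate(flows):
    """Aggregate, detect, cluster, label each cluster, split into two sets."""
    attack_type = suspect_attack(aggregate(flows))
    result = {"attack_type": attack_type, "attack": {}, "normal": {}}
    if attack_type is None:                    # nothing flagged: no clustering
        result["normal"]["A"] = list(flows)
        return result
    labels = mean_shift([features(f) for f in flows])
    clusters = {}
    for flow, label in zip(flows, labels):
        clusters.setdefault(chr(ord("A") + label), []).append(flow)
    for name, members in clusters.items():
        side = "attack" if is_slow_loris(members) else "normal"
        result[side][name] = members
    return result

if __name__ == "__main__":
    out = segregate(FLOWS)
    print(out["attack_type"], sorted(out["attack"]), sorted(out["normal"]))
```

Only the records in the attack-related set would be handed on for traffic cleaning; the three normal clusters pass through untouched even though the aggregate view of the whole sample looked anomalous.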
Figure 5 illustrates a block diagram of a system in which the storage delivery management service includes a fabric management component in accordance with an embodiment of the present disclosure. The fabric management component, which is executed by the storage delivery management service, generates, on at least one switch in a switch fabric, an access control list that includes the identification of at least one networking port on the identified storage system and at least one networking port on a host computing device 106. The fabric management component communicates with the switch fabric. In some embodiments, the switch fabric is a component of the storage area network. In one of these embodiments, the storage area network comprises the switch fabric and one or more networked storage systems. In other embodiments, the switch fabric is a separate network from the storage area network, and the storage area network is a network of storage systems. In one of these embodiments, the switch fabric is a network that connects the storage area network to a host computing device 106 or to a network on which the host computing device 106 is located. The storage area network is a single network including both a plurality of storage systems and a plurality of switches forming a switch fabric. In some examples, the storage area network provides network-attached storage.
The switch fabric may include one or more Fibre Channel switches in one conceivable configuration. The Internet Small Computer System Interface (iSCSI) protocol is used to communicate among the switches in another exemplary embodiment of the switch fabric. Switches that communicate using either Internet Small Computer System Interface (iSCSI) protocols or Fibre Channel protocols are examples of heterogeneous switch fabrics. Data from servers or other computing devices 106 that are associated with one or more storage systems is routed to a network port on a particular storage system by a switch in the switch fabric in another embodiment.
A switch fabric controller is included in the switch fabric in some embodiments. In one of these embodiments of the switch fabric controller, the fabric management component or the storage system communication component, for example, can communicate with components outside of the storage area network through a storage system adapter. The storage system adapter is located on the storage system in another of these embodiments. In other embodiments, the switch fabric includes a fabric name server with which the fabric management component communicates.
A fabric communication adapter is included in the fabric management component in some instances. Fibre Channel Host Bus Adapters (HBAs) are included in the fabric management component of one of these embodiments. Using onboard Application-Specific Integrated Circuits (ASICs), the Fibre Channel HBA handles the processing of the Fibre Channel stack in one of these embodiments. In other embodiments, the fabric management component alters the switch fabric's stored zoning information. A zone control interface provided by a fabric management component embedded in the switch fabric enables the creation and modification of zoning information in other embodiments. To access data that can also be formatted and retrieved in accordance with a standard like CIM OM, the fabric management component communicates with a switch in the switch fabric in accordance with a standard like the Storage Management Initiative Specification (SMI-S). The switch in the switch fabric executes a management service in one of these embodiments, providing an application programming interface with which the fabric management component can communicate.
Zones include identifications of devices, such as storage systems and host computing devices, that are authorized to access data stored by one or more storage systems. Devices can be identified by unique identifiers of the device itself, such as its unique World Wide Name (WWN), or of a port on the device, such as a network port for a storage system. A zone list, which may also be referred to as an access control list, typically identifies devices that communicate with one another, such as a storage system and the host computing devices authorized to access data stored by the storage system. In certain embodiments, if a device is not identified on the zone list, it will not be permitted to access data stored by other devices on the zone list. In other embodiments of the zone list, a logical unit, virtual disk, or other virtual storage resource may be provided on one of a plurality of partitions on the storage system, and a port is assigned to each such partition for use in identifying the partition in, for example, an access control list. This kind of functionality is typically referred to as LUN masking. In one embodiment, when a computing device 106, such as a host computer or server, communicates with or about a storage system, for instance to request an identification of the storage system, modify an access control list that identifies the storage system, or access data provided by one or more storage systems, the computing device 106 requests an identification of each of the devices listed on any access control list that also identifies the requesting computing device 106. This is done in order to identify the storage system.
The fabric management component has the capability of dynamically modifying access control lists to include virtual machine identifiers that are authorized to access a storage system in some examples. The fabric management component offers functionality for dynamically modifying access control lists to include identifications of host computing devices granted access to a storage system in another of these embodiments. The fabric management component offers functionality for dynamically modifying access control lists to include identifications of host computing devices that execute virtual machines that are authorized to access a storage system in another of these embodiments. The fabric management component offers functionality for modifying an access control list that specifies a network port on a first computing device 106 that is running a virtual machine to include a network port on a second computing device 106 to which the virtual machine has migrated in yet another of these embodiments.
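The zone-list behaviour described in the two paragraphs above (default deny for devices not on the list, one port per partition for LUN masking, a requester seeing only devices that share a list with it, and the list being updated when a virtual machine migrates) can be modelled as follows. This is an added example, not code from the specification or from any switch vendor's API; the class, its method names, the zone names and the WWN values are all hypothetical.

```python
# Constructed port WWNs for illustration; not from the page or a real fabric.
HOST_A = "10:00:00:00:c9:aa:00:01"      # host currently running the VM
HOST_B = "10:00:00:00:c9:bb:00:02"      # host the VM migrates to
HOST_C = "10:00:00:00:c9:cc:00:03"      # unrelated host
LUN_PORT_1 = "50:06:01:60:00:00:00:11"  # port assigned to partition 1
LUN_PORT_2 = "50:06:01:60:00:00:00:12"  # port assigned to partition 2


class ZoneSet:
    """Hypothetical in-memory model of zone lists (access control lists)."""

    def __init__(self):
        self.zones = {}  # zone name -> set of member port WWNs

    def add_zone(self, name, members):
        self.zones[name] = {m.lower() for m in members}

    def can_access(self, initiator, target):
        """Default deny: allowed only if one zone list names both ports."""
        i, t = initiator.lower(), target.lower()
        return any(i in z and t in z for z in self.zones.values())

    def visible_to(self, requester):
        """Devices on any zone list that also identifies the requester."""
        r = requester.lower()
        seen = set()
        for members in self.zones.values():
            if r in members:
                seen |= members
        seen.discard(r)
        return seen

    def migrate_vm(self, src_port, dst_port, drop_source=False):
        """Add the destination host port to every zone naming the source port.

        drop_source is an assumption of this sketch: removing the old port
        after migration keeps the list from granting access to a host that
        no longer runs the virtual machine.
        """
        src, dst = src_port.lower(), dst_port.lower()
        changed = []
        for name, members in self.zones.items():
            if src in members:
                members.add(dst)
                if drop_source:
                    members.discard(src)
                changed.append(name)
        return sorted(changed)


def build_fabric():
    """Two zones, each masking one partition port to one host."""
    fabric = ZoneSet()
    fabric.add_zone("vm_data", [HOST_A, LUN_PORT_1])
    fabric.add_zone("backup", [HOST_C, LUN_PORT_2])
    return fabric


if __name__ == "__main__":
    fabric = build_fabric()
    print(fabric.can_access(HOST_B, LUN_PORT_1))   # before migration
    fabric.migrate_vm(HOST_A, HOST_B, drop_source=True)
    print(fabric.can_access(HOST_B, LUN_PORT_1))   # after migration
```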
The fabric management component is optional in other embodiments. In one of these embodiments, fabric management is not required because the storage delivery management service and host computing devices communicate directly with storage systems without requiring modification to or management of a switch fabric, for instance, when the storage delivery management service interacts with a storage area network that provides functionality according to the iSCSI protocol instead of Fibre Channel standards.

The drawings and the foregoing description give examples of embodiments. Those skilled in the art will appreciate that one or more of the described elements may well be combined into a single functional element. Alternatively, certain elements may be split into multiple functional elements. Elements from one embodiment may be added to another embodiment. For example, orders of processes described herein may be changed and are not limited to the manner described herein. Moreover, the actions of any flow diagram need not be implemented in the order shown; nor do all of the acts necessarily need to be performed. Also, those acts that are not dependent on other acts may be performed in parallel with the other acts. The scope of embodiments is by no means limited by these specific examples. Numerous variations, whether explicitly given in the specification or not, such as differences in structure, dimension, and use of material, are possible. The scope of embodiments is at least as broad as given by the following claims.

Benefits, other advantages, and solutions to problems have been described above with regard to specific embodiments. However, the benefits, advantages, solutions to problems, and any component(s) that may cause any benefit, advantage, or solution to occur or become more pronounced are not to be construed as a critical, required, or essential feature or component of any or all the claims.

Claims:

1. A system for detecting and preventing resource consumption-based attacks in IoT-enabled smart cities devices, the system comprises:

a cloud server platform (102) interconnected to a first storage resource and a second storage resource for transmitting data from one of the first storage resource and the second storage resource to another of the first storage resource and the second storage resource;
a storage device (104) provisioned with one or more of the storage resources and configured with a storage delivery management service running on a computing device (106) inside either of the first or second storage resources, wherein the storage delivery management service is used for computing a list of storage resources associated with a user credential, wherein the list includes a second storage resource provisioned on at least one storage system comprising one or more hardware devices;
a sensing node (108) for employing aggregated metrics for a set of traffic data to identify a network attack in a network (110);
a network-based clustering processor (112) for clustering the traffic data into a set of traffic data clusters after spotting the network attack, wherein the network-based clustering processor (112) uses the set of traffic data as input to a clustering process to produce the set of traffic data clusters;
an indicator (114) for indicating an attack type for the identified attack and generating a report for the set of traffic data;
a clustering search engine (116) for receiving reports for the set of traffic data and notification, which is configured to identify the clustering device for providing the indication of the attack type for the detected attack and the description for the set of traffic data to the clustering search engine (116), wherein the clustering search engine (116) selects the clustering device based on the attack type;
a network-based analysis processor (118) for analyzing the traffic data clusters;
a segregation processor (120) for classifying the traffic data clusters into a set of one or more attack-related clusters and into a set of one or more clusters related to normal traffic based on an analysis of the clusters by the clustering device; and
a controlling unit (122) configured with a convolutional neural network (124) for transmitting the set of one or more attack-related clusters for traffic cleaning, where the data traffic is cleaned by removing suspicious traffic using one or more of the technologies selected from flow limiting, null connection detection, synchronize (SYN), bounce Transmission Control Protocol (TCP), and proxy User Datagram Protocol (UDP) to prevent resource consumption-based attacks.

2. The system as claimed in claim 1, comprises a storage adapter for one or more of the storage resources, wherein the storage adapter is associated with the user credential, wherein the clustering device is recognized as an attack detection device by the availability notification, hosting one or more attack detectors.

3. The system as claimed in claim 1, wherein the segregation process is configured to:
collect labels applied to the traffic data clusters by the clustering device, wherein the labels recognize a particular traffic data cluster as an attack or a normal traffic; and
combine the traffic data clusters into the set of one or more attack-related clusters and into the set of one or more clusters related to normal traffic.

4. The system as claimed in claim 1, wherein the cloud server platform (102) comprises:
an access port for establishing a connection between the first storage resource and second storage resource; and
a transmitter and a receiver for allowing the first storage resource and second storage resource to exchange the data.

5. The system as claimed in claim 1, wherein the list of storage resources is calculated that is associated with the storage adapter, wherein the storage delivery management service calculated the list of storage resources associated with the storage adapter responsive to invoking the storage adapter, wherein the storage delivery management service calculated the list of access ports in the second storage resource responsive to invoking the storage adapter.

6. The system as claimed in claim 1, wherein analyzing the server resource response message data and determining a second indicator (114) of compromise, initiating a second security response that includes either transmitting data corresponding to the second indicator (114) of compromise from the security server to the access control server or a second instruction instructing the access control server not to transmit to the resource server at least one server resource request message received from the client or not transmitting to the client at least one server resource response message provided by the resource server in response to a server resource request message received from the client.

7. The system as claimed in claim 1, wherein the data traffic of the cloud server platform (102) is monitored to detect the data traffic in normal of attack by receiving statistics on the data traffic to be inputted into the controlling unit (122), wherein the data traffic is classified into the attack if the statistics show that the data traffic inputted into the controlling unit (122) within the preset duration exceeds a preset threshold.

8. A method for detecting and preventing resource consumption-based attacks in IoT-enabled smart cities devices, the method comprises:

transmitting data from one of a first storage resource and a second storage resource to another of the first storage resource and the second storage resource upon interconnecting a cloud server platform (102) to a first storage resource and a second storage resource;
provisioning a storage device (104) with one or more of the storage resources and configuring with a storage delivery management service running on a computing device (106) inside either of the first or second storage resources, wherein the storage delivery management service is used for computing a list of storage resources associated with a user credential, wherein the list includes a second storage resource provisioned on at least one storage system comprising one or more hardware devices;
identifying a network attack in a network (110) using a sensing node (108) upon employing aggregated metrics for a set of traffic data;
clustering the traffic data into a set of traffic data clusters after spotting the network attack using a network-based clustering processor (112), wherein the network-based clustering processor (112) uses the set of traffic data as input to a clustering process to produce the set of traffic data clusters;
indicating an attack type for the identified attack and generating a report for the set of traffic data through an indicator (114);
receiving reports for the set of traffic data and notification, which is configured to identify the clustering device for providing the indication of the attack type for the detected attack and the description for the set of traffic data to the clustering search engine (116) using a clustering search engine (116), wherein the clustering search engine (116) selects the clustering device based on the attack type;
analyzing the traffic data clusters by employing a network-based analysis processor (118);
classifying the traffic data clusters into a set of one or more attack-related clusters and into a set of one or more clusters related to normal traffic based on an analysis of the clusters by the clustering device using a segregation processor (120); and
transmitting the set of one or more attack-related clusters for traffic cleaning using a controlling unit (122) configured with a convolutional neural network (124), where the data traffic is cleaned by removing suspicious traffic using one or more of the technologies selected from flow limiting, null connection detection, synchronize (SYN), bounce Transmission Control Protocol (TCP), and proxy User Datagram Protocol (UDP) to prevent resource consumption-based attacks.

9. The method as claimed in claim 8, further comprises analyzing a server resource request message data ensuing identification of a first indicator (114) of compromise or the client being identified within a blacklist and initiating a security response including transmitting at the security server, from the security server to the access control server, wherein information corresponding to the first indicator (114) of compromise or a first instruction that causes the access control server to not transmit to the resource server at least one server resource request notification is received from a client.

10. The method as claimed in claim 8, further comprises analyzing the identifying a network attack in the network (110) comprises:
creating a server resource metrics;
creating a blocked connection metrics;
creating a back end error code metrics; and
recognizing the network attacks at the security side of the cloud server platform (102) based on the server resource request message data.

Documents

Application Documents

# Name Date
1 202341002187-STATEMENT OF UNDERTAKING (FORM 3) [11-01-2023(online)].pdf 2023-01-11
2 202341002187-REQUEST FOR EARLY PUBLICATION(FORM-9) [11-01-2023(online)].pdf 2023-01-11
3 202341002187-POWER OF AUTHORITY [11-01-2023(online)].pdf 2023-01-11
4 202341002187-FORM-9 [11-01-2023(online)].pdf 2023-01-11
5 202341002187-FORM 1 [11-01-2023(online)].pdf 2023-01-11
6 202341002187-FIGURE OF ABSTRACT [11-01-2023(online)].pdf 2023-01-11
7 202341002187-DRAWINGS [11-01-2023(online)].pdf 2023-01-11
8 202341002187-DECLARATION OF INVENTORSHIP (FORM 5) [11-01-2023(online)].pdf 2023-01-11
9 202341002187-COMPLETE SPECIFICATION [11-01-2023(online)].pdf 2023-01-11
10 202341002187-FORM 18A [12-06-2023(online)].pdf 2023-06-12
11 202341002187-FER.pdf 2023-11-06
12 202341002187-OTHERS [01-03-2024(online)].pdf 2024-03-01
13 202341002187-FER_SER_REPLY [01-03-2024(online)].pdf 2024-03-01
14 202341002187-CLAIMS [01-03-2024(online)].pdf 2024-03-01
15 202341002187-US(14)-HearingNotice-(HearingDate-20-09-2024).pdf 2024-08-19
16 202341002187-Correspondence to notify the Controller [20-08-2024(online)].pdf 2024-08-20
17 202341002187-FORM-26 [14-09-2024(online)].pdf 2024-09-14
18 202341002187-Written submissions and relevant documents [04-10-2024(online)].pdf 2024-10-04
19 202341002187-PatentCertificate21-02-2025.pdf 2025-02-21
20 202341002187-IntimationOfGrant21-02-2025.pdf 2025-02-21

Search Strategy

1 202341002187E_04-10-2023.pdf