Ricardo Macedo, A. Santos, Y. Ghamri-Doudane, M. N. Lima
Title: A scheme for DDoS attacks mitigation in IdM systems through reorganizations
Venue: NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium
Publication date: 2016-04-25
DOI: 10.1109/NOMS.2016.7502825 (https://doi.org/10.1109/NOMS.2016.7502825)
Citations: 4
Abstract
Identity management (IdM) systems employ Identity Providers (IdPs) as guardians of users' critical information. However, Distributed Denial-of-Service (DDoS) attacks can make IdP operations unavailable, compromising legitimate users. In the literature, the main countermeasures against DDoS attacks are based either on the application of external resources to extend the system lifetime (replication) or on DDoS attack detection. The first approach increases the cost of the solution, and in general the second one is prone to high rates of false negatives and/or false positives. This work presents SAMOS, a first scheme to mitigate DDoS attacks in IdM systems through a novel approach: organizations of IdP clustering using optimization techniques. SAMOS is started based on the monitoring of processing and memory resources, unlike the solutions in the literature, which are started based on attack detection through network traffic analysis. SAMOS minimizes the effects of DDoS attacks using operational IdPs in the system, unlike the works that employ external computer resources. Results considering data from real IdM systems indicate the scheme's viability.