IJRIT International Journal of Research in Information Technology, Volume 2, Issue 5, May 2014, Pg: 262-269

International Journal of Research in Information Technology (IJRIT) www.ijrit.com

ISSN 2001-5569

Host Based Intrusion Detection and Countermeasure Selection in Cloud

Praveen Kumar A T (1), Ramakrishna B B (2)

(1) Student, Srinivasa Institute of Technology, VTU Belgaum, Valachil, Mangalore, Karnataka, India

(2) Assistant Professor, Srinivasa Institute of Technology, VTU Belgaum, Valachil, Mangalore, Karnataka, India

Abstract

In a cloud system, the virtual machine is considered the main security threat, because all cloud users install their applications in virtual machines. In particular, intruders can exploit a vulnerability in a cloud system and compromise virtual machines in order to deploy further large-scale attacks such as distributed denial of service (DDoS). Such vulnerability arises mainly in Infrastructure as a Service (IaaS) clouds, where the infrastructure is shared by millions of users. To prevent vulnerable virtual machines from being compromised in the cloud, the proposed framework introduces a multiphase distributed vulnerability detection, measurement and countermeasure selection mechanism. It builds an attack graph analytical model that is used to identify the ways in which intruders might exploit a vulnerability. The model contains information about the virtual topology and about the cloud servers. Based on the information provided by the analytical model, the system then deploys appropriate countermeasures.

Keywords: Cloud Server, DDOS, Intruders, Virtual machine, zombie detection.

1. Introduction

A recent Cloud Security Alliance (CSA) survey concludes that among all security issues, data breaches are considered the top security threat, in which data loss and data leakage are serious threats to cloud computing. The main reason behind this is losing control over the system: attackers try to exploit vulnerabilities in clouds and use cloud system resources to deploy attacks. Cloud users usually have the privilege to control the software installed on their virtual machines; that installed software may affect system security and can violate the service level agreement (SLA). Cloud users can unknowingly install vulnerable software on their VMs, which essentially contributes to creating loopholes in cloud security. The challenge before the cloud service provider (CSP) is to establish an effective vulnerability or attack detection and response system for accurately identifying attacks and minimizing the impact of security breaches on cloud users [1]. In a cloud system, especially in IaaS, the infrastructure is shared by millions of users; misuse and malicious use of the shared infrastructure lets attackers exploit vulnerabilities of the cloud, use its resources to deploy attacks, and use the compromised part of the system to penetrate the whole system. Such attacks are more effective in the cloud environment because cloud users usually share computing resources, e.g., many resources are connected through the same switch and share file systems and the same data storage, even with potential attackers. The similar setup of VMs in the cloud, e.g., VM OS, virtualization techniques, various installed software which may be vulnerable, networking, and so on, attracts attackers to compromise multiple VMs. It is usual practice to implement a firewall or a security policy, but experience has shown these to be dramatically insufficient. Simply put, denial-of-service attacks are attacks that prevent users of a cloud service from being able to access their data or their applications. By forcing the zombie VMs to consume inordinate amounts of finite system resources such as processor power, memory, disk space or network bandwidth, the attacker or attackers, as in the case of distributed denial-of-service (DDoS) attacks, cause an intolerable system slowdown and leave all of the legitimate service users confused and angry as to why the service isn't responding. DDoS attacks take advantage of vulnerabilities in web servers, databases, or other cloud resources which allow a malicious individual to take out an application.

2. BACKGROUND

In this paper, we discuss the actions of attacks in the cloud. We present NICE, which is proposed to detect and mitigate collaborative attacks in the cloud virtual networking environment. NICE utilizes the attack graph model to conduct attack detection and prediction. The proposed solution investigates how to use the programmability of software-switch-based solutions to improve detection accuracy and defeat the victim-exploitation phase of collaborative attacks. NICE only investigates the network IDS approach to counter zombie explorative attacks. We devise NICE, a new multiphase distributed network intrusion detection and prevention framework in a virtual networking environment that captures and inspects suspicious cloud traffic without interrupting users' applications and cloud services. NICE incorporates a software switching solution to quarantine and inspect suspicious VMs for further investigation and protection. Through programmable network approaches, NICE can improve the attack detection probability and improve resiliency to VM exploitation attacks without interrupting existing normal cloud services. NICE employs a novel attack graph approach for attack detection and prevention by correlating attack behavior, and also suggests effective countermeasures. NICE optimizes the implementation on cloud servers to minimize resource consumption. We also propose an effective technique to find the vulnerable virtual machines in the network with the help of an enhanced host model. Host-based detection systems can generally be classified into either anomaly detection or misuse detection. Host-based methods are more popular due to the low cost and processing overhead involved, compared to other machinery such as virtualization-based detection. Because of their effectiveness, attackers now manipulate system calls when initiating an attack.

Our study shows that NICE consumes less computational overhead compared to proxy-based network intrusion detection solutions. Our proposed techniques are effective and efficient when compared to the previous approaches, as shown through our experimental and simulation analysis.

3. CLOUD SERVICE MODELS

The services offered over cloud computing systems are collectively described as Anything as a Service (XaaS). The word "anything" stands for the type of service, for example Communication as a Service (CaaS), Network as a Service (NaaS) or Monitoring as a Service (MaaS). However, there are three fundamental service types that describe and define the service contents: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). These three main service models/actors of cloud computing are shown in Figure 1 and detailed as follows.

3.1 Infrastructure as a Service (IaaS)

With this capability, users can access processing power, storage area, network and other computing resources through the facilities of the provider, and use every kind of software including operating systems (OS) and applications. Users are not responsible for controlling and managing the cloud infrastructure; they only have authority over the OS, storage, deployed software and the network components that are going to be used.

3.2 Platform as a Service (PaaS)

Users can develop and run software over the cloud computing infrastructure via the programming languages, libraries, services and tools that are supported by the provider. Users are not responsible for controlling and managing the network, servers, OS and storage areas that form the cloud computing infrastructure; they can only make limited configuration changes.

3.3 Software as a Service (SaaS)

All the infrastructure, platform and software utilities are supported and provided by the provider. Users can access service-based applications via different devices and interfaces such as thin clients and web browsers. Users have only limited configuration authority over the service-based applications.

Fig. 1. Cloud Service Models.

4. EXISTING SYSTEM

The aim of intrusion detection is detecting and reacting to an attack. But the current solutions, IDS as well as firewall, do not work very well in real life. For any IDS implementation, the large volume of raw alerts from the IDS and false alarms are two major problems. For signature-based IDSs (one of the IDS methods) there is a gap between the discovery of a new threat and its signature being used by the IDS; in the meantime the IDS is unable to identify a threat whose signature is not available to the current IDS. Alert correlation tools play an important role in identifying the source or target of an intrusion in the network, and especially in detecting multistep attacks. Many attack graph-based alert correlation techniques have been proposed recently. Roschke proposed an attack graph (AG) based correlation algorithm that overcomes the limitations of the nested loop-based correlation methods, and proposed a queue graph (QG) approach to remove this limitation. The algorithm is able to identify multiple attack scenarios of the same anatomy by using an attack graph. Once any exploit is examined, the QG is used to trace alerts matching each exploit in the attack graph. But the algorithm consumes considerable computing power and needs to be tested using larger data sets. Wang extended the basic QG approach into a unified method to hypothesize missing alerts and to predict future alerts, and proposed a compact representation for the result of alert correlation. But the limitations of this method are overcome in. Once we know the possible attack scenarios, selecting and then applying countermeasures is the next important step. Selecting optimal countermeasures depends on the attack path and a cost-benefit analysis, so that the cost of the final solution is as close to optimal as possible.

Poolsappasit proposed a Bayesian attack graph (BAG) model of the network which enables a better understanding of the causal relationships between pre-conditions, vulnerability exploitations, and post-conditions. He proposed a genetic algorithm capable of performing both single- and multi-objective optimization of the system administrator's objectives. Using a BAG, the system administrator performs risk assessment and risk mitigation and uses the genetic algorithm to solve the countermeasure optimization problem. Roy et al. proposed an attack countermeasure tree (ACT) which considers both attacks and their countermeasures. They used greedy and branch-and-bound techniques to minimize the number of countermeasures. This approach aims at minimizing the security investment cost and maximizing the benefit of implementing a certain countermeasure set in the ACT.

Fig. 2. NICE architecture within one cloud server cluster.

5. PROPOSED METHOD

Host-based IDSs analyze suspicious activities such as system calls, processes or threads, and asset and configuration access by observing the state of the host. They are especially used to protect valuable and private information on server systems. HIDSs can act as NIDS if they are installed on a single host and configured to detect network activities. A HIDS is composed of sensors located on servers or workstations which are made to prevent attacks on a host. A HIDS does not just monitor network traffic; it can also trace more and deal with the local settings of an OS and its log records. The basic structure of a HIDS is shown in Figure 3.

Fig. 3 System Architecture of Host based IDS in Cloud

5.1 Host based Intrusion Detection Algorithm:

Step 1: Select the 4 modules needed for the whole HIDS.
Step 2: Build the Sensor module to monitor host systems.
Step 3: Build the Detection module based on misuse and anomaly detection techniques.
Step 4: Classify the various types of alerts (for example, an alert for a system-level intrusion or a process-level intrusion).
Step 5: Code the system to detect various types of attacks and raise alerts for the respective attacks.
Step 6: Integrate the system with a mobile device to receive alerts from the proposed IDS.
Step 7: Specify for each type of alert which category it falls into, so that the user can easily recognize the attack type.
Step 8: Build the Reaction module with various options, so that the administrator/user has several ways to react to any type of intrusion.
Step 9: Test the system using the Attack Simulation module, by sending different attacks to the proposed IDS.
Step 10: Build a log file, so that all generated reports can be saved for future reference.
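The ten steps above describe the module layout of the HIDS rather than its code. The following is an added example, not the paper's implementation, that wires the sensor, detection (misuse signatures plus a frequency-based anomaly rule), alert classification, reaction and log modules together over a constructed stream of host events. The event format, the two signatures, the connection-fan-out threshold, the module and reaction names are all assumptions made for illustration; alert delivery to a mobile device (step 6) and the attack-simulation module (step 9) are not modelled beyond feeding the constructed events in.

```python
"""Minimal host-based IDS pipeline following the ten-step design above.

Added example, not the paper's code. Event format, signatures, thresholds,
module names and reaction options are constructed assumptions.
"""
import json
from collections import Counter
from dataclasses import dataclass

# --- Sensor module (steps 1-2). A real sensor would tail the host's audit or
# syscall log; these events are constructed inline so the example runs offline.
SAMPLE_EVENTS = [
    {"host": "vm-01", "pid": 1203, "user": "www-data", "syscall": "open", "arg": "/var/www/index.html"},
    {"host": "vm-01", "pid": 1203, "user": "www-data", "syscall": "open", "arg": "/etc/shadow"},
    {"host": "vm-01", "pid": 1207, "user": "root", "syscall": "execve", "arg": "/usr/bin/apt"},
    {"host": "vm-01", "pid": 1203, "user": "www-data", "syscall": "execve", "arg": "/bin/sh"},
] + [
    # one process opening connections to 40 distinct hosts (constructed)
    {"host": "vm-01", "pid": 1310, "user": "guest", "syscall": "connect", "arg": "10.0.0.%d:22" % i}
    for i in range(1, 41)
]

def sensor(events):
    """Yield events one at a time, as a log tailer would."""
    for e in events:
        yield e

# --- Detection module (steps 3-5): misuse signatures and an anomaly rule.
def sig_sensitive_file_read(e):
    return e["syscall"] == "open" and e["arg"] in ("/etc/shadow", "/etc/sudoers") and e["user"] != "root"

def sig_shell_from_service_account(e):
    return e["syscall"] == "execve" and e["arg"].endswith("/sh") and e["user"] == "www-data"

# (rule name, predicate, alert category) -- category feeds steps 4 and 7
MISUSE_SIGNATURES = [
    ("sensitive-file-read", sig_sensitive_file_read, "system"),
    ("shell-from-service-account", sig_shell_from_service_account, "process"),
]
CONNECT_FANOUT_THRESHOLD = 30  # assumed: distinct destinations per pid before flagging

@dataclass
class Alert:
    host: str
    pid: int
    category: str   # "system" or "process"
    rule: str
    detail: str

class Detector:
    def __init__(self):
        self.dest_per_pid = {}
        self.flagged_pids = set()

    def inspect(self, e):
        alerts = []
        for name, pred, cat in MISUSE_SIGNATURES:
            if pred(e):
                alerts.append(Alert(e["host"], e["pid"], cat, name, e["arg"]))
        if e["syscall"] == "connect":
            dests = self.dest_per_pid.setdefault(e["pid"], set())
            dests.add(e["arg"])
            # anomaly: report a process once when its fan-out exceeds the threshold
            if len(dests) > CONNECT_FANOUT_THRESHOLD and e["pid"] not in self.flagged_pids:
                self.flagged_pids.add(e["pid"])
                alerts.append(Alert(e["host"], e["pid"], "process", "anomaly-connect-fanout",
                                    "%d distinct destinations" % len(dests)))
        return alerts

# --- Reaction module (step 8): options available per alert category (assumed).
REACTIONS = {"system": ["notify", "kill-process", "isolate-host"],
             "process": ["notify", "kill-process"]}

def react(alert, choice="notify"):
    if choice not in REACTIONS[alert.category]:
        raise ValueError("reaction %s not available for %s alerts" % (choice, alert.category))
    return {"alert": alert.rule, "pid": alert.pid, "action": choice}

def run_hids(events, log_path=None):
    """Run sensor -> detector over the events; optionally append alerts to a log (step 10)."""
    det, alerts = Detector(), []
    for e in sensor(events):
        alerts.extend(det.inspect(e))
    if log_path:
        with open(log_path, "a") as fh:
            for a in alerts:
                fh.write(json.dumps(a.__dict__) + "\n")
    return alerts

def summarize(alerts):
    """Alert counts per category, for the administrator's overview."""
    return Counter(a.category for a in alerts)

if __name__ == "__main__":
    found = run_hids(SAMPLE_EVENTS)
    for a in found:
        print(a.category, a.rule, a.detail, react(a))
    print(dict(summarize(found)))
```

On the constructed events the detector raises one system-level alert (the service account reading /etc/shadow), one process-level misuse alert (the service account spawning a shell) and one process-level anomaly alert when the scanning process passes 30 distinct destinations; the reaction table refuses options that the alert's category does not permit.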

6. IMPLEMENTATION OVERVIEW

The cloud user stores data in a virtual machine on the cloud server, so the cloud server holds all the data stored by the cloud user. On the server side, the HIDS scans the particular VM each time the user stores data there. If an intruder modifies any data, an alert message is sent to the particular cloud user. After NICE-A analyzes the attack, the attack analyzer constructs an attack graph to provide information about which VM contains the vulnerability; this is then sent to the network controller, which applies appropriate countermeasures and blocks the particular attacker in the cloud server. Countermeasures include network reconfiguration, traffic redirection and IP address change. Network reconfiguration means configuring the settings of the particular virtual machine. When anomalous traffic is raised by an attacker, the data is automatically transferred from one VM to another VM. When the topology settings are changed by an intruder, the packet filtering countermeasure is taken to analyze each packet, block the particular VM in a server and change its IP address.

Algorithm: CountermeasureSelection
Require: Alert; G(E,V); CM
1: Let vAlert = Source node of the Alert
2: if Distance to Target(vAlert) > threshold then
3:     Update ACG
4:     return
5: end if
6: Let T = Descendant(vAlert) ∪ vAlert
7: Set Pr(vAlert) = 1
8: Calculate_Risk_Prob(T)
9: Let benefit[|T|, |CM|] = 0
10: for each t ∈ T do
11:     for each cm ∈ CM do
12:         if cm
(lines 13 to 18 of the algorithm are not present on the page)
19: Let ROI[|T|, |CM|] = 0
20: for each t ∈ T do
21:     for each cm ∈ CM do
22:     end for
23: end for
24: Update SAG and Update ACG
25: return Select_Optimal_CM(ROI)
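The pseudocode above is missing the lines that fill in the benefit and ROI tables, so the following added example (not the paper's or NICE's code) implements only the visible skeleton over a small constructed attack graph: locate the alert's source node, drop alerts further than a threshold from the target, take the descendant set T, propagate risk probability from Pr(vAlert) = 1, score each countermeasure and pick the best ROI. The graph, the countermeasure table, the hop-count threshold, the risk-propagation rule (Pr(v) = 1 - Π(1 - Pr(u)·w(u,v)) over parents u), the benefit (reduction of risk probability at the target) and the ROI formula (benefit divided by cost plus intrusiveness) are all assumptions standing in for the missing lines.

```python
"""Countermeasure selection over a small attack graph, following the visible
structure of the CountermeasureSelection pseudocode above.

Added example, not the paper's code. Graph, countermeasure table, threshold,
risk propagation, benefit and ROI formulas are constructed assumptions.
"""
from collections import deque

# Attack graph G(V, E) as an adjacency list: edge u -> v means that exploiting u
# enables v. Edge weights are assumed per-step exploit success probabilities.
GRAPH = {
    "web-vm":   {"db-vm": 0.8},
    "db-vm":    {"admin-vm": 0.6},
    "admin-vm": {"target": 0.9},
    "mail-vm":  {"target": 0.3},
    "target":   {},
}
TARGET = "target"
DISTANCE_THRESHOLD = 3   # assumed: alerts more than 3 hops from the target only update the ACG

# Countermeasure table (constructed): node it applies to, assumed effectiveness
# (fraction of that node's onward exploit probability removed), cost and intrusiveness.
COUNTERMEASURES = [
    {"name": "traffic-redirection", "node": "web-vm",   "eff": 0.9, "cost": 0.3, "intrusive": 0.2},
    {"name": "network-reconfig",    "node": "db-vm",    "eff": 0.7, "cost": 0.2, "intrusive": 0.4},
    {"name": "ip-address-change",   "node": "admin-vm", "eff": 0.5, "cost": 0.1, "intrusive": 0.6},
    {"name": "packet-filtering",    "node": "mail-vm",  "eff": 0.8, "cost": 0.2, "intrusive": 0.1},
]

def distance_to_target(graph, src, target):
    """Shortest hop count from src to target (BFS); None if unreachable."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, d = queue.popleft()
        if node == target:
            return d
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, d + 1))
    return None

def descendants(graph, src):
    """All nodes reachable from src (line 6: Descendant(vAlert))."""
    out, stack = set(), [src]
    while stack:
        for nxt in graph[stack.pop()]:
            if nxt not in out:
                out.add(nxt)
                stack.append(nxt)
    return out

def calculate_risk_prob(graph, prior, scale=None):
    """Assumed propagation: Pr(v) = 1 - prod(1 - Pr(u) * w(u,v) * scale[u]) over parents u.
    `prior` fixes Pr for given nodes (line 7 sets Pr(vAlert) = 1); `scale` models a
    countermeasure on node u by shrinking u's onward exploit probability. Graph is assumed acyclic."""
    scale = scale or {}
    indeg = {v: 0 for v in graph}
    for u in graph:
        for v in graph[u]:
            indeg[v] += 1
    order, queue = [], deque(v for v in graph if indeg[v] == 0)
    while queue:                      # topological order so parents are computed first
        u = queue.popleft()
        order.append(u)
        for v in graph[u]:
            indeg[v] -= 1
            if indeg[v] == 0:
                queue.append(v)
    pr = dict(prior)
    for v in order:
        if v in prior:
            continue
        miss = 1.0
        for u in graph:
            if v in graph[u]:
                miss *= 1 - pr.get(u, 0.0) * graph[u][v] * scale.get(u, 1.0)
        pr[v] = 1 - miss
    return pr

def countermeasure_selection(alert_source, graph=GRAPH, cms=COUNTERMEASURES, target=TARGET):
    """Return (name of the countermeasure with the best ROI, ROI table);
    (None, {}) when the alert is out of scope or no countermeasure applies to T."""
    d = distance_to_target(graph, alert_source, target)
    if d is None or d > DISTANCE_THRESHOLD:
        return None, {}               # lines 2-5: only the ACG would be updated
    T = descendants(graph, alert_source) | {alert_source}
    base = calculate_risk_prob(graph, {alert_source: 1.0})
    roi = {}
    for cm in cms:
        if cm["node"] not in T:       # assumed: a countermeasure must act on a node in T
            continue
        after = calculate_risk_prob(graph, {alert_source: 1.0}, scale={cm["node"]: 1 - cm["eff"]})
        benefit = base[target] - after[target]                       # assumed benefit
        roi[cm["name"]] = benefit / (cm["cost"] + cm["intrusive"])   # assumed ROI
    if not roi:
        return None, {}
    return max(roi, key=roi.get), roi

if __name__ == "__main__":
    chosen, table = countermeasure_selection("web-vm")
    print(chosen, {k: round(v, 4) for k, v in table.items()})
```

For an alert whose source is web-vm, the risk probability at the target before any countermeasure is 0.432; redirecting traffic at web-vm cuts it to 0.0432, which gives the highest ROI of the three applicable countermeasures, while packet filtering on mail-vm is never considered because mail-vm is not a descendant of the alert source.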

7. CONCLUSION AND FUTURE WORK

In this paper we have a host-based IDS. As the name itself indicates, HIDS is appropriate for protecting an individual cloud server and the information it contains. However, it doesn't provide data security on the network as a whole. Also, the security system takes up considerable processing resources of the host, such as RAM, CPU and storage. To overcome the limitations of HIDS we can combine the strengths of HIDS and NIDS systems by forming hybrid systems, that is, HyIDS. But as per the protection model discussed above, we need to work on reducing false alarms and the large volume of raw alerts generated by the IDS system. So, as per need, we can go for HIDS, NIDS or hybrid IDS.

REFERENCES

[1] NICE (July/August 2013), Network Intrusion Detection and Countermeasure Selection in Virtual Network Systems, IEEE Transactions on Dependable and Secure Computing, vol. 10, no. 4.
[2] Top Threats to Cloud Computing v1.0, https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf, Mar. 2010.
[3] M. Armbrust, A. Fox, R. Griffith, A.D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, A View of Cloud Computing, ACM Comm., vol. 53, no. 4, pp. 50-58, Apr. 2010.
[4] H. Takabi, J.B. Joshi, and G. Ahn, Security and Privacy Challenges in Cloud Computing Environments, IEEE Security and Privacy, vol. 8, no. 6, pp. 24-31, Dec. 2010.
[5] Open vSwitch project, http://openvswitch.org, May 2012.
[6] Z. Duan, P. Chen, F. Sanchez, Y. Dong, M. Stephenson, and J. Barker, Detecting spam zombies by monitoring outgoing messages, IEEE Trans. Dependable and Secure Computing, vol. 9, no. 2, pp. 198-210, Apr. 2012.
[7] S. Roschke, F. Cheng, and C. Meinel, A new alert correlation algorithm based on attack graph, Computational Intelligence in Security for Information Systems, LNCS, vol. 6694, pp. 58-67, Springer, 2011.
[8] A. Roy, D. S. Kim, and K. Trivedi, Scalable optimal countermeasure selection using implicit enumeration on attack countermeasure trees, Proc. IEEE Intl Conf. on Dependable Systems Networks (DSN 12), Jun. 2012.
[9] C. Modi, D. Patel, B. Borisaniya, H. Patel, A. Patel, and M. Rajarajan, A survey of intrusion detection techniques in Cloud, Journal of Network and Computer Applications, vol. 36, no. 1, pp. 42-57, January 2013.
