Tuesday, January 28, 2020

Intrusion Detection System Using Node-Predictive Attack

Intrusion Detection System Using Node-Predictive Attack Intrusion Detection System Using Node-Predictive Attack Graph Model for Cloud Ambikavathi C Dr.S.K.Srivatsa Abstract- The role of Intrusion Detection System (IDS) in security world is considered as a key requirement for any computing model. This traditional methodology can add its own contribution of security to the distributed Cloud environment. The purpose of this paper is to clarify the steps that are needed to be taken in order to efficiently implement the IDS in cloud environment. The proposed system uses node predictive attack graph to correlate the newly occurred attacks with known attacks. The prediction steps are used to later monitor the environment and control the attacks. Keywords-Attack Graph; Cloud Computing; IDS ,; I. INTRODUCTION A. What is Cloud computing? Cloud computing is â€Å"a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction†[1]. This cloud model is co mposed of three service models, four deploy ment models and five essential characteristics . The three service models are So ftware as a Service (SaaS), Platfo rm as a Se rvice (PaaS) and Infrastructure as a Service (IaaS). The four deployment models are private cloud, public cloud, hybrid cloud and community cloud. The five essential characteristics of cloud are on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service. B. What is IDS? Intrusion detection systems are software or hardware systems that automate the process of monitoring the events occurring in a computer system or network, analyzing them for malicious activities or policy violations and produces reports to a management station. IDSs a rehost-based, network-based and distributed IDSs. Hos t based IDS (HIDS) monitors specific host machines, network-based IDS (NIDS) identifies intrusions on key network points and distributed IDS (DIDS) operates both on host as well as network [7]. IDS can be a valuable addition to the security arsenal. IDS performs the following functionalities : Monitoring and analyzing both user and system activities .Analyzing system configurations and vulnerabilities .Assessing system and file integrity.Ability to recognize patterns typical of attacks.Analysis of abnormal activity patterns.Tracking user policy violations.The extensive use of virtualization in implementing cloud infrastructure brings unique security concerns for customers or tenants of a public cloud service. Virtualization alters the relationship between the OS and underlying hardware. This introduces an additional layer virtualization that itself must be properly configured, managed and secured. Specific concerns include the potential to compromise the virtualization software, or hypervisor. So virtual machine security is essential in cloud environment. C. Attack Graph Attack graphs are used to determine how vulnerable their systems are and to determine what security measures to deploy to defend their systems. In the predictive attack graph, a node represents a host and an edge represents vulnerability. The predictive attack graph representation accurately forecasts the effect of removing vulnerabilities by removing edges from the attack graph. The predictive attack graph is the full attack graph with redundant paths removed. A path is considered redundant if the path contains the same vulnerability-host pair in two or mo replaces along the same attack path. In node predictive attack graph, a node can be host or a group of hosts, and an edge can be vulnerability or a group of vulnerabilities. The node predictive attack graph is a simplified version of the predictive attack graph. The node predictive attack graph’s purpose is to mitigate the effects of â€Å"firewall explosion.† Firewall explosion causes redundancy in the predictive gr aph. Thus, the node predictive attack graph mitigates this issue by merging nodes of the attack graph. Two nodes are merged if the attacker can compromise the two hosts from all hosts the attacker has already compromised. [16] Rest of the paper is organized as follows. Section II discusses about the related work done. Proposed system is described briefly in section III. Section IV, presents the implementation part of EIDS and section V concludes with references at the end. II. RELATED WORK In this section, we present related research to our proposed work: Intrusion detection in cloud and attack graph models. A. Anomaly based IDS Anomaly or behavior based detection [7] refers to techniques that define and characterize normal or acceptable behaviors of the system (e.g., CPU usage, job execution time , system ca lls). Behaviors that deviate fro m the expected normal behavior are considered intrusions. Generation of high false alarms is the major drawback of this type which leads to low detection efficiency. But it is able to detect new attack patterns. Here, Input parameter selection and analysis of ciphered data are tedious processes . It attains low throughput but high cost. Metrics and frame work to evaluate this IDS and compare with alternate IDS techniques is in need. Also it is poor in defending themselves from attacks. To avoid false alarms in anomaly based systems the system must be trained to create the appropriate user profiles. It requires extensive training to characterize normal behavior patterns. B. Signature based I DS Signature or Misuse based detection refers to techniques that characterize known methods to penetrate a system. These penetrations are characterized as a ‘pattern’ or a ‘signature’ that the IDS looks for. The pattern/signature might be a static string or a set sequence of actions[9]. It can only detect known attacks. Frequent updation is needed in the database for signatures of new attacks. The advantages of this IDS are, it generates less number of false alarms. A single signature can detect a group of attacks. It does not require extensive training. C. Fuzzy based IDS Fuzzy logic can be used to deal with inexact description of intrusions. It provides some flexibility to the uncertain problem of intrusion detection. Fuzzy logic techniques[5] are used for classification techniques. The classification algorithm is applied to audit data collected which learns to classify new audit data as normal or abnormal data. It allows greater complexity for IDS while it provides some flexibility to the uncertain problem of IDS. Most fuzzy IDS require human intervention to determine fuzzy sets and set of fuzzy rules . D. Artificial Neural Network based The goal of using ANNs for intrusion detection[5] is to be able to generalize data from incomplete data and to be able to classify data as being normal or intrusive. It is best because of it’s self learning capabilities , quick processing and can find small behaviour deviations. But it’s downside is it requires more tra ining sa mples and time consuming. E. Data Mining based IDS Some intrusion attacks are formed based on known attacks or variant of known attacks. To detect such signatures or attacks, signature apriori algorithm can be used, which finds frequent subset (containing some features of original attack) of given attack set. In Cloud, association rules can be used to generate new signatures. Using newly generated signatures, variations of known attacks can be detected in real time[5]. F. Profile based IDS In VM profile based IDS[12], a profile is created for each virtual machine in cloud that describes network behavior of each clouduser. The behavior gathered is then used for detection of network attacks on cloud. It detects the attacks early with robustness and minimum complexity. G. Entropy based IDS Entropy is, in general, used for measuring the data’s degree of impurity using a Threshold value. Entropy based anomaly detection system[14] is mainly proposed to prevent DDoS attacks. This is done in two steps. First users are allowed to pass through a router in network site. It detects for legitimate user using detection algorithm. Second again it passes through a router in cloud site. In this methodology confirmation algorithm is incorporated to detect the intruder by checking a threshold value. H. Multithreaded IDS Multithreading technique improves IDS performance within Cloud computing environment to handle large number of data packet flows. The proposed multi-threaded NIDS[8][4] is based on three modules named: capture module, analysis module and reporting module. The first one is responsible of capturing data packets and sending them to analysis part which analyzes them efficiently through matching against pre-defined set of rules and distinguishes the bad packets to generate alerts. Finally, the reporting module can read alerts and immediately prepare alert report. The authors conducted simulation experiments to show the effectiveness of their proposed method and compared it with single thread which presented high performance in terms of processing and execution time. However, the problem of detecting new types of attacks still needs many works to be done. I. Integrated model IDS It uses the combination two or more o f above techniques. It is advantageous since each technique has some advantages and drawbacks. Grid and Cloud Computing Intrusion Detection System (GCCIDS)[10] proposed the integration of knowledge and behavior analysis to detect specific intrusions. However, the proposed prototype cannot discover new types of attacks or create an attack database which must be considered during implementing IDS. A new integrated intrusion detection approach, called FCA NN[13] is proposed based on ANN and fuzzy clustering. Through fuzzy clustering technique, the heterogeneous training set is divided to several homogenous subsets. Thus complexity of each sub training set is reduced and consequently the detection performance is increased. J. Graph based IDS A graph is constructed in which nodes represent state of attack and edges represent the correlations between attacks. Queue graph, Dependency graph and Attack graph are the existing works done on IDS. To prevent vulnerable virtual machines from be ing compromised in the cloud, a multiphase distributed vulnerability detection, measurement, and countermeasure selection mechanism called NICE[2] is proposed, which is built on attack graph-based analytical models and reconfigurable virtual network-based countermeasures. III. PROP OSED WORK In this section, we describe how to construct and utilize node predictive attack graph model to handle vulnerabilities in cloud environ ment. Any attack has some set of predefined steps to incorporate it. An attack can only be accomplished when all its pre-conditions are met [11]. So that by keen monitoring the attack can be prevented. An attack graph is an abstraction that represents the ways an attacker can violate a security policy by leveraging interdependencies among discovered vulnerabilities. An attack graph can be generated from network configuration details and known vulnerabilities within the network. An attack path is a sequence of steps that starts from an attacker’s initial state to the attacker’s goal state (security policy violation) in an attack graph. Every virtual machine has it’s own logfile for recording the actions of that virtual machine. Th is logfile along with the knowledge base provides information for constructing attack graph. Fig. 1. Proposed Architecture IV. IMPLEMENTATION EIDS is implemented using Openebula[15] and OSSIM (Open Source – Security Information Management)[3] which comprises of traffic analyzers, vulnerability scanners. OS-SIM is embedded as a virtual mach ine in the c loud environment. The ro le of this virtual machine is to monitor all other virtual machines running in the environment. OSSIM provides a Security Information and Event Management (SIEM) solution. It is a one-stop solution and integrated the open source software’s NTOP, Mrtg, Snort, Open VAS, and Nmap. OSSIM is a cost effective solution in the area of monitoring network health and security of network/hosts compared to other propriety products[6]. A. Attack Analyzer Attack Analyzer is built on the top the traffic Analyzer of OS-SIM. It uses each virtual machine’s logfile to analyze and extract attack trace steps. Whenever an attack occurs it is added to the attack graph as a node along with its state and correlation function is invoked. Attack Graph Attack Graph Generator Alert System Knowledge Base Attack Analyzer B. Correlation function Correlation function correlates this new attack with known attacks and gives the prediction steps for this attack. These prediction steps for each attack are used to monitor the further attacks in future. C. Attack Graph Generator Each node in the graph defines an attack and the edge between nodes represent the correlation between that two attacks. V. CONCLUSION Defending distributed environment is difficult. Always prevention is better than cure. Prediction of Intrusions in prior enhances the security of cloud environment. So that predictive attack graph model is chosen for providing security to the distributed cloud environment. At any point the known attacks are correlated with each other to predict new attacks. REFERENCES: [1] NIST (National Institute of Standards and Technology ) http://csrc.nist.gov/p ublications/nistp ubs/800-145/SP800-145.p df [2] Chun-Jen Chung, Pankaj Khatkar, Tiany i Xing Jeongkeun Lee, Dijian g Huan g, â€Å"NICE: Network Intrusion Detection and Countermeasure Selection in Virtual Network Systems†, IEEE Transactions On Dependable And Secure Computing, Vol. 10, No. 4, pp. 198 – 211, July /August 2013. [3] â€Å"OSSIM †, https://www.alienvault.com/ [4] Ms. Parag K. Shelke, M s. Sneha Sontakke, Dr. A. D. Gawande, â€Å"Intrusion Detection Sy stem for Cloud Comp uting†, International Journal of Scientific Technology Research Volume 1, Issue 4, M ay 2012. [5] M odi, C., Patel, D., Patel, H., Borisaniy a, B., Patel, A. Rajarajan, M ., â€Å"A survey of intrusion detection techniques in Cloud†, Journal of Network and Computer App lications. [6] â€Å"OSSIM †, http ://www.op ensourceforu.com/2014/02 /top -10-op en-source-security -tools/ [7] Amirreza Zarrabi, Alireza Zarrabi, â€Å"Internet Intrusion Detection Sy stem Service in a Cloud† IJCSI International Journal of Computer Science Issues, Vol. 9, Issue 5, No 2, Sep tember 2012. [8] I. Gul and M . Hussain, â€Å"Distributed Cloud Intrusion Detection M odel†, International Journal of Advanced Science and Technology, vol. 34, pp. 71-82, 2011. [9] R. Bhadauria, R. Chaki, N. Chak i, and S. Sany al â€Å"A Survey on Secur ity Issues in Cloud Comp uting†, Available at: http ://arxiv.org/abs/1109.5388 [10] K. Vieira, A. Schulter, C.B. Westp hall, and C.M . Westphall, â€Å"Intrusion Detection for Grid and Cloud comp uting†, IT Professional, Volume: 12 Issue: 4, p p. 38-43, 2010. [11] X. Ou and A. Singhal, â€Å"Quantitative Secur ity Risk Assessment of Enterp rise Networks†, Sp ringerBriefs in Comp uter Scien ce, DOI 10.1007/978-1-4614-1860-3_2,  © The Author(s) 2012 [12] Sanchik a Gupta, Padam Kumar and Ajith Abraham, â€Å"A Profile Based Network Intrusion Detection and Prevention System for Secur in g Cloud Env ironment†, International Journal of Distributed Sensor Networks, Feb 2013 [13] Swati Ramteke, Rajesh Dongare, Ko mal Ramteke, â€Å"Intrusion Detection System for Cloud Network Using FC-ANN Algorithm†, Int. Journal of Advanced R esearch in Comp uter and Communication En gineeringVo l. 2, Issue 4, April 2013. [14] A.S.Sy ed Navaz, V.San geetha, C.Prabhadevi, â€Å"Entropy based Anomaly Detection System to Prevent DDoS Attacks in Cloud†, Int. Journal of Computer Applications (0975 – 8887) Volume 62– No.15, January 2013 [15] â€Å"Op ennebula†, http ://opennebula.org [16] Nwokedi C. Idika, â€Å"Characterizin g and A ggregating Attack Grap h-based Security M etrics†, CERIAS Tech Rep ort 2010

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.