Cloud Using Entropy Based Anomaly Detection System


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Cloud computing is a recent computing model that provides consistent access to widely distributed resources. It has changed the IT landscape through its service-provisioning infrastructure, lower maintenance cost, assured availability of data and services, rapid accessibility and scalability. A Grid and Cloud Computing Intrusion Detection System (GCCIDS) inspects encrypted node-to-node communication and uncovers hidden attack attempts, detecting attacks that neither a network-based nor a host-based IDS can identify on its own. It combines knowledge-based and behavior-based analysis to identify specific intrusions. A signature-based IDS performs poorly when faced with a large volume of anomalies. A further problem is that a Cloud Service Provider (CSP) may conceal an attack caused by an intruder. Because of its distributed nature, the cloud environment has a high likelihood of vulnerable resources, and by impersonating legitimate users intruders can consume a service's abundant resources. In the proposed system we combine several existing concepts with newer intrusion detection techniques: an entropy-based system is merged with an anomaly detection system to provide multi-level detection of Distributed Denial of Service (DDoS) attacks. This is done in two steps. First, user traffic passes through a router at the network site that runs a detection algorithm and checks whether the user is legitimate. Second, the traffic passes through a router at the cloud site that runs a confirmation algorithm and compares the result against a threshold: if the value is above the threshold the user is treated as legitimate, otherwise an intruder is present in the environment. The system is operated and maintained by a third party. When an attack occurs, it sends a notification message to the client and an advisory report to the Cloud Service Provider (CSP).

INTRODUCTION

Cloud computing is evolving into a new model in which services are delivered in a manner similar to conventional utilities such as water, gas, electricity and telephone service. The infrastructure is presented as a "Cloud" that businesses and customers take part in and from which they can access applications from anywhere in the world according to their requirements.

The cloud computing service model consists of Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). All IT functions, such as applications, networking, security, storage and software, work together to provide users with a service based on the client-server model.

ISSUES:

Most threats in existing systems arise from Service Oriented Architecture (SOA): the combination of SOA and cloud computing introduces security threats and can make controlling access to information difficult. A low level of understanding of the platform can also generate threats.

Because cloud computing supports a distributed, service-oriented model with a multi-domain, multi-user administrative infrastructure, it is more prone to security threats and vulnerabilities. Due to its distributed nature, the cloud environment has high intrusion prospects and is suspected of poor security. Large business organizations place their data in the cloud and stop worrying about it, since the Cloud Service Provider (CSP) stores and maintains the cloud user's data, applications or infrastructure. This loss of control over data and applications raises security challenges such as data integrity, confidentiality and availability.

DDoS: an attack in which multiple compromised systems, infected with a Trojan, are used to target a single system, causing a Denial of Service (DoS). The victims of a DDoS attack are both the targeted system and all the systems maliciously used and controlled by the attacker in the distributed attack, and the impact on the service provider is higher than on the clients.

In this case both provider and user are badly disrupted. Such incidents seriously affect the company's reputation, client trust and client interest.

I. Related Work and Existing System:

Distributed Cloud Intrusion Detection Model

NIDS and HIDS are not suitable for the security environment of the cloud. Irfan Gul et al. [2] have suggested placing the IDS as a middleware layer that has an audit system designed to cover the attacks that HIDS and NIDS cannot. Using this model, the IDS becomes a middleware through which any information from the cloud user to the CSP has to pass. This middleware is said to be a third party, and it is fully maintained by the service provider.

Intrusion detection in the cloud

An intrusion detection system plays an important role in the security and persistence of an active defense system against intruders. IDS implementation in cloud computing requires an efficient, scalable and virtualization-based approach. Sebastian Roschke et al. [3] note that in cloud computing the user's data and applications are hosted on the cloud service provider's remote servers, and the cloud user has only limited control over its data and resources. In their design the alerts generated are sent to an "Event Gatherer" program, which receives the alert messages, converts them to the IDMEF standard and stores them in an event database repository with the help of Sender, Receiver and Handler plug-ins.

Cloud QoS, High Availability & Service Security Issues with Solutions

Distributed Denial of Service (DDoS) poses a potential threat to this key technology of the future. Muhammad Zakarya et al. [4] have suggested a new cloud environment and architecture together with an entropy-based Anomaly Detection System (ADS) approach to mitigate DDoS attacks, which further improves network performance in terms of computation time, Quality of Service (QoS) and High Availability (HA) in a cloud computing environment. The entropy approach uses two algorithms to mitigate intruders: a detection algorithm and a confirmation algorithm.

AN ANOMALY DETECTION SYSTEM FOR DDOS ATTACK IN GRID COMPUTING

Grid computing is a fast-rising field for wide-area distributed computing. A grid is a collection of heterogeneous computers and resources across multiple organizations that delivers computing and resources as services to its users. Distributed Denial of Service (DDoS) is one of the major problems for grid computing services. Sumit Kar et al. [6] observe that securing a system against DDoS attacks involves three methods: (i) attack prevention, (ii) attack detection and recovery, and (iii) attack identification. Their paper discusses the weakness of grid computing in the presence of DDoS attacks, focuses on attack detection and recovery, and uses an entropy-based anomaly detection system to detect DDoS attacks. A grid topology model is used to show how the entropy-based anomaly detection system can be implemented in a grid environment.

Integrating a Network IDS into an Open Source Cloud Computing Environment

Based on the data source they analyze, IDS can be classified as network-based or host-based. A network-based IDS analyzes the traffic flowing through a network segment by capturing packets in real time and checking them against some "classification" criteria. Claudio Mazzariello et al. [8] note that IDS can be further characterized by the type of detection mechanism implemented: an IDS can explicitly model attacks, anomalies and unwanted behavior, implementing the misuse-based detection paradigm, or conversely model normal and expected events and flag as anomalous whatever does not conform to that "normality" model.

ANOMALY

Maintaining security in a cloud environment is a real challenge, and the toughest part of security management in large high-speed networks such as grids and clouds is the detection of suspicious anomalies in network traffic patterns caused by DoS and DDoS attacks. To secure the cloud from a DoS attack it must be detected, with a high detection rate and a low false-positive rate, before it affects the cloud user, so that the attack traffic can be discarded without affecting legitimate traffic. Intrusion detection systems are widely used for DDoS attack detection. Using entropy to analyze changes in the traffic distribution has two advantages: (i) entropy-based anomaly detection increases the detection capability compared with volume-based methods, and (ii) the entropy method provides additional information to distinguish between different types of anomaly (worms, DDoS attacks, scanning). The anomaly detection system discussed in this paper is based on analyzing the change in entropy of two traffic distributions, IP addresses and ports.

ENTROPY BASED APPROACH

Entropy, or the Shannon-Wiener index, is an important concept in information theory: it measures the uncertainty or randomness associated with a random variable, in this case the data arriving over the network. The more random the data, the higher its entropy. The value of the sample entropy lies in the range [0, log n]. The entropy is lower when the class distribution is pure, i.e. all items belong to one class, and higher when the class distribution is impure, i.e. the items are spread over many classes. Comparing the entropy of one sample of packet header fields with that of another sample therefore provides a mechanism for detecting changes in randomness.

Entropy takes its minimum value 0 when all the items (IP addresses or ports) are the same and its maximum value log n when all the items are different. We use the change in entropy of the traffic distributions (IP address, port) for DDoS detection. When measuring the entropy of packets over unique source or destination addresses, the maximum value of n is 2^32 for IPv4 addresses. When calculating entropy over application ports, n is the maximum number of ports.

The entropy H(X) of a random variable X with possible values {x1, x2, ..., xn} and probability distribution P = {p1, p2, ..., pn} with n elements, where 0 <= pi <= 1 and

Here p(xi), xi in X, is the probability that X takes the value xi. Suppose we observe X for a fixed time window w; then p(xi) = mi/m, where mi is the frequency, i.e. the number of times we observe X taking the value xi, and m is the total number of observations.
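Added here as a worked statement, not reproduced from the essay: Shannon's standard definition of H(X), written with the page's own symbols p(xi), mi and m, followed by the two extreme cases that give the bounds quoted in this section. n0 denotes, as later on the page, the number of distinct values actually observed in the window.

$$
H(X) = -\sum_{i=1}^{n} p(x_i)\,\log p(x_i), \qquad p(x_i) = \frac{m_i}{m}, \qquad \sum_{i=1}^{n} p(x_i) = 1 .
$$

If every packet in the window carries the same value $x_1$ (a pure distribution), then $m_1 = m$, $p(x_1) = 1$ and every other $p(x_i) = 0$, so with the convention $0 \log 0 = 0$

$$
H(X) = -1 \cdot \log 1 = 0 .
$$

If the $m$ packets are spread evenly over $n_0$ distinct values (an impure distribution), then $p(x_i) = 1/n_0$ for each observed value and

$$
H(X) = -\sum_{i=1}^{n_0} \frac{1}{n_0}\log\frac{1}{n_0} = \log n_0, \qquad \frac{H(X)}{\log n_0} = 1 .
$$

Every other distribution over the same $n_0$ values falls between these two cases, $0 \le H(X) \le \log n_0 \le \log n$. Dividing by $\log n_0$ therefore puts every window on the same $[0, 1]$ scale regardless of how many distinct addresses or ports it happens to contain, which is what makes a single threshold on the normalized value usable across windows.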

When we want to calculate the probability of a given source (destination) address x:

P(x) = (number of packets with x as source (destination) address) / (total number of packets)

That is, mi = number of packets with xi as the source (destination) address and m = total number of packets, where the total number of packets is the number of packets seen in a time window T.

Similarly we can calculate the probability of each source (destination) port as

P(x) = (number of packets with x as source (destination) port) / (total number of packets)

Normalized entropy: NE = H / log n0, where n0 is the number of distinct xi values in the given time window.

If NE < th1, where th1 is threshold value 1, mark the flow as suspected and raise an alert.

In a DDoS attack, the attack flow dominates the traffic captured in the time window T, so the normalized entropy of the traffic decreases in a detectable manner. The same drop can, however, also occur when an enormous number of genuine users access the service at once. To confirm the attack we therefore calculate the entropy rate a second time. Here a flow is the set of packets that share the same destination address/port.

Projected entropy: for stochastic processes, the entropy rate H(x) of the two random processes is the same.

If H(x) <= th2, where th2 is threshold value 2, mark the flow as attacked, raise a final alert and discard the attack flow.
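The two-stage check of this section, as an added Python example that is not code from the essay or from the papers it cites. Stage 1 computes the normalized entropy NE of the destination address/port distribution over one window and compares it with th1; stage 2 re-computes the raw entropy H of the source addresses inside the dominant flow (the packets sharing the most common destination address/port) and compares it with th2. The threshold values, the choice of destination (address, port) as the stage-1 distribution, the reading of the page's "entropy rate of the flow" as the source-address entropy of the dominant flow, and the three traffic windows (a normal window, a flash crowd of genuine clients, and a small botnet) are all assumptions constructed for this example.

```python
import math
from collections import Counter

# Threshold values are assumptions for this example; the essay gives th1 and th2 no numbers.
TH1 = 0.6   # stage 1: NE of destination (address, port) below this -> flow is suspected
TH2 = 5.0   # stage 2: raw source-address entropy (bits) of the dominant flow at or below this -> attack


def entropy(counts):
    """Shannon entropy H(X) = -sum p_i log2 p_i with p_i = m_i / m, in bits."""
    m = sum(counts.values())
    if m == 0:
        return 0.0
    return -sum((c / m) * math.log2(c / m) for c in counts.values() if c)


def normalized_entropy(counts):
    """NE = H / log2(n0), n0 = number of distinct values seen in the window.
    1.0 for a uniform spread, 0.0 when a single value carries all packets."""
    n0 = len(counts)
    if n0 <= 1:
        return 0.0
    return entropy(counts) / math.log2(n0)


def analyse_window(packets, th1=TH1, th2=TH2):
    """Two-stage check over one time window of (src_ip, dst_ip, dst_port) tuples.

    Stage 1 (detection): NE of the destination address/port distribution; a
    drop below th1 marks the window as suspected (DDoS or flash crowd).
    Stage 2 (confirmation, assumed reading of the essay): raw entropy of the
    source addresses inside the dominant flow, i.e. the packets that share
    the most common destination address/port. A small sender set gives a
    low H and confirms the attack; a genuine crowd of many clients does not.
    """
    dst_counts = Counter((dst, port) for _, dst, port in packets)
    ne_dst = normalized_entropy(dst_counts)
    result = {"ne_dst": round(ne_dst, 3), "suspect": ne_dst < th1,
              "flow": None, "h_src_flow": None, "verdict": "legitimate"}
    if not result["suspect"]:
        return result                       # nothing to confirm
    (dst, port), _ = dst_counts.most_common(1)[0]
    src_counts = Counter(s for s, d, p in packets if (d, p) == (dst, port))
    h_src = entropy(src_counts)
    result.update(flow=(dst, port), h_src_flow=round(h_src, 3))
    if h_src <= th2:
        result["verdict"] = "attack"        # final alert: discard this flow
    return result


# --- constructed sample windows (not captured traffic) -------------------------
CLIENTS = [f"192.0.2.{i}" for i in range(40)]
SERVICES = [(f"10.0.0.{j}", 443) for j in range(8)]
TARGET = SERVICES[5]


def background_window():
    """200 packets: 40 clients spread evenly over 8 services."""
    return [(CLIENTS[i % 40], *SERVICES[i % 8]) for i in range(200)]


def flash_crowd_window():
    """Background plus 500 distinct genuine clients sending 2 packets each to TARGET."""
    crowd = [f"203.0.113.{i}" if i < 250 else f"198.51.100.{i - 250}" for i in range(500)]
    return background_window() + [(s, *TARGET) for s in crowd for _ in range(2)]


def ddos_window():
    """Background plus 5 bots sending 200 packets each to TARGET."""
    bots = [f"172.16.99.{i}" for i in range(5)]
    return background_window() + [(b, *TARGET) for b in bots for _ in range(200)]


if __name__ == "__main__":
    for name, window in (("normal", background_window()),
                         ("flash crowd", flash_crowd_window()),
                         ("ddos", ddos_window())):
        print(f"{name:12s} {analyse_window(window)}")
```

Both the flash crowd and the botnet push the stage-1 NE of the destination distribution down to about 0.34, so stage 1 alone cannot separate them, which is the false-alarm case the paragraph above warns about. Stage 2 uses the raw entropy rather than NE on purpose: five bots sending at equal rates are a uniform distribution over their own five values, so their NE would be 1.0 and look perfectly healthy, whereas the raw value of roughly 2.5 bits exposes the small sender set and the 500-client crowd scores close to 9 bits. The confirmation step is blind to an attacker who spoofs random source addresses, since that inflates H; in practice the same check should be run over further header fields before a flow is discarded.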
