Detection System For Cloud Computing


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Security in cloud computing is a major challenge. Protecting the infrastructure from intrusions is important because intrusions affect the privacy, availability and reliability of the infrastructure and of the services the cloud provides. One of the security issues faced is Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. Intrusion Detection Systems (IDS) have long been used in networks to detect malicious behaviour. To counter malicious intrusions and DoS/DDoS attacks in the cloud environment we propose an IDS that is based on Snort and combines signature-based and anomaly-based detection. The system detects network intrusions in the cloud environment using cooperative agents. Our objective is to deploy a system that identifies threats more accurately at a lower computational cost.

Keywords: Cloud Computing, Intrusion Detection System, DDoS Attacks, DoS Attacks

Introduction

Cloud computing has evolved and grown rapidly as a way of providing easily accessible utility computing: configurable computing resources that need little management effort or interaction with the service provider. A cloud environment provides three types of service: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).

In a cloud environment users have no physical access to the hardware. All cloud services are delivered over the Internet, which raises concerns about security and privacy. The cloud inherits all the security problems of other environments, plus new threats and issues caused by the cloud environment itself. At the network layer the cloud suffers from traditional attacks such as IP spoofing, Address Resolution Protocol (ARP) spoofing, Routing Information Protocol (RIP) attacks, DNS poisoning, man-in-the-middle attacks, port scanning, insider attacks, Denial of Service (DoS) and Distributed Denial of Service (DDoS). These attacks compromise the security, privacy, reliability and availability of the cloud. Many cloud providers use firewalls to address such issues. The problem with a firewall is that it only inspects traffic at the boundary of the network and offers no detection of threats that originate inside it. For this reason firewalls alone cannot provide sufficient security for a cloud environment.

Another solution is to deploy an Intrusion Detection System in the cloud. An IDS plays the role of an alert system and adds another security layer by detecting attacks. The efficiency of an IDS depends on the techniques used for detection and on where it is deployed. Intrusion Detection Systems have been studied for years and are widely used in IT infrastructures as an effective security measure. By deployment, IDSs are classified into host-based IDS and network-based IDS.

Our proposed model is a network-based IDS that uses a cooperation technique to identify and block threats. The system uses signature-based detection as well as behaviour/anomaly-based detection. Both are needed in order to detect external and internal threats. Signature-based detection accurately detects already known attack patterns by matching traffic against the information in its database. Anomaly-based detection keeps a log of the normal activity of legitimate users and flags unusual behaviour by a user, which may be an internal attack. Used alone, signature-based detection misses attacks for which no signature exists (false negatives), while anomaly-based detection alone tends to raise more false alarms (false positives). Our proposed system is designed to address both problems and to provide a more reliable and efficient Intrusion Detection System.

Related Works

Jong-Sung Y and Hyoung-Kee C [1] proposed an architecture that classifies and manages VM (Virtual Machine) traffic in a virtual network at the IP level. Their architecture is composed of a screen server and a security module. With this architecture the security module classifies traffic from a VM (e.g. VM1) that leaves its group as external traffic. Once traffic is identified as external, the security module rewrites the destination web server's MAC address to that of an external switch, via which the traffic is routed to the screen server. Traffic from one VM therefore does not affect other user groups. All internal traffic in this architecture is encrypted and bypasses the screen server, so it is protected from passive attacks. The drawback of this approach is that it increases the network load.

Y. He and M. Che [3] presented a security architecture based on the concept of isolation to secure the core layer. A one-way data transmission architecture is designed to protect the core resource layer from invasion, since two-way communication between the core facilities and the upper structure is vulnerable. To achieve the desired isolation two one-way data transmission devices are used, one at the sending end and one at the receiving end. This architecture enhances the security of the core layer but cannot detect intruders.

M. A. Alzain, B. Soh and E. Pardede [4] proposed a new model, Multi-Clouds Database (MCDB), which comprises multiple service providers and a secret-sharing algorithm. The stated purpose of the model is to avoid the failure of cloud services. The model replicates data among multiple clouds to preserve security and privacy, and relies on the Database Management System to manage and control the operations between consumers and service providers. In the MCDB model data is not encrypted before storage, and the approach resembles cluster computing, which is more time-consuming and costly. Without an Intrusion Detection and Prevention System, a successful DoS/DDoS attack would put data availability at risk.

B. Joshi, A. S. Vijayan and B. K. Joshi [5] introduced the Cloud Trace Back model and the Cloud Protector. The Cloud Trace Back (CTB) model is based on the Deterministic Packet Marking (DPM) algorithm. The proposed model is "to offer a solution to trace back the source of the DDoS attacks and introduce the use of a back propagation neural network, called Cloud Protector, which was trained to detect and filter such attack traffic" [5]. To identify the source of a DDoS attack, CTB uses the DPM algorithm, which marks the ID field in the IP header of every incoming packet; the mark remains unchanged as the packet crosses the network. After an attack is discovered the victim requests reconstruction and extracts the mark, from which the origin of the attack traffic can be identified and filtered. Elimination and filtering of attack messages is done by the Cloud Protector, a back propagation neural network. The model can mark packets and identify the source of an intrusion after the fact, but it lacks the ability to identify and prevent the attack as it happens.

A. Bakshi et al. [11] proposed an approach to detect DDoS attacks on VMs. In this approach Snort is installed in the virtual switch to log network traffic into a database. To detect an attack, the logged packets are analysed by Snort, which determines the nature of the attack and notifies the virtual server. The virtual server then drops packets coming from the identified IP address. If the attack is a DDoS, all the zombie machines are blocked. The virtual server then migrates the targeted application to other machines hosted by a separate data centre and updates the routing tables. A firewall placed at the new server blocks all packets coming from the identified IP address. This approach secures services running on VMs, but it cannot detect anomaly-based intrusions.

Proposed System Design

Our proposed framework combines anomaly-based and signature-based intrusion detection. Snort is used for signature-based detection and a Bayesian classifier for anomaly-based detection.

Snort is a lightweight open-source network security application based on libpcap that serves as a packet sniffer, a packet logger and a NIDS.

Figure 1 Components of Snort

Snort consists of following components,

Packet Decoder: takes packets from the network interfaces, prepares them and hands them to the pre-processor.

Pre-Processor: prepares packets for the detection engine. It detects anomalies in packet headers and reassembles fragmented packets.

Detection Engine: matches rules against every packet to identify intrusions or suspicious data. A packet that matches no rule is passed through without action; otherwise the action specified by the matching rule is taken, such as generating an alert.

Logging and Alerting System: a suspicious packet is logged and a system alert may be generated.

Output Modules: a set of plug-ins that control the type of output generated.

A Bayesian classifier is a probabilistic classifier based on Bayes' theorem. It estimates the probability of a given network event belonging to each class in order to classify it as normal or as an intrusion.

In a cloud environment an Intrusion Detection System can be deployed at the user end or at the server end. An IDS can also be deployed on each VM, but that makes management very complex. An IDS deployed at the user end can only detect external threats, whereas in a cloud environment both internal and external threats must be considered. An IDS deployed on the processing servers addresses this problem.

Figure 2 Possible IDS Deployment in Cloud [12]

Our proposed system is a distributed and cooperative [14] IDS. Each node is responsible for its own intrusion detection, but neighbouring nodes also cooperate in the process. An IDS is placed on every node and monitors local activity. If one IDS detects an intrusion it sends an alert to the IDS modules on the other processing servers. The receiving IDSs immediately evaluate the trustworthiness of the alert against their judgement criteria. Once a packet is identified as an intrusion, a new blocking rule is added to the block table.

Figure 3 Architecture of Proposed IDS

Detection Engine

The detection engine consists of the Snort classifier and the alert cluster. It applies the detection techniques to each packet. Our IDS uses two types of detection to reach the desired level of protection.

Signature/Knowledge-based Detection: the system matches packets against rules (patterns of known attacks or weak spots) stored in the knowledge/signature base to identify intrusions. This technique detects known attacks accurately and efficiently but cannot detect new attacks.

Anomaly Detection: normal usage profiles of legitimate users are collected in the anomaly base. When a user's behaviour deviates significantly from the observed profile, a statistical test is applied to judge whether the behaviour is legitimate. This technique needs no prior knowledge of an intrusion and can therefore detect new attacks, at the cost of more false alarms when legitimate behaviour changes.

In the proposed system we first apply signature-based detection to each packet to catch known attacks, and then anomaly detection to catch unknown ones.

The intrusion detection component collects network packets and analyses them. The NIDS uses two detection techniques to achieve a high level of security: Snort performs signature-based detection, and the packets that match no signature are pre-processed for anomaly detection. If a packet matches no rule in the signature base and shows no deviation in the anomaly base, it is considered safe and accepted; otherwise it is sent to the next component.
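The two-stage pipeline described above, written out as an added example in Python (this is not code from the essay, from Snort, or from the authors' prototype). The first stage does Snort-style protocol/port/content matching against a constructed signature base; whatever it does not catch goes to a categorical naive Bayes classifier trained on a constructed normal-usage profile plus a few constructed flood-style attack events. The packet records, the signatures, the feature buckets in `featurise` and the 0.5 decision threshold are all assumptions made for the illustration, not values from the essay.

```python
"""Two-stage detection: signature matching first, naive Bayes anomaly detection second.
Added example; all packets, signatures, buckets and thresholds below are constructed."""
import math
from collections import Counter, defaultdict

# Constructed signature base in the spirit of Snort's proto/port/content rules
# (not real Snort rule syntax).
SIGNATURES = [
    {"name": "shell-in-http-request", "proto": "tcp", "dport": 80, "content": b"/bin/sh"},
    {"name": "sqli-tautology-probe", "proto": "tcp", "dport": 80, "content": b"' OR 1=1"},
]

def match_signature(pkt):
    """Return the name of the first matching signature, or None."""
    for sig in SIGNATURES:
        if (pkt["proto"] == sig["proto"] and pkt["dport"] == sig["dport"]
                and sig["content"] in pkt.get("payload", b"")):
            return sig["name"]
    return None

def featurise(pkt):
    """Discretise a packet record into categorical features for naive Bayes.
    The bucket boundaries are assumptions chosen for this example."""
    return {
        "proto": pkt["proto"],
        "dport": "web" if pkt["dport"] in (80, 443) else "other",
        "size": "small" if pkt["size"] < 100 else "normal",
        "rate": "burst" if pkt["rate"] > 100 else "steady",   # packets/s from the source
    }

# Constructed training events: a normal-usage profile and a few flood-style attacks.
NORMAL_TRAIN = [
    {"proto": "tcp", "dport": 80, "size": 512, "rate": 10},
    {"proto": "tcp", "dport": 443, "size": 900, "rate": 25},
    {"proto": "udp", "dport": 53, "size": 80, "rate": 5},
    {"proto": "tcp", "dport": 22, "size": 300, "rate": 2},
    {"proto": "tcp", "dport": 80, "size": 1400, "rate": 40},
]
ATTACK_TRAIN = [
    {"proto": "tcp", "dport": 80, "size": 60, "rate": 900},     # SYN-flood-like
    {"proto": "udp", "dport": 53, "size": 64, "rate": 1500},    # UDP-flood-like
    {"proto": "icmp", "dport": 0, "size": 64, "rate": 2000},    # ping-flood-like
]

class NaiveBayes:
    """Categorical naive Bayes with add-one smoothing: P(class | features)."""
    def __init__(self):
        self.class_count = Counter()
        self.feat_count = defaultdict(Counter)   # feature -> Counter[(value, label)]
        self.values = defaultdict(set)           # feature -> set of values seen

    def train(self, events, label):
        for pkt in events:
            self.class_count[label] += 1
            for f, v in featurise(pkt).items():
                self.feat_count[f][(v, label)] += 1
                self.values[f].add(v)

    def p_intrusion(self, pkt):
        """Posterior probability that pkt is an intrusion (computed in log space)."""
        total = sum(self.class_count.values())
        logp = {}
        for label, n in self.class_count.items():
            lp = math.log(n / total)                             # class prior
            for f, v in featurise(pkt).items():
                # add-one smoothing: a value unseen for this class never zeroes the posterior
                lp += math.log((self.feat_count[f][(v, label)] + 1) / (n + len(self.values[f])))
            logp[label] = lp
        m = max(logp.values())
        z = sum(math.exp(v - m) for v in logp.values())
        return math.exp(logp["intrusion"] - m) / z

def build_model():
    model = NaiveBayes()
    model.train(NORMAL_TRAIN, "normal")
    model.train(ATTACK_TRAIN, "intrusion")
    return model

def inspect(pkt, model, threshold=0.5):
    """Stage 1: signature base. Stage 2: anomaly model on whatever no signature caught."""
    sig = match_signature(pkt)
    if sig is not None:
        return ("signature", sig)
    p = model.p_intrusion(pkt)
    return ("anomaly", p) if p >= threshold else ("accept", p)

if __name__ == "__main__":
    model = build_model()
    for pkt in [
        {"proto": "tcp", "dport": 80, "size": 300, "rate": 5, "payload": b"GET /cgi-bin/x?c=/bin/sh"},
        {"proto": "tcp", "dport": 80, "size": 60, "rate": 1200, "payload": b""},
        {"proto": "tcp", "dport": 443, "size": 800, "rate": 15, "payload": b"\x16\x03\x01"},
    ]:
        print(inspect(pkt, model))
```

With the constructed profile, the shell-string request is caught by a signature before the classifier ever sees it, the small high-rate packets to port 80 match no signature but get a posterior of about 0.78 for intrusion and are flagged as an anomaly, and the ordinary HTTPS packet scores about 0.01 and is accepted. The point of the second stage is the last two cases: neither has a signature, and only the deviation from the learned profile separates them.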

Alert Classification /Threshold computation

Once a packet is identified as a possible threat, this component evaluates it to determine the threat level. Three alert levels are used: high, moderate and low. An intrusion that affects the entire network is classed high. Any packet identified as a high-level threat is dropped immediately and an alert notification is sent to the other IDSs, which store the information in their databases. Moderate-level threats undergo a threshold check using a data-clustering method to reduce the chance of false alarms; if during this check the packet turns out to be a higher-level threat it is dropped. Alerts about low-level threats are ignored by the system. The intrusion detection state is shared with the other IDSs.

Cooperative operations

Each IDS has a cooperative agent. This agent propagates intrusion detection state information to the other IDSs and receives their alert messages.

Suppose IDS-1 detects an intrusion and sends an alert to IDS-2 and IDS-3. When the cooperative agents in IDS-2 and IDS-3 receive the message they do not drop the packet immediately; instead they apply a majority-vote rule to decide whether to drop or accept it. If more than half of the IDSs in the cloud have sent an alert for the packet, it is dropped; otherwise it is accepted.

In other words, if the fraction of alerting IDSs exceeds 0.5 the packet's alert level is classed high; otherwise the IDS accepts the packet and ignores the alert messages. With this approach any node that detects an intrusion can initiate a response.

Thus if any of the deployed IDSs comes under attack, its alert message is received by all the IDSs other than the one under attack. Configuring a third-party monitoring and advisory service alongside the proposed system, so that it is alerted as soon as an attack starts, would further improve the system's efficiency.

Figure 4 Workflow of The Proposed System when Packet is High level threat

Intrusion Response

This module blocks packets whose threat level was classified as high by this node, or which the majority vote decided to drop.
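The alert levels, the cooperative agent's majority vote and the resulting block table, as an added example in Python (not code from the essay or the authors' prototype). The node names, the attacker address 192.168.1.23 used in the essay's simulation and the three scenarios are constructed; the rule that a node's own detection counts as one vote in its own tally, and that the "high" level is dropped locally without waiting, are assumptions about details the essay leaves open. The threshold check by data clustering for moderate alerts is not modelled.

```python
"""Alert levels and cooperative majority vote between IDS nodes.
Added example; node names, addresses and scenarios are constructed."""
from dataclasses import dataclass, field

N_NODES = 3   # the essay's simulation uses three cloud sections with one IDS each

@dataclass
class IDSNode:
    name: str
    total_nodes: int
    block_table: set = field(default_factory=set)   # sources this node drops
    votes: dict = field(default_factory=dict)       # source ip -> nodes that alerted

    def local_detection(self, src_ip, level):
        """Handle this node's own verdict; returns the alert messages to broadcast.
        high: drop now and tell the others; moderate: tell the others and let the
        vote decide; low: ignore. Assumption: the node's own detection is one vote."""
        if level == "low":
            return []
        self.votes.setdefault(src_ip, set()).add(self.name)
        if level == "high":
            self.block_table.add(src_ip)
        return [(self.name, src_ip, level)]

    def receive_alert(self, sender, src_ip, level):
        """Cooperative agent: record the peer's alert, then apply the majority rule."""
        self.votes.setdefault(src_ip, set()).add(sender)
        return self.apply_vote(src_ip)

    def apply_vote(self, src_ip):
        """Drop once more than half of all IDS nodes have reported src_ip (share > 0.5)."""
        share = len(self.votes.get(src_ip, ())) / self.total_nodes
        if share > 0.5:
            self.block_table.add(src_ip)
            return True
        return False

def broadcast(nodes, messages):
    """Deliver every alert to every node except its sender."""
    for sender, src_ip, level in messages:
        for node in nodes:
            if node.name != sender:
                node.receive_alert(sender, src_ip, level)

def simulate(local_verdicts):
    """local_verdicts: {node name: (src ip, level)}, i.e. what each node saw itself.
    Returns the block table of every node after the alerts have been exchanged."""
    nodes = [IDSNode(f"IDS-{i}", N_NODES) for i in range(1, N_NODES + 1)]
    messages = []
    for node in nodes:
        if node.name in local_verdicts:
            messages += node.local_detection(*local_verdicts[node.name])
    broadcast(nodes, messages)
    return {node.name: sorted(node.block_table) for node in nodes}

if __name__ == "__main__":
    # Two of three nodes see the same attacker (the essay's simulation scenario):
    # 2/3 > 0.5, so all three nodes block it, including the untouched IDS-3.
    print(simulate({"IDS-1": ("192.168.1.23", "moderate"), "IDS-2": ("192.168.1.23", "moderate")}))
    # One node alone raises a moderate alert: 1/3, nobody blocks (false alarm suppressed).
    print(simulate({"IDS-1": ("10.0.0.9", "moderate")}))
    # A high-level verdict is dropped locally at once; the peers still wait for a majority.
    print(simulate({"IDS-2": ("10.0.0.9", "high")}))
```

Two things a practitioner would check here. First, the share is compared against the total number of nodes, not the number of nodes that happened to respond, so a node that is silent because it is under attack still counts in the denominator. Second, the essay does not say how alert messages are authenticated; the vote only limits the damage a single lying node can do if a node cannot forge alerts in its peers' names, so in a real deployment the inter-IDS channel needs origin authentication.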

Simulation Results and Performance Evaluation

The simulation results and performance evaluation of the proposed system are discussed in this section.

Simulation Results

Our experiment shows the resistance of the proposed system to DoS attacks. For the experiment we used Eucalyptus, an open-source cloud platform, to test our Snort-based Intrusion Detection System. We customised Snort by adding a blocking module to its pre-processor; a communication module and a cooperation module were added as a plug-in. The test environment simulates three cloud sections, each with its own IDS. An attack was launched from IP address 192.168.1.23 against two of the three sections, so two of the three nodes were under attack. The cooperation agent communicated with all the nodes in the environment, and as a result the attack packets were dropped by all three IDSs (Figure 5).

Figure 5 Simulation Result

Evaluation and comparison [13]

We evaluate our proposed IDS against a pure Snort-based intrusion detection system. In the figures below our proposed system is labelled SAIDS (Signature and Anomaly based Intrusion Detection System).

True Positive Rate

The True Positive Rate (TPR) measures how effectively the IDS detects intrusions that actually occur. It is determined by:

$$\mathrm{TPR} = \frac{TP}{TP + FN} \times 100\%$$

As FN tends to zero, TPR tends to 100% and the system is effective.

Figure 6 True Positive Rate

Both IDSs detected more than 90% of the intrusions, but pure Snort scored slightly higher than our proposed system.

False Positives Rate

The False Positive Rate (FPR) measures how often the IDS raises an alarm on legitimate traffic. It is determined by:

$$\mathrm{FPR} = \frac{FP}{FP + TN} \times 100\%$$

As FP tends to zero, FPR tends to 0% and the system is effective.

Figure 7 False Positive Rate

More than 70% of the traffic that pure Snort flagged falsely was handled correctly by our proposed system.

Effectiveness on Attack Containment

IDS effectiveness on attack containment is based on both TPR and FPR. The variable is determined by:

$$\mathrm{Effectiveness} = \frac{TP + TN}{TP + TN + FP + FN} \times 100\%$$

As FP and FN tend to zero, effectiveness on attack containment tends to 100%.

The results in the following table are obtained by evaluating the effectiveness equation for both IDSs, where TP + FN is the total number of generated attacks and TN + FP is the total legitimate traffic transmitted.

The effectiveness of both IDSs on attack containment, based on true and false positives, is as follows.

Figure 8 Effectiveness on Attack Containing

SAIDS made the correct logging or dropping decision for 92% of events, against 82% for Snort.

Found Vulnerabilities

The found vulnerabilities (FV) evaluation variable is the total number of vulnerabilities found in each assessed IDS.

Figure 9 IDS Vulnerabilities

SAIDS has more vulnerabilities than Snort.

Risk Value

The risk value (RV) is a variable that takes a value between 1 and 4. It rates the risk of an IDS vulnerability by the damage the corresponding intrusion produces. A low-risk level, RV = 1, applies when the intrusion only lets the attacker identify the system. RV = 2 means that through the intrusion the attacker can access the network services. A risk is rated 3 when the attacker not only accesses the servers but also gains privileges to manipulate the information on them. A high-risk level, RV = 4, applies when the intrusion causes a denial of service (DoS).

$$\mathrm{TRV} = \sum_{i=1}^{N} RV_i$$

The total risk value (TRV) is the sum of the risk values of the N found vulnerabilities, as represented above.

Figure 10 Risk Value

Snort had 9 vulnerabilities with a TRV of 26, whereas SAIDS had 13 vulnerabilities with a TRV of 21.

Nearness Value

The nearness value (NV) is a variable that evaluates the network damage that the found IDS vulnerabilities could produce as a whole. It is represented by:

$$\mathrm{NV} = \frac{\mathrm{TRV}}{\sum_{i=1}^{N} \mathrm{Max\_RV}_i} \times 100\%$$

where N is the total number of vulnerabilities found for a given IDS, TRV is its total risk value and Max_RV is the maximum risk value for vulnerability i. Since Max_RV is always 4, the denominator is simply 4N.

Snort and SAIDS both have a nearness value of nearly 70%, which means that both are exposed.

Strength Value

IDS solutions offer several extra benefits that are not part of their intrusion detection and prevention capability. These characteristics are counted as found strengths (FS) when they set the solution apart from other existing solutions. The IDS total strength value (TSV) is determined by the variables Attack Containment Capacity (ACC), Innovation Technology Level (ITL) and Ease of Use (EU), as represented by:

$$\mathrm{TSV} = \sum_{i=1}^{N} \left[0.6\,\mathrm{ACC}_i + 0.3\,\mathrm{ITL}_i + 0.1\,\mathrm{EU}_i\right]$$

where N is the total number of strengths found for the IDS. ACC, ITL and EU are rated low, medium or high, with corresponding values 1, 2 and 3.

The TSV computation summarised in the table presents the found strengths of both IDSs.
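The evaluation variables of this section (TPR, FPR, effectiveness, FV, TRV, NV and TSV), implemented as an added example in Python rather than as the authors' own evaluation code. The confusion matrix is derived from a list of (is_attack, flagged) pairs, which is how the counts would be obtained from a labelled test run; the two verdict lists, the risk values and the strength ratings are constructed and do not reproduce the figures reported above. The input checks (RV in 1..4, ratings in 1..3) follow the definitions given in the text.

```python
"""Evaluation variables from the comparison section: TPR, FPR, effectiveness, TRV, NV, TSV.
Added example; the verdict lists, risk values and strength ratings are constructed."""

def confusion(verdicts):
    """verdicts: iterable of (is_attack, flagged) pairs, one per observed event.
    Returns (TP, TN, FP, FN)."""
    tp = tn = fp = fn = 0
    for is_attack, flagged in verdicts:
        if is_attack and flagged:
            tp += 1
        elif is_attack:
            fn += 1
        elif flagged:
            fp += 1
        else:
            tn += 1
    return tp, tn, fp, fn

def tpr(tp, fn):
    """Share of real attacks that were detected, in percent."""
    return 100.0 * tp / (tp + fn)

def fpr(fp, tn):
    """Share of legitimate traffic that was wrongly flagged, in percent."""
    return 100.0 * fp / (fp + tn)

def effectiveness(tp, tn, fp, fn):
    """Correct decisions (flag attacks, pass legitimate traffic) over all events, in percent."""
    return 100.0 * (tp + tn) / (tp + tn + fp + fn)

MAX_RV = 4   # the risk scale runs from 1 (system identified) to 4 (denial of service)

def total_risk_value(risk_values):
    """TRV: sum of the per-vulnerability risk values, each an integer 1..4."""
    if any(rv not in (1, 2, 3, 4) for rv in risk_values):
        raise ValueError("risk values must be integers from 1 to 4")
    return sum(risk_values)

def nearness_value(risk_values):
    """NV: TRV as a percentage of the worst case, every vulnerability rated MAX_RV."""
    n = len(risk_values)
    if n == 0:
        return 0.0
    return 100.0 * total_risk_value(risk_values) / (MAX_RV * n)

def total_strength_value(strengths):
    """TSV over (ACC, ITL, EU) ratings, each 1 (low), 2 (medium) or 3 (high)."""
    tsv = 0.0
    for acc, itl, eu in strengths:
        if not all(r in (1, 2, 3) for r in (acc, itl, eu)):
            raise ValueError("strength ratings must be 1, 2 or 3")
        tsv += 0.6 * acc + 0.3 * itl + 0.1 * eu
    return tsv

def evaluate(name, verdicts, risk_values, strengths):
    """All evaluation variables for one IDS in a single dict."""
    tp, tn, fp, fn = confusion(verdicts)
    return {
        "ids": name,
        "TPR": tpr(tp, fn),
        "FPR": fpr(fp, tn),
        "effectiveness": effectiveness(tp, tn, fp, fn),
        "FV": len(risk_values),
        "TRV": total_risk_value(risk_values),
        "NV": nearness_value(risk_values),
        "TSV": total_strength_value(strengths),
    }

# Constructed test run: 20 generated attacks and 80 legitimate events for each IDS.
VERDICTS_A = [(True, True)] * 18 + [(True, False)] * 2 + [(False, True)] * 4 + [(False, False)] * 76
VERDICTS_B = [(True, True)] * 19 + [(True, False)] * 1 + [(False, True)] * 14 + [(False, False)] * 66

if __name__ == "__main__":
    print(evaluate("IDS-A", VERDICTS_A, [4, 3, 2, 2, 1], [(3, 2, 1), (2, 3, 2)]))
    print(evaluate("IDS-B", VERDICTS_B, [4, 4, 3, 1], [(2, 1, 3)]))
```

The constructed run shows why TPR alone is a poor basis for comparison: IDS-B detects more of the attacks (95% versus 90%) but flags 17.5% of legitimate traffic against 5%, so its effectiveness is lower (85% versus 94%), which is the same trade-off the figures above report between pure Snort and SAIDS. As a check on the NV formula, the Snort figures quoted above (9 vulnerabilities, TRV 26) give NV = 26/36, about 72%.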

Conclusion

Detecting DoS/DDoS attacks or any other malicious activity in the cloud with firewalls alone is not an efficient solution. In this paper we proposed an IDS framework based on Snort and a Bayesian classifier. The proposed system uses both signature-based and anomaly-based detection, so that it can detect known and unknown attacks in a cloud environment, and it uses a cooperative response once an intrusion is detected. When an IDS detects a threat it sends an alert message to the neighbouring nodes and drops the packet. Every IDS node is capable of identifying a threat on its own, but the cooperation-based response decreases the false alarm rate significantly: the nodes receiving the message apply a majority vote to judge the trustworthiness of the alert and make their decision. The simulation results and the evaluation against a pure Snort-based IDS suggest that the proposed IDS performs better under DoS attacks.

Security techniques used on other networks cannot simply be carried over to the cloud, because of its complex architecture. Combining multiple techniques, strategies and frameworks can provide a better security architecture for the cloud.


