Possible IDS Deployment in Cloud


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Snort is a lightweight network security application built on Libpcap that serves as a packet sniffer, a packet logger and a NIDS.

Figure 1 Components of Snort

Snort consists of the following components:

Packet Decoder: the packet decoder takes packets from the network interfaces, decodes them and passes them to the pre-processor.

Pre-Processor: prepares packets for the detection engine, detects anomalies in packet headers and reassembles fragmented packets.

The Detection Engine: the detection engine matches rules against every packet to identify intrusions or suspicious data. If a packet matches no rule it is dropped; otherwise the appropriate action, such as generating an alert, is taken.

Logging and Alerting System: suspicious packets are logged and a system alert may be generated.

Output Modules: a set of plug-ins that control the type of output generated.

A Bayesian classifier is a probabilistic classifier based on Bayes' theorem. It estimates the probability of a given network event in order to classify it as normal or as an intrusion.
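The paragraph above names the classifier but does not show how an event's class probability is actually obtained. The following is an added example, not code from the essay: a categorical naive Bayes classifier with Laplace smoothing, trained on a handful of constructed network events (protocol, destination-port class, connection rate and TCP flag pattern are the assumed features; the events and labels are sample data, not the essay's). It returns the posterior probability of "intrusion" for a new event and applies a decision threshold to it.

```python
from collections import Counter, defaultdict
from math import exp, log

# Constructed training events (sample data, not from the essay). Each event is a
# dict of discrete features plus a label of "normal" or "intrusion".
TRAINING_EVENTS = [
    ({"proto": "tcp", "port_class": "web",  "rate": "low",  "flags": "ack"},  "normal"),
    ({"proto": "tcp", "port_class": "web",  "rate": "low",  "flags": "ack"},  "normal"),
    ({"proto": "udp", "port_class": "dns",  "rate": "low",  "flags": "none"}, "normal"),
    ({"proto": "tcp", "port_class": "mail", "rate": "med",  "flags": "ack"},  "normal"),
    ({"proto": "tcp", "port_class": "web",  "rate": "med",  "flags": "ack"},  "normal"),
    ({"proto": "tcp", "port_class": "high", "rate": "high", "flags": "syn"},  "intrusion"),
    ({"proto": "tcp", "port_class": "high", "rate": "high", "flags": "syn"},  "intrusion"),
    ({"proto": "udp", "port_class": "high", "rate": "high", "flags": "none"}, "intrusion"),
    ({"proto": "tcp", "port_class": "web",  "rate": "high", "flags": "syn"},  "intrusion"),
]


class NaiveBayesEventClassifier:
    """Categorical naive Bayes with Laplace smoothing for discrete network events."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha                          # smoothing pseudo-count
        self.class_counts = Counter()               # label -> number of events
        self.value_counts = defaultdict(Counter)    # (feature, label) -> Counter of values
        self.feature_values = defaultdict(set)      # feature -> set of values seen

    def fit(self, events):
        for features, label in events:
            self.class_counts[label] += 1
            for name, value in features.items():
                self.value_counts[(name, label)][value] += 1
                self.feature_values[name].add(value)
        return self

    def _log_joint(self, features, label):
        # log P(label) + sum over features of log P(value | label), smoothed so that a
        # value never seen for this label does not drive the whole product to zero.
        total = sum(self.class_counts.values())
        logp = log(self.class_counts[label] / total)
        for name, value in features.items():
            seen = self.value_counts[(name, label)][value]
            k = len(self.feature_values[name])
            logp += log((seen + self.alpha) / (self.class_counts[label] + self.alpha * k))
        return logp

    def posterior(self, features):
        """Normalised P(label | features) for every label, computed in log space."""
        logs = {label: self._log_joint(features, label) for label in self.class_counts}
        top = max(logs.values())
        weights = {label: exp(v - top) for label, v in logs.items()}
        norm = sum(weights.values())
        return {label: w / norm for label, w in weights.items()}

    def classify(self, features, threshold=0.5):
        """Label the event "intrusion" when its posterior reaches the threshold."""
        return "intrusion" if self.posterior(features)["intrusion"] >= threshold else "normal"


def build_classifier():
    return NaiveBayesEventClassifier().fit(TRAINING_EVENTS)


if __name__ == "__main__":
    clf = build_classifier()
    probe = {"proto": "tcp", "port_class": "high", "rate": "high", "flags": "syn"}
    print(clf.classify(probe), clf.posterior(probe))
```

The threshold is the operational knob: lowering it raises the true positive rate at the cost of more false positives, which is the trade-off the evaluation section later measures as TPR and FPR.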

In a cloud environment an Intrusion Detection System can be deployed at the user end or at the server end. An IDS can also be deployed on each VM, but that makes management very complex. An IDS deployed at the user end can only identify and detect external threats, but in a cloud computing environment both internal and external threats need to be considered. An IDS deployed on the processing servers solves this problem.

Figure 2 Possible IDS Deployment in Cloud

Our proposed system is a distributed and cooperative IDS. Each node is responsible for intrusion detection, but neighbouring nodes also cooperate in the process. An IDS is placed on every node and individually monitors local activity. If IDS 1 detects an intrusion it sends an alert to the IDS modules on the other processing servers. The receiving IDSs immediately evaluate the trustworthiness of the alert against the judgement criteria. Once a packet is identified as an intrusion, a new blocking rule is added to the block table.

Figure 3 Architecture of Proposed IDS

Detection Engine

The detection engine consists of the Snort classifier and the alert cluster. It applies signature-based detection techniques to the packets. Our IDS uses two types of detection to achieve the desired level of protection.

Signature/Knowledge-based Detection: a signature/knowledge-based detection system matches rules (patterns of known attacks or weak spots) stored in the knowledge/signature base to identify intrusions. This technique detects known attacks accurately and efficiently but lacks the capability to detect new attacks.

Anomaly Detection: in this technique the normal usage profiles of legitimate users are collected in the anomaly base. When a user deviates significantly from the observed activity, a statistical test is applied to decide whether the behaviour is legitimate. This approach needs no prior knowledge of an intrusion in order to detect new intrusions.

In the proposed system we first apply signature-based detection to a packet to detect known attacks, and then anomaly detection to detect unknown attacks.

In the proposed system the intrusion detection component collects network packets and analyses them. The NIDS uses two detection techniques to achieve a high level of security: Snort is used for signature-based intrusion detection, and the remaining packets are pre-processed for anomaly detection. If a packet matches no rule in the signature base or in the anomaly base it is considered safe and accepted; otherwise it is passed to the next component.
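The two-stage pipeline described above (signature base first, anomaly base second, accept only when neither fires) can be written down concretely. This is an added example, not the essay's or Snort's code: the signature base is a constructed list of two illustrative rules, the anomaly base is a per-source profile of mean and standard deviation for two assumed traffic features (connections per minute and bytes per minute), and the statistical test is a z-score against that profile with an assumed threshold of 3 standard deviations. A source with no profile is treated as suspicious and handed to the next component, which is a design assumption of this example rather than something the essay states.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Packet:
    src: str
    dst_port: int
    proto: str
    payload: bytes
    conns_per_min: float    # per-source connection rate observed by the sensor (assumed feature)
    bytes_per_min: float    # per-source byte rate observed by the sensor (assumed feature)


# Constructed signature base: (rule name, protocol, destination port or None, payload substring or None).
SIGNATURE_BASE = [
    ("http-traversal", "tcp", 80, b"../.."),
    ("telnet-login", "tcp", 23, None),
]

Z_THRESHOLD = 3.0   # assumed: deviation beyond 3 sigma counts as an anomaly


def signature_match(pkt):
    """Stage 1: return the name of the first matching signature, or None."""
    for name, proto, port, pattern in SIGNATURE_BASE:
        if pkt.proto != proto:
            continue
        if port is not None and pkt.dst_port != port:
            continue
        if pattern is not None and pattern not in pkt.payload:
            continue
        return name
    return None


def build_profile(history):
    """Build a normal-usage profile from (conns_per_min, bytes_per_min) observations."""
    conns = [h[0] for h in history]
    byts = [h[1] for h in history]
    return {"conns": (mean(conns), pstdev(conns)), "bytes": (mean(byts), pstdev(byts))}


def anomaly_score(pkt, profile):
    """Stage 2: largest z-score of the packet's features against the source's profile."""
    worst = 0.0
    for key, value in (("conns", pkt.conns_per_min), ("bytes", pkt.bytes_per_min)):
        mu, sigma = profile[key]
        sigma = max(sigma, 1e-9)            # guard against a zero-variance profile
        worst = max(worst, abs(value - mu) / sigma)
    return worst


def inspect(pkt, profiles):
    """Returns ("signature", rule), ("anomaly", z) or ("accept", None)."""
    rule = signature_match(pkt)
    if rule is not None:
        return ("signature", rule)
    profile = profiles.get(pkt.src)
    if profile is None:
        # No baseline for this source: pass to the next component (assumption of this example).
        return ("anomaly", float("inf"))
    z = anomaly_score(pkt, profile)
    if z > Z_THRESHOLD:
        return ("anomaly", z)
    return ("accept", None)


# Constructed normal-usage history for one source, used to build its anomaly-base entry.
HISTORY = [(4, 2000), (5, 2200), (6, 1800), (5, 2100), (4, 1900)]
PROFILES = {"10.0.0.5": build_profile(HISTORY)}

if __name__ == "__main__":
    for pkt in (
        Packet("10.0.0.5", 80, "tcp", b"GET /../../etc/passwd HTTP/1.0", 5, 2000),
        Packet("10.0.0.5", 443, "tcp", b"\x16\x03\x01", 5, 2050),
        Packet("10.0.0.5", 443, "tcp", b"\x16\x03\x01", 40, 2000),
    ):
        print(pkt.src, pkt.dst_port, inspect(pkt, PROFILES))
```

The order matters for cost as well as coverage: the signature stage is a cheap exact match and catches the known attacks, so the statistical test only runs on what is left, which is the split the essay describes.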

Alert Classification /Threshold computation

Once a packet is identified as a possible threat it is evaluated by this component to determine the level of threat. Three alert levels are used to classify threats: high, moderate and low. A node or intrusion that affects the entire network is classed high. Any packet identified as a high-level threat is dropped immediately and an alert notification is sent to the other IDSs, which store the information in their databases. A threshold check using a data clustering method is applied to moderate-level threats to reduce the possibility of false alarms; if during that check the packet is identified as a higher-level threat, it is dropped. Alerts about low-level threats are ignored by the system. The state of intrusion detection is shared with the other IDSs.

Cooperative operations

Each IDS has a cooperative agent. This agent propagates intrusion detection state information to the other IDSs and receives messages about alerts.

IDS-1 has detected an intrusion and sends an alert to IDS-2 and IDS-3. When the cooperative agents in IDS-2 and IDS-3 receive the message they do not immediately drop the packet; instead they apply a majority vote formula to decide whether to drop or accept it. If more than half of the IDSs in the cloud send an alert, the packet is dropped; otherwise it is accepted.

If the result of the calculation is greater than 0.5 the packet's alert level is classed high; otherwise the IDS accepts the packet and ignores the alert messages. With this approach any node that detects an intrusion can initiate a response.
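The alert-level handling in the "Alert Classification" section and the majority vote above can be exercised together in a small simulation. This is an added example, not the essay's code. It assumes that a node which itself raised the alert counts as one of the alerting IDSs, that the vote is the number of alerting nodes divided by the total number of IDS nodes in the cloud (self included), and that the essay's "threshold check by data clustering" for moderate alerts can be stood in for by a simple repeat-count threshold; all three are assumptions of this example. The replayed scenario uses the essay's own three-node setup with source 192.168.1.23.

```python
from collections import defaultdict
from dataclasses import dataclass, field

HIGH, MODERATE, LOW = "high", "moderate", "low"
MAJORITY = 0.5   # from the essay: more than half of the IDS nodes must alert


@dataclass
class IdsNode:
    name: str
    cloud_size: int                      # total IDS nodes in the cloud, self included (assumption)
    moderate_threshold: int = 3          # repeat-count check standing in for the clustering step (assumption)
    block_table: set = field(default_factory=set)
    moderate_seen: dict = field(default_factory=lambda: defaultdict(int))
    received_alerts: dict = field(default_factory=lambda: defaultdict(set))

    def _block(self, src):
        self.block_table.add(src)
        self.received_alerts[src].add(self.name)   # this node's own vote (assumption)
        return "drop", True

    def local_decision(self, src, level):
        """Decision of this node's own classifier. Returns (action, alert_peers)."""
        if level == HIGH:
            return self._block(src)                # drop immediately and notify peers
        if level == MODERATE:
            self.moderate_seen[src] += 1           # threshold check to limit false alarms
            if self.moderate_seen[src] >= self.moderate_threshold:
                return self._block(src)
            return "accept", False
        return "accept", False                     # low-level alerts are ignored

    def receive_alert(self, src, from_node):
        """Cooperative agent: record a peer's alert and re-run the majority vote."""
        self.received_alerts[src].add(from_node)
        return self.vote(src)

    def vote(self, src):
        share = len(self.received_alerts[src]) / self.cloud_size
        if share > MAJORITY:
            self.block_table.add(src)
            return "drop"
        return "accept"


def broadcast(sender, peers, src):
    """Deliver the sender's alert to every peer and collect their vote results."""
    return {peer.name: peer.receive_alert(src, sender.name) for peer in peers}


def essay_scenario():
    """Replay the essay's three-node case where two nodes detect the same source."""
    nodes = {n: IdsNode(n, cloud_size=3) for n in ("IDS-1", "IDS-2", "IDS-3")}
    src = "192.168.1.23"
    log = []
    log.append(("IDS-1 local", nodes["IDS-1"].local_decision(src, HIGH)))
    log.append(("after IDS-1 alert", broadcast(nodes["IDS-1"], [nodes["IDS-2"], nodes["IDS-3"]], src)))
    log.append(("IDS-2 local", nodes["IDS-2"].local_decision(src, HIGH)))
    log.append(("after IDS-2 alert", broadcast(nodes["IDS-2"], [nodes["IDS-1"], nodes["IDS-3"]], src)))
    blocked = {name: src in node.block_table for name, node in nodes.items()}
    return log, blocked


if __name__ == "__main__":
    for entry in essay_scenario()[0]:
        print(entry)
    print(essay_scenario()[1])
```

After IDS-1's alert alone, IDS-2 and IDS-3 each see one of three nodes alerting and keep accepting; once IDS-2 also detects the source, two of three nodes have alerted and the remaining node blocks it by vote, which is the outcome the simulation section reports.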

With this approach, if any of the deployed IDSs is under attack, an alert message will be received by all the IDSs except the one under attack. If a third-party monitoring and advisory service is configured alongside the proposed system, so that it is alerted as soon as an attack starts, the efficiency of the system improves further.

Figure 4 Workflow of The Proposed System when Packet is High level threat

Intrusion Response

This module blocks packets whose threat level is classified as high by this node or by majority vote.

Simulation Results and Performance Evaluation

The simulation results and performance evaluation of our proposed system are discussed in this section.

Simulation Results

Our experiment shows the resistance of our proposed system against DoS attacks. For this experiment we used Eucalyptus, an open source cloud platform, to test our Snort-based intrusion detection system. We customized Snort by adding a block module to its pre-processor; a communication module and a cooperation module were also added as a plug-in. Our test environment simulates three cloud computing sections, and in every section we set up an intrusion detection system. An attack is initiated from IP address 192.168.1.23 against two different regions, so two of the three nodes are under attack. The cooperation agent communicates with all the nodes in the environment, and as a result of this communication the packet is dropped by all three IDSs (Figure 3).

Figure 5 Simulation Result

Evaluation and comparison

We evaluate our proposed IDS against a pure Snort-based intrusion detection system. In the figures our proposed system is labelled SAIDS (Signature and Anomaly based Intrusion Detection System).

True Positive Rate

The True Positive Rate (TPR) evaluates the IDS effectiveness when an intrusion is detected. It is determined by:

TPR = \frac{TP}{TP + FN} \times 100\%

As FN tends to zero, TPR tends to 100% and the system is effective.

Figure 6 True Positive Rate

More than 90% of intrusions were detected by both IDSs, but the percentage for the pure Snort IDS was higher than for our proposed system.

False Positives Rate

The False Positive Rate (FPR) evaluates the IDS effectiveness when an intrusion is detected. It is determined by:

FPR = \frac{TP}{TP + FP} \times 100\%

While FN tends to zero, TPR tends to 100% and the system is effective.

Figure 7 False Positive Rate

More than 70% of the false positive traffic was handled effectively and correctly by our proposed system.

Effectiveness on Attacks Containing

IDS effectiveness on attack containing is based on TPR and FPR. The variable is determined by:

Effectiveness = \frac{TP + TN}{TP + TN + FP + FN} \times 100\%

As FP and FN tend to zero, IDS effectiveness on attack containing tends to 100%.

The results in the following table are obtained by solving the Effectiveness equation for both IDSs, where TP+FN represents the total number of generated attacks and TN+FP corresponds to the total transmitted traffic.

The effectiveness of the IDSs on attack containing, based on true and false positives, is as follows.

Figure 8 Effectiveness on Attack Containing

SAIDS' decisions for logging or dropping packets score 92% and Snort's 82%.

Found Vulnerabilities

The found vulnerabilities (FV) evaluation variable corresponds to the total number of vulnerabilities found for each assessed IDS.

Figure 9 IDS Vulnerabilities

SAIDS has more vulnerabilities than Snort.

Risk Value

The risk value (RV) is a variable that takes a value between 1 and 4. It evaluates the risk of the IDS vulnerabilities by analysing the damage produced by the intrusion. A low-risk level is represented by an RV of 1 and applies when an intrusion occurs and the system is identified. An RV of 2 means that through the intrusion the attacker is able to access the network services. A risk is evaluated as 3 when the attacker not only accesses the servers but also gains privileges to manipulate the information within them. A high-risk level, represented by an RV of 4, applies when the intrusion causes a denial of service (DoS).

TRV = \sum_{i=1}^{N} RV_i

The total risk value (TRV) is the sum of the risk values of the N found vulnerabilities, as represented above.

Figure 10 Risk Value

Snort had 9 vulnerabilities with a TRV of 26, whereas SAIDS had 13 vulnerabilities with a TRV of 21.

Nearness Value

The nearness value (NV) is a variable that evaluates the network damage produced by the found IDS vulnerabilities as a whole. NV is mathematically represented by:

NV = \frac{TRV}{\sum_{i=1}^{N} Max\_RV_i} \times 100\%

where N is the total number of vulnerabilities found for a certain IDS, TRV is the total risk value and Max_RV_i represents the maximum risk value for vulnerability i. In fact, Max_RV is always 4.

Snort and SAIDS both have a nearness value of nearly 70%, which means they are exposed.

Strength Value

IDS solutions offer several extra benefits that are not part of their intrusion detection and prevention capabilities. These characteristics are known as found strengths (FS) when they make a difference in comparison with other existing solutions. The IDS total strength value (TSV) is determined by the variables Attack Containing Capacity (ACC), Innovation Technology Level (ITL) and Ease of Use (EU), as represented by:

TSV = \sum_{i=1}^{N} \left[ 0.6\,ACC_i + 0.3\,ITL_i + 0.1\,EU_i \right]

where N represents the total number of strengths found for the IDS. ACC, ITL and EU are rated low, medium or high, with corresponding values between 1 and 3.

The TSV process summary in the table above presents the found strengths of both IDSs.
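The evaluation variables defined from "True Positive Rate" through "Strength Value" (TPR, the essay's false positive expression, Effectiveness, TRV, NV and TSV) can all be computed from a confusion matrix, a list of per-vulnerability risk values and a list of rated strengths. The following is an added example, not the essay's code, implementing those formulas as the essay writes them. One caveat a practitioner will want: the essay's "FPR" expression TP/(TP+FP) is the ratio normally called precision; the conventional false positive rate is FP/(FP+TN), so the block provides both under distinct names. The confusion-matrix counts, risk values and strength ratings used in the demonstration are constructed sample data, except that the nine risk values are chosen to sum to the TRV of 26 the essay reports for Snort.

```python
from dataclasses import dataclass

MAX_RV = 4                                  # the essay: Max_RV is always 4
LEVEL = {"low": 1, "medium": 2, "high": 3}  # the essay: low/medium/high map to 1..3


@dataclass(frozen=True)
class Confusion:
    tp: int   # attacks correctly alerted on
    tn: int   # benign traffic correctly passed
    fp: int   # benign traffic wrongly alerted on
    fn: int   # attacks missed


def tpr(c):
    """True positive rate, TPR = TP / (TP + FN) * 100%."""
    return 100.0 * c.tp / (c.tp + c.fn)


def fpr_as_written(c):
    """The essay's false positive expression, TP / (TP + FP) * 100% (this is precision)."""
    return 100.0 * c.tp / (c.tp + c.fp)


def fpr_standard(c):
    """Conventional false positive rate: share of benign traffic that raised an alert."""
    return 100.0 * c.fp / (c.fp + c.tn)


def effectiveness(c):
    """Effectiveness on attack containing, (TP + TN) / (TP + TN + FP + FN) * 100%."""
    return 100.0 * (c.tp + c.tn) / (c.tp + c.tn + c.fp + c.fn)


def trv(risk_values):
    """Total risk value: sum of the per-vulnerability RV_i, each in 1..4."""
    for rv in risk_values:
        if not 1 <= rv <= MAX_RV:
            raise ValueError(f"risk value {rv} outside 1..{MAX_RV}")
    return sum(risk_values)


def nv(risk_values):
    """Nearness value: TRV divided by the sum of Max_RV over the N vulnerabilities."""
    if not risk_values:
        raise ValueError("nearness value is undefined with no vulnerabilities")
    return 100.0 * trv(risk_values) / (MAX_RV * len(risk_values))


def tsv(strengths):
    """Total strength value over (ACC, ITL, EU) ratings given as 'low'/'medium'/'high'."""
    return sum(0.6 * LEVEL[acc] + 0.3 * LEVEL[itl] + 0.1 * LEVEL[eu] for acc, itl, eu in strengths)


def evaluate(name, confusion, risk_values, strengths):
    """Collect every evaluation variable for one IDS in a single report dict."""
    return {
        "ids": name,
        "TPR": tpr(confusion),
        "FPR_as_written": fpr_as_written(confusion),
        "FPR_standard": fpr_standard(confusion),
        "Effectiveness": effectiveness(confusion),
        "FV": len(risk_values),
        "TRV": trv(risk_values),
        "NV": nv(risk_values),
        "TSV": tsv(strengths),
    }


# Constructed sample inputs: 1000 generated attacks and 5000 benign flows.
SAMPLE_CONFUSION = Confusion(tp=920, tn=4850, fp=150, fn=80)
SAMPLE_RISKS = [4, 4, 4, 3, 3, 2, 2, 2, 2]        # nine values summing to 26, as in the essay's Snort figure
SAMPLE_STRENGTHS = [("high", "medium", "low"), ("medium", "medium", "high")]

if __name__ == "__main__":
    for key, value in evaluate("sample", SAMPLE_CONFUSION, SAMPLE_RISKS, SAMPLE_STRENGTHS).items():
        print(f"{key:>16}: {value}")
```

With these inputs the sample IDS scores a TPR of 92%, an effectiveness of about 96.2% and a standard FPR of 3%, while the essay's own expression gives about 86%; the nine risk values produce a nearness value of about 72%, which is the region the essay describes as "exposed".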
