CHAPTER 4
METHODOLOGY
4.1 INTRUSION DETECTION SYSTEM
Intrusion detection refers to the process of monitoring the events
happening in a computer system or network and examining them for signs
of security problems. The general notion of intrusion detection recalls
analogous monitoring systems in other areas, such as burglar alarms and
the video-monitoring systems found in banks and other large stores.
Even the warning systems used in civil defense and the military fall
into this functional category. Although the strategies employed by the
various monitoring systems differ, the basic idea remains the same. In
this context [60] [76] [77], intrusion detection is defined as the
process of detecting and responding to malicious activity directed at
computing and networking resources.
Intrusion detection is also defined as the process of observing the
events occurring in a computer system or network and analyzing them for
violations, or imminent threats of violation, of security policies or
standard security practices. These violations may be caused by malware
such as worms, spyware and viruses; by unauthorized access to the
systems by an attacker; or by authorized users misusing their
privileges or exploiting flaws that grant them elevated access to the
network [62].
An Intrusion Detection System (IDS) is software that automates the
intrusion detection process [62]. An IDS monitors network or system
events for malicious activities that tend to compromise the
confidentiality, integrity, and availability of the network, and sends
a report to the management station. An IDS gathers and analyzes
information from within a network or a computer to perceive possible
security breaches, including attacks from both outside and inside the
organization. It uses a technology known as vulnerability assessment,
or scanning, for assessing the security of a computer or a network.
The intrusion detection system gathers data about an information
system in order to analyze the security status of that system. The
foremost goal of an IDS is to detect security breaches, including both
attempted and potential breaches. A simple typical IDS is shown in
Figure 4.1 [78].
Fig. 4.1. A Simple Intrusion Detection System.
An intrusion detection system is similar to a detector that processes
information coming from the system to be protected. The IDS has the
ability to launch probes that trigger the audit process, such as
requesting version numbers for applications. It makes use of three
categories of information: long-term information associated with the
technique used to detect intrusions (such as a knowledge base of
attacks), configuration information describing the present state of the
system, and audit information describing the events happening on the
system. The IDS eliminates surplus information from the audit trail and
presents either a synthetic view of the security-related actions taken
during normal usage of the system or a synthetic view of the current
security state of the system. A decision is then taken to estimate the
probability that these actions or this state can be regarded as
indications of an intrusion or of vulnerabilities. Finally, a
countermeasure component takes corrective action, either to impede the
actions from being accomplished or to restore the state of the system
to a secure state [78].
To ensure the proper functionality of an IDS, sensors are used to
collect data, analyzers to evaluate the data, panels to monitor
activities, and user interfaces to manipulate configuration settings.
The data items can be in the form of packets, system audit records,
computed hash values, or other data formats. Analyzers receive input
from sensors and then determine whether activity is intrusive.
According to Porras and Valdes [79], the efficiency of an intrusion
detection system depends on the following parameters:
• Accuracy: It deals with the proper discovery of attacks and the
nonoccurrence of false alarms.
• Performance: It is the rate at which audit events are processed.
• Completeness: It is the property of an intrusion detection system
to identify all attacks.
• Fault Tolerance: An intrusion detection system needs to be
resilient to attacks, especially denial-of-service attacks [80].
• Timeliness: An intrusion detection system has to perform and
complete its analysis as quickly as possible in order to enable the
security administrator to respond before much damage has been
done, and also to prevent the attacker from subverting the audit
source or the IDS itself [80].
The errors made by an IDS in automating intrusion detection are
classified as false positives and false negatives. False positives are
sequences of innocuous events that the IDS mistakenly classifies as
intrusive, while false negatives are intrusion attempts that the IDS
fails to report [81]. Detection of hostile attacks depends on both the
number and the type of appropriate actions [77]. Figure 4.2 describes
the series of activities performed by an intrusion detection system.
Fig. 4.2. Intrusion Detection System Activities.
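To make the two error types concrete, the following sketch (a hypothetical illustration in Python, not drawn from the source) computes the false-positive and false-negative rates of an IDS from a batch of labeled events:

```python
# Hypothetical illustration: each event is a (truth, alert) pair, where
# "truth" says whether the event really was an intrusion and "alert"
# says whether the IDS raised an alarm for it.

def error_rates(events):
    """Return (false_positive_rate, false_negative_rate) for labeled events."""
    fp = sum(1 for truth, alert in events if not truth and alert)
    fn = sum(1 for truth, alert in events if truth and not alert)
    benign = sum(1 for truth, _ in events if not truth)
    attacks = sum(1 for truth, _ in events if truth)
    return fp / benign, fn / attacks

# Made-up batch: two of four benign events are flagged, one of four
# attacks is missed.
events = [(False, False), (False, True), (False, True), (False, False),
          (True, True), (True, True), (True, False), (True, True)]
fpr, fnr = error_rates(events)
print(fpr, fnr)  # 0.5 0.25
```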
A common IDS architecture comprises a detection module, which gathers
data containing evidence of intrusions; an analysis engine, which
processes the data to identify intrusive activity; and a response
component, which produces reports of intrusions. Figure 4.3 illustrates
the components of an intrusion detection system.
Fig. 4.3. IDS Components.
Figure 4.4 describes the characteristics of IDS [78] as follows.
• The detection method defines the characteristics of the analyzer
and is categorized on the basis of the information used by the
IDS as,
o Behavior Based: When the information is about the normal
system behavior.
o Knowledge Based: When the information is in relation to
attacks.
• The behavior on detection defines the response of the IDS to
attacks. The IDS is termed,
o Active: When it reacts to the attack by taking either
corrective or pro-active actions.
o Passive: When it only generates alarms.
• The audit source location distinguishes the IDS on the basis of
the type of input information analyzed. This input information
can be,
o System log files on a host
o Network packets
o Application logs
o Intrusion detection alerts generated by other IDSs
• The detection paradigm describes the detection mechanism used
by the IDS, which can evaluate either,
o States
o Transitions
This evaluation can be performed in a non-obtrusive way or by
actively stimulating the system to obtain a response.
Fig. 4.4. Characteristics of IDS.
4.1.1 Types of IDS
IDS can be categorized into various types, on the basis of different
monitoring and analysis approaches. IDS can monitor events at three
levels:
• Network
• Host
• Application
IDS can analyze these events using,
• Signature Detection
• Anomaly Detection
Host-based IDS
A Host-based Intrusion Detection System (HIDS) is the class of IDS that
resides on a host machine and monitors it. Activities on the host are
analyzed at very fine granularity to determine precisely which
processes and users are performing malicious activities on the
operating system.
The system characteristics that can be used by HIDS for collection
of data [81] [82] are:
• File System
Activities conducted on the host can be indicated by changes made
to the host's file system. Irregular patterns of file-system
access and changes to sensitive portions of the file system
provide clues for the discovery of attacks.
• Network Events
To view data exactly as it will be perceived by the end process,
an IDS can intercept all network communications after they have
been processed by the network stack but before they are passed on
to user-level processes. However, this is ineffective in detecting
attacks launched by a user with terminal access, or attacks on the
network stack itself.
• System Calls
An IDS can be positioned so as to observe all system calls, which
provides very rich data indicating the behavior of a program.
Hence, choosing appropriate system characteristics is the critical
decision in any HIDS design.
Network-based IDS
Network-based IDSs (NIDS), presently the most common commercial
product offering, detect attacks by capturing and analyzing the packets
that traverse a given network link. A NIDS consists of a set of
single-purpose hosts that sniff the network traffic and report attacks
to a single management console. A NIDS is well secured against attack
because no other applications run on the hosts it uses. These NIDSs
have “stealth” modes [61] which make it almost impossible for an
attacker to detect their presence.
A NIDS monitors the characteristics of network data and performs
intrusion detection. Most NIDSs operate by examining the IP and
transport-layer headers of individual packets, the contents of packets,
or some combination of the two [81].
Application-based IDS
Application-based IDS monitor the events transpiring within an
application. This IDS detects attacks by analyzing the application’s log
files. Application-based IDSs are likely to have a fine-grained view of
suspicious activity in the application by interfacing with an application
directly and having significant application knowledge.
Signature-based IDS
A signature-based IDS centers on the use of an expert system to
identify intrusions against a predetermined knowledge base. If properly
programmed, it can detect each known attack, and this technique is an
effective method used in commercial products for detecting attacks.
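A toy sketch of signature-based detection is given below; the byte patterns and attack names are invented for illustration, and real products use far richer rule languages than plain substring matching:

```python
# Minimal signature matching: each known attack is represented by a byte
# pattern looked up in a packet payload. Patterns and names are made up.

SIGNATURES = {
    b"/etc/passwd": "path traversal attempt",
    b"' OR '1'='1": "SQL injection attempt",
}

def match_signatures(payload: bytes):
    """Return the names of all known attack signatures found in the payload."""
    return [name for pattern, name in SIGNATURES.items() if pattern in payload]

print(match_signatures(b"GET /../../etc/passwd HTTP/1.1"))
# ['path traversal attempt']
```

As the surrounding text notes, such a detector can only report attacks already present in its knowledge base; anything without a stored pattern passes unnoticed.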
Anomaly-based IDS
An anomaly-based IDS finds attacks by identifying anomalous (i.e.
unusual) behavior on a host or a network. Its functionality rests on
the logic that attackers behave differently from normal users, so
attacks can be detected by systems that identify these differences.
Such systems may generate an overwhelming number of false alarms, since
normal user and network behavior can vary unpredictably. Anomaly-based
IDSs can, however, detect never-before-seen attacks.
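The idea can be sketched as follows, assuming a single numeric feature (say, requests per minute) whose normal profile is summarized by a mean and standard deviation; the sample data and the three-sigma threshold are illustrative choices, not from the source:

```python
# Minimal anomaly detection: model "normal" behavior statistically and
# flag observations far from the mean. Data and threshold are made up.

import statistics

def fit_profile(normal_samples):
    """Summarize normal behavior by its mean and standard deviation."""
    return statistics.mean(normal_samples), statistics.stdev(normal_samples)

def is_anomalous(x, profile, threshold=3.0):
    """Flag x if it lies more than `threshold` standard deviations out."""
    mean, stdev = profile
    return abs(x - mean) > threshold * stdev

profile = fit_profile([48, 50, 52, 49, 51, 50])  # typical requests/minute
print(is_anomalous(50, profile))   # False: ordinary load
print(is_anomalous(500, profile))  # True: a sudden burst is flagged
```

Note how the false-alarm problem mentioned above shows up here directly: any legitimate but unusual burst of activity would be flagged just like an attack.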
4.1.2 Role of IDS in Infrastructure Security
Infrastructure security is the security provided to safeguard
infrastructure, predominantly critical infrastructure such as the
network itself. Intrusions and disruptions in one infrastructure can
result in unexpected failures in others [83]. A simple example
illustrates this scenario: suppose a system managed by a high-ranking
person in an organization describes the list of tasks to be performed
by the subordinates working under that person at different locations.
The failure of such a system will affect the working of the whole
group.
Each hardware device in an organizational system, such as a firewall,
router, switch, server, workstation, or modem, has security challenges
associated with it. Securing all such components is essential, as the
security of a network depends on its weakest link: if that weakest link
is compromised, the functionality of the entire system is affected.
Another harsh reality is that the devices within the infrastructure are
most likely accessible by remote devices in one way or another, and
every access path to the devices within the infrastructure has inherent
vulnerabilities. Intrusion Detection Systems (IDS) and Intrusion
Prevention Systems (IPS) are sets of software or hardware devices
designed to address these challenges of infrastructure security.
Although IDSs have both passive and active components, most IDS
devices are passive. Packets moving through the network are observed
from a monitoring port, the traffic is compared against already
configured rules, and a suitable alert is raised if anything suspicious
is detected [34]. An IDS can detect several types of malicious traffic
that would pass through a typical firewall, including network attacks
against services, host-based attacks such as unauthorized logins,
data-driven attacks on applications, and malware such as viruses,
Trojans, and worms. The detection methods used by an IDS can be
signature-based or anomaly-based [81]. Passive procedures can be used
to inspect system configuration files for inadvisable settings, to
inspect password files for weak passwords, and to inspect other system
areas for policy violations. Active procedures usually include
mechanisms to discover known attack techniques, to reprogram the
firewall, to log off users, and to log system responses.
4.1.3 Attacks Commonly Detected by IDSs
Three types of attacks [84] detected and reported by IDSs are,
• Scanning Attacks
• Denial of Service (DOS) Attacks
• Penetration Attacks
4.1.4 Limitations of Intrusion Detection System
One must be cognizant of the restrictions of intrusion detection systems
before undertaking an IDS deployment [61] [81] [84].
• Poor scalability. Associated problems include a lack of proper
integration with other security tools and sophisticated network
management systems, the burden of investigating the numerous
alarms generated by different IDS sensors, and the inability to
visualize threats at the enterprise level.
• Many IDSs create an enormous number of false positives that
waste administrator’s precious time and may initiate damaging
automated responses.
• During heavy network or host activity, IDSs that are intended to
operate as real-time systems may take several minutes to report
and automatically respond to an attack.
• IDSs usually cannot detect recently published attacks or
variations of existing attacks. Once a new attack is posted on
the web, an attacker may quickly make use of it to breach a
target network.
• IDSs may be able to stop novice attackers, but the automated
responses generated by IDSs are often ineffective against
sophisticated attackers. Improperly configured, these responses
can disrupt the network by interfering with legitimate traffic.
• IDSs must be monitored by skilled computer security personnel to
achieve maximum performance and to understand the implications of
what they detect.
• An ample amount of personnel resources is essential for the
maintenance and analysis of IDS.
• IDSs cannot be well protected from attack, hence they are not
failsafe.
• Intrusion detection systems cannot detect coordinated or
cooperative attacks, as these systems do not offer the interfaces
needed to correlate their observations.
• IDSs must be part of a broader framework of computer security
measures; they should never be used in isolation.
4.2 MACHINE LEARNING
Machine Learning is a scientific discipline geared towards answering
the question “Can systems be programmed in such a way that they learn
by themselves and improve with experience?” [35]. This question applies
to almost every aspect of real life, such as how to predict which jobs
users will apply to, how to design autonomous mobile robots that learn
to move from their own experience, and how to develop search engines
that customize themselves automatically according to a user's
preferences.
Tom M. Mitchell [85] defines machine learning as follows: “A computer
program is said to learn from experience E with respect to some class
of tasks T and performance measure P, if its performance at tasks in T,
as measured by P, improves with experience E.” Consider a system
developed to classify emails as spam or not spam. The task T is to
classify emails into those two categories, and the experience E is
watching the user label emails as spam or non-spam. Based on that
learning, the system will try to label new emails, and the performance
P is the number of emails it correctly classifies as spam.
Figure 4.5 [86] shows the architecture of a typical AI agent. The agent
perceives the environment and determines which actions it can take,
perhaps by logical reasoning and by calculating their outcomes.
Whenever a change is reflected in any of the components in the figure,
it is termed learning; different learning mechanisms are used depending
on the subsystem in which the changes are reflected.
Fig. 4.5. A Simple Architecture of AI.
In computer science, every action that has to be performed is
modeled as a function with sets of inputs and outputs. A machine
learning task estimates this function by observing the sets of inputs and
outputs.
The pictorial representation of machine learning’s general execution
flow is shown in Figure 4.6.
With the rapid growth of the Internet and the ever-increasing
complexity of communication protocols, security has become a critical
issue. New and complex attack methods are being developed by attackers
at an alarming rate; CERT reported 8064 new vulnerabilities in the year
2006, and this number has been increasing constantly over the past few
years. We therefore need to analyze how machine learning (or data
mining) methodologies can be used to enhance computer security.
Fig. 4.6. Machine Learning – A General Execution Flow.
Although various rigorous approaches to achieving security are
available, they help to tackle only known attacks; new attacks always
pose a big problem. Prevalent security software requires a great deal
of human effort to spot threats, select characteristics from the
threats, and encode them into the application in order to catch them.
This labor-intensive process can be made efficient by machine learning
algorithms.
Another critical and prevalent issue in the field of security is
insider attacks. An organization's employee is assumed to be a credible
user; however, a study by CERT [87] showed that insider attacks have
caused a great deal of tangible and intangible loss to various
organizations in the recent past.
Machine learning has been one of the promising developments in IT and
has found success in solving complex data classification problems. It
constructs programs that improve themselves with observation and
experience: the experience E is fed in as raw data inputs, and the
actual learning happens with the help of algorithms. Machine learning
solves two main problems: learning about the given data input, and
making predictions about new data based on what has been learned from
experience. Both are difficult and time-consuming for human analysts,
so machine learning is well suited to problems that would otherwise
depend on expensive, rare and unreliable human experts.
The task of detecting network intrusions also falls under machine
learning, as it involves the classification of data into normal and
abnormal behavior. Thus, for intrusion detection [87], we have,
• Task: To detect the intrusions in an accurate and precise manner.
• Experience: A dataset with instances representing normal and
attack data.
• Performance Measure: Accuracy in the correct classification of
intrusion events and normal events, along with other statistical
metrics including precision, recall, F-measure and the kappa
statistic.
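The listed performance measures can be computed directly from predicted and true labels, as in the following illustrative sketch (the toy labels are invented, not taken from the experiments):

```python
# Accuracy, precision, recall and F-measure for a binary
# intrusion/normal classification, computed from label lists.

def metrics(y_true, y_pred, positive="attack"):
    tp = sum(t == positive and p == positive for t, p in zip(y_true, y_pred))
    fp = sum(t != positive and p == positive for t, p in zip(y_true, y_pred))
    fn = sum(t == positive and p != positive for t, p in zip(y_true, y_pred))
    correct = sum(t == p for t, p in zip(y_true, y_pred))
    accuracy = correct / len(y_true)
    precision = tp / (tp + fp)
    recall = tp / (tp + fn)
    f_measure = 2 * precision * recall / (precision + recall)
    return accuracy, precision, recall, f_measure

y_true = ["attack", "normal", "attack", "normal", "attack", "normal"]
y_pred = ["attack", "normal", "normal", "normal", "attack", "attack"]
print(metrics(y_true, y_pred))  # all four come out to 2/3 on this toy data
```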
4.2.1 Types of Machine Learning Algorithms
Machine learning algorithms can be classified based on
• Outcome of the algorithm
• Type of input fed during training
Supervised Learning
Supervised learning is a process by which a function is deduced from
labelled data, also known as training data. The training data consist
of numerous training examples, each containing a pair of an input
vector and a desired output value. The algorithm analyzes the training
data and produces a function, which is then used to map new examples.
An optimal solution is reached when the algorithm correctly determines
the labels for unknown instances. Figure 4.7 gives a graphical
representation of supervised learning.
Fig. 4.7. Supervised Learning.
The data can be represented as pairs {X, Y}, where the Ys are labels of
the data elements in X. For example, each element xi ∈ X might be an
image (say, a 400 × 400 pixel black-and-white image) and yi ∈ Y a
binary indicator showing, for instance, whether some feature of
interest is present in the image xi or not. The main goal is then to
predict the labels Ynew for a new dataset Xnew that comes without
labels; the experience of the fully labelled dataset is used to predict
the new labels.
Many supervised learning algorithms are available, each with its own
strengths and weaknesses; no single learning algorithm works best in
all scenarios.
Unsupervised Learning
Unsupervised learning deals with how systems can learn to represent
particular input vectors in a way that reflects the statistical
structure or pattern of the collection of inputs. In contrast with
supervised learning, there are no explicit target output labels or
environmental evaluations associated with each input. Many unsupervised
learning methods are based on data mining methods used to preprocess
data. Figure 4.8 gives a graphical representation of unsupervised
learning.
Fig. 4.8. Unsupervised Learning.
The most common form of unsupervised learning is clustering, whose
goal is to find resemblances in the training data. The notion is that
the clusters discovered will match an intuitive classification
reasonably well. The algorithm has no names to give to these clusters;
it produces them and then uses them to assign new examples to one
cluster or another. This data-oriented approach works well when there
is sufficient data; for example, the social information filtering
algorithms that Amazon.com uses to recommend books are based on finding
groups of similar people and then allocating new users to groups [88].
Approaches to unsupervised learning include clustering (e.g. k-means,
mixture models), blind signal separation, feature extraction through
dimensionality reduction (e.g. principal component analysis),
self-organizing maps, etc.
4.2.2 Supervised Machine Learning Algorithms
Support Vector Machines (SVM)
SVMs are among the best supervised machine learning algorithms and are
used for classification and regression analysis. SVMs deliver
state-of-the-art performance in many kinds of real-world applications,
such as image classification, text categorization, biological sequence
analysis and handwritten character recognition, and are now established
as one of the standard tools for machine learning and data mining. The
basic SVM takes as input a set of data and, for each given input,
predicts which of two possible classes forms the output, making it a
non-probabilistic binary linear classifier [90]. The essence of SVM
classification centers on four basic concepts [91]. They are,
• Separating hyperplane
• Maximum-margin hyperplane
• Soft margin
• Kernel function
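As a sketch of soft-margin classification, the following toy implementation trains a linear SVM by sub-gradient descent on the regularized hinge loss, in the spirit of the Pegasos algorithm; the bias term is omitted and the 2-D data are invented, so this illustrates the idea rather than a production solver:

```python
# Toy linear soft-margin SVM trained by sub-gradient descent on the
# regularized hinge loss (Pegasos-style; no bias term). Data are made up.

def train_linear_svm(data, lam=0.01, epochs=300):
    """data: list of (x, y) pairs with x a 2-tuple and y in {-1, +1}."""
    w = [0.0, 0.0]
    t = 0
    for _ in range(epochs):
        for x, y in data:
            t += 1
            eta = 1.0 / (lam * t)                    # decreasing step size
            if y * (w[0] * x[0] + w[1] * x[1]) < 1:  # inside the margin
                # sub-gradient of hinge loss plus L2 regularizer
                w = [wi - eta * (lam * wi - y * xi) for wi, xi in zip(w, x)]
            else:                                    # only the regularizer acts
                w = [wi - eta * lam * wi for wi in w]
    return w

def predict(w, x):
    return 1 if w[0] * x[0] + w[1] * x[1] >= 0 else -1

data = [((2, 1), 1), ((3, 2), 1), ((-2, -1), -1), ((-3, -2), -1)]
w = train_linear_svm(data)
print([predict(w, x) for x, _ in data])  # [1, 1, -1, -1]
```

The soft margin appears in the hinge branch: points inside the margin contribute to the update instead of being forbidden outright, and a kernel function would replace the explicit dot products to handle non-linear boundaries.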
K Nearest Neighbors (K-NN)
K-NN is a method built around classifying objects based on the closest
training examples in a given feature space. It is a type of lazy
learning technique, in which the function is approximated only locally
and all other computation is deferred until classification; because
induction is delayed until run time, it is also called lazy learning or
case-based classification. Since the training examples need to be in
memory at run time, it is sometimes called memory-based classification.
An object is classified by a majority vote of its neighbors and is
assigned to the class most common amongst its k nearest neighbors [92].
In K Nearest Neighbors, the learning step is trivial: one simply
stores the dataset in the system's memory. The steps followed to find
the class of an instance q with attributes q.Ai are:
1. Find the k input instances in the given dataset that are closest
to q.
2. Let these k instances vote to determine the class of q.
Fig. 4.9. Representation of K-NN, with two classes – triangle and circle,
a query point q and the value of k (number of nearest neighbors) as 4.
The naive version of the algorithm is very easy to implement by
computing the distances from the test example to all stored examples,
but its drawback is that it is computationally intensive for large
training sets.
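The naive version can be sketched in a few lines, assuming numeric attributes, Euclidean distance and majority vote; the toy dataset mirrors the two classes of Figure 4.9:

```python
# Naive K-NN: compute the distance from the query to every stored
# example, keep the k nearest, and let them vote on the class.

from collections import Counter
import math

def knn_classify(dataset, q, k):
    """dataset: list of (attributes, label) pairs; q: attribute tuple."""
    # Step 1: find the k stored instances closest to q.
    neighbors = sorted(dataset, key=lambda item: math.dist(item[0], q))[:k]
    # Step 2: the k instances vote on the class of q.
    votes = Counter(label for _, label in neighbors)
    return votes.most_common(1)[0][0]

dataset = [((1, 1), "circle"), ((1, 2), "circle"), ((2, 1), "circle"),
           ((8, 8), "triangle"), ((8, 9), "triangle"), ((9, 8), "triangle")]
print(knn_classify(dataset, (2, 2), 3))  # circle
print(knn_classify(dataset, (8, 8), 3))  # triangle
```

The full sort makes the cost grow with the size of the training set on every query, which is exactly the computational burden noted above.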
Artificial Neural Networks (ANN)
An artificial neural network (ANN) is a computational model inspired
by the functioning and neural structure of the human brain. Artificial
neural networks are used in pattern- and sequence-recognition systems,
data processing, robotics, etc. The multilayer perceptron (MLP) is a
feedforward neural network with one or more layers between the input
and output layers; feedforward means that data flows in one direction
only, from the input layer to the output layer. This type of network is
trained with the backpropagation learning algorithm. MLPs are widely
used for pattern recognition, classification, prediction and
approximation, and a multilayer perceptron can solve problems which are
not linearly separable [93] [94].
Fig. 4.10. Artificial Neural Network.
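To illustrate the backpropagation rule described above, the following sketch (with made-up weights and a single training pair, not drawn from the source) performs one forward pass and one weight update on a tiny one-hidden-layer perceptron and checks that the output moves toward the target:

```python
# One backpropagation step on a minimal MLP: 2 inputs, 2 sigmoid hidden
# units, 1 sigmoid output, squared-error loss. Weights are illustrative.

import math

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def forward(x, w_hidden, w_out):
    """One forward pass; returns hidden activations and the output."""
    hidden = [sigmoid(sum(wi * xi for wi, xi in zip(row, x))) for row in w_hidden]
    return hidden, sigmoid(sum(wo * h for wo, h in zip(w_out, hidden)))

def backprop_step(x, target, w_hidden, w_out, lr=0.5):
    """One gradient-descent step on the squared error for one example."""
    hidden, out = forward(x, w_hidden, w_out)
    delta_out = (out - target) * out * (1 - out)   # output-layer error term
    new_w_out = [wo - lr * delta_out * h for wo, h in zip(w_out, hidden)]
    new_w_hidden = []
    for j, row in enumerate(w_hidden):
        # error propagated backwards through the old output weights
        delta_h = delta_out * w_out[j] * hidden[j] * (1 - hidden[j])
        new_w_hidden.append([w - lr * delta_h * xi for w, xi in zip(row, x)])
    return new_w_hidden, new_w_out

x, target = [1.0, 0.0], 1.0
w_hidden = [[0.2, -0.4], [0.7, 0.1]]               # 2 hidden neurons
w_out = [0.5, -0.3]
_, before = forward(x, w_hidden, w_out)
w_hidden, w_out = backprop_step(x, target, w_hidden, w_out)
_, after = forward(x, w_hidden, w_out)
print(before < after)  # True: one step moves the output toward the target
```

Training repeats this step over many examples and epochs; the "backwards" propagation is visible in delta_h, which reuses the output-layer error term scaled by the old output weights.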
4.2.3 Unsupervised Machine Learning Algorithms
Self-Organizing Maps (SOM)
The Self-Organizing Map is a neural-network-based model for analyzing
and visualizing high-dimensional data. The SOM defines a mapping from a
high-dimensional input data space onto a two-dimensional array of
neurons. It is a competitive network whose objective is to convert an
input data set of arbitrary dimension into a one- or two-dimensional
topological map. The model was first proposed by the Finnish professor
Teuvo Kohonen and is thus also referred to as a Kohonen map. It aims to
discern the underlying structure (e.g. a feature map) of the input data
set by constructing a topology-preserving map that reflects the
neighborhood relations of the points in the data set [95] [96].
Fig. 4.11. Self-Organizing Map.
The SOM is commonly used in the fields of data compression and pattern
recognition. It is a single-layer feedforward network in which each
source node is connected to all output neurons, and the input dimension
is generally higher than the output dimension.
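One training step of a SOM can be sketched as follows: find the best-matching unit (BMU) for an input and pull it and its grid neighbors toward that input. The 2 × 2 grid, learning rate and neighborhood radius are illustrative choices, not from the source:

```python
# One SOM update: competitive selection of the best-matching unit,
# then a neighborhood of the winner is moved toward the input vector.

import math

def som_step(weights, x, lr=0.5, radius=1):
    """weights: dict mapping (row, col) grid positions to weight vectors."""
    # 1. Best-matching unit: the neuron whose weights are closest to x.
    bmu = min(weights, key=lambda pos: math.dist(weights[pos], x))
    # 2. Move the BMU and its grid neighborhood toward the input,
    #    preserving the topology of the map.
    for pos, w in weights.items():
        grid_distance = abs(pos[0] - bmu[0]) + abs(pos[1] - bmu[1])
        if grid_distance <= radius:
            weights[pos] = [wi + lr * (xi - wi) for wi, xi in zip(w, x)]
    return bmu

weights = {(0, 0): [0.1, 0.9], (0, 1): [0.5, 0.5],
           (1, 0): [0.9, 0.1], (1, 1): [0.8, 0.8]}
bmu = som_step(weights, [1.0, 0.0])
print(bmu)  # (1, 0): the neuron nearest the input wins
```

Repeating this step over the data set, while shrinking the learning rate and radius, is what makes nearby neurons end up representing nearby regions of the input space.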
K-means Clustering
According to Hartigan, each of the k clusters can be represented by the
mean of the documents assigned to that cluster, often termed the
centroid of that cluster [97]. According to Berkhin, two versions of
the k-means algorithm exist [62].
The first version, also known as Forgy's algorithm [77], is the batch
version. Its major iterations are:
• Reassigning all data points to their nearest centroids.
• Recomputing the centroids of the newly assembled groups.
Before the iterations start, k documents are selected as initial
centroids. Iterations continue until some stopping criterion is met.
The second version of the k-means algorithm is the online or
incremental version. According to Steinbach et al., it offers better
performance than the batch version in the domain of text documents
[62]. Initially, k documents are selected randomly as initial
centroids; then documents are iteratively allocated to their nearest
centroid, and the centroids are updated after each assignment.
Iteration stops when no more reassignments occur.
The centroid vector c of cluster C of documents is defined as
average of weights of the terms of documents in C.
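The batch (Forgy) version can be sketched as below, with points in the plane standing in for documents, the first k points taken as initial centroids, and "no more reassignments" as the stopping criterion:

```python
# Batch (Forgy) k-means: alternate the two iterations described above
# until the assignment stops changing. Toy 2-D data, Euclidean distance.

import math

def kmeans(points, k, max_iter=100):
    centroids = points[:k]                      # initial centroids
    assignment = None
    for _ in range(max_iter):
        # Reassign every point to its nearest centroid.
        new_assignment = [min(range(k), key=lambda j: math.dist(p, centroids[j]))
                          for p in points]
        if new_assignment == assignment:        # stopping criterion
            break
        assignment = new_assignment
        # Recompute each centroid as the mean of its newly assembled group.
        for j in range(k):
            members = [p for p, a in zip(points, assignment) if a == j]
            if members:
                centroids[j] = tuple(sum(c) / len(members) for c in zip(*members))
    return centroids, assignment

points = [(1, 1), (1, 2), (2, 1), (8, 8), (8, 9), (9, 8)]
centroids, assignment = kmeans(points, 2)
print(assignment)  # [0, 0, 0, 1, 1, 1]
```

The online version differs only in that the centroid update happens after every single assignment rather than after a full pass.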
Divisive Hierarchical Clustering
Divisive algorithms begin with a single cluster containing all
documents. At each iteration the most suitable cluster is split until a
stopping criterion, such as a pre-decided number k of clusters, is
reached. Kaufman and Rousseeuw devised a method to implement this
algorithm [98] [99]: at each step the cluster with the largest diameter
is split, this being the cluster that contains the most distant, i.e.
least similar, pair of documents. Within this cluster the document with
the least average similarity to the other documents is removed to form
a new singleton cluster, and the algorithm continues by iteratively
assigning the documents in the cluster being split to the new cluster
if they have greater average resemblance to the documents in the new
cluster. As the clustering quality of this method is not comparable
with that of the other algorithms, a minor modification is made: the
least similar pair of documents in the cluster being split is removed
to form two new singleton clusters, and the rest of the documents in
the cluster are iteratively assigned to one of the new clusters
depending upon average similarity.
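The modified split step can be sketched as follows, with points standing in for documents and Euclidean distance standing in for dissimilarity; the least similar pair seeds two new clusters and each remaining member joins the cluster it is closer to on average:

```python
# One split step of the modified divisive scheme: the most distant pair
# seeds two new clusters; the rest join by average distance. Toy data.

import math
from itertools import combinations

def split_cluster(cluster):
    # The least similar (most distant) pair seeds the two new clusters.
    a, b = max(combinations(cluster, 2), key=lambda pair: math.dist(*pair))
    group_a, group_b = [a], [b]
    for p in cluster:
        if p in (a, b):
            continue
        avg_a = sum(math.dist(p, q) for q in group_a) / len(group_a)
        avg_b = sum(math.dist(p, q) for q in group_b) / len(group_b)
        (group_a if avg_a <= avg_b else group_b).append(p)
    return group_a, group_b

cluster = [(0, 0), (1, 0), (0, 1), (9, 9), (9, 8)]
print(split_cluster(cluster))
```

A full divisive run would repeat this step, each time choosing the current cluster with the largest diameter, until the desired number of clusters is reached.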
4.3 IDENTITY MANAGEMENT
4.3.1 Digital Identity Lifecycle
Digital identity is at the heart of many contemporary strategic
modernizations and innovations, with applications ranging from crime
and misconduct to internal and external security and business models,
and it necessitates disclosing personal information within ubiquitous
environments [100]. This raises serious security concerns and
discomfort for users, and creates the requirement for Identity
Management (IM) within ubiquitous environments.
In the digital world an individual can be represented by sets of data
(attributes) which can be managed and handled by technical means,
so-called digital identities. Depending on the situation and the
context, only subsets of these attributes are required to represent an
individual or an identity in the physical and the digital world,
so-called (digital) partial identities [101]. An identity management
system helps by providing the tools for managing and handling these
partial and restricted identities in the digital world.
Identity lifecycle management covers the processes and technology used
for creating, deleting and managing accounts and entitlement changes
and for tracking policy compliance, including some or all of the
following [102]:
• Provisioning/de-provisioning. Accounts in multiple systems are
automatically created and expired based on data acquired from
authoritative data sources, reducing the effort of creating and
managing accounts manually and reducing security risk through the
automatic application of policies.
• Workflow. The automation of steps within the identity lifecycle
management process, comprising approval, notification, escalation
and the creation of audit data.
• Administration. The simplification of the administration of
identities, often through the deployment of a web-based user
administration console. Such interfaces are frequently used for
delegated administration and possibly even user self-service, in
conjunction with workflow.
• Credential management. Passwords, certificates and smart cards.
Lifecycle management provides an integrated and comprehensive solution
for managing the complete lifecycle of user identities and their
related credentials and entitlements. The lifecycle of an individual in
an organization must be managed in a way that ensures the security of
the organization's confidential data. The functionality of identity
lifecycle management is mainly divided into two components: a
provisioning component and an administrative component. The
administrative component mainly specifies delegation rules and provides
self-service facilities for changing personal details or making
requests. Delegating the rights of an administrator to a second person
is critical in unstable and dynamic cloud-based situations [10].
The careful design of the digital identity's complete lifecycle
provides an effective basis for identity management. Currently, the
lifecycle is modelled as a sequential multiphase process that moves from
a creation phase to a termination phase, with support for updating and
maintenance; however, such a sequential process does not actually meet
the requirements that multiple dependable identities pose [103].
4.3.2 Access-Control Lists
An Access Control List (ACL) governs the ability of a role to perform
actions such as reading, deleting or updating files. ACLs provide a
mechanism for defining network security that restricts and controls
access between users and network resources on the basis of specified
rules. They are built from individual rules that are applied to each
received packet. Identity Driven Manager (IDM) ACLs are unique in that
they are applied to an individual user when the user connects to the
network and removed when the user disconnects. Using IDM ACLs, network
administrators can grant users and groups access permissions directly to
the network resources they need [104].
In access control systems there is a clear separation between
mechanisms and policies. Policies are high-level guidelines that decide
how accesses are controlled and how access decisions are made; mechanisms
are the low-level hardware and software functions that can be configured
to implement a policy. Security researchers aim to create access-control
mechanisms that are independent of the policy for which they are used.
This is a desirable objective because it permits the reuse of mechanisms
for a variety of security purposes. The choice of access control policy
depends on the specific features of the environment to be protected,
since not every system requires the same protection. For example, access
control policies that are strict enough for critical systems may be
inappropriate for environments where users require greater flexibility.
The access matrix is a conceptual model that specifies the rights and
permissions every subject possesses for each object. The matrix consists
of rows and columns: each row corresponds to a subject and each column to
an object, and each cell specifies the accesses that the subject in that
row is authorized to perform on the object in that column. The main task
of access control is to ensure that only operations authorized by the
access matrix are actually executed. Note that the access matrix clearly
separates authentication from authorization.
The Access Control List is the most popular approach to implementing
the access matrix. Each object is associated with an ACL that indicates,
for each subject in the system, the operations that subject is authorized
to perform on the object. ACLs make access review with respect to an
object straightforward: access to an object (a column of the matrix) can
be revoked simply by emptying its ACL. If all accesses of a subject are
to be revoked, however, every ACL must be visited one by one [105].
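A minimal sketch makes the matrix-to-ACL relationship concrete; the subjects, objects and rights below are invented examples:

```python
# Access matrix: rows = subjects, columns = objects, cells = sets of rights.
matrix = {
    ("alice", "file1"): {"read", "write"},
    ("bob",   "file1"): {"read"},
}

def to_acls(matrix):
    """Column-wise view: each object maps subjects to their rights (an ACL)."""
    acls = {}
    for (subject, obj), rights in matrix.items():
        acls.setdefault(obj, {})[subject] = set(rights)
    return acls

def check(acls, subject, obj, op):
    """Permit an operation only if the ACL (i.e. the matrix) authorizes it."""
    return op in acls.get(obj, {}).get(subject, set())

acls = to_acls(matrix)
print(check(acls, "bob", "file1", "write"))   # False: not in the matrix
acls["file1"].clear()                         # revoke all access to file1
print(check(acls, "alice", "file1", "read"))  # False after revocation
```

Note how revoking every access to an object is a single operation on its ACL, whereas revoking every access held by one subject would require scanning all ACLs, which matches the trade-off described above.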
4.3.3 Components of Identity Management
Identity management is a broad administrative area that deals with
identifying and recognizing individuals in a system, such as an
enterprise or a network, and controlling their access to resources within
that system by associating user rights and restrictions with the
established identity. The passport is a good example of identity
management: citizens are identified by their passport number and
nationality, and restrictions apply, such as not being permitted to enter
a particular country after the passport's expiry date.
Identity management refers to the process of employing emerging and
evolving technologies to manage information about the identity of users
and to control access to company resources. The main objective of
identity management is to improve productivity and security while
reducing the costs associated with managing users and their attributes,
identities, and credentials [106].
Traditionally, identity management has concentrated on managing an
organization's employees, ensuring that their authentication and
authorization information is reliable, consistent and up to date across
the organization's information systems. This traditional approach
continues to pose challenges for security architects and designers,
particularly given the large base of legacy systems. However, the true
value of identity management comes into play with consumers and business
partners [107].
The identity management infrastructure has many components: an
authoritative source, a directory component, an administration component,
a directory integration component, a provisioning component, an access
control component, and a generalized application interfaces component
[100].
4.3.4 Identity Management Objectives
An identity management system is a technology developed mainly to
enhance security by identifying, authenticating and authorizing the users
of a system and by monitoring them, logging user identities and the data
they attempt to access. The need for identity management arose when
attacks on sensitive and vulnerable data began to occur. With the advent
of the cloud, there has been a gradual shift from the traditional
environment to the cloud computing environment, where attacks on a system
are estimated to come mainly from insiders rather than outsiders. The
identity manager is built on the cloud to uniquely identify the users of
an application. The objectives and role of the identity manager in the
cloud environment are discussed in the following sections [108].
The objectives of identity management are:
• Uniqueness of Identity: In an organization, the identity manager
gives a unique identity to users, employees and customers [108].
Whenever sensitive records are accessed, the administrator can
easily identify the user accessing the resource.
• Online Privacy: Users of the system can be assured of privacy while
accessing resources, interacting with people and saving files
online [109].
• Management of Personal Data: The user is able to manage the level of
exposure of personal data. Data managed by one user is not affected
by other users, and a user can also hide data from other users
[109].
• Delegation: The process of securely assigning a person to a role
whose priority is within the delegator's own authority [109].
Delegation is easily performed when identity management is in use.
• Management of the Identity System in a Federated Environment: In a
federated environment, many organizations establish a trust
relationship and let the identities of the users of the cooperating
organizations be federated. In this case [109], issues such as
conflicting identities, identical user IDs and differing login
interfaces arise. A federated identity manager should therefore be
established in the federated environment to implement the
organizations' identity management rules.
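One reading of the delegation objective above is that a delegator may assign a role only when the delegator's own authority level meets the role's priority. The following sketch encodes that rule; the authority levels, role names and function are assumptions made for illustration:

```python
# Hypothetical authority levels and role priorities (higher = more authority).
authority = {"admin": 3, "manager": 2, "staff": 1}
role_priority = {"auditor": 2}

def delegate(delegator, delegatee, role, grants):
    """Grant a role only if the delegator's authority covers its priority."""
    if authority[delegator] >= role_priority[role]:
        grants.setdefault(delegatee, set()).add(role)
        return True
    return False

grants = {}
print(delegate("staff", "bob", "auditor", grants))    # False: authority too low
print(delegate("manager", "bob", "auditor", grants))  # True: 2 >= 2
```

The check prevents privilege escalation through delegation: no user can hand out a role carrying more authority than they themselves hold.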
4.3.5 Role of Identity Management in Cloud Environment
In a cloud environment, resources that are to be published to
everyone are placed in the public domain by default. When a resource is
put in a public cloud with no restrictions, it is accessible to everyone
inside the cloud. When a user wants to add a resource to the cloud and
keep it private, the resource must be kept in a space that only
identified and authorized users can access. It is for the privacy and
security of data in the cloud environment that the identity manager is
introduced into cloud computing [110].
Recently a new architecture, namely Security as a Service, has been
introduced. The service provides security for both users and providers
[111] and may include many security measures, among them identity and
access management. The service enables one cloud to work with another
cloud, with the service itself hosted on a different cloud: security is
provided from one cloud, which can be called the security provider, to
the cloud environment that consumes the security service.
Unlike a traditional environment, in a cloud environment many
operating systems run on a single hypervisor. The identity manager in a
traditional environment can manage identities on all the systems in the
organizational network by creating a central active directory, which maps
users to their systems for identification and authentication on the
network. In a cloud environment, because many operating systems may run
on a single hypervisor and no parent directory of users across the
hypervisors in the cloud has yet been established, users lack the
flexibility to use the same identity on different hypervisors. A global
identity manager is therefore required to maintain identities and to
resolve identity issues between hypervisors and between applications
[112].
The identity manager also helps protect users' private data by
enabling a lock on the data, such as a password, fingerprint reader,
barcode reader or retina identification. In a cloud environment that
provides no security for private information, sensitive data such as bank
account and credit card numbers should not be stored. When an identity
manager is implemented, every item of data stored in the cloud has its
own storage space [113]: the public domain, the user's private storage,
an organization's storage area (accessible only by users from that
organization), the cloud manager's storage area, and so on. Each storage
area in the cloud has its own level of accessibility, which ensures the
protection and privacy of the data.
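The per-area accessibility levels described above can be sketched as a single check; the area names and the rules attached to them are illustrative assumptions:

```python
def can_access(area, user, owner=None, org=None, user_org=None, is_manager=False):
    """Decide access by storage area: each area has its own accessibility rule."""
    if area == "public":
        return True                      # public domain: open to everyone
    if area == "private":
        return user == owner             # only the owning user
    if area == "organization":
        return user_org == org           # only users from the same organization
    if area == "manager":
        return is_manager                # only the cloud manager
    return False                         # unknown area: deny by default

print(can_access("public", "alice"))                                     # True
print(can_access("private", "alice", owner="bob"))                       # False
print(can_access("organization", "alice", org="acme", user_org="acme"))  # True
```

Denying by default for unrecognized areas reflects the idea that anything outside the public domain should only be reachable through an identified, authorized path.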
The identity manager also offers delegated administration [113].
With this feature, a user in the management system can delegate authority
for a role temporarily or permanently; along with the authority, the
corresponding privileges are also granted during delegation.
4.4 SUMMARY
As a modern infrastructure technology, cloud computing involves many
recent advancements, and designing a security system for the cloud
requires the integration of several modern technologies. Hence, a new
state-of-the-art cloud security framework named eCloudIDS has been
designed, combining an intrusion detection system (IDS), machine
learning, and identity management (IDM).