Distributed Intrusion Detection System using Mobile Agents in Cloud Computing Environment


Page 1

Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad
KTH Applied Information Security Lab

Distributed Intrusion Detection System using Mobile Agents in Cloud Computing Environment

Yasir Mehmood, 2011-NUST-MS-CCS-31
Supervisor: Dr. Awais Shibli
Committee Members: Dr. Abdul Ghafoor, Dr. Adnan Kiani, Ms. Hirra Anwar

Page 2

Agenda

Overview
Introduction
Challenges & Motivations
Literature Survey
Problem Statement
Architecture & Workflow
Standards & Technologies
Roadmap
References

Page 3

What is an Intrusion Detection System?

Figure: IDS workflow. Traffic is monitored and analyzed by a software or hardware IDS; an intrusion by the intruder is detected and reported to the system administrator, who takes appropriate action.

Page 4

Introduction

The open and distributed architecture of the Cloud Computing paradigm is vulnerable to intruders, who may threaten the security of Cloud Service Providers (CSPs) and Cloud Service Consumers (CSCs).

Page 5

Where to deploy an IDS in the Cloud

In a Cloud environment, an IDS may be deployed at any of the three layers:

Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS)

Deployment of the IDS at the IaaS layer is the most flexible model.

Reference: P. Cox, Intrusion detection in a cloud computing environment, http://searchcloudcomputing.techtarget.com/tip/Intrusion-detection-in-a-cloud-computing-environment

Page 6

Cloud??

“Comes from the early days of the Internet where we drew the network as a cloud… we didn’t care where the messages went… the cloud hid it from us” – Kevin Marks, Google

Page 7

Challenges to Cloud-based IDS

Scalability
Distributed and Large-Scale Attacks
Mobility
Single Point of Failure
False Positive Rate
Network Load

Page 8

Literature Survey

Page 9

Paper 1: Distributed Intrusion Detection in Clouds using Mobile Agents

Problem: The increased number of security issues in public cloud

Motivation: Flexibility, Mobility, Scalability

Reference: A. V. Dastjerdi, K. A. Bakar, S. G. H. Tabatabaei, “Distributed Intrusion Detection in Clouds using Mobile Agents”, Third International Conference on Advanced Engineering Computing and Applications in Sciences, 2009, pp. 175-180.

Page 10

Paper 1: Solution

Pros: Can detect both known attacks and variants of known attacks

Cons: Limited number of VMs can be visited

Reference: A. V. Dastjerdi, K. A. Bakar, S. G. H. Tabatabaei, “Distributed Intrusion Detection in Clouds using Mobile Agents”, Third International Conference on Advanced Engineering Computing and Applications in Sciences, 2009, pp. 175-180.

Page 11

Paper 2: Signature-based Multi-Layer Distributed Intrusion Detection System using Mobile Agents

Problem:
Large size of network traffic
Creation of signatures
Cooperation between the Small Signature Database (SSD) and the Complementary Signature Database (CSD)

Reference: M. Uddin, A. A. Rehman, N. Uddin, et al., “Signature-based Multi-Layer Distributed Intrusion Detection System using Mobile Agents”, International Journal of Network Security, Vol. 15, No. 1, Jan. 2013, pp. 79-87.

Page 12

Paper 2: Solution

Pros:
Ability to handle a large volume of network traffic
Fast processing, since traffic is matched against a small set of signatures

Cons: Vulnerable to attacks whose signatures are missing from the SSD

Reference: M. Uddin, A. A. Rehman, N. Uddin, et al., “Signature-based Multi-Layer Distributed Intrusion Detection System using Mobile Agents”, International Journal of Network Security, Vol. 15, No. 1, Jan. 2013, pp. 79-87.

Page 13

Paper 3: A Distributed Intrusion Detection System based on Mobile Agents

Problem: Intrusions from inside and outside the network

Motivation: Protection of the network from distributed intrusions

Reference: M. Xiu-liang, W. Chun-dong, W. Huai-bin, “A Distributed Intrusion Detection System Based on Mobile Agents”, IEEE 2009.

Page 14

Paper 3: Solution

Pros: Detects distributed intrusions; can detect new attacks

Cons: Single point of failure

Reference: M. Xiu-liang, W. Chun-dong, W. Huai-bin, “A Distributed Intrusion Detection System Based on Mobile Agents”, IEEE 2009.

Page 15

Literature Survey Findings

Page 16

Literature Survey Findings (cont.)

Page 17

Industrial Motivation

Page 18

Industrial Survey

http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/

Sourcefire is being bought by Cisco for ~$2.7b. The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine.

Page 19

Community Response

http://mail-archives.apache.org/mod_mbox/cloudstack-users/201311.mbox/browser

Suricata is multithreaded, against Snort, which is single-threaded. Performance is one big issue with Snort.

Adding a new extension to Snort, e.g. APPID detection, is equally not easy.

The engine structure of Suricata is assumably far better for adding a new plugin, e.g. APP detection at various layers.

Page 20

Problem Statement

Large-scale and distributed intrusions, caused mainly by the open and distributed architecture of the Cloud, threaten both Cloud Service Providers (CSPs) and Cloud Service Consumers (CSCs).

Page 21

Proposed Solution

A Distributed Intrusion Detection System using Mobile Agents in Cloud Computing Environment

Correlation of intrusion alerts from multiple locations in order to identify distributed intrusions.

OSSIM, Stable release: 4.2.3 / June 5, 2013

Page 22

Proposed System Architecture and Workflow

Figure: proposed system architecture. Components shown: Signature Database, Alert Correlation, Management Server, Management Station, Alert Console, and a mobile agent (MA) on each of VM 1, VM 2 and VM 3.
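The alert-correlation step of the proposed architecture, as an added example that is not part of the presentation: mobile agents on VM 1 to VM 3 forward alerts to the management server, which reports a distributed intrusion when the same signature and source address is seen from several VMs within a short window. The alert fields, signature ids and addresses are constructed for the example, and the window size and VM threshold are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts in the shape a mobile agent on each VM would forward to
# the management server: (timestamp, reporting VM, signature id, source IP).
# Signature ids and addresses are made up for this example.
AGENT_ALERTS = [
    ("2013-11-05T10:00:05", "VM1", 1000001, "198.51.100.9"),
    ("2013-11-05T10:00:40", "VM2", 1000002, "203.0.113.4"),
    ("2013-11-05T10:01:10", "VM3", 1000001, "198.51.100.9"),
    ("2013-11-05T10:01:55", "VM2", 1000002, "203.0.113.4"),
    ("2013-11-05T10:02:30", "VM2", 1000001, "198.51.100.9"),
    ("2013-11-05T10:03:00", "VM1", 1000001, "192.0.2.50"),
    ("2013-11-05T10:12:00", "VM3", 1000001, "192.0.2.50"),
]


def correlate(alerts, window=timedelta(minutes=5), min_vms=2):
    """Alert correlation as the management server would run it.

    Alerts are grouped by (signature id, source IP). A group is reported as a
    distributed intrusion once alerts for it have arrived from at least
    `min_vms` distinct VMs within `window`; later hits extend the same finding.
    Window and threshold are assumed values, not taken from the presentation.
    """
    recent = defaultdict(list)  # (sid, src) -> [(time, vm), ...] still inside window
    findings = {}               # (sid, src) -> finding, one per correlated group
    for ts_text, vm, sid, src in sorted(alerts):  # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_text)
        key = (sid, src)
        # forget alerts that have aged out of the correlation window
        recent[key] = [(t, v) for t, v in recent[key] if ts - t <= window]
        recent[key].append((ts, vm))
        vms_in_window = {v for _, v in recent[key]}
        if len(vms_in_window) >= min_vms:
            f = findings.setdefault(key, {"sid": sid, "src": src, "vms": [],
                                          "first": recent[key][0][0].isoformat()})
            f["vms"] = sorted(set(f["vms"]) | vms_in_window)
            f["last"] = ts.isoformat()
    return list(findings.values())


if __name__ == "__main__":
    for finding in correlate(AGENT_ALERTS):
        print(finding)
```

In the sample data only the source that hit three VMs within the window is reported; the repeated alerts from a single VM and the two hits nine minutes apart are not.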

Page 23

Related Standards and Technologies

Page 24

Roadmap

Milestones                                    Duration
Preliminary study and research                Done
Implementation
Cloud configuration                           2 weeks
Installation and configuration of Suricata    1 week
Development of mobile agents                  2 months
Signature creation and correlation            2 months
Testing and evaluation                        1 month
Final documentation                           1 month


Page 26

References

[1]. C. C. Lo, C. C. Huang, J. Ku, “A Cooperative Intrusion Detection System Framework for Cloud Computing Networks”, 39th International Conference on Parallel Processing Workshops 2010, pp. 280-284.

[2]. C. N. Modi, D. R. Patel, A. Patel, R. Muttukrishnan, “Bayesian Classifier and Snort based Network Intrusion Detection System in Cloud Computing”, Third International Conference on Computing, Communication and Networking Technologies, 26th-28th July 2012.

[3]. C. Mazzariello, R. Bifulco and R. Canonico, “Integrating a Network IDS into an Open Source Cloud Computing Environment”, 2010 Sixth International Conference on Information Assurance and Security, pp. 265-270.

[4]. A. Bakshi, Yogesh B, “Securing cloud from DDOS Attacks using Intrusion Detection System in Virtual Machine”, 2010 Second International Conference on Communication Software and Networks, pp. 260-264.

[5]. Ms. P. K. Shelke, Ms. S. Sontakke, Dr. A. D. Gawande, “Intrusion Detection System for Cloud Computing”, International Journal of Scientific & Technology Research Volume 1, Issue 4, May 2012, pp. 67-71.


Page 27

References

[6]. A. Patel, Q. Qassim, Z. Shukor, J. Nogueira, J. Júnior and C. Wills, “Autonomic Agent-Based Self-Managed Intrusion Detection and Prevention System”, Proceedings of the South African Information Security Multi-Conference (SAISMC 2010), pp. 223-234.

[7]. J. H. Lee, M. W. Park, J. H. Eom, T. M. Chung, “Multi-level Intrusion Detection System and Log Management in Cloud Computing”, ICACT, 2011, pp. 552-555.

[8]. A. V. Dastjerdi, K. A. Bakar, S. G. H. Tabatabaei, “Distributed Intrusion Detection in Clouds using Mobile Agents”, Third International Conference on Advanced Engineering Computing and Applications in Sciences, 2009, pp. 175-180.

[9]. K. Vieira, A. Schulter, Carlos B. Westphall, and C. M. Westphall, “Intrusion Detection for Grid and Cloud Computing”, IEEE Computer Society, (July/August 2010), pp. 38-43.

[10]. S. N. Dhage, B. B. Meshram, R. Rawat, S. Padawe, M. Paingaokar, A. Misra, “Intrusion Detection System in Cloud Computing Environment”, International Conference and Workshop on Emerging Trends in Technology (ICWET 2011), pp. 235-239.


Page 28

References

[11]. S. Bharadwaja, W. Sun, M. Niamat, F. Shen, “Collabra: A Xen Hypervisor based Collaborative Intrusion Detection System”, Eighth International Conference on Information Technology: New Generations, 2011, pp. 695-700.

[12]. M. Uddin, A. A. Rehman, N. Uddin, et al., “Signature-based Multi-Layer Distributed Intrusion Detection System using Mobile Agents”, International Journal of Network Security, Vol. 15, No. 1, Jan. 2013, pp. 79-87.

[13]. M. Xiu-liang, W. Chun-dong, W. Huai-bin, “A Distributed Intrusion Detection System Based on Mobile Agents”, IEEE 2009.

[14]. Suricata: The Snort Replacer (Part 1: Intro & Install), Jul 24, 2013, http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/

[15]. cloudstack-users mailing list archives: November 2013, http://mail-archives.apache.org/mod_mbox/cloudstack-users/201311.mbox/browser

[16]. P. Cox, Intrusion detection in a cloud computing environment, http://searchcloudcomputing.techtarget.com/tip/Intrusion-detection-in-a-cloud-computing-environment
