Distributed Intrusion Detection System using Mobile Agents in Cloud Computing Environment
Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad
KTH Applied Information Security Lab
Yasir Mehmood (2011-NUST-MS-CCS-31)
Supervisor: Dr. Awais Shibli
Committee Members: Dr. Abdul Ghafoor, Dr. Adnan Kiani, Ms. Hirra Anwar
Agenda
Overview
Introduction
Challenges & Motivations
Literature Survey
Problem Statement
Architecture & Workflow
Standard & Technologies
Roadmap
References
What is an Intrusion Detection System
An IDS (software or hardware) monitors traffic, analyzes it, and when an intrusion is detected reports it to the system administrator, who takes appropriate action against the intruder.
Introduction
The open and distributed architecture of Cloud Computing paradigm is vulnerable to intruders who may threaten the security of Cloud Service Providers (CSPs) and Cloud Service Consumers (CSCs).
Where to deploy an IDS in the Cloud
In a Cloud environment, an IDS may be deployed at any of the three layers:
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS)
Deployment of the IDS at the IaaS layer is the most flexible model.
Reference: P. Cox , Intrusion detection in a cloud computing environment, http://searchcloudcomputing.techtarget.com/tip/Intrusion-detection-in-a-cloud-computing-environment
Cloud?
“Comes from the early days of the Internet where we drew the network as a cloud… we didn’t care where the messages went… the cloud hid it from us” – Kevin Marks, Google
Challenges to a Cloud-based IDS
Scalability
Distributed and Large Scale Attacks
Mobility
Single Point of Failure
False Positive Rate
Network load
Literature Survey
Paper 1: Distributed Intrusion Detection in Clouds using Mobile Agents
Problem: The increased number of security issues in public clouds
Motivation: Flexibility, Mobility, Scalability
Reference: A. V. Dastjerdi, K. A. Bakar, S. G. H. Tabatabaei, “Distributed Intrusion Detection in Clouds using Mobile Agents”, Third International Conference on Advanced Engineering Computing and Applications in Sciences, 2009, pp. 175-180.
Solution
Pros: Can detect both known and variants of known attacks
Cons: Limited number of VMs to be visited
Paper 2: Signature-based Multi-Layer Distributed Intrusion Detection System using Mobile Agents
Problem:
Large size of network traffic
Creation of signatures
Cooperation among the Small Signature Database (SSD) and the Complementary Signature Database (CSD)
Reference: M. Uddin, A. A. Rehman, N. Uddin, et al., “Signature-based Multi-Layer Distributed Intrusion Detection System using Mobile Agents”, International Journal of Network Security, Vol. 15, No. 1, Jan. 2013, pp. 79-87.
Solution
Pros: Ability to handle a large volume of network traffic; fast processing due to matching against a small set of signatures
Cons: Vulnerable to attacks whose signatures are missing at SSD
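To make the two-layer lookup concrete, here is an added Python example (not code from Uddin et al. or from this thesis) of SSD-first matching with fall-back to the CSD, plus promotion of CSD signatures that keep firing into the SSD. The signatures, the promotion threshold and the traffic samples are constructed for the example, and the promotion policy is an assumption about how the two databases might cooperate, not the paper's mechanism. The last sample payload has no signature in either layer, which is the weakness listed under Cons.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Signature:
    sid: int
    name: str
    pattern: "re.Pattern"


# Constructed sample databases (assumed for this example, not from the paper).
# SSD: the small, hot set every node checks first.
SSD_RAW = [
    (1001, "HTTP path traversal", r"\.\./\.\./"),
    (1002, "SQLi tautology", r"'\s*or\s+1\s*=\s*1"),
]
# CSD: the larger complementary set, consulted only on an SSD miss.
CSD_RAW = [
    (2001, "Shellshock env probe", r"\(\)\s*\{\s*:;\s*\}\s*;"),
    (2002, "Telnet default-credential login", r"login:\s*admin\s+password:\s*admin"),
]


def compile_sigs(raw):
    return [Signature(sid, name, re.compile(pat)) for sid, name, pat in raw]


def match_layered(payload, ssd, csd):
    """Return ("SSD", sid) on a fast-path hit, ("CSD", sid) on a fall-back hit,
    or None when neither layer holds a signature for the payload."""
    for sig in ssd:
        if sig.pattern.search(payload):
            return ("SSD", sig.sid)
    for sig in csd:
        if sig.pattern.search(payload):
            return ("CSD", sig.sid)
    return None


def promote_hot(hits, ssd, csd, threshold):
    """Assumed cooperation policy: a CSD signature that fired at least
    `threshold` times is moved into the SSD so later matches take the fast path."""
    for sig in list(csd):
        if hits[sig.sid] >= threshold:
            csd.remove(sig)
            ssd.append(sig)


def scan(payloads, ssd_raw=SSD_RAW, csd_raw=CSD_RAW, promote_threshold=2):
    """Scan payloads in order; returns the per-payload verdicts and the final SSD."""
    ssd, csd = compile_sigs(ssd_raw), compile_sigs(csd_raw)
    hits = Counter()
    verdicts = []
    for payload in payloads:
        verdict = match_layered(payload, ssd, csd)
        verdicts.append(verdict)
        if verdict and verdict[0] == "CSD":
            hits[verdict[1]] += 1
            promote_hot(hits, ssd, csd, promote_threshold)
    return verdicts, [s.sid for s in ssd]


# Constructed traffic samples (application-layer payloads only).
SAMPLE_PAYLOADS = [
    "GET /../../etc/passwd HTTP/1.1",                       # SSD hit
    "GET /login?user=x' or 1=1-- HTTP/1.1",                 # SSD hit
    "User-Agent: () { :; }; /bin/bash -c 'id'",             # CSD hit (1st)
    "User-Agent: () { :; }; /bin/bash -c 'id'",             # CSD hit, promoted
    "User-Agent: () { :; }; /bin/bash -c 'id'",             # now an SSD hit
    "GET /index.html HTTP/1.1",                             # benign, no match
    "GET /cgi-bin/test.cgi?cmd=cat%20/etc/shadow HTTP/1.1", # attack with no signature anywhere
]

if __name__ == "__main__":
    verdicts, final_ssd = scan(SAMPLE_PAYLOADS)
    for payload, verdict in zip(SAMPLE_PAYLOADS, verdicts):
        print(f"{verdict!s:16} {payload}")
    print("SSD after scan:", final_ssd)
```

The third and fourth payloads show the cost of the design: every CSD hit first pays for a full SSD miss, and the seventh payload shows the gap the authors acknowledge, a probe that neither layer knows simply passes.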
Paper 3: A Distributed Intrusion Detection System based on Mobile Agents
Problem: Intrusions from inside and outside the network
Motivation: Protection of the network from distributed intrusions
Reference: M. Xiu-liang, W. Chun-dong, W. Huai-bin, “A Distributed Intrusion Detection System Based on Mobile Agents”, IEEE 2009.
Solution
Pros: Detects distributed intrusions; can detect new attacks
Cons: Single Point of Failure
Literature Survey Findings
Industrial Motivation
Industrial Survey
Sourcefire is being bought by Cisco for ~$2.7b. The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine.
http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
Community Response
http://mail-archives.apache.org/mod_mbox/cloudstack-users/201311.mbox/browser
Suricata is multithreaded, as against Snort, which is single-threaded. Performance is one big issue with Snort.
Adding a new extension to Snort (e.g. APPID detection) is equally not easy.
The engine structure of Suricata is presumably far better for adding a new plugin (e.g. APP detection at various layers).
Problem Statement
Large-scale and distributed intrusions, arising mainly from the open and distributed architecture of the Cloud, threaten both Cloud Service Providers (CSPs) and Cloud Service Consumers (CSCs).
Proposed Solution
A Distributed Intrusion Detection System using Mobile Agents in Cloud Computing Environment
Correlation of intrusion alerts from multiple locations in order to identify distributed intrusions.
OSSIM, stable release 4.2.3 (June 5, 2013)
Proposed System Architecture and Workflow
Components shown in the architecture diagram:
Mobile agents (MA), one per monitored virtual machine (VM 1, VM 2, VM 3)
Signature Database
Alert Correlation
Management Server
Management Station with Alert Console
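The correlation step of the proposed solution and the agent-to-management-server workflow of the architecture, as an added Python example that is not part of this proposal and not code from OSSIM or Suricata: each mobile agent forwards Suricata EVE-format alerts from its VM, tagging them with a vm field (assumed here, not a Suricata field), and the management server raises one meta-alert for a source that triggers alerts on two or more VMs within a 60-second window, while a source confined to a single VM stays a local alert. The alert lines, signature IDs, addresses and thresholds are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed agent feed in Suricata EVE JSON shape (one object per line).
# "vm" is assumed to be stamped on by the mobile agent; signature IDs, names
# and IP addresses are made up. The "flow" line shows non-alert events being dropped.
AGENT_FEED = """
{"timestamp":"2013-11-20T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.0.11","alert":{"signature_id":1000001,"signature":"SSH brute-force attempt (constructed)","severity":2},"vm":"VM1"}
{"timestamp":"2013-11-20T10:00:20.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.0.12","alert":{"signature_id":1000001,"signature":"SSH brute-force attempt (constructed)","severity":2},"vm":"VM2"}
{"timestamp":"2013-11-20T10:00:30.000000+0000","event_type":"flow","src_ip":"10.0.0.12","dest_ip":"10.0.0.1","vm":"VM2"}
{"timestamp":"2013-11-20T10:00:45.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.0.13","alert":{"signature_id":1000001,"signature":"SSH brute-force attempt (constructed)","severity":2},"vm":"VM3"}
{"timestamp":"2013-11-20T10:01:00.000000+0000","event_type":"alert","src_ip":"198.51.100.9","dest_ip":"10.0.0.12","alert":{"signature_id":1000002,"signature":"SQL injection attempt (constructed)","severity":1},"vm":"VM2"}
{"timestamp":"2013-11-20T10:02:00.000000+0000","event_type":"alert","src_ip":"198.51.100.9","dest_ip":"10.0.0.12","alert":{"signature_id":1000002,"signature":"SQL injection attempt (constructed)","severity":1},"vm":"VM2"}
{"timestamp":"2013-11-20T10:10:00.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.0.11","alert":{"signature_id":1000001,"signature":"SSH brute-force attempt (constructed)","severity":2},"vm":"VM1"}
"""

EVE_TS = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_agent_feed(text):
    """Agent side: keep alert events only and normalise the fields the server needs."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        alerts.append({
            "ts": datetime.strptime(ev["timestamp"], EVE_TS),
            "src_ip": ev["src_ip"],
            "dest_ip": ev["dest_ip"],
            "sid": ev["alert"]["signature_id"],
            "signature": ev["alert"]["signature"],
            "vm": ev["vm"],
        })
    return alerts


def correlate(alerts, window=timedelta(seconds=60), min_vms=2):
    """Server side: one meta-alert per source whose alerts span >= min_vms
    distinct VMs inside a sliding time window. Each window is reported once."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src_ip"]].append(a)
    meta = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(events):
            start = events[i]["ts"]
            # events are sorted, so the in-window alerts form a prefix of events[i:]
            bucket = [e for e in events[i:] if e["ts"] - start <= window]
            vms = sorted({e["vm"] for e in bucket})
            if len(vms) >= min_vms:
                meta.append({
                    "src_ip": src,
                    "vms": vms,
                    "sids": sorted({e["sid"] for e in bucket}),
                    "first_seen": start.isoformat(),
                    "last_seen": bucket[-1]["ts"].isoformat(),
                    "count": len(bucket),
                })
                i += len(bucket)   # window consumed, do not re-report it
            else:
                i += 1
    return meta


def run(feed=AGENT_FEED):
    return correlate(parse_agent_feed(feed))


if __name__ == "__main__":
    for m in run():
        print(json.dumps(m))
```

With the constructed feed, 203.0.113.7 is reported once as a distributed intrusion across VM1, VM2 and VM3 (its later alert at 10:10 falls outside the window and stays local), while 198.51.100.9, which only ever hits VM2, produces no meta-alert. The window length and the VM threshold are the knobs that trade the false-positive rate against sensitivity to slow, distributed scans.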
Related Standards and Technologies
Roadmap
Milestone                                      Duration
Preliminary study and research                 Done
Implementation:
  Cloud configuration                          2 weeks
  Installation and configuration of Suricata   1 week
  Development of mobile agents                 2 months
  Signature creation and correlation           2 months
Testing and evaluation                         1 month
Final documentation                            1 month
References
[1]. C. C. Lo, C. C. Huang, J. Ku, “A Cooperative Intrusion Detection System Framework for Cloud Computing Networks”, 39th International Conference on Parallel Processing Workshops 2010, pp. 280-284.
[2]. C. N. Modi, D. R. Patel, A. Patel, R. Muttukrishnan, “Bayesian Classifier and Snort based Network Intrusion Detection System in Cloud Computing”, Third International Conference on Computing, Communication and Networking Technologies, 26th-28th July 2012.
[3]. C. Mazzariello, R. Bifulco and R. Canonico, “Integrating a Network IDS into an Open Source Cloud Computing Environment”, 2010 Sixth International Conference on Information Assurance and Security, pp. 265-270.
[4]. A. Bakshi, Yogesh B, “Securing cloud from DDOS Attacks using Intrusion Detection System in Virtual Machine”, 2010 Second International Conference on Communication Software and Networks, pp. 260-264.
[5]. Ms. P. K. Shelke, Ms. S. Sontakke, Dr. A. D. Gawande, “Intrusion Detection System for Cloud Computing”, International Journal of Scientific & Technology Research Volume 1, Issue 4, May 2012, pp. 67-71.
[6]. A. Patel, Q. Qassim, Z. Shukor, J. Nogueira, J. Júnior and C. Wills, “Autonomic Agent-Based Self-Managed Intrusion Detection and Prevention System”, Proceedings of the South African Information Security Multi-Conference (SAISMC 2010), pp. 223-234.
[7]. J. H. Lee, M. W. Park, J. H. Eom, T. M. Chung, “Multi-level Intrusion Detection System and Log Management in Cloud Computing”, ICACT, 2011, pp. 552-555.
[8]. A. V. Dastjerdi, K. A. Bakar, S. G. H. Tabatabaei, “Distributed Intrusion Detection in Clouds using Mobile Agents”, Third International Conference on Advanced Engineering Computing and Applications in Sciences, 2009, pp. 175-180.
[9]. K. Vieira, A. Schulter, Carlos B. Westphall, and C. M. Westphall, “Intrusion Detection for Grid and Cloud Computing”, IEEE Computer Society, (July/August 2010), pp. 38-43.
[10]. S. N. Dhage, B. B. Meshram, R. Rawat, S. Padawe, M. Paingaokar, A. Misra , “Intrusion Detection System in Cloud Computing Environment”, International Conference and Workshop on Emerging Trends in Technology (ICWET 2011), pp. 235-239.
[11]. S. Bharadwaja, W. Sun, M. Niamat, F. Shen, “Collabra: A Xen Hypervisor based Collaborative Intrusion Detection System”, Eighth International Conference on Information Technology: New Generations, 2011, pp. 695-700.
[12]. M. Uddin, A. A. Rehman, N. Uddin, et al., “Signature-based Multi-Layer Distributed Intrusion Detection System using Mobile Agents”, International Journal of Network Security, Vol. 15, No. 1, Jan. 2013, pp. 79-87.
[13]. M. Xiu-liang, W. Chun-dong, W. Huai-bin, “A Distributed Intrusion Detection System Based on Mobile Agents”, IEEE 2009.
[14]. Suricata: The Snort Replacer (Part 1: Intro & Install), Jul 24, 2013, http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
[15]. cloudstack-users mailing list archives: November 2013, http://mail-archives.apache.org/mod_mbox/cloudstack-users/201311.mbox/browser
[16]. P. Cox , Intrusion detection in a cloud computing environment, http://searchcloudcomputing.techtarget.com/tip/Intrusion-detection-in-a-cloud-computing-environment