Intrusion Detection for Grid and Cloud Computing

Kleber Vieira, Alexandre Schulter, Carlos Becker Westphall, and Carla Merkle Westphall, Federal University of Santa Catarina, Brazil

IT Pro, July/August 2010, pp. 38–43. Published by the IEEE Computer Society, 1520-9202/10/$26.00 © 2010 IEEE. Cybersecurity column.

Providing security in a distributed system requires more than user authentication with passwords or digital certificates and confidentiality in data transmission. The Grid and Cloud Computing Intrusion Detection System integrates knowledge and behavior analysis to detect intrusions.

Because of their distributed nature, grid and cloud computing environments are easy targets for intruders looking for possible vulnerabilities to exploit. By impersonating legitimate users, the intruders can use a service's abundant resources maliciously.

To combat attackers, intrusion-detection systems (IDSs) can offer additional security measures for these environments by investigating configurations, logs, network traffic, and user actions to identify typical attack behavior [1]. However, an IDS must be distributed to work in a grid and cloud computing environment. It must monitor each node and, when an attack occurs, alert other nodes in the environment. This kind of communication requires compatibility between heterogeneous hosts, various communication mechanisms, and permission control over system maintenance and updates—typical features in grid and cloud environments [2]. Cloud middleware usually provides these features, so we propose an IDS service offered at the middleware layer (as opposed to the infrastructure or software layers).

An attack against a cloud computing system can be silent for a network-based IDS deployed in its environment, because node communication is usually encrypted. Attacks can also be invisible to host-based IDSs, because cloud-specific attacks don't necessarily leave traces in a node's operating system, where the host-based IDS resides. In this way, traditional IDSs can't appropriately identify suspicious activities in a grid and cloud environment [3] (see the "Related Work in Intrusion Detection" sidebar).

Here, we take a careful look at the cloud case in particular. We propose the Grid and Cloud Computing Intrusion Detection System (GCCIDS), which has an audit system designed to cover attacks that network- and host-based systems can't detect. GCCIDS integrates knowledge and behavior analysis to detect specific intrusions.



Our Proposed Service

In our solution, each node identifies local events that could represent security violations and alerts the other nodes. Each individual IDS cooperatively participates in intrusion detection. Figure 1 depicts the sharing of information between the IDS service and the other elements participating in the architecture: the node, service, event auditor, and storage service.

The node contains the resources, which are accessed homogeneously through the middleware. The middleware sets the access-control policies and supports a service-oriented environment.

The service provides its functionality in the environment through the middleware, which facilitates communication.

The event auditor is the key piece in the system. It captures data from various sources, such as the log system, service, and node messages. The IDS service analyzes this data and applies detection techniques based on user behavior and knowledge of previous attacks. If it detects an intrusion, it uses the middleware's

Related Work in Intrusion Detection

Here we present some of the relevant research on intrusion detection for grids, discussing in particular the techniques they apply and the source of the data they analyze.

Table A classifies related work according to the audit data source (host, network, or grid), the analysis technique (knowledge- or behavior-based), and whether there was a proper evaluation. Fang-Yie Leu, Jia-Chun Lin, Ming-Chang Li, Chao-Tung Yang, and Po-Chi Shih's work [1], along with Stuart Kenny and Brian Coghlan's [2] solutions, are based on analyzing data from a grid's network, although these approaches can't detect grid-specific attacks, because they don't capture any high-level data. Guofu Feng, Xiaoshe Dong, Weizhe Liu, Ying Chu, and Junyang Li integrate a host-based intrusion-detection system (IDS) into a grid environment, providing protection against typical operating system attacks, but not the ones that might target middleware vulnerabilities [3].

Mohamed Tolba [4] and Alexandre Schulter [5] and their colleagues view a computational grid as one big host of resources, and the audit data is collected from the operating systems as in typical host-based IDSs. Their solutions focus on analyzing high-level information regarding grid usage by its users, and they apply behavior-based techniques in the analysis. In comparison, we conclude that the available solutions approach the problem in a different way, especially in regards to the threats we try to defend against by combining two distinct auditing techniques.

References

1. F.-Y. Leu et al., "Integrating Grid with Intrusion Detection," Proc. Int'l Conf. Advanced Information Networking and Applications (AINA 05), vol. 1, IEEE CS Press, 2005, pp. 304–309.
2. S. Kenny and B. Coghlan, "Towards a Grid-Wide Intrusion Detection System," Proc. European Grid Conf. (EGC 05), Springer, 2005, pp. 275–284.
3. G. Feng et al., "GHIDS: Defending Computational Grids against Misusing of Shared Resource," Proc. Asia-Pacific Conf. Services Computing (APSCC 06), IEEE CS Press, 2006, pp. 526–533.
4. M. Tolba et al., "Distributed Intrusion Detection System for Computational Grids," Proc. 2nd Int'l Conf. Intelligent Computing and Information Systems (ICICIS 05), 2005.
5. A. Schulter et al., "Intrusion Detection for Computational Grids," Proc. 2nd Int'l Conf. New Technologies, Mobility, and Security, IEEE Press, 2008, pp. 1–5.

Table A. Features of related works concerning intrusion detection for grids.

Author     Host-based IDS   Network-based IDS   Data from a grid   Knowledge-based technique   Behavior-based technique   Validation
Tolba      Yes              No                  Yes                No                          Yes                        Yes
Schulter   Yes              Yes                 No                 No                          Yes                        Yes
Choon      No               Yes                 N/A                No                          No                         No
Kenny      No               Yes                 No                 Yes                         No                         Yes
Leu        No               Yes                 No                 Yes                         No                         Yes
Feng       Yes              No                  No                 Yes                         No                         Yes


capabilities, and can tolerate small behavior deviations. These features help overcome some IDS limitations [4].

Using this method, we need to recognize expected behavior (legitimate use) or a severe behavior deviation. Training plays a key role in the pattern recognition that feed-forward networks perform. The network must be correctly trained to efficiently detect intrusions. For a given intrusion sample set, the network learns to identify the intrusions using its backpropagation algorithm. However, we focus on identifying user behavioral patterns and deviations from such patterns. With this strategy, we can cover a wider range of unknown attacks.

Knowledge Analysis

Knowledge-based intrusion detection is the most often applied technique in the field because it results in a low false-alarm rate and high positive rates, although it can't detect unknown attack patterns. It uses rules (also called signatures) and monitors a stream of events to find malicious characteristics.

Using an expert system, we can describe a malicious behavior with a rule. One advantage of using this kind of intrusion detection is that we can add new rules without modifying existing ones. In contrast, behavior-based analysis is performed on learned behavior that can't be modified without losing the previous learning. Generating rules is the key element in this technique—it helps the expert system recognize newly discovered attacks. Creating a rule consists of defining the set of conditions that represent the attack.

Increasing Attack Coverage

The two intrusion detection techniques are distinct. The knowledge-based intrusion detection is characterized by a high hit rate of known attacks, but it's deficient in detecting new attacks. We therefore complemented it with the behavior-based technique, which can discover deviations from acceptable use and thus help identify privilege abuse.

The volume of data in a cloud computing environment can be high, so administrators don't observe each user's actions—they observe only alerts from the IDS.

Results

We developed a prototype to evaluate the proposed architecture using Grid-M, a middleware of our research group developed at the Federal University of Santa Catarina [5].

We created data tables to perform the experiments with audit elements coming from both the log system and from data captured during node communications. We prepared three types of simulation data to test.

First, we created data representing legitimate action by executing a set of known services simulating a regular behavior.

Then, we created data representing behavior anomalies. To represent anomalous sequences of actions, we altered the services and their usage frequency. For example, for a teaching department that posts grades electronically, if two out of every 100 grades are typically corrected later because of a mistake, then an anomalous behavior would be correcting 10 consecutive grades. This action would deserve special attention to determine whether it constituted an abuse of privileges.

Finally, we created data representing policy violation. This was prepared with a set of audit packages containing a series of elements violating base rules.

Evaluating the Event Auditor

The event auditor captures all requests received by a node and the corresponding responses, which is fundamental for behavior analysis. For each action a node performs, a log entry is generated to register the methods and parameters invoked during the action.

In the experiments with the behavior-based IDS, we considered using audit data from both a log and a communication system. Unfortunately, data from a log system—with the exception of the message element—has a limited set of values with little variation. This made it difficult to find attack patterns, so we opted to explore communication elements to evaluate this technique.

We evaluated the behavior-based technique using artificial intelligence enabled by a feed-forward neural network [6]. In the simulation environment, we monitored five intruders and five legitimate users.

We initiated the neural-network training with a data set representing 10 days of usage simulation. Using this data resulted in a high number of false negatives and a high level of uncertainty. Increasing the sample period for the learning phase improved the results.

Evaluating the Behavior-Based System

To measure IDS efficiency [1], we considered accuracy in terms of the system's ability to detect attacks and avoid false alarms. A system is imperfect if it accuses a legitimate action of being malicious. So, we measured accuracy using the number of false positives (legitimate actions marked as attacks) and false negatives (the absence of an alert when an attack has occurred).

The performance test we designed also evaluated the analysis technique's cost. We performed a load test where the program analyzed 1 to 100,000 actions. The simulation involving 100,000 actions is hypothetical. It surpasses the usual data volume and served as a base for understanding system behavior in an overloading condition. An action took approximately 0.000271 seconds to be processed with our setup.

The training time for an input of 30 days of sample behavior took 1.993 seconds. However, the training was sporadic—we had to plan updates to the behavior profile database according to a routine in the execution environment (since a user's behavior tends to change with time). This helped us identify a convenient period of days for determining the profile of a legitimate user. Artificial neural networks aren't deterministic, so the number of false positives and false negatives didn't represent a linear decreasing progression.

Figure 2 shows the results. The neural network tended to avoid identifying legitimate actions as attacks—there were always more false negatives than false positives when using the same quantity of input data.

No false alarms occurred when we started the training with 16 days of simulation, although the uncertainty level was still high, with several outputs near zero. With input periods of 28, 29, and 30 days, the algorithm showed a low number of false positives, but after several repetitions, the quantity of false positives varied, again representing the nondeterministic nature of neural networks.
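The grade-correction scenario from the Results section and the false-positive/false-negative measure above, worked through in an added example that is not code from the paper or the GCCIDS prototype: a legitimate-use profile is learned from constructed audit windows, and a window is flagged when it deviates from that profile beyond a tolerance. A per-feature mean and standard deviation stands in for the paper's feed-forward network, and the action names, window layout and training counts are all constructed.

```python
import math

# Constructed action vocabulary: a posted grade and a later correction of a grade.
POST, CORRECT = "post_grade", "correct_grade"

def make_window(n_corrections, n_grades=100):
    """Constructed legitimate audit window: n_grades posted grades, with the
    corrections spread evenly so that they never occur back to back."""
    positions = {round((i + 1) * n_grades / (n_corrections + 1)) for i in range(n_corrections)}
    actions = []
    for grade in range(1, n_grades + 1):
        actions.append(POST)
        if grade in positions:
            actions.append(CORRECT)
    return actions

def extract_features(actions):
    """Two behavior features per window: corrections per 100 posted grades, and the
    longest run of consecutive corrections (this is what '10 consecutive grades' changes)."""
    rate = 100.0 * actions.count(CORRECT) / max(actions.count(POST), 1)
    longest = run = 0
    for action in actions:
        run = run + 1 if action == CORRECT else 0
        longest = max(longest, run)
    return (rate, float(longest))

def train_profile(windows, tolerance=3.0, min_std=0.5):
    """Learn the legitimate-use profile: mean and standard deviation of each feature
    over the training windows. A floor on the spread keeps small deviations tolerated
    even for a feature that hardly varied during training."""
    feats = [extract_features(w) for w in windows]
    means = [sum(f[i] for f in feats) / len(feats) for i in range(2)]
    stds = [max(math.sqrt(sum((f[i] - means[i]) ** 2 for f in feats) / len(feats)), min_std)
            for i in range(2)]
    return {"means": means, "stds": stds, "tolerance": tolerance}

def deviation(profile, actions):
    """Largest deviation of the window from the profile, in standard deviations."""
    feats = extract_features(actions)
    return max(abs(feats[i] - profile["means"][i]) / profile["stds"][i] for i in range(2))

def is_anomalous(profile, actions):
    return deviation(profile, actions) > profile["tolerance"]

def evaluate(profile, labelled):
    """Accuracy as the paper measures it: false positives (legitimate actions marked
    as attacks) and false negatives (no alert although an attack occurred)."""
    fp = fn = 0
    for actions, is_attack in labelled:
        flagged = is_anomalous(profile, actions)
        fp += int(flagged and not is_attack)
        fn += int(is_attack and not flagged)
    return fp, fn

# Constructed training data: 30 daily windows with about 2 corrections per 100 grades.
TRAINING_CORRECTIONS = [2, 1, 3, 2, 2, 0, 2, 4, 1, 2, 3, 2, 1, 2, 2,
                        3, 1, 2, 0, 2, 2, 1, 3, 2, 2, 1, 2, 4, 2, 1]
TRAINING = [make_window(k) for k in TRAINING_CORRECTIONS]

# Constructed test set: legitimate days, the paper's anomaly (10 consecutive corrections)
# and a frequency-only anomaly (10 corrections spread over the day).
LABELLED = [(make_window(1), False), (make_window(2), False), (make_window(3), False),
            ([POST] * 100 + [CORRECT] * 10, True), (make_window(10), True)]
```

Running `evaluate(train_profile(TRAINING), LABELLED)` on the constructed set gives no false positives and no false negatives; the consecutive-correction day scores far higher than the spread-out one because the run-length feature, not just the frequency, leaves the profile.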

Evaluating the Knowledge-Based System

In contrast to the behavior-based system, we used audit data from both a log system and the communication system to evaluate the knowledge-based system. We created a series of rules to illustrate security policies that the IDS should monitor.

We collected audit data referring to a route-discovery service, service discovery, and service request and response. The series of policies we created tested the system's performance, although our scope didn't include discovering new kinds of attacks or creating an attack database. Our goal was to evaluate our solution's functionality and the prototype's performance.

The rule below characterizes an attack in any message related to the storage service. The functions of the rule are as follows:

1. At start-up, the rules stored in an XML file are loaded into a data structure.
2. The auditor starts to capture data from the log and communication systems.
3. The data is preprocessed to create a data structure dividing log data from communication data to provide easy access to each element.
4. The corresponding policy for the audit package is verified.
5. An alert is generated if an attack or violation occurred.

We performed a load test for this algorithm simulating the analysis of 10 to 1,000,000 rules for an action. We verified the textual or numerical field in comparison to the rules. The analyzer performed two primary functions: it searched for improper content, and it compared numerical intervals. Comparing 100,000 rules for an action consumed 0.361 seconds; comparing a million rules consumed 2.7 seconds. This suggests that real-time analysis is possible up until a certain limit in the number of rules.

Figure 2. The behavior score results. The algorithm had the lowest number of false positives for input periods with 28–30 days. [Plot: x-axis "Number of training examples" (10 to 30 days); y-axis "Number of false positives and false negatives" (0 to 6); two series, false positive and false negative.]
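The rule-based analysis described in the Knowledge Analysis section and in the five steps above (rules loaded from XML, captured data split into log and communication elements, a policy check per audit package, an alert on violation), with the analyzer's two functions of searching for improper content and comparing numerical intervals, as an added example that is not the paper's prototype code. The rule file uses a hypothetical schema (`contains` and `range` conditions) and the captured events for one storage-service action are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed rule file with a hypothetical schema (not the paper's). Each rule names the
# audit source it inspects (log or communication) and the element; <contains> searches for
# improper content, <range> gives the permitted numerical interval.
RULES_XML = """<rules>
  <rule id="R1" source="communication" element="path" severity="high"
        description="path traversal in a storage-service request">
    <contains>../</contains>
  </rule>
  <rule id="R2" source="communication" element="payload_bytes" severity="medium"
        description="storage payload outside the permitted size interval">
    <range min="0" max="1048576"/>
  </rule>
  <rule id="R3" source="log" element="auth_failures" severity="medium"
        description="too many authentication failures within one action">
    <range min="0" max="5"/>
  </rule>
</rules>"""

def load_rules(xml_text):
    """Step 1: load the rules from XML into a data structure (one dict per rule)."""
    rules = []
    for node in ET.fromstring(xml_text).findall("rule"):
        rule = {key: node.get(key) for key in ("id", "source", "element", "severity", "description")}
        contains, rng = node.find("contains"), node.find("range")
        rule["contains"] = contains.text if contains is not None else None
        rule["interval"] = (float(rng.get("min")), float(rng.get("max"))) if rng is not None else None
        rules.append(rule)
    return rules

def preprocess(captured):
    """Step 3: divide the captured events into log and communication elements."""
    package = {"log": {}, "communication": {}}
    for event in captured:
        package[event["source"]].update(event["fields"])
    return package

def outside_interval(value, low, high):
    """Numerical comparison; a non-numeric value where a number is required is a violation."""
    try:
        return not (low <= float(value) <= high)
    except (TypeError, ValueError):
        return True

def verify(package, rules):
    """Steps 4 and 5: check each rule against the audit package and generate alerts."""
    alerts = []
    for rule in rules:
        value = package[rule["source"]].get(rule["element"])
        if value is None:  # the element is absent from this audit package
            continue
        improper = rule["contains"] is not None and rule["contains"] in str(value)
        out_of_range = rule["interval"] is not None and outside_interval(value, *rule["interval"])
        if improper or out_of_range:
            alerts.append(f'[{rule["severity"]}] {rule["id"]}: {rule["description"]} ({rule["element"]}={value!r})')
    return alerts

# Step 2, constructed: what the event auditor captured for one storage-service action.
CAPTURED = [
    {"source": "log", "fields": {"method": "store", "auth_failures": 1}},
    {"source": "communication",
     "fields": {"service": "storage", "path": "../../admin/config", "payload_bytes": 2048}},
]

def analyze(captured=CAPTURED, rules_xml=RULES_XML):
    return verify(preprocess(captured), load_rules(rules_xml))
```

`analyze()` on the constructed capture raises only the R1 alert; a payload above the interval or a non-numeric value in a numerical element raises the corresponding range alert, and a package whose elements all sit inside the rules yields an empty list.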

In testing our prototype, we learned that it has a low processing cost while still providing a satisfactory performance for real-time implementation. Sending data to other nodes for processing didn't seem necessary [7]. The individual analysis performed in each node reduces the complexity and the volume of data in comparison to previous solutions, where the audit data is concentrated in single points.

In the future, we'll implement our IDS, helping to improve green (energy-efficient), white (using wireless networks), and cognitive (using cognitive networks) cloud computing environments. We also intend to research and improve cloud computing security.

References

1. H. Debar, M. Dacier, and A. Wespi, "Towards a Taxonomy of Intrusion Detection Systems," Int'l J. Computer and Telecommunications Networking, vol. 31, no. 9, 1999, pp. 805–822.
2. I. Foster et al., "A Security Architecture for Computational Grids," Proc. 5th ACM Conf. Computer and Communications Security, ACM Press, 1998, pp. 83–92.
3. S. Axelsson, Research in Intrusion-Detection Systems: A Survey, tech. report TR-98-17, Dept. Computer Eng., Chalmers Univ. of Technology, 1999.
4. A. Schulter et al., "Intrusion Detection for Computational Grids," Proc. 2nd Int'l Conf. New Technologies, Mobility, and Security, IEEE Press, 2008, pp. 1–5.
5. H. Franke et al., "Grid-M: Middleware to Integrate Mobile Devices, Sensors and Grid Computing," Proc. 3rd Int'l Conf. Wireless and Mobile Comm. (ICWMC 07), IEEE CS Press, 2007, p. 19.
6. N.B. Idris and B. Shanmugam, "Artificial Intelligence Techniques Applied to Intrusion Detection," Proc. 2005 IEEE India Conf. (Indicon), IEEE Press, 2005, pp. 52–55.
7. P.F. da Silva and C.B. Westphall, "Improvements in the Model for Interoperability of Intrusion Detection Responses Compatible with the IDWG Model," Int'l J. Network Management, vol. 17, no. 4, 2007, pp. 287–294.

Kleber Vieira is a team leader for a software development company in Brazil and is a member of the Networks and Management Laboratory at the Federal University of Santa Catarina, Brazil. His research interests include information systems, software engineering, distributed systems, and security. Vieira received his MSc in computer science from the Federal University of Santa Catarina. Contact him at [email protected].

Alexandre Schulter is an IT analyst for a Brazilian government company. Previously, he was a researcher and software developer at several laboratories in the Technological Centre at the Federal University of Santa Catarina, Brazil. His research interests include information systems, component-based systems, software engineering, distributed systems, and security. Schulter received his MSc in computer science from the Federal University of Santa Catarina. Contact him at [email protected].

Carlos Becker Westphall is a full professor in the Department of Informatics and Statistics at the Federal University of Santa Catarina, Brazil, where he is the leader of the Networks and Management Laboratory. His research interests include network management, security, and grid and cloud computing. Westphall received his DSc in computer science from the Paul Sabatier University, France. Contact him at [email protected].

Carla Merkle Westphall is a professor in the Department of Informatics and Statistics at the Federal University of Santa Catarina, Brazil. Her research interests include distributed security, identity management, and grid and cloud security. Westphall received her PhD in electrical engineering from the Federal University of Santa Catarina. Contact her at [email protected].
