A hybrid intrusion detection system for cloud computing environments
Introduction
4A Hybrid intrusion detection system for Cloud Computing Environments
Cloud Security Concerns
Q: Please rate your level of overall security concern related to adopting public cloud computing.
• 91% of organizations have security concerns.
• 4% not sure.
• 5% not at all concerned.
Source: Cloud Passage survey report 2016
Most Popular Cloud Services
Q: What types of business applications is your organization deploying in the cloud?
• 46% Web Apps.
• 38% Collaboration and Communication Apps.
• 33% Productivity.
• 27% IT Operations.
• 27% Custom Business Applications.
Source: Cloud Passage survey report 2016
Research Question
Main question: How to protect the Cloud using Intrusion Detection Systems (IDS)?
Secondary questions:
• How is an IDS best transformed to suit the Cloud?
• How may we increase the detection quality?
• How is the model best deployed?
Aims and Objectives
Objective 1: Review the current literature about security issues related to the Cloud and proposed solutions to fully protect it.
Objective 2: Identify key solutions and design the architecture.
Objective 3: Evaluate experimental results.
Cloud Computing and Security
Background
• Cloud Computing
• Virtualization
• Vulnerabilities and attacks in Cloud Computing
• Intrusion Detection Systems
• Machine Learning
Virtualization
Virtualization: Virtual Machine Monitor (VMM)
1. Isolation.
2. Interposition.
3. Inspection.
Virtualization: Approaches of Virtualization
Full Virtualization (diagram, top to bottom):
• Ring-3: User Apps, direct execution of user requests.
• Ring-2
• Ring-1: Guest OS, binary translation of OS requests.
• Ring-0: VMM (Virtual Machine Monitor).
• Host Hardware.
Intrusion Detection Systems
Intrusion Detection System
• Intrusion Detection System vs Firewall
• What an IDS can/can't do
• Detection methods
Machine Learning
• Supervised Learning: Naive Bayes, Decision Tree
• Unsupervised Learning
Literature Review
Literature Review: Classification of the Literature
How to study the literature?
Literature Review: How to study the literature?
• Where to detect? Network / Host / VM / Application
• What to detect? Network packets / Processes / VMM / Tasks
• How to detect? Signature / Anomaly
Literature Review: How to study the literature?
Perspectives and scope of the literature:
• Where: layers of the Cloud
• What: audit source location
• How: detection method
Literature Review: Classification of the Literature
Layers of the Cloud: Host, Network, Application, Virtualization
Literature Review: Application Layer
• AlQahtani et al. 2014: metric to measure quality: vulnerability detection, average response time.
• Carmen et al. 2010: SQL injection (SQLMap); web traffic (XML + ModSecurity); "XML" gives a better characterization of normal traffic; detection metrics: ?
• Felix et al. 2011: heuristics to learn algorithms and keys (encryption); detection metrics: ?
Literature Review: Host Layer
• Firkhman et al. 2011: Host IDSs; signatures for known attacks; ?
• Chirag et al. 2013: top-down approach & bottom-up approach, to place IDSs on hosts, guests or hypervisors.
• SamanTaghavi et al. 2011: cloud-specific design; log file correlation; hybrid solution (several IDS methods: NIDS, HIDS, ...); aimed at unknown attacks.
Literature Review: Comparative Summary

| Ref | Deployment | Layers of interest | Detection approach |
| --- | --- | --- | --- |
| Vikas Mishra et al. 2016 | IaaS | Network | Signature-based |
| Sivakami Raja et al. 2016 | IaaS | Network | Anomaly-based |
| Khamkone Sengaphay et al. 2016 | IaaS | Network | Signature-based, Anomaly-based |
| Zahraa Al-Mousa et al. 2015 | IaaS | Network | Anomaly-based |
| Partha Ghosh et al. 2015 | IaaS | Network, Host | Anomaly-based |
| Ming-Yi Liao et al. 2015 | IaaS | Network, VM | Signature-based |
| Sangeetha et al. 2015 | SaaS | Application | Signature-based |
| Manthira et al. 2014 | IaaS, SaaS | Network, Host | Signature-based, Anomaly-based |
| Omar Al-Jarrah et al. 2014 | IaaS | Network | Anomaly-based |
| Felix Gröbert et al. 2011 | SaaS | Host | Heuristic-based, Signature-based |
| Nathaniel et al. 2011 | SaaS | Application | Anomaly-based |
| Malek Ben Salem et al. 2011 | IaaS | Host, VM | Anomaly-based |
| Cristina Abad et al. 2003 | IaaS | Network, VM | Signature-based, Anomaly-based |
Literature Review: Main Detection methods
Signature-based IDS
• Known attacks.
• Easy to implement.
• Frequent updates.
• Slow reaction to new attacks.
Literature Review: Main Detection methods
Anomaly-based IDS
• Malicious network behaviour is noticeably different to regular behaviour.
• Able to detect unknown/new attacks.
• High alarm rates.
• Requires a system-training period.
• Greater implementation complexity.
Literature Review: Summary
• Deployment locations and detection methods.
• Partial detection on the Cloud.
• No detection model can protect the entire Cloud.
• Less distinction of attacks/layer.
• Less focus on the significant attributes.
Model Design
Model Design: Proposed Architecture
Diagram: Internet -> Lab Router -> NIDS -> Cloud Infrastructure: Hypervisor with a VM-IDS, hosting Guest A, Guest B and Guest C, each running a Host-IDS and a Web-IDS.
Model design parameters:
• Placement of IDSs.
• Layered security design.
• Combining detection methods.
• Event correlation.
Model Design: Signature IDSs Positions
Diagram: Hacker position on the Internet -> Lab Router -> NIDS (first detection line) -> Cloud Infrastructure: Hypervisor with VM-IDS (second detection line) -> Guest A, Guest B and Guest C, each with a Web-IDS (third detection line).
Implementation preferences:
• Signature detection: ModSecurity, Snort, OSSEC.
• Anomaly detection: Sguil/ELK.
Model Design: Different zones of detection
Detection level (facing the Hacker):
• ModSecurity (WIDS)
• Snort (NIDS)
• OSSEC (HIDS)
• OSSEC (VMIDS)
Visualization level:
• Logs centralized: Syslog
• Log correlation: Logstash
• Visualization module: Kibana, Snorby, Sguil
• Anomaly detection (Train - Test - Prediction): recommended for rule adding
Model Design: From Signature zone to Anomaly zone
Flow: Knowledge-based detection (ModSecurity) labels requests as Normal or Attacks -> both populate the Training Dataset (> Normal, > Attacks) -> Machine Learning Anomaly Detection is trained on it and then tested -> its findings are recommended to the Administrator.
Evaluation
Evaluation: Collected data for evaluation
• Real traffic from the network.
• Web vulnerability scanner (W3af) implemented by OWASP.
• Simulated attacks on the host.
Evaluation: Quantitative analysis

| Number of resources | Targeted layers | Datasets total size | Dataset/Tools | Number of sessions |
| --- | --- | --- | --- | --- |
| 70 | Network, Host, Web | More than 235 MB | Pcap files and W3af | 88 |

Network layer:

| Number of resources | Targeted layers | Platform/Payloads | IDS | Total number of sessions |
| --- | --- | --- | --- | --- |
| 36 | Network | Exploit kits (Angler, Fiesta, Neutrino, Magnitude, Nuclear, RIG), Upatre downloader, Malspam | Snort | 53 |
Evaluation: Quantitative analysis

Host layer:

| Number of resources | Targeted layers | Host/Guest | IDS | Total number of sessions |
| --- | --- | --- | --- | --- |
| 10 | Host | LUbuntu 15 | OSSEC | 10 |

Web layer:

| Number of resources | Targeted layers | Platform/Payloads | IDS | Total number of sessions |
| --- | --- | --- | --- | --- |
| 24 | Web | W3af plugins: blind_sqli, buffer_overflow, csrf, dav, eval, file_upload, format_string, frontpage, generic, global_redirect, htaccess_methods, ldapi, lfi, mx_injection, os_commanding, phishing_vector, preg_replace, ... | ModSecurity | 24 |
Evaluation: Quantitative analysis
Distribution of attacks per layer and percentage of detection in the signature detection zone:

| TP/FN | Number of attacks | Percentage |
| --- | --- | --- |
| True Positives | 64 | 91.43% |
| False Negatives | 6 | 8.57% |
Evaluation: Qualitative analysis
Evasion techniques considered: Obfuscation, Fragmentation, Encryption, Denial of Service.
Evaluation: Qualitative analysis
Manual analysis using Wireshark (capture from 2014):
1. Victim host "IntelCor_8" (Windows).
2. MAC address: 00:1b:21:ca:fe:d7.
3. IP: 192.168.137.62.
4. "www.earsurgery.org" (216.9.81.189) --> "qwe.mvdunalterableairreport.net" (192.99.198.158): exploit kit (EK) and malware payload delivered to "IntelCor_8".
Evaluation: Qualitative analysis
Opening the malicious file in a hex editor: char XOR with a string key.
Evaluation: Qualitative analysis
Snort (NETIDS) alerts raised on the exploit kit traffic:
• ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST (sid:2018442)
• ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses (sid:2018316)
• ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 (sid:2019224)
• ET CURRENT_EVENTS Angler EK Oct 22 2014 (sid:2019488)
• ET CURRENT_EVENTS Angler EK Flash Exploit URI Struct (sid:2019513)
• ET TROJAN Bedep SSL Cert (sid:2019645)
Detected by ModSecurity (WEBIDS): NO. Detected by Snort (NETIDS): YES.
Evaluation: Qualitative analysis
Detected by ModSecurity (WEBIDS): YES. Detected by Snort (NETIDS): NO.
Evaluation: Qualitative analysis
Passing traffic versus detected attacks, per IDS (NIDS, HIDS, WIDS, AD):
• Undetected attacks (evasion) against the network: Obfuscation, Fragmentation, Encryption, Denial of Service.
• Undetected attacks (evasion) against the host: Obfuscation, Application Hijacking, File locations and Integrity.
• Detected attacks: marked "x" in the matrix for the IDS that raised them.
Evaluation: Qualitative analysis
ModSecurity log excerpt (Apache error log):
... [Wed Jun 01 16:14:11.413715 2016] [:error] [pid 1561] [client 127.0.0.1] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "localhost"] [uri "/DVWA-master/login.php"] [unique_id "V077w38AAQEAAAYZ2K0AAAAA"]
[Wed Jun 01 16:14:11.494197 2016] [:error] [pid 1561] [client 127.0.0.1] ModSecurity: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "78"] [id "960034"] [rev "2"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"] [hostname "localhost"] [uri "/DVWA-master/login.php"] ...
Showing that obfuscated SQL injection was detected by ModSecurity.
Evaluation: Qualitative analysis
OSSEC syscheck alert (excerpt):
... ** Alert 1464865058.166: mail - ossec,syscheck,
2016 Jun 02 11:57:38 cidslayer-VirtualBox->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/alternatives/gnome-text-editor.1.gz'
Size changed from '32' to '30'
Old md5sum was: '2e8d9e791f0d21b5b32fe15b76b41749'
New md5sum is : 'f9c516214d25862e629c53a005ad8642'
Old sha1sum was: '97b7bfbfbe0465dc8f4c44f1ba375a4766bf6f39'
New sha1sum is : '31f025817c004ef13679ceb3ab82259a310d92d3' ...
OSSEC startup log showing the monitored directories and analyzed files:
2016/02/09 14:38:41 ossec-rootcheck: INFO: Started (pid: 1665).
2016/02/09 14:38:41 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2016/02/09 14:38:41 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2016/02/09 14:38:41 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2016/02/09 14:38:41 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2016/02/09 14:38:41 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2016/02/09 14:38:42 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'.
2016/02/09 14:38:42 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/syslog'.
2016/02/09 14:38:42 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/dpkg.log'.
2016/02/09 14:38:42 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache2/error.log'.
2016/02/09 14:38:42 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache2/access.log'.
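The correlation level of the design (logs centralized by syslog, correlated by Logstash) needs the web-layer and host-layer alerts in one schema. As an added example, not code from the thesis, the following parses a ModSecurity error-log line in the format of the previous slide and an OSSEC syscheck alert in the format above into common events, then pairs web and host alerts seen on the same guest within a time window; the two sample alerts, the host name guest-a, the client IP 203.0.113.7 and the 300 s window are constructed assumptions.

```python
"""Normalise ModSecurity (web layer) and OSSEC (host layer) alerts and correlate them per host.

Added example for the deck's correlation level (syslog -> Logstash); the two sample
alerts are constructed to mirror the formats shown on the ModSecurity and OSSEC slides.
"""
import re
from collections import defaultdict
from datetime import datetime

# ModSecurity writes fields as [key "value"]; the deck renders the quotes as «value», so accept both.
_MS_HEAD = re.compile(r'^\[([^\]]+)\] \[:error\] \[pid \d+\] \[client ([^\]]+)\] ModSecurity: (\w+)\.')
_MS_FIELD = re.compile(r'\[(\w+) [«"]([^»"]*)[»"]\]')
# OSSEC alert block: a "<date> <agent>-><location>" line, then "Rule: <id> (level <n>) -> '<text>'".
_OS_WHEN = re.compile(r'^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+)->(\S+)$', re.M)
_OS_RULE = re.compile(r"Rule: (\d+) \(level (\d+)\) -> [‘'](.*?)[’']")
_OS_FILE = re.compile(r"changed for: [‘']([^’']+)[’']")

# Constructed samples (documentation IP 203.0.113.7, host name guest-a; not real captures).
SAMPLE_MODSEC = (
    '[Wed Jun 01 16:14:11.413715 2016] [:error] [pid 1561] [client 203.0.113.7] ModSecurity: Warning. '
    'Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. '
    '[file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf"] '
    '[line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "GET"] '
    '[severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] '
    '[tag "OWASP_TOP_10/A6"] [hostname "guest-a"] [uri "/DVWA-master/login.php"]'
)
SAMPLE_OSSEC = """** Alert 1464797800.166: mail - ossec,syscheck,
2016 Jun 01 16:16:40 guest-a->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/alternatives/gnome-text-editor.1.gz'
Size changed from '32' to '30'
"""


def parse_modsec(line):
    """One Apache error-log line written by ModSecurity -> normalised event, or None."""
    head = _MS_HEAD.match(line)
    if head is None:
        return None
    fields, tags = {}, []
    for key, value in _MS_FIELD.findall(line):
        if key == 'tag':
            tags.append(value)  # a line may carry several [tag "..."] entries
        else:
            fields[key] = value
    return {'source': 'modsecurity', 'layer': 'web', 'action': head.group(3),
            'time': datetime.strptime(head.group(1), '%a %b %d %H:%M:%S.%f %Y'),
            'client': head.group(2), 'host': fields.get('hostname', ''),
            'rule_id': fields.get('id', ''), 'severity': fields.get('severity', ''),
            'message': fields.get('msg', ''), 'detail': fields.get('uri', ''), 'tags': tags}


def parse_ossec(block):
    """One multi-line OSSEC alert ('** Alert ...' block) -> normalised event, or None."""
    when, rule = _OS_WHEN.search(block), _OS_RULE.search(block)
    if when is None or rule is None:
        return None
    target = _OS_FILE.search(block)
    return {'source': 'ossec', 'layer': 'host', 'action': when.group(3),
            'time': datetime.strptime(when.group(1), '%Y %b %d %H:%M:%S'),
            'client': '', 'host': when.group(2),
            'rule_id': rule.group(1), 'severity': 'level ' + rule.group(2),
            'message': rule.group(3), 'detail': target.group(1) if target else '', 'tags': []}


def correlate(events, window_seconds=300):
    """Per host: count events, list the layers that fired, pair web/host alerts within the window."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev['host']].append(ev)
    report = {}
    for host, evs in by_host.items():
        pairs = [(w['rule_id'], h['rule_id'])
                 for w in evs if w['layer'] == 'web'
                 for h in evs if h['layer'] == 'host'
                 and abs((w['time'] - h['time']).total_seconds()) <= window_seconds]
        report[host] = {'events': len(evs), 'layers': sorted({e['layer'] for e in evs}), 'pairs': pairs}
    return report


def run_demo():
    """Parse both samples and correlate them; returns the per-host report."""
    events = [e for e in (parse_modsec(SAMPLE_MODSEC), parse_ossec(SAMPLE_OSSEC)) if e is not None]
    return correlate(events)


if __name__ == '__main__':
    for host, entry in run_demo().items():
        print(host, entry)
```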
Evaluation: Qualitative analysis

| Difference | NIDS | HIDS | WIDS |
| --- | --- | --- | --- |
| Need | To protect and monitor the Network | To protect and monitor the Host | To protect and monitor the Web |
| Design | Network based | Host based | Web based |
| Source | Network flow and packets | System log files, programs and processes | Web log files and web protocols |
Evaluation: Anomaly Detection Zone
Same flow as in the model design: knowledge-based detection (ModSecurity) labels requests as Normal or Attacks -> both populate the Training Dataset (> Normal, > Attacks) -> Machine Learning Anomaly Detection is trained on it and then tested -> its findings are recommended to the Administrator.
Evaluation: Anomaly Detection Steps
Data Collection -> Preprocessing -> Training -> Test
Evaluation: Data Collection & Preprocessing
• Source: CSIC Information Security Institute (Spanish National Research Council).
• "CSIC 2010 HTTP Dataset" (2010), in CSV format for Weka analysis.
• Normal requests: 36,000. Anomalous requests: 25,000.
• Attack types: SQL injection, buffer overflow, information gathering, files disclosure, CRLF injection, XSS, server side include, parameter tampering and so on.
Evaluation: Cleaning Data - Removing Noisy Attributes
Evaluation: Cleaning Data - Step 01, Step 02 and Step 03
Ranked attributes (non-significant attributes, score 0):
0 6 pragma
0 4 protocol
0 5 userAgent
0 7 cacheControl
0 13 connection
0 11 acceptLanguage
0 10 acceptCharset
0 8 accept
0 9 acceptEncoding
Ranked attributes (significant attributes):
0.99649 16 cookie
0.42637 17 payload
0.29471 1 index
0.12669 3 url
0.10206 14 contentLength
0.01273 2 method
0.00892 12 host
0.00492 15 contentType
Set of significant attributes = {cookie, payload, index, url, contentLength, method, host, contentType}
Set of noisy attributes = {pragma, protocol, userAgent, cacheControl, connection, acceptLanguage, acceptCharset, accept, acceptEncoding}
Repeat Step 01 and Step 02: set of significant attributes = {payload}
Evaluation: Cleaning Data - Step 04 and Step 05
Step 04: nominal values replaced by numeric codes, e.g. GET replaced by 1, POST replaced by 2, PUT replaced by 3, localhost:8080 replaced by 5, ...
Step 05: resulting table of payload code and label:

| payload | label |
| --- | --- |
| 4 | anom |
| ... | ... |
| 20 | norm |
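The cleaning steps above, as an added example that is not the thesis's Weka workflow: rank every attribute of a handful of constructed HTTP request records by information gain (the score Weka's ranker prints), drop the zero-gain ones as noisy (Steps 01 to 03), then replace the surviving nominal values by integer codes and keep the label (Steps 04 and 05). It also flags attributes whose gain almost equals the label entropy, since such a score usually means the value identifies the capture session rather than the attack; the records, the first-seen code numbering and the 0.99 threshold are assumptions.

```python
"""Rank HTTP-request attributes by information gain, drop the zero-gain ones and encode the rest.

Added example mirroring the deck's cleaning steps (Weka's InfoGain ranker on the
CSIC 2010 HTTP dataset); the records and the integer codes below are constructed.
"""
import math
from collections import Counter, defaultdict

# Constructed rows: (method, cookie, payload, label). host, protocol and userAgent are kept
# constant on purpose (zero gain); the cookie is unique per request, like a session id.
_ROWS = [
    ('GET', 'JSESSIONID=1', 'id=1', 'norm'),
    ('GET', 'JSESSIONID=2', 'id=2', 'norm'),
    ('GET', 'JSESSIONID=3', 'id=1', 'norm'),
    ('POST', 'JSESSIONID=4', 'page=home', 'norm'),
    ('GET', 'JSESSIONID=5', "id=1' OR 1=1", 'anom'),
    ('POST', 'JSESSIONID=6', "id=1' OR 1=1", 'anom'),
    ('POST', 'JSESSIONID=7', 'file=../../etc/passwd', 'anom'),
    ('POST', 'JSESSIONID=8', 'id=1', 'anom'),
]
RECORDS = [{'method': m, 'host': 'localhost:8080', 'protocol': 'HTTP/1.1', 'userAgent': 'Mozilla/5.0',
            'cookie': c, 'payload': p, 'label': l} for m, c, p, l in _ROWS]


def entropy(labels):
    """Shannon entropy (bits) of a label sequence."""
    n = len(labels)
    return -sum(k / n * math.log2(k / n) for k in Counter(labels).values())


def info_gain(records, attr):
    """H(label) - H(label | attr), treating each distinct attribute value as one nominal value."""
    groups = defaultdict(list)
    for r in records:
        groups[r[attr]].append(r['label'])
    conditional = sum(len(g) / len(records) * entropy(g) for g in groups.values())
    return entropy([r['label'] for r in records]) - conditional


def rank_attributes(records):
    """Steps 01-02: (gain, attribute) pairs, best first, like Weka's 'Ranked attributes' list."""
    attrs = [a for a in records[0] if a != 'label']
    return sorted(((info_gain(records, a), a) for a in attrs), key=lambda t: -t[0])


def split_significant(ranked):
    """Step 03: zero-gain attributes carry no information about the label and are dropped as noisy."""
    significant = [a for g, a in ranked if g > 1e-12]
    noisy = [a for g, a in ranked if g <= 1e-12]
    return significant, noisy


def leakage_suspects(records, ranked, ratio=0.99):
    """Attributes whose gain almost equals H(label): they identify the capture, not the attack."""
    h = entropy([r['label'] for r in records])
    return [a for g, a in ranked if g >= ratio * h]


def encode(records, attrs):
    """Steps 04-05: replace each nominal value by an integer code (first seen = 1), keep the label."""
    codebook = {a: {} for a in attrs}
    rows = []
    for r in records:
        row = [codebook[a].setdefault(r[a], len(codebook[a]) + 1) for a in attrs]
        rows.append(row + [r['label']])
    return rows, codebook


def clean_dataset(records):
    """Whole pipeline: rank, drop noisy attributes, drop leakage suspects, encode what remains."""
    ranked = rank_attributes(records)
    significant, noisy = split_significant(ranked)
    keep = [a for a in significant if a not in leakage_suspects(records, ranked)]
    rows, codebook = encode(records, keep)
    return {'ranked': ranked, 'noisy': noisy, 'kept': keep, 'rows': rows, 'codebook': codebook}


if __name__ == '__main__':
    result = clean_dataset(RECORDS)
    print('Ranked attributes:')
    for gain, attr in result['ranked']:
        print(f'{gain:.5f} {attr}')
    print('noisy:', result['noisy'], 'kept:', result['kept'])
    for row in result['rows']:
        print(row)
```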
Evaluation: Training and Testing

| Learning configuration | Classifier | Detection % | Model creation (sec) | Cleaning data |
| --- | --- | --- | --- | --- |
| 70% | C4.5 | 62.0097% | 25.8 seconds | Before |
| 70% | Naive Bayes | 61.9709% | 0.12 seconds | Before |
| 70% | C4.5 | 62.1334% | 14.56 seconds | After |
| 70% | Naive Bayes | 50.3377% | 0.22 seconds | After |
Evaluation: ROC Before and After Cleaning
Evaluation: Administration
Conclusion: Meeting the Objectives

| Gap in the Literature | Proposed Solution |
| --- | --- |
| Partial detection on the Cloud. | Full detection in the Cloud. |
| Less distinction of attacks/layer. | Deploy IDSs specifically to protect strategic layers. |
| Less focus on the significant attributes. | Cleaning the dataset by removing insignificant and less significant attributes. |
Future Research Perspectives
• Prototype optimization: better performance and accuracy.
• Additional protection: the use of Honeypots with more intelligent techniques for analysis and detection.
Thank You..