Signature Apriori based Network Intrusion Detection System in Cloud

Chirag N. Modi and Prof. Dhiren R. Patel, NIT Surat, India
cnmodi.956@gmail.com, dhiren29p@gmail.com

Ph. D Colloquium, CSI-2011


Outline
- Introduction
- Problem Statement
- Proposed Work
  - Goals of Proposed Work
  - Proposed Framework
  - Design of NIDS Module
  - Signature Generation
- Theoretical Analysis
- Summary
- References

C. N. Modi, Ph. D Colloquium, CSI-2011, 19/04/23, slide 2


Introduction
- Cloud Computing: providing convenient, on-demand network access to a shared pool of configurable computing resources via the Internet [1].
- Services: SaaS, PaaS, IaaS.
- The Cloud is an integration of many technologies, each of which has some bugs or vulnerabilities [2][3]. Exploitation of existing vulnerabilities affects the confidentiality, availability and integrity of Cloud resources as well as services.
- Most intrusion activities are attempted over the network.
- Well-known intrusions: insider attacks, flooding attacks, DoS/DDoS attacks [4][5], User to Root (U2R) attacks, scans, VM-level attacks, etc.


Introduction
- For protecting the Cloud from such attacks, using only a traditional firewall is not an efficient solution [6].
- Another solution is to incorporate an efficient network-based intrusion detection system (NIDS) module into Cloud computing.
- It should have the following properties: completeness, scalability and compatibility.


Problem Statement
- To incorporate an efficient NIDS module into the Cloud in such a way that it can detect intrusions from the external as well as the internal network of the Cloud.
- Challenges to NIDS in Cloud:
  - Detection of known as well as unknown network attacks on each layer (front end, back end or VM) of the Cloud
  - Low computational cost
  - High detection rate
  - Low false positive and false negative alarm rate
  - Scalability
  - Compatibility


Goals of Proposed Work
- Detection of known attacks as well as variations of known attacks at the front end and back end of the Cloud.
- Variation of a known attack, examples [7][8]:
  - Content: "|2F646566 61756C74 2E696461 3F4E4E4E|" (Code Red-I)
  - Content: "|2F646566 61756C74 2E696461 3F585858|" (Code Red-II)
  - Same pattern: 2F646566 61756C74 2E696461 (the bytes of "/default.ida").
  - Content: "/iisadmpwd/aexp2.htr" (WEB-IIS access)
  - Content: "scripts/iisadmin/default.htm" (WEB-IIS /scripts/iisadmin/default.htm access)
  - Same pattern: /iisadm
- Lower computational cost than other anomaly techniques
- Low false positive alarm rate
- Scalability
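The "same pattern" lines above are the seed that signature derivation starts from: two rules for variants of one attack share a common byte run. The following is an added example, not code from the slides or from Snort, that decodes Snort content strings (literal text outside pipes, hex inside "|...|") and extracts the shared run as the longest common substring; the four content strings are the ones quoted on the slide, and computing the shared pattern as a longest common substring is my choice rather than something the slide specifies.

```python
"""Added example: decode Snort content strings and find the byte run that two
signatures for variants of the same attack have in common."""


def parse_snort_content(content: str) -> bytes:
    """Decode a Snort content match string.

    Snort writes binary bytes between pipe characters as hex ("|2F 64 65|")
    and everything outside the pipes as literal text, so the two kinds of
    segment alternate: literal, hex, literal, hex, ...
    """
    out = bytearray()
    for i, segment in enumerate(content.split("|")):
        if i % 2 == 1:                      # inside a |...| hex section
            out += bytes.fromhex(segment.replace(" ", ""))
        else:                               # literal text section
            out += segment.encode("latin-1")
    return bytes(out)


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Longest contiguous byte run present in both inputs (dynamic programming)."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


# Constructed sample: the four content strings quoted on the slide.
KNOWN_SIGNATURES = {
    "Code Red-I": "|2F646566 61756C74 2E696461 3F4E4E4E|",
    "Code Red-II": "|2F646566 61756C74 2E696461 3F585858|",
    "WEB-IIS access": "/iisadmpwd/aexp2.htr",
    "WEB-IIS /scripts access": "scripts/iisadmin/default.htm",
}


def shared_pattern(name_a: str, name_b: str) -> bytes:
    """Byte run common to two known signatures: the part a derived signature grows from."""
    return longest_common_substring(parse_snort_content(KNOWN_SIGNATURES[name_a]),
                                    parse_snort_content(KNOWN_SIGNATURES[name_b]))


if __name__ == "__main__":
    for pair in (("Code Red-I", "Code Red-II"),
                 ("WEB-IIS access", "WEB-IIS /scripts access")):
        print(pair, "->", shared_pattern(*pair))
```

Decoding the Code Red contents gives "/default.ida?NNN" and "/default.ida?XXX", so the shared run is "/default.ida?"; for the two IIS rules it is "/iisadm", matching the slide.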


Proposed Framework
- Three possibilities for positioning the NIDS in the Cloud:
  - On the cloud front point
  - On each server
  - On each VM
- Each has some advantages and drawbacks.

Figure 1: Positioning NIDS in Cloud.


Design of NIDS Module
- Network: external network and internal network (both are sources of the captured packets).
- Snort [9]: used to capture packets; detects intrusions based on the configured rules.
- Known signature DB: contains known attack patterns or parts of them.
- Signature Apriori [8]: for Snort, generates new signatures from the captured packets and parts of known signatures.

Figure 2: Design of our NIDS module.


Working of NIDS Module in Cloud

Figure 3: Working of NIDS module. The flow shown in the figure:
- Network -> Capture Packets -> Snort
- Snort matches the packet against the Known Signature DB: "Any match found?" -> Allow or deny packet
- Known Signature -> Signature Apriori -> New Signatures -> Update Snort Rules


Signature Generation

Table 1: Captured Packets.
ID  Packet Contents
1   A B C D E F G Q
2   M N A B C D F G
3   M A B C E F G P Q
4   N A B C D E F G Q
5   J B C D E F G
6   P Q I

Part of known signature: "C D E", with a 0.7 threshold.

Table 2: First iteration.
Frequent content set: {A, B, C, D, E, F, G}

Table 3: Second iteration.
Candidates: C D E A, C D E B, C D E C, C D E D, C D E E, C D E F, C D E G
Frequent content set: {C D E F}

Table 4: Third iteration.
Candidates: C D E F A, C D E F B, C D E F C, C D E F D, C D E F E, C D E F F, C D E F G
Frequent content set: {C D E F G}

Table 5: Fourth iteration.
Candidates (extend at the tail): C D E F G A, C D E F G B, C D E F G C, C D E F G D, C D E F G E, C D E F G F, C D E F G G
Frequent content: {}
Candidates (extend at the head): A C D E F G, B C D E F G, C C D E F G, D C D E F G, E C D E F G, F C D E F G, G C D E F G
Frequent content set: {B C D E F G}

Table 6: Fifth iteration.
Candidates (extend at the head): A B C D E F G, B B C D E F G, C B C D E F G, D B C D E F G, E B C D E F G, F B C D E F G, G B C D E F G
Signature: {A B C D E F G}


Signature Generation
- The possible attack signatures are as follows:
  - C D E F
  - C D E F G
  - B C D E F G
  - A B C D E F G
- Using a longer string as a Snort signature gives greater detection accuracy than a shorter string [8]. So "A B C D E F G" can be used as the new derived signature.
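The iterations on the previous slide and the choice of the longest candidate here, as an added example; this is not the authors' implementation nor Snort's code. The packet list is constructed (it is not Table 1), the support measure (fraction of all captured packets containing the candidate as a contiguous run) and the 0.7 threshold are assumptions, and the routine generalises the slide slightly by trying both the tail and the head extension in every iteration rather than in separate ones. The Snort rule renderer at the end uses a placeholder sid.

```python
"""Added example of the Signature Apriori idea: grow a known partial signature
one content item at a time, keeping only extensions that are frequent in the
captured packets, then emit the longest one as a Snort rule."""
from collections import Counter

# Constructed sample packets, each tokenised into content items (not the slide's Table 1).
PACKETS = [
    "A B C D E F G Q".split(),
    "M N A B C D E F G".split(),
    "M A B C D E F G P".split(),
    "N A B C D E F G Q".split(),
    "J B C D E F G".split(),
    "P Q I".split(),
    "A B C D E F G".split(),
    "A B C D E F G Z".split(),
]


def contains_run(packet, run):
    """True if `run` occurs as a contiguous sub-list of `packet`."""
    n = len(run)
    return any(packet[i:i + n] == run for i in range(len(packet) - n + 1))


def support(packets, candidate):
    """Assumed support measure: fraction of all captured packets containing the run."""
    return sum(contains_run(p, candidate) for p in packets) / len(packets)


def frequent_items(packets, threshold):
    """First iteration: the single content items that meet the support threshold."""
    counts = Counter(item for p in packets for item in set(p))
    return sorted(i for i, c in counts.items() if c / len(packets) >= threshold)


def signature_apriori(packets, known_part, threshold):
    """Return every frequent extension of `known_part`, shortest first.

    Each iteration extends every frequent signature of the previous iteration
    by one frequent item, at the tail (C D E -> C D E F) and at the head
    (C D E F G -> B C D E F G). Candidates below the threshold are dropped,
    so nothing longer is ever built on top of an infrequent run.
    """
    items = frequent_items(packets, threshold)
    frontier = [list(known_part)]
    found = [list(known_part)]
    while frontier:
        next_frontier = []
        for sig in frontier:
            for item in items:
                for cand in (sig + [item], [item] + sig):
                    if cand in found or cand in next_frontier:
                        continue
                    if support(packets, cand) >= threshold:
                        next_frontier.append(cand)
        found.extend(next_frontier)
        frontier = next_frontier
    return found


def derived_signature(packets, known_part, threshold):
    """Longest frequent extension: a longer string is less likely to occur in normal traffic."""
    return max(signature_apriori(packets, known_part, threshold), key=len)


def snort_rule(signature, sid, msg="signature-apriori derived"):
    """Render the derived signature as a Snort content rule (sid is a placeholder value)."""
    payload = "".join(signature).encode()
    hexpart = " ".join(f"{b:02X}" for b in payload)
    return (f'alert tcp any any -> any any (msg:"{msg}"; '
            f'content:"|{hexpart}|"; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    sig = derived_signature(PACKETS, ["C", "D", "E"], 0.7)
    print(" ".join(sig))
    print(snort_rule(sig, 1000001))
```

On the constructed packets the frequent items are A to G, the seed "C D E" grows through "B C D E", "C D E F", "C D E F G" and "B C D E F G" to "A B C D E F G", and that longest run is what gets rendered as the new rule.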


Theoretical Analysis
- Detection of known attacks as well as variations of attacks: since a combination of Snort and the Signature Apriori algorithm is used, the proposed framework can detect known attacks as well as variations of known attacks. It can also detect intrusions passing through the external network as well as the internal network.
- False positive rate: longer signatures are used for the Snort rules, which reduces the false positive rate, since the probability of a shorter signature occurring in normal traffic is higher.
- Computational cost: it has lower computational cost than other anomaly techniques, since once the rules are generated there is no need to generate them again, and multiple IDS instances are not required. It can be reduced further by reducing the number of database scans.


Theoretical Analysis
- Scalability: new rules can easily be added to Snort without modifying the existing rules.


Summary
- There are various intrusions in the Cloud which affect the confidentiality, availability and integrity of cloud resources.
- Integrating only a firewall into the Cloud is not an efficient solution for preventing such attacks.
- We proposed a framework incorporating NIDS into the Cloud.
- Our proposed framework can be used to detect network attacks (known attacks as well as variations of known attacks) at the front end and back end of the Cloud.
- It has a very low false positive alarm rate with reasonable computational cost, since a signature-based technique is used.
- However, it cannot detect fully unknown attacks.


References
1. P. Mell and T. Grance, "The NIST definition of cloud computing (draft)," NIST. [Online]. Available: http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf (2011).
2. "Top threats to cloud computing." [Online]. Available: http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf (2010).
3. "National Vulnerability Database," NIST. [Online]. Available: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3733
4. C. Brooks, "Amazon EC2 Attack Prompts Customer Support Changes," TechTarget. [Online]. Available: http://searchcloudcomputing.techtarget.com/news/article/0,289142,sid201_gci1371090,00.html (2009).
5. M. Slaviero, "Black Hat presentation demo vids: Amazon." [Online]. Available: http://www.sensepost.com/blog/3797.html (2009).
6. S. Beg, U. Naru, M. Ashraf, and S. Mohsin, "Feasibility of Intrusion Detection System with High Performance Computing: A Survey," International Journal for Advances in Computer Science, vol. 1, no. 1, 2010.


References
7. H. Han, X. L. Lu, and L. Y. Ren, "Using Data Mining to Discover Signatures in Network-Based Intrusion Detection," Proceedings of the First International Conference on Machine Learning and Cybernetics, Beijing, vol. 1, 2002.
8. H. Zhengbing, L. Zhitang, and W. Junqi, "A Novel Intrusion Detection System (NIDS) Based on Signature Search of Data Mining," WKDD First International Workshop on Knowledge Discovery and Data Mining, 2008, pp. 10-16.
9. Snort home page. [Online]. Available: https://www.snort.org/ (2011).


Thank You