Signature Apriori based Network Intrusion Detection System in Cloud
Chirag N. Modi and Prof. Dhiren R. Patel, NIT Surat, India
Ph. D Colloquium, CSI-2011
Outline
- Introduction
- Problem Statement
- Proposed Work
  - Goals of Proposed Work
  - Proposed Framework
  - Design of NIDS Module
  - Signature Generation
- Theoretical Analysis
- Summary
- References
C. N. Modi, Ph. D Colloquium, CSI-2011 19/04/232
Introduction
Cloud Computing: providing convenient, on-demand network access to a shared pool of configurable computing resources via the Internet [1].
Services: SaaS, PaaS, IaaS.
Cloud is an integration of many technologies, each of which has some bugs or vulnerabilities [2][3]. Exploitation of existing vulnerabilities affects the confidentiality, availability and integrity of Cloud resources as well as services.
Most intrusion activities are attempted over the network.
Well known intrusions: insider attacks, flooding attacks, DoS/DDoS attacks [4][5], User to Root attacks (U2R), scans, VM level attacks, etc.
Introduction (cont.)
For preventing Cloud from such attacks, use of only a traditional firewall is not an efficient solution [6].
Another solution is to incorporate an efficient network based intrusion detection system (NIDS) module in Cloud computing.
It should have the following properties: completeness, scalability and compatibility.
Problem Statement
To incorporate an efficient NIDS module in Cloud in such a way that it can detect intrusions from the external as well as the internal network of Cloud.
Challenges to NIDS in Cloud:
- Detection of known as well as unknown network attacks on each layer (front end, back end or VM) of Cloud
- Low computational cost
- High detection rate
- Low false positive and false negative alarm rate
- Scalability
- Compatibility
Goals of Proposed Work
- Detection of known attacks as well as variations of known attacks at the front end and back end of Cloud. Examples of variations of known attacks [7][8]:
  Content: "|2F646566 61756C74 2E696461 3F4E4E4E|" (Code Red-I)
  Content: "|2F646566 61756C74 2E696461 3F585858|" (Code Red-II)
  Same pattern: 2F646566 61756C74 2E696461.
  Content: "/iisadmpwd/aexp2.htr" (WEB-IIS access)
  Content: "scripts/iisadmin/default.htm" (WEB-IIS /scripts/iisadmin/default.htm access)
  Same pattern: /iisadm.
- Lower computational cost than other anomaly techniques
- Low false positive alarm rate
- Scalability
Proposed Framework
Three possibilities for positioning NIDS in Cloud:
- On the cloud front point
- On each server
- On each VM
Each has some advantages and drawbacks.
Figure 1: Positioning NIDS in Cloud.
Design of NIDS Module
Figure 2 shows the components of our NIDS module:
- Network: the external network and the internal network of Cloud.
- Snort [9]: used to capture packets; detects intrusions based on configured rules.
- Known signature DB: contains known attack patterns or parts of them.
- Signature Apriori [8]: generates new signatures for Snort from captured packets and parts of known signatures.
Figure 2: Design of our NIDS module.
Working of NIDS Module in Cloud
Figure 3 shows the flow: packets are captured from the network and passed to Snort, which checks them against the known signature DB; depending on whether any match is found, the packet is allowed or denied. Known signatures from the DB are fed to Signature Apriori, which generates new signatures that are used to update the Snort rules.
Figure 3: Working of NIDS module.
Signature Generation

Table 1: Captured Packets.
ID | Packet Contents
1  | A B C D E F G Q
2  | M N A B C D F G
3  | M A B C E F G P Q
4  | N A B C D E F G Q
5  | J B C D E F G
6  | P Q I

Part of known signature: "C D E", with a 0.7 threshold.
Frequent content set: {A, B, C, D, E, F, G}

Table 2: First iteration (extend "C D E" to the right by one frequent item).
Candidates: C D E A, C D E B, C D E C, C D E D, C D E E, C D E F, C D E G
Frequent content set: {C D E F}

Table 3: Second iteration.
Candidates: C D E F A, C D E F B, C D E F C, C D E F D, C D E F E, C D E F F, C D E F G
Frequent content set: {C D E F G}

Table 4: Third iteration.
Candidates: C D E F G A, C D E F G B, C D E F G C, C D E F G D, C D E F G E, C D E F G F, C D E F G G
Frequent content set: {} (no frequent right extension, so extend to the left)

Table 5: Fourth iteration (extend "C D E F G" to the left).
Candidates: A C D E F G, B C D E F G, C C D E F G, D C D E F G, E C D E F G, F C D E F G, G C D E F G
Frequent content set: {B C D E F G}

Table 6: Fifth iteration.
Candidates: A B C D E F G, B B C D E F G, C B C D E F G, D B C D E F G, E B C D E F G, F B C D E F G, G B C D E F G
Signature: {A B C D E F G}
Signature Generation (cont.)
The possible attack signatures found are as follows: C D E F; C D E F G; B C D E F G; A B C D E F G.
Use of a longer string as a Snort signature gives greater detection accuracy than a shorter one [8]. So "A B C D E F G" can be used as a new derivative signature.
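As an added illustration (not code from the slides or the authors), the growth procedure of Tables 2 to 6 as a small signature-apriori routine: starting from the known fragment "C D E" it extends the signature one frequent token at a time, rightwards until no extension reaches the support threshold, then leftwards. The packets are those of Table 1; the threshold is expressed as an absolute packet count (an assumption here, where the slides state 0.7), and support means a contiguous occurrence inside a packet.

```python
from collections import Counter

# Constructed input: the six captured packets from Table 1 of the slides,
# each transcribed as a list of content tokens.
PACKETS = [p.split() for p in [
    "A B C D E F G Q", "M N A B C D F G", "M A B C E F G P Q",
    "N A B C D E F G Q", "J B C D E F G", "P Q I",
]]

def count_packets(seq, packets):
    """Number of packets containing seq as a contiguous run of tokens."""
    n = len(seq)
    return sum(any(p[i:i + n] == seq for i in range(len(p) - n + 1)) for p in packets)

def frequent_items(packets, min_count):
    """Apriori first pass: tokens present in at least min_count packets."""
    counts = Counter(tok for p in packets for tok in set(p))
    return [t for t, c in sorted(counts.items()) if c >= min_count]

def grow_signature(seed, packets, min_count):
    """Extend a fragment of a known signature one frequent token at a time:
    rightwards while some extension is frequent, then leftwards.
    Returns the chain of signatures, longest last. Among frequent
    extensions the most frequent wins; ties go to the lowest token."""
    items = frequent_items(packets, min_count)
    chain = [list(seed)]
    for side in ("right", "left"):
        while True:
            cur = chain[-1]
            cands = [cur + [t] if side == "right" else [t] + cur for t in items]
            scored = [(count_packets(c, packets), c) for c in cands]
            scored = [sc for sc in scored if sc[0] >= min_count]
            if not scored:
                break  # no frequent extension on this side: switch side or stop
            chain.append(max(scored, key=lambda sc: sc[0])[1])
    return [" ".join(c) for c in chain]

if __name__ == "__main__":
    for min_count in (3, 2):
        print(min_count, grow_signature("C D E".split(), PACKETS, min_count))
```

With min_count=3 the chain is C D E, C D E F, C D E F G, B C D E F G; the slides' final signature A B C D E F G occurs only in packets 1 and 4 of Table 1, so it is reached only at min_count=2, where Q is also a frequent item and the chain ends at A B C D E F G Q. The threshold therefore trades specificity (a longer signature, fewer false positives) against how many variants the signature still covers.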
Theoretical Analysis
Detection of known attacks as well as variations of attacks: since a combination of Snort and the Signature Apriori algorithm is used, the proposed framework can detect known attacks as well as variations of known attacks. Also, it can detect intrusions passing through the external network as well as the internal network.
False positive rate: we use longer signatures for Snort rules, which reduces the false positive rate, since the probability of a shorter signature occurring in normal traffic is high.
Computational cost: it has lower computational cost than other anomaly techniques since, once rules are generated, there is no need to generate them again. Multiple instances of the IDS are not required. Further, the cost can be reduced by reducing the number of database scans.
Theoretical Analysis (cont.)
Scalability: new rules can be easily added into Snort without modifying existing rules.
Summary
- There are various intrusions in Cloud which affect the confidentiality, availability and integrity of Cloud resources.
- Integration of only a firewall in Cloud is not an efficient solution for preventing such attacks.
- We proposed a framework incorporating NIDS into Cloud.
- Our proposed framework can be used to detect network attacks (known attacks as well as variations of known attacks) at the front end and back end of Cloud.
- It has a very low false positive alarm rate with reasonable computational cost since a signature based technique is used.
- However, it cannot detect fully unknown attacks.
References
1. P. Mell and T. Grance, "The NIST definition of cloud computing (draft)," NIST, 2011. [Online]. Available: http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf
2. "Top threats to cloud computing," 2010. [Online]. Available: http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
3. "National Vulnerability Database," NIST. [Online]. Available: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3733
4. C. Brooks, "Amazon EC2 attack prompts customer support changes," TechTarget, 2009. [Online]. Available: http://searchcloudcomputing.techtarget.com/news/article/0,289142,sid201_gci1371090,00.html
5. M. Slaviero, "Black Hat presentation demo vids: Amazon," 2009. [Online]. Available: http://www.sensepost.com/blog/3797.html
6. S. Beg, U. Naru, M. Ashraf and S. Mohsin, "Feasibility of intrusion detection system with high performance computing: A survey," International Journal for Advances in Computer Science, vol. 1, no. 1, 2010.
7. H. Han, X. L. Lu and L. Y. Ren, "Using data mining to discover signatures in network-based intrusion detection," Proceedings of the First International Conference on Machine Learning and Cybernetics, Beijing, vol. 1, 2002.
8. H. Zhengbing, L. Zhitang and W. Jumgi, "A novel intrusion detection system (NIDS) based on signature search of data mining," WKDD First International Workshop on Knowledge Discovery and Data Mining, 2008, pp. 10-16.
9. Snort home page. [Online]. Available: https://www.snort.org/ (2011).
Thank You