Source: ltis.icnslab.net/ALTIS/Files/20120627_NguyenDoan...

The 7th FTRA International Conference on Future Information Technology (FutureTech 2012)

The 3rd FTRA International Conference on Mobile, Ubiquitous, and Intelligent Computing (MUSIC 2012)

The FTRA International Symposium on Advances in Cryptography, Security and Applications (ACSA-Summer 2012)

DETAILED SCHEDULE FOR ACSA-SUMMER 2012

June 26, 2012 (Tuesday)

09:00 - 09:20 Registration

09:20 - 12:00 Session 1-E: ACSA-Summer 2012 & ASNUC 2012

(Room: Green Timber 2)

(Chair: Gokay Saldamli)

- A Security Proof for HMAC-E

Fanbao Liu, Tao Xie

- Biclique cryptanalysis on light-weight block cipher: HIGHT and Piccolo

JungHwan Song, KwanHyung Lee, HwanJin Lee

- The Optimal Split Method for Large Integer Multiplication on Low-End Devices

Ren-Junn Hwang, Loang-Shing Huang, Feng-Fu Su

- Partially Interleaved Modular Karatsuba-Ofman Multiplication

Gokay Saldamli

- Lite-AKA: Lightweight Authentication Key Agreement for Pervasive Computing

Hwaseong Lee, Dong Hoon Lee

- Modeling User-Generated Contents: An Intelligent State Machine for User-Centric Decision-Making Support

Neil Y. Yen, Jonghyuk Park, Qun Jin

- ALCA: Agent Learning Based Clustering in Vehicular Ad Hoc Networks

Neeraj Kumar, Naveen Chilamkurti, Jonghyuk Park

- Genetic Algorithm for Effective Open Port Selection for a Web Filter

Anjolaoluwa Olayemi, Sajid Hussain, Sang Soo Yeo

09:20 - 12:00 Session 1-F: ACSA-Summer 2012

(Room: Green Timber 3)

(Chair: Yungho Choi)

- Source Identification of Spoofed DDoS Attacks using an Image Processing Approach

Tae Hwan Kim, Dong-Seong Kim, Joon Heo

- Cooperation in Fully Distributed and Decentralized VANETs

Jezabel Molina-Gil, Pino Caballero-Gil, C Caballero-Gil

- An Attack Path based Collaborative Defense Mechanism for DDoS Attacks

PyungKu Park, SeongMin Yoo, HoYong Ryu, JaeCheol Ryou


- Improvement of the hash-based RFID mutual authentication protocol using a secret value

JuSeok Shin, Sejin Oh, Kwangseon Ahn

- On Securing One-way Hash Chain Based Incentive Mechanism for VANET

Joon-Sang Park, Seung Jun Baek

12:00 - 13:30 Lunch

13:30 - 13:40 Opening Remark

(Room: Tynehead Ballroom)

Prof. Seungmin Rho, Baekseok University, Korea

13:40 - 14:50 Invited Speaking 1 : MUSIC 2012

(Room: Tynehead Ballroom)

(Chair: Youngsik Jeong)

Energy Adaptation in Ubiquitous Computing

Prof. Krishna Kant, George Mason University, USA

14:50 - 15:00 Break

15:00 - 16:20 Invited Speaking 2 : FutureTech 2012

(Room: Tynehead Ballroom)

(Chair: Seungmin Rho)

Mobile Cloud and Green Computing

Prof. Ivan Stojmenovic, University of Ottawa, Canada

16:20 - 16:40 Coffee Break


16:40 - 18:00 Session 2-E: ACSA-Summer 2012

(Room: Green Timber 2)

(Chair: Jezabel M. Molina Gil)

- The Impact of Trace Generalization on the Anomaly Detection Systems

Syed Shariyar Murtaza, Abdelwahab Hamou-Lhadj, Mario Couture

- Secure Asymmetric Two-Party Computation Protocol for Distance Measurement

KOK SENG WONG, MYUNG HO KIM

- Design and Implementation of Efficient Defense Mechanism Against ARP Spoofing Attacks using AES and RSA

Seungpyo Hong, Myeungjin Oh, Sangjun Lee

- A Key Distribution Scheme for Mobile Underwater Wireless Sensor Networks

Kubra Kalkan, Albert Levi

16:40 - 18:00 Session 2-F: ACSA-Summer 2012

(Room: Green Timber 3)

(Chair: Cheonshik Kim)

- International Standardization Status and Analysis of National Priorities on Health Information Security

Soonseok Kim, Gilhong Park, Yonghee Lee, Deokseok Seo, Yunyeop Cha, Changhoon Lee

- An Encryption Approach to Secure Modification and Deletion for Flash-based Storage Systems

Rize Jin, Hyung-Ju Cho, Tae-Sun Chung

- Security Approach for Ubiquitous Healthcare Services through Wireless Communication

INSHIL DOH, JUNG-MIN PARK, KIJOON CHAE

18:30 - 20:00 Conference Reception (Pool side Deck (2F))


June 27, 2012 (Wednesday)

09:00 - 09:20 Registration

09:20 - 12:00 Session 3-F: ACSA-Summer 2012

(Room: Green Timber 3)

(Chair: Wei-Chuen Yau)

- Searchable Encryption with User-Revocability in Undesignated Receiver Settings

DongMin Kim, Ji Young Chun, Ik Rae Jeong

- Characteristic Behavior Sequence Based Attack Detection Method for Browser Extension

JUNJIE WANG, XIAOHONG LI, QIN WANG, GUANGQUAN XU

- An Adaptive-Secure k-Resilient Identity-Based Identification Scheme in the Standard Model

Ji-Jian Chin, Swee-Huay Heng

- Attacks on Chow's Identity-Based Undeniable Signature Scheme

Rouzbeh Behnia, Swee-Huay Heng, Che-Sheng Gan

- Lossless Information Hiding Scheme for Binary Document Images Using n-Pairs Pattern

Cheonshik Kim, Dongkyoo Kim, Dongil Shin, Chin-Nung Yang

- Keyword Guessing Attacks on Secure Searchable Public Key Encryption Schemes with a Designated Tester

Wei-Chuen Yau, Raphael C.-W. Phan, Swee-Huay Heng, Bok-Min Goi

12:00 - 13:30 Lunch

13:30 - 14:50 Invited Speaking 3: MUSIC 2012

(Room: Tynehead Ballroom)

(Chair: Jongsung Kim)

Intelligent Infrastructure, Sustainable Design, and Signature Structures

Prof. Hojjat Adeli, The Ohio State University, USA

14:50 - 15:00 Break


15:00 - 16:20 Session 4-F: ACSA-Summer 2012

(Room: Green Timber 3)

(Chair: Jongweon Kim)

- Infrastructure Design for Efficient Replica Detection in Large-scale Wireless Sensor Networks

Kwantae Cho, Dong Hoon Lee

- A Secure File Storage System with Scaled Secret Sharing

Feng Shen, Hai Jiang, Laurence T. Yang, Su Chen

- Trustworthy Service Recommendation Based on User's QoS Requirements

Fang Liu, Shuiguang Deng, Longtao Huang, Jianwei Yin

- A Distributed Scheme for Row Based Computational Private Information Retrieval

Zhu Hong, Wang Zhipeng, Lv Kevin, Xie Meiyi

16:20 - 16:40 Break

16:40 - 18:00 Session 5-E: ACSA-Summer 2012

(Room: Green Timber 2)

(Chair: Inshil Doh)

- Validating Prefix Announcements in Inter-Domain Routing: An Approach Based on Fuzzy Set Theory

Wenping Deng, Yuexiang Yang, Peidong Zhu

- MalShield: Collaborative and Online Malware Detection using Distributed Rendezvous-based Behavior Accumulation

Huabiao Lu, Xiaofeng Wang, Jinshu Su

- BGP Surviving under Extreme Cross Plane Attacks

Hongjun Liu, Xiaofeng Hu, Dan Zhao, Xicheng Lu

- Collusion Attack-Resistant Watermarking Scheme using Correlation Peak Position Modulation

Jihah Nah, Jongweon Kim

16:40 - 18:00 Session 5-F: ACSA-Summer 2012

(Room: Green Timber 3)

(Chair: Li Xiaohong)

- Evaluation a Collaborative Intrusion Detection System Framework in Cloud Computing

Doan Man Nguyen, Eui-Nam Huh


- Secure user authentication and key agreement protocol for mobile client-server environments

Cheng-Chi Lee, Chun-Ta Li, Chia-Ying Wu, Te-Yu Chen, Shiow-Yuan Huang

- Encrypted and Deniable File Systems Is Not Enough: Shielding Your Privacy with Shadow Execution Environment

Yan Wen, Jinjing Zhao, Gang Zhao, Minhuan Huang

18:30 - 21:00 Banquet (Guildford Ballroom (F1))


June 28, 2012 (Thursday)

09:00 - 09:20 Registration

09:20 - 12:00 Session 6-E: ACSA-Summer 2012

(Room: Tynehead 3)

(Chair: Kitae Jeong)

- Improved Differential Fault Analysis on PRESENT-80/128

Kitae Jeong, Yuseop Lee, Jaechul Sung, Seokhie Hong

- The Role of IE Status concerning the Digital Evidence Analysis in terms of Instant Messaging of Gmail Chat

HAI-CHENG CHU, SZU-WEI YANG, CHING-HSIEN HSU, JONG HYUK PARK

- Lifting the veil on mobile malware: A complete dynamic solution for iOS

Dimitrios Damopoulos, Georgios Kambourakis, Stefanos Gritzalis, Sang Oh Park

- An Analysis of DDoS Attacks in Different Networks Using Attack Graphs Based on the Expected Loss

Ying Liu, Yang Sun Lee, Hong-Ke Zhang, Tin-Yu Wu, Chi-Hsiang Lo

- RFID based Indoor Location Tracking to Ensure the Safety of the Elderly in Smart Home Environments

Soo-Cheol Kim, Young-Sik Jeong, Sang Oh Park

09:20 - 12:00 Session 6-F: ACSA-Summer 2012

(Room: Green Timber 3)

(Chair: I-Cheng Chang)

- Password Authentication Scheme using Virtual Scroll Wheel for Smart Devices

Hyunyi Yi, Siwan Kim, Gunil Ma, Jeong Hyun Yi

- Router Architecture Evaluation for Security Network

Yungho Choi, Jaebum Park, Young-Ho Park, Neungsoo Park

- A Study on the Association of Information Technology Risk Management and Business Performance

SHE-I CHANG, I-CHENG CHANG, CHIA-YI LEE

- A Method for the Risk Measurement of Malicious Activities of Botnets

Dohoon Kim, Young-Gab Kim, Hoh In, Hyun Choel JEONG

- Anonymous Proximity Mobile Payment (APMP)

SADIQ ALMUAIRFI, PRAKASH VEERAGHAVAN, NAVEEN CHILAMKURTI, Doo-Soon PARK


- Performance Enhancement of Nonlinear Weighted DPA Attack based on Differential Trace Model

JeongChoon Ryoo, Dong-Guk Han, Sangjin Lee

- Electromagnetic Disturbance Analysis on Commercial Contactless Smartcards

Jae Deok Ji, Dong-Guk Han, Seok Won Jung, Sangjin Lee, Jong Sub Moon


Evaluation a Collaborative Intrusion Detection System Framework in Cloud Computing

NGUYEN DOAN MAN AND EUI-NAM HUH

Department of Computing Engineering, Kyunghee University

REPUBLIC OF KOREA [email protected]

Abstract

Intrusion Detection Systems (IDS) have been widely used in ICT systems to detect malicious behaviors in network communications and hosts. Facing the new application scenarios of Cloud computing, a new revolutionary computing paradigm, the current IDS approach yields several problems which stem from the distributed and complex nature of Cloud computing. To overcome these issues, collaboration among Cloud providers (CPs) is a solution that achieves benefits by collecting knowledge and information from Cloud peers and by more accurate intrusion detection. Instead of sharing intrusion data, which raises privacy concerns for participants, we propose a knowledge-based Intrusion Detection network which is constructed by sharing intrusion knowledge among the security systems of Cloud peers. We also present an optimization problem in this model and its solution. Finally, several simulations are implemented to evaluate the efficiency of our model in terms of optimization overheads and the ability to detect intrusions.

Keywords: Cloud computing, Intrusion Detection System, Collaboration, Distribution

1 Introduction

Cloud computing is an emerging commercial infrastructure paradigm that promises to eliminate the need for companies and institutes alike to maintain expensive computing facilities. The combination of the Internet with virtualization technology enables Cloud computing to emerge with promising prospects to facilitate the development of large-scale, flexible computing infrastructures, available on demand to meet the computational requirements of e-Science applications. However, without appropriate security and privacy solutions, this revolutionary computing paradigm could become a huge failure.

To protect the virtual systems of Cloud users from malicious intrusions, Intrusion Detection Systems are designed to monitor network traffic and system behaviors, raising intrusion alerts to network administrators or security operators. Traditionally, IDSs work independently of each other and rely on new signatures or detection rules from the corresponding security vendor's signature/rule repository to remain synchronized with new detection knowledge. However, the complexity of Cloud computing, caused by virtualization technology and the sharing of resources between different users, increases the number and diversity of intrusions. This limits the efficiency of traditional IDSs in Cloud computing, since no single vendor can cover all possible intrusions with limited labor and available technology. To address the issue, distributed and collaborative IDS (CIDS) approaches [1,2,3] were proposed to adapt to the distributed nature of Cloud computing as well as to use intrusion knowledge from Cloud peers to improve detection ability and accuracy.

A new detection rule created by the IDS framework of a Cloud peer may be adopted directly by others if they have similar network, platform or application configurations. For example, a new intrusion detection rule created to mitigate a vulnerability in a piece of software can be adopted by others using the same software. Sharing attack detection rules among IDS models on Cloud peers can be an effective way to improve overall security in a Cloud federation environment. However, in some cases the CIDS frameworks rely on the sharing of intrusion data, which raises privacy concerns. Moreover, most recent approaches were proposed and evaluated only under ideal conditions with unlimited resources for attack detection, rather than in a real environment with limited resources (e.g. computing resources, network bandwidth) or weak compatibility of networks, platforms, etc. among Cloud peers.

In this paper, we present a mechanism to take advantage of the benefits of intrusion detection knowledge sharing and propose RSCIDS, a rule sharing-based CIDS framework in which intrusion detection rules are shared among Cloud peers in a Cloud federation. RSCIDS is based on a peer-to-peer (P2P) overlay, where each Cloud peer maintains a database of information about other peers and communicates through the P2P system. Accordingly, an automatic knowledge dissemination mechanism is proposed to allow CPs to share detection rules with others effectively under resource constraints such as network bandwidth. The efficiency of the framework is demonstrated with experimental results showing that the proposed rule sharing mechanism can improve the overall security of the community and provide incentive compatibility and fairness to the Cloud peers.

The rest of our paper is organized into the following sections. In Section 2, we introduce several recent approaches to integrating a collaborative IDS framework into a common physical network architecture as well as into Cloud computing. We give an overall description of the RSCIDS framework and its solutions for operating this framework effectively in Section 3. The experimental results that demonstrate the efficiency of our proposed model are presented in Section 4. In the last section, we conclude the paper and present future directions.

2 Related works

Traditional IDS collaboration utilizes collective intrusion information and knowledge from other IDSs to improve accuracy in intrusion detection. In [5, 6], IDSs collect intrusion data such as intrusion alerts or firewall logs from other nodes to perform overall intrusion detection for the whole network. They are especially effective at detecting epidemic worms or attacks in environments of homogeneous IDS sensors. Meanwhile, expertise-based CIDS models encourage peers to send suspicious data samples to expert peers for analysis. Feedback from the peers is then aggregated to help the sending IDSs detect intrusions [8]. However, both types of CIDSs rely on the sharing of intrusion data, which raises privacy concerns. Instead, Quanyan Zhu [7] presented SMURFEN, a framework for sharing detection knowledge, such as detection rules and malware signatures, among IDSs. In this model, efficiency was evaluated by the compatibility as well as the satisfaction level of IDS peers with the shared rules. This information was used to determine the optimized rates of rule sharing from a peer to others under resource constraints.

In Cloud computing, the requirement for a CIDS framework arises naturally from the distributed nature of Cloud computing and the development of collaborative models among CPs. Sebastian Roschke [1] and Saman Taghavi Zargar [3] presented potential approaches to build a distributed IDS framework in the Cloud. Roschke's work focused on communication and information exchange between multiple types of IDS sensors (i.e. NIDS and HIDS) deployed in each layer of a Cloud infrastructure. Meanwhile, in addition to deploying numerous IDS sensors in each Cloud for local attack detection, the DCDIDP model of Saman Taghavi Zargar also offered sharing of intrusion knowledge among collaborators to enrich the quantity and quality of attack signatures. However, these works only proposed novel CIDS models theoretically, under ideal conditions without resource constraints. Meanwhile, Chi-Chun Lo [4] applied CIDS to protecting Cloud peers from DoS or DDoS attacks. The approach was based on a majority voting mechanism over the Snort alerts, which are shared among peers as suspicious events are detected, to determine whether a suspicious event is related to a DoS or DDoS attack. However, the information exchanged among Clouds in the Cloud federation was potential intrusion data, which can violate privacy. In our approach, instead of intrusion data, peers in the collaboration share attack detection rules, which are considered knowledge, to limit or prevent the disclosure of system configurations.

3 The RSCIDS Framework

An intrusion detection rule is a detection policy which specifies the pattern of a suspicious attack. Each rule can trigger an alert once the pattern is matched. The pattern can be an IP address, port number, protocol flags, content of the data payload, etc. Defense against attackers is a challenging problem, since a defender needs to know all possible attacks to ensure network security, whereas an attacker only needs to know a few attack techniques to succeed. It is impossible for one or a small group of defenders to know all attack techniques, but it is common to have knowledge about some attacks. Hence, this motivates defenders to share knowledge with others to overcome their weaknesses. The purpose of RSCIDS is to provide a model for Cloud peers of a Cloud federation to share their attack detection rules with others effectively.

Fig. 1: The Communication Model among Cloud Peers in the RSCIDS Framework

3.1. Problem Model

Let $N = \{c_i \mid i = 1, 2, \dots, n\}$ be the set of $n$ Cloud peers which are in the same Cloud federation and ready to share their attack detection rules with each other. Each peer $c_i$ is provided with a set of elementary IDSs $D = \{d_i \mid i = 1, 2, \dots, m\}$. To simplify the management of these IDSs, all VMs are partitioned into several groups according to their OS type, and one or several particular IDSs are assigned to monitor and detect intrusions on each VM group.

In general, one of the most important obstacles to the success of the rule sharing process is platform compatibility between Cloud peers. Each Cloud comprises multiple types of OSs as well as a large number of applications running on those OSs. Meanwhile, each attack detection rule only detects intrusions on a particular platform, which includes a specific OS as well as runtimes or APIs. Hence, a rule is useful to a Cloud if that Cloud has at least one platform compatible with the platform information the rule refers to.

[Fig. 1 residue: a Collaborative Cloud Computing Environment of seven nodes (Node 1 to Node 7), each hosting VMs; one node's Neighbors list (Node 1, Node 3, Node 4, Node 5, Node 6) and Best Neighbors list (Node 1, Node 3, Node 4, Node 6); exchanges labelled Testing Rules, Knowledge Rules and Feedbacks.]

In the initialization step, each Cloud peer $c_i$ keeps a neighbor list which includes all other peers in the Cloud federation. From the information in the list, each peer sends testing rules to all other peers and then aggregates feedback to compute the compatibility level between each pair of peers. To express the compatibility level, we present a measurement, the Compatibility Ratio (CR), which is the probability that a rule from peer $c_i$ is accepted by peer $c_j$ with a particular OS type $k$; it is denoted $C^k_{ij}$, where $i, j$ are indexes of Cloud peers ($0 \le i, j \le n$). A peer can also rely on the compatibility levels to determine the rule propagation rates to its neighbors. Each decision of a peer $c_j$ to accept or reject a new rule is reported to peer $c_i$ for the $C^k_{ij}$ learning process.

We also present two additional parameters, namely the compatibility threshold $\tau$ and the maximum length $l_i^{max}$ of the Best Neighbor (BN) list. After a training process, at most $l_i^{max}$ peers which have the highest $C^k_{ij}$ with $C^k_{ij} \ge \tau$, $i, j \in N$, are considered the BNs of this peer (i.e. $N_i = \{c_j \mid C^k_{ij} \ge \tau\}$ with $|N_i| \le l_i^{max}$) and are prioritized to exchange new attack detection rules with peer $c_i$ later. The Compatibility Ratio $C^k_{ij}$ is evaluated and updated constantly to determine the removal or addition of Cloud peers in the BN lists. Limiting the number of BNs of a Cloud peer reduces the amount of its resources used to share attack knowledge as well as the network bandwidth for communication among peers. Moreover, peer $c_i$ still communicates with peers $c_j$ whose $C^k_{ij}$ is less than $\tau$ by sending testing rules to them at a low rate, to update $C^k_{ij}$ and replace old BNs if needed.

3.2. Evaluating Compatibility Ratio

First, a Cloud peer needs to update the compatibility level on a specific OS type $k$ with all other peers, which helps it select an optimized propagation rate of new attack detection rules and find its BNs. To evaluate the CR effectively, at the beginning each peer sends testing rules, which include some information about detected intrusions related to OS type $k$ and can be accepted or rejected by the recipients. From the feedback of recipients, we can predict the usefulness of attack detection rules and learn whether compatible platforms exist on Cloud neighbors. In this section, we present a Bayesian learning approach to build the compatibility levels among Cloud peers. In particular, a peer $c_i$ uses a Beta distribution to estimate $C^k_{ij}$ with its neighbor $c_j$. The posterior probability is updated at each step using the empirical data on the outcome of the acceptance/rejection decision.

When peer $c_j$ receives a new detection rule from peer $c_i$, it can choose either to accept the rule ($h = 1$) or to reject the rule ($h = 0$). Let $X \in \Omega := \{0, 1\}$ be a random variable which denotes the decision outcome: rejection or acceptance. Note that in the case where a rule is accepted at first and then rejected due to a high false positive rate, the weight of the reject decision is doubled to reverse the impact of the previous acceptance decision. Since CR is defined as the probability that a rule is accepted by the neighbor, we have $C_{ij} = P[X = 1]$, where $P: 2^{\Omega} \to [0, 1]$ is a probability measure. We estimate $C_{ij}$ from the past observations $H_m = \{h_u\}_{u=1}^{m}$, $h_u \in \{0, 1\}$. The distribution of $C_{ij}$ can be represented as a Beta distribution in the form

$$C_{ij}(m) = \frac{1}{B(\alpha(m), \beta(m))} \, x^{\alpha(m) - 1} (1 - x)^{\beta(m) - 1} \quad (1)$$

$$\alpha(m) = \sum_{u=1}^{m} \gamma^{t_u} h_u + \gamma^{t_0} \alpha_0 \quad (2)$$

$$\beta(m) = \sum_{u=1}^{m} \gamma^{t_u} \vartheta_u (1 - h_u) + \gamma^{t_0} \beta_0 \quad (3)$$

where $\alpha_0$, $\beta_0$ are the initial beliefs of $C_{ij}$ and $1 - C_{ij}$, respectively; $\alpha(m)$, $\beta(m)$ are the Beta parameters after $m$ decision outcomes; $h_u \in \{0, 1\}$ is the $u$-th experience; $t_u$ is the age of the $u$-th experience; $\vartheta_u \in \{1, 2\}$ is the weight of the reject decision, $\vartheta_u = 1$ for the rejection of a new rule and $\vartheta_u = 2$ for the rejection of a previously accepted rule. We put more weight on recent experience by introducing a forgetting factor $\gamma$, which reduces the effect of older outcomes on the two parameters $\alpha(m)$, $\beta(m)$.

3.3. Management of the Best Neighbors

Since virtual machines and their corresponding platforms $k$ in Cloud computing can easily be added, removed or changed to a new platform at any time, this can affect the $C^k$ values between the Cloud peers in a Collaborative Cloud computing environment. Each of these changes can create a need to update the BN lists on the relevant Cloud peers. In some cases, a Cloud peer $c_j$ which is currently a BN of a peer $c_i$ can be removed from the BN list as $C^k_{ij}$ decreases significantly to be less than either the $C^k_{iu}$ of an arbitrary peer $c_u$ that was not previously in the BN list or the threshold $\tau$. On the other side, a peer that was not in the BN list may, after some changes on the platform layer, improve its $C^k$ and should be added to this list.
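The estimator below is an added worked example for Sections 3.2 and 3.3, written for this page and not taken from the paper or its authors. It implements the Beta-posterior update of eqs. (2) and (3), reads the point estimate of $C^k_{ij}$ off the posterior of eq. (1) as its mean, and then builds and re-evaluates the BN list from $\tau$ and $l_i^{max}$. Everything numeric is an assumption made here: the values of $\gamma$, $\alpha_0$, $\beta_0$, $\tau$ and $l_i^{max}$, the rule that the age $t_u$ of an experience is the number of decisions recorded after it (the newest has age 0, the initial beliefs age $m$), and the constructed feedback sequences; the name `CompatibilityEstimator` and its helpers are likewise hypothetical.

```python
"""Compatibility Ratio (CR) learning with a Beta posterior (eqs. 1-3) and Best
Neighbor (BN) list selection (Sections 3.1 and 3.3). Added worked example; not
the paper's code. Assumed here: concrete values for gamma, alpha0, beta0, tau
and l_max, and that the age t_u of an experience is the number of decisions
recorded after it (newest has age 0, initial beliefs have age m).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Experience:
    h: int      # 1 = rule accepted, 0 = rule rejected
    theta: int  # reject weight: 1 for a fresh rejection, 2 for rejecting a previously accepted rule


@dataclass
class CompatibilityEstimator:
    """Peer c_i's estimate of C^k_ij for one neighbor c_j and OS type k."""
    gamma: float = 0.9    # forgetting factor (assumed value)
    alpha0: float = 1.0   # initial belief of C_ij (assumed value)
    beta0: float = 1.0    # initial belief of 1 - C_ij (assumed value)
    history: List[Experience] = field(default_factory=list)

    def record(self, accepted: bool, previously_accepted: bool = False) -> None:
        """Store one feedback h_u; rejecting a rule accepted earlier gets weight 2."""
        theta = 2 if (not accepted and previously_accepted) else 1
        self.history.append(Experience(h=1 if accepted else 0, theta=theta))

    def params(self) -> Tuple[float, float]:
        """alpha(m), beta(m) from eqs. (2) and (3)."""
        m = len(self.history)
        # the initial beliefs are the oldest evidence: age t_0 = m
        alpha = self.gamma ** m * self.alpha0
        beta = self.gamma ** m * self.beta0
        for u, e in enumerate(self.history, start=1):
            weight = self.gamma ** (m - u)   # gamma^{t_u}; the newest experience has age 0
            alpha += weight * e.h
            beta += weight * e.theta * (1 - e.h)
        return alpha, beta

    def ratio(self) -> float:
        """Point estimate of C_ij: the mean alpha / (alpha + beta) of the Beta in eq. (1)."""
        alpha, beta = self.params()
        return alpha / (alpha + beta)


def best_neighbors(ratios: Dict[str, float], tau: float, l_max: int) -> List[str]:
    """N_i = {c_j | C^k_ij >= tau}, keeping only the l_max highest ratios."""
    eligible = [(peer, c) for peer, c in ratios.items() if c >= tau]
    eligible.sort(key=lambda pc: (-pc[1], pc[0]))   # highest CR first, name breaks ties
    return [peer for peer, _ in eligible[:l_max]]


def update_bn_list(current: List[str], ratios: Dict[str, float],
                   tau: float, l_max: int) -> Tuple[List[str], List[str], List[str]]:
    """Section 3.3: recompute the BN list after CR changes; returns (new list, added, removed)."""
    new = best_neighbors(ratios, tau, l_max)
    added = [p for p in new if p not in current]
    removed = [p for p in current if p not in new]
    return new, added, removed


if __name__ == "__main__":
    # Constructed feedback from three neighbors on one OS type (not real data).
    feedback = {
        "c2": [True, True, True, True],
        "c3": [True, False, True, False],
        "c4": [True, True, False],   # the last rejection reverses an accepted rule
    }
    estimators = {p: CompatibilityEstimator() for p in feedback}
    for p, outcomes in feedback.items():
        for n, ok in enumerate(outcomes):
            estimators[p].record(ok, previously_accepted=(p == "c4" and n == 2))
    ratios = {p: round(est.ratio(), 3) for p, est in estimators.items()}
    bn, added, removed = update_bn_list([], ratios, tau=0.5, l_max=2)
    print("CR estimates:", ratios)
    print("BN list:", bn, "added:", added, "removed:", removed)
```

With $\gamma = 1$ the estimator reduces to plain Beta counting, which is the easiest way to sanity-check it: three acceptances on top of $\alpha_0 = \beta_0 = 1$ give $C_{ij} = 4/5$, and one reversal of an earlier acceptance then adds 2 to $\beta$ rather than 1. A non-BN peer keeps receiving low-rate testing rules, so its estimator keeps running and `update_bn_list` is what promotes it once its ratio overtakes a current BN or crosses $\tau$.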

Hence, for a Cloud peer $c_j$ that is not in the BN list of peer $c_i$, $c_i$ still sends testing rules to $c_j$, at a lower rate than that used to share detection rules with BNs, to update the $C^k_{ij}$ values. Limiting the rate at which a peer tests non-BN peers saves resources, which are prioritized for the rule sharing process between highly compatible peers.

3.4. Rule Propagation and Receiving Rates

The intrusion detection knowledge propagation mechanism is an essential part of the RSCIDS framework, where IDSs decide the rule propagation rates to their neighbors. An appropriate propagation design provides not only incentive compatibility, which discourages free-riders and rewards contributors, but also fairness to all participants and robustness against malicious insiders.

In our approach, each Cloud peer $c_i$ controls two decision variables, namely $s_{ij}$ and $r_{ji}$. $s_{ij}$ is the rule propagation rate from node $c_i$ to each $c_j$ of its BNs. To prevent DoS attacks from malicious neighbors, a peer $c_i$ also sets an expected receiving rate $r_{ji}$, which is considered the upper bound of the rule propagation rate from each neighbor $c_j$ and is used to estimate the satisfaction of a peer $c_j$ with $j \in N_i$. In our approach, we assume that the rule sharing rates only depend on the network bandwidth assigned to each IDS model in each Cloud. Hence, the communication between peer $c_i$ and its BNs is limited by the parameter $M$, the maximum rate at which a peer sends new attack detection rules to its BNs.

$$\sum_{j \in N_i} s_{ij} \le M \quad (4)$$

$s_{ij}$: the propagation rate from peer $c_i$ to peer $c_j$

To determine the rule propagation rate and the receiving rate of a peer, we introduce $Sat(c_i, c_j)$, which represents the satisfaction level of a peer $c_j$ with the rules propagated by peer $c_i$, given by the following formula:

$$Sat^{(n)}(c_i, c_j) = C^{(n)}_{ij} \, \log\left(1 + \frac{s^{(n)}_{ij}}{r^{(n)}_{ij}}\right) \quad (5)$$

$r_{ji}$: the rate at which peer $c_i$ expects to receive rules from peer $c_j$

The concavity and monotonicity of the satisfaction level indicate that a recipient is increasingly pleased when more rules are received but the marginal satisfaction decreases as the number of received rules increases. The parameter Cij in (5) suggests that peer cj is more content when the compatibility or usefulness of rules from peer ci is high.

We define a problem to find 𝑠𝑠𝑖𝑖 = 𝑠𝑠𝑖𝑖𝑖𝑖 |𝑖𝑖 ∈ 𝑁𝑁𝑖𝑖 to maximize the total benefit from all BNs as follow:

𝐦𝐦𝐦𝐦𝐦𝐦𝒇𝒇(𝒔𝒔𝒊𝒊) = ∑ 𝑪𝑪𝒊𝒊𝒊𝒊𝒊𝒊∈𝑵𝑵𝒊𝒊 𝑺𝑺𝑺𝑺𝒕𝒕𝒄𝒄𝒊𝒊, 𝒄𝒄𝒊𝒊 (6) ∑ 𝒔𝒔𝒊𝒊𝒊𝒊 ≤𝒊𝒊∈𝑵𝑵𝒊𝒊 𝑴𝑴 (7)

The objective function 𝑓𝑓(𝑠𝑠𝑖𝑖 ) in (6) aggregates the

satisfaction level 𝑆𝑆𝑚𝑚𝑆𝑆𝑐𝑐𝑖𝑖 , 𝑐𝑐𝑖𝑖 of node cj by the compatibility ratio Cji. The problem is constrained by (7) in that the total propagation rate of a peer ci is limited by its communication capacity. From the defined problem, we form a Lagrangian function 𝐿𝐿𝑖𝑖 :𝑅𝑅𝑛𝑛𝑖𝑖 𝑚𝑚 𝑅𝑅 → 𝑅𝑅

𝑳𝑳𝒊𝒊(𝒔𝒔𝒊𝒊 ,𝝅𝝅𝒊𝒊) = ∑ 𝑪𝑪𝒊𝒊𝒊𝒊𝑪𝑪𝒊𝒊𝒊𝒊𝒊𝒊∈𝑵𝑵𝒊𝒊 𝐥𝐥𝐥𝐥𝐠𝐠 𝟏𝟏 + 𝒔𝒔𝒊𝒊𝒊𝒊𝒓𝒓𝒊𝒊𝒊𝒊 − 𝝅𝝅𝒊𝒊∑ 𝒔𝒔𝒊𝒊𝒊𝒊 −𝒊𝒊∈𝑵𝑵𝒊𝒊 𝑴𝑴 (8)

where 𝜋𝜋𝑖𝑖 satisfies the complementary condition 𝝅𝝅𝒊𝒊∑ 𝒔𝒔𝒊𝒊𝒊𝒊 −𝒊𝒊∈𝑵𝑵𝒊𝒊 𝑴𝑴 = 𝟎𝟎.

From the complementary condition, we get $\sum_{j \in N_i} s_{ij} = M$ and find the optimal solution

$$s_{ij} = \frac{C_{ij} C_{ji}}{\sum_{k \in N_i} C_{ki} C_{ik}} \left( M - \sum_{h \in N_i} r_{hi} - r_{ji} \right) \qquad (9)$$

Eq. (9) gives a method to compute the optimal rule propagation rates of each peer $c_i$ in a Cloud federation so as to achieve the highest satisfaction of its BNs.
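As an added example (not code from the paper), the following Python computes the optimal propagation rates of problem (6)-(7) for one peer $c_i$ from constructed compatibility ratios and expected rates. It works from the Lagrangian (8) directly: stationarity $\partial L_i / \partial s_{ij} = 0$ gives $s_{ij} = C_{ij}C_{ji}/\pi_i - r_{ji}$, and the tight budget $\sum_j s_{ij} = M$ from the complementary condition fixes $1/\pi_i = (M + \sum_{h \in N_i} r_{hi}) / \sum_{k \in N_i} C_{ik}C_{ki}$ (note that the $\sum_h r_{hi}$ term enters with a plus sign when derived this way). Because that closed form can go negative for a BN whose expected rate $r_{ji}$ is large relative to $C_{ij}C_{ji}$, the code additionally enforces $s_{ij} \ge 0$ by water-filling, which the paper does not discuss, and checks the result against the KKT conditions. The peer names, all numeric values and the helper functions are assumptions made here.

```python
"""Optimal rule-propagation rates of one peer c_i, problem (6)-(7).

Added example, not code from the paper. For each beneficiary neighbour (BN)
j in N_i the inputs are:
  C_out[j] = C_ij   compatibility of c_i's rules with peer j (used in (5))
  C_in[j]  = C_ji   weight of peer j's satisfaction in (6)
  r[j]     = r_ji   rate of rules peer j expects from c_i (rules/day)
  M        = maximum total propagation rate of c_i, constraint (7)
"""
import math


def optimal_rates(C_out, C_in, r, M):
    """Return {j: s_ij} maximising sum_j C_ji*C_ij*log(1 + s_ij/r_ji)
    subject to sum_j s_ij <= M and, additionally, s_ij >= 0.

    Setting dL_i/ds_ij = 0 in the Lagrangian (8) gives
        s_ij = a_j / pi_i - r_ji,            a_j = C_ij * C_ji,
    and the tight budget sum_j s_ij = M (complementary condition) fixes
        1 / pi_i = (M + sum_h r_hi) / sum_k a_k.
    A peer whose r_ji is large relative to a_j can get a negative rate from
    this closed form; such peers are dropped one at a time (largest r_ji/a_j
    first) and the budget is re-solved over the rest (water-filling).
    """
    if M <= 0:
        raise ValueError("propagation capacity M must be positive")
    a = {j: C_out[j] * C_in[j] for j in C_out}
    active = set(a)
    while True:
        level = (M + sum(r[h] for h in active)) / sum(a[k] for k in active)
        s = {j: a[j] * level - r[j] for j in active}
        if all(v >= 0.0 for v in s.values()):
            break
        # The peer with the largest r_ji/a_j is the first to be starved.
        active.remove(max(active, key=lambda j: r[j] / a[j]))
    return {j: s.get(j, 0.0) for j in C_out}


def total_benefit(C_out, C_in, r, s):
    """Objective (6) with Sat from (5): sum_j C_ji * C_ij * log(1 + s_ij/r_ji)."""
    return sum(C_in[j] * C_out[j] * math.log(1.0 + s[j] / r[j]) for j in C_out)


def kkt_check(C_out, C_in, r, M, s, tol=1e-9):
    """Verify the optimality conditions of (8): the budget (7) is tight, every
    funded peer has the same marginal benefit a_j/(r_ji + s_ij) = pi_i, and
    every unfunded peer (s_ij = 0) has marginal benefit a_j/r_ji <= pi_i."""
    a = {j: C_out[j] * C_in[j] for j in C_out}
    if abs(sum(s.values()) - M) > tol:
        return False
    funded = [j for j in C_out if s[j] > tol]
    pi = a[funded[0]] / (r[funded[0]] + s[funded[0]])
    for j in C_out:
        marginal = a[j] / (r[j] + s[j])
        if s[j] > tol and abs(marginal - pi) > tol:
            return False
        if s[j] <= tol and marginal > pi + tol:
            return False
    return True


if __name__ == "__main__":
    # Constructed peer c_i with three BNs; all values are made up.
    C_out = {"c1": 0.9, "c2": 0.5, "c3": 0.2}   # C_ij
    C_in = {"c1": 1.0, "c2": 0.8, "c3": 0.5}    # C_ji
    r = {"c1": 2.0, "c2": 1.0, "c3": 3.0}       # r_ji, rules/day
    M = 6.0                                     # rules/day
    s = optimal_rates(C_out, C_in, r, M)
    print("rates:", {j: round(v, 3) for j, v in s.items()})
    print("benefit:", round(total_benefit(C_out, C_in, r, s), 4))
    print("KKT satisfied:", kkt_check(C_out, C_in, r, M, s))
```

In the constructed input the third BN expects 3 rules/day but contributes only $C_{i3}C_{3i} = 0.1$ to the objective, so the unclipped closed form would assign it a negative rate; the water-filling step removes it, the whole budget $M$ goes to the other two BNs, and `kkt_check` confirms that their marginal benefits are equal while the dropped peer's marginal benefit stays below that level.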

4 Experiments

In this section, we simulate a network comprising numerous nodes, each treated as a Cloud infrastructure in the same Cloud federation, to demonstrate the benefits of the RSCIDS framework.

4.1. Accuracy of Intrusion Detection

Fig. 2: The Percentage of Detected Attacks with and without Rule Sharing

In this experiment, we evaluated the efficiency of attack detection with rule sharing. We generated a model of 100 Cloud peers with the same set of vulnerabilities, including expert peers whose attack detection level (expertise level) reaches 0.9 and novice peers with expertise level 0.1. Each node had on average 20 randomly selected neighbors. We simulated 40 attacks on the network: 10 attacks are detectable by all IDSs on the Cloud peers via vendor-released rules, and the remaining attacks are not supported by the vendor but are detectable by rules created and shared among the peers in the Cloud federation. In this case, high-expertise peers detect novel attacks more effectively than low-expertise ones. We observed the average percentage of attacks that the IDS on each Cloud peer could detect, with and without rule sharing, and for different ratios of high-expertise peers. Fig. 2 shows that with rule sharing the average percentage of detected attacks improves significantly compared to the case without sharing, and the higher the ratio of high-expertise Cloud peers, the higher the detection rate. The reason is that high-expertise peers propagate more high-quality rules to other peers, improving attack detection across the whole Cloud federation.

4.2. Compatibility Evaluation

Fig. 3: Evaluating Compatibility Ratio with Learning Schemes

We set up a simple model with two peers, peer 1 and peer 2. Peer 1, whose CR with peer 2 is 0.8, sends attack detection rules to peer 2 following a Poisson process with propagation rate $r_{12} = 10$ rules/day. However, at the beginning of the 40th day the compatibility level between peer 1 and peer 2 drops because of changes to the VM systems on peer 2: several VMs running the OS that had been compatible with peer 1 are terminated or re-installed with other OSs. Peer 1 evaluates and compares $CR_{12}$ using two different methods, the simple average and the Beta distribution.

The simple average learning scheme is summarized as follows: peer 2 takes the average of its past experiences, $C_{ij} = \frac{\sum_{k=0}^{n} h_k}{n}$. The forgetting factor used is $\lambda = 0.9$. Fig. 3 shows that $C_{12}$ converges after a few days and that the Beta distribution method reaches a slightly lower value than the simple average method. From the 40th day, both methods observe a fast decrease of $C_{12}$; however, the Beta distribution method learns faster than the simple average method, because the forgetting factor puts higher weight on new experiences.

4.3 Scalability

Fig. 4: Scalability Level of RSCIDS Framework

In this experiment, we compare the scalability of the rule propagation scheme proposed in the RSCIDS framework with the traditional mechanism, the mailing list. We simulate a Cloud federation whose size starts at 10 Cloud peers and grows by 30 peers per step until it reaches 100 peers. Each peer in this model has 10 BNs, and the rule propagation rate from a peer to its BNs is $s = 2$ rules/day. For low-compatibility peers, the rate at which a peer sends testing rules is 1 rule/day. Meanwhile, each peer in the mailing list model propagates to all its neighbors at a rate of 2 rules/day.

Fig. 4 shows that the number of rules a peer receives increases linearly with the network size when the mailing list is used. When the network is large, the receiving rate may exceed a peer's tolerance, and the rules are then treated as spam. The RSCIDS framework keeps the received rule rate within the predefined capacity, and that rate does not grow with the network size for either low- or high-compatibility peers. This means that RSCIDS is scalable with respect to the network size.

5 Conclusions

In this paper, we have introduced a rule sharing-based IDS framework called RSCIDS for a Cloud federation environment. We proposed an optimization problem to determine the rule propagation rates, which are limited by the maximum amount of resources that CPs assign to their IDS framework. We also constructed a Beta distribution-based learning scheme to estimate the compatibility between Cloud peers from empirical data. By simulation, we have demonstrated the most important properties of the RSCIDS framework: our system effectively improves system-wide intrusion detection accuracy, and it is scalable and robust to denial-of-service attacks. As future work, we intend to show the robustness of this framework to different insider attacks. Furthermore, evaluating the efficiency of this model in a real Cloud computing environment is a challenge that we plan to address.

Acknowledgments

This work was partly supported by the IT R&D program of MKE (The Ministry of Knowledge Economy)/ KEIT (Korea Evaluation Institute of Industrial Technology) [10035321, Terminal Independent Personal Cloud System].
