Source: ltis.icnslab.net/ALTIS/Files/20120627_NguyenDoan...
The 7th FTRA International Conference on Future Information Technology (FutureTech 2012)
The 3rd FTRA International Conference on Mobile, Ubiquitous, and Intelligent Computing (MUSIC 2012)
The FTRA International Symposium on Advances in Cryptography, Security and Applications (ACSA-Summer 2012)
DETAILED SCHEDULE FOR ACSA-SUMMER 2012
June 26, 2012 (Tuesday)
09:00 - 09:20 Registration
09:20 - 12:00 Session 1-E: ACSA-Summer 2012 & ASNUC 2012
(Room: Green Timber 2)
(Chair: Gokay Saldamli)
- A Security Proof for HMAC-E
Fanbao Liu, Tao Xie
- Biclique cryptanalysis on light-weight block cipher: HIGHT and Piccolo
JungHwan Song, KwanHyung Lee, HwanJin Lee
- The Optimal Split Method for Large Integer Multiplication on Low-End Devices
Ren-Junn Hwang, Loang-Shing Huang, Feng-Fu Su
- Partially Interleaved Modular Karatsuba-Ofman Multiplication
Gokay Saldamli
- Lite-AKA: Lightweight Authentication Key Agreement for Pervasive Computing
Hwaseong Lee, Dong Hoon Lee
- Modeling User-Generated Contents: An Intelligent State Machine for User-Centric Decision-Making Support
Neil Y. Yen, Jonghyuk Park, Qun Jin
- ALCA: Agent Learning Based Clustering in Vehicular Ad Hoc Networks
Neeraj Kumar, Naveen Chilamkurti, Jonghyuk Park
- Genetic Algorithm for Effective Open Port Selection for a Web Filter
Anjolaoluwa Olayemi, Sajid Hussain, Sang Soo Yeo
09:20 - 12:00 Session 1-F: ACSA-Summer 2012
(Room: Green Timber 3)
(Chair: Yungho Choi)
- Source Identification of Spoofed DDoS Attacks using an Image Processing Approach
Tae Hwan Kim, Dong-Seong Kim, Joon Heo
- Cooperation in Fully Distributed and Decentralized VANETs
Jezabel Molina-Gil, Pino Caballero-Gil, C Caballero-Gil
- An Attack Path based Collaborative Defense Mechanism for DDoS Attacks
PyungKu Park, SeongMin Yoo, HoYong Ryu, JaeCheol Ryou
- Improvement of the hash-based RFID mutual authentication protocol using a secret value
JuSeok Shin, Sejin Oh, Kwangseon Ahn
- On Securing One-way Hash Chain Based Incentive Mechanism for VANET
Joon-Sang Park, Seung Jun Baek
12:00 - 13:30 Lunch
13:30 - 13:40 Opening Remark
(Room: Tynehead Ballroom)
Prof. Seungmin Rho, Baekseok University, Korea
13:40 - 14:50 Invited Speaking 1 : MUSIC 2012
(Room: Tynehead Ballroom)
(Chair: Youngsik Jeong)
Energy Adaptation in Ubiquitous Computing
Prof. Krishna Kant, George Mason University, USA
14:50 - 15:00 Break
15:00 - 16:20 Invited Speaking 2 : FutureTech 2012
(Room: Tynehead Ballroom)
(Chair: Seungmin Rho)
Mobile Cloud and Green Computing
Prof. Ivan Stojmenovic, University of Ottawa, Canada
16:20 - 16:40 Coffee Break
16:40 - 18:00 Session 2-E: ACSA-Summer 2012
(Room: Green Timber 2)
(Chair: Jezabel M. Molina Gil)
- The Impact of Trace Generalization on the Anomaly Detection Systems
Syed Shariyar Murtaza, Abdelwahab Hamou-Lhadj, Mario Couture
- Secure Asymmetric Two-Party Computation Protocol for Distance Measurement
KOK SENG WONG, MYUNG HO KIM
- Design and Implementation of Efficient Defense Mechanism Against ARP Spoofing Attacks using AES and RSA
Seungpyo Hong, Myeungjin Oh, Sangjun Lee
- A Key Distribution Scheme for Mobile Underwater Wireless Sensor Networks
Kubra Kalkan, Albert Levi
16:40 - 18:00 Session 2-F: ACSA-Summer 2012
(Room: Green Timber 3)
(Chair: Cheonshik Kim)
- International Standardization Status and Analysis of National Priorities on Health Information Security
Soonseok Kim, Gilhong Park, Yonghee Lee, Deokseok Seo, Yunyeop Cha, Changhoon Lee
- An Encryption Approach to Secure Modification and Deletion for Flash-based Storage Systems
Rize Jin, Hyung-Ju Cho, Tae-Sun Chung
- Security Approach for Ubiquitous Healthcare Services through Wireless Communication
INSHIL DOH, JUNG-MIN PARK, KIJOON CHAE
18:30 - 20:00 Conference Reception (Pool side Deck (2F))
June 27, 2012 (Wednesday)
09:00 - 09:20 Registration
09:20 - 12:00 Session 3-F: ACSA-Summer 2012
(Room: Green Timber 3)
(Chair: Wei-Chuen Yau)
- Searchable Encryption with User-Revocability in Undesignated Receiver Settings
DongMin Kim, Ji Young Chun, Ik Rae Jeong
- Characteristic Behavior Sequence Based Attack Detection Method for Browser Extension
JUNJIE WANG, XIAOHONG LI, QIN WANG, GUANGQUAN XU
- An Adaptive-Secure k-Resilient Identity-Based Identification Scheme in the Standard Model
Ji-Jian Chin, Swee-Huay Heng
- Attacks on Chow's Identity-Based Undeniable Signature Scheme
Rouzbeh Behnia, Swee-Huay Heng, Che-Sheng Gan
- Lossless Information Hiding Scheme for Binary Document Images Using n-Pairs Pattern
Cheonshik Kim, Dongkyoo Kim, Dongil Shin, Chin-Nung Yang
- Keyword Guessing Attacks on Secure Searchable Public Key Encryption Schemes with a Designated Tester
Wei-Chuen Yau, Raphael C.-W. Phan, Swee-Huay Heng, Bok-Min Goi
12:00 - 13:30 Lunch
13:30 - 14:50 Invited Speaking 3: MUSIC 2012
(Room: Tynehead Ballroom)
(Chair: Jongsung Kim)
Intelligent Infrastructure, Sustainable Design, and Signature Structures
Prof. Hojjat Adeli, The Ohio State University, USA
14:50 - 15:00 Break
15:00 - 16:20 Session 4-F: ACSA-Summer 2012
(Room: Green Timber 3)
(Chair: Jongweon Kim)
- Infrastructure Design for Efficient Replica Detection in Large-scale Wireless Sensor Networks
Kwantae Cho, Dong Hoon Lee
- A Secure File Storage System with Scaled Secret Sharing
Feng Shen, Hai Jiang, Laurence T. Yang, Su Chen
- Trustworthy Service Recommendation Based on User's QoS Requirements
Fang Liu, Shuiguang Deng, Longtao Huang, Jianwei Yin
- A Distributed Scheme for Row Based Computational Private Information Retrieval
Zhu Hong, Wang Zhipeng, Lv Kevin, Xie Meiyi
16:20 - 16:40 Break
16:40 - 18:00 Session 5-E: ACSA-Summer 2012
(Room: Green Timber 2)
(Chair: Inshil Doh)
- Validating Prefix Announcements in Inter-Domain Routing: An Approach Based on Fuzzy Set Theory
Wenping Deng, Yuexiang Yang, Peidong Zhu
- MalShield: Collaborative and Online Malware Detection using Distributed Rendezvous-based Behavior Accumulation
Huabiao Lu, Xiaofeng Wang, Jinshu Su
- BGP Surviving under Extreme Cross Plane Attacks
Hongjun Liu, Xiaofeng Hu, Dan Zhao, Xicheng Lu
- Collusion Attack-Resistant Watermarking Scheme using Correlation Peak Position Modulation
Jihah Nah, Jongweon Kim
16:40 - 18:00 Session 5-F: ACSA-Summer 2012
(Room: Green Timber 3)
(Chair: Li Xiaohong)
- Evaluation a Collaborative Intrusion Detection System Framework in Cloud Computing
Doan Man Nguyen, Eui-Nam Huh
- Secure user authentication and key agreement protocol for mobile client-server environments
Cheng-Chi Lee, Chun-Ta Li, Chia-Ying Wu, Te-Yu Chen, Shiow-Yuan Huang
- Encrypted and Deniable File Systems Is Not Enough: Shielding Your Privacy with Shadow Execution Environment
Yan Wen, Jinjing Zhao, Gang Zhao, Minhuan Huang
18:30 - 21:00 Banquet (Guildford Ballroom (F1))
June 28, 2012 (Thursday)
09:00 - 09:20 Registration
09:20 - 12:00 Session 6-E: ACSA-Summer 2012
(Room: Tynehead 3)
(Chair: Kitae Jeong)
- Improved Differential Fault Analysis on PRESENT-80/128
Kitae Jeong, Yuseop Lee, Jaechul Sung, Seokhie Hong
- The Role of IE Status concerning the Digital Evidence Analysis in terms of Instant Messaging of Gmail Chat
HAI-CHENG CHU, SZU-WEI YANG, CHING-HSIEN HSU, JONG HYUK PARK
- Lifting the veil on mobile malware: A complete dynamic solution for iOS
Dimitrios Damopoulos, Georgios Kambourakis, Stefanos Gritzalis, Sang Oh Park
- An Analysis of DDoS Attacks in Different Networks Using Attack Graphs Based on the Expected Loss
Ying Liu, Yang Sun Lee, Hong-Ke Zhang, Tin-Yu Wu, Chi-Hsiang Lo
- RFID based Indoor Location Tracking to Ensure the Safety of the Elderly in Smart Home Environments
Soo-Cheol Kim, Young-Sik Jeong, Sang Oh Park
09:20 - 12:00 Session 6-F: ACSA-Summer 2012
(Room: Green Timber 3)
(Chair: I-Cheng Chang)
- Password Authentication Scheme using Virtual Scroll Wheel for Smart Devices
Hyunyi Yi, Siwan Kim, Gunil Ma, Jeong Hyun Yi
- Router Architecture Evaluation for Security Network
Yungho Choi, Jaebum Park, Young-Ho Park, Neungsoo Park
- A Study on the Association of Information Technology Risk Management and Business Performance
SHE-I CHANG, I-CHENG CHANG, CHIA-YI LEE
- A Method for the Risk Measurement of Malicious Activities of Botnets
Dohoon Kim, Young-Gab Kim, Hoh In, Hyun Choel JEONG
- Anonymous Proximity Mobile Payment (APMP)
SADIQ ALMUAIRFI, PRAKASH VEERAGHAVAN, NAVEEN CHILAMKURTI, Doo-Soon PARK
- Performance Enhancement of Nonlinear Weighted DPA Attack based on Differential Trace Model
JeongChoon Ryoo, Dong-Guk Han, Sangjin Lee
- Electromagnetic Disturbance Analysis on Commercial Contactless Smartcards
Jae Deok Ji, Dong-Guk Han, Seok Won Jung, Sangjin Lee, Jong Sub Moon
Evaluation a Collaborative Intrusion Detection System Framework in Cloud Computing
Nguyen Doan Man and Eui-Nam Huh
Department of Computer Engineering, Kyung Hee University, Republic of Korea
Abstract
Intrusion Detection Systems (IDSs) are widely used in ICT systems to detect malicious behaviour in network communications and on hosts. Faced with the new application scenarios of Cloud computing, a revolutionary new computing paradigm, the current IDS approach suffers from several problems that stem from the distributed and complicated nature of Cloud computing. To overcome these issues, collaboration among Cloud providers (CPs) is one solution: it lets each provider benefit from the knowledge and information collected by its Cloud peers and thereby detect intrusions more accurately. Instead of sharing intrusion data, which raises privacy concerns for the participants, we propose a knowledge-based intrusion detection network that is built by sharing intrusion knowledge among the security systems of Cloud peers. We also formulate an optimization problem in this model and present its solution. Finally, several simulations are implemented to evaluate the efficiency of our model in terms of optimization overhead and the ability to detect intrusions.

Keywords: Cloud computing, Intrusion Detection System, Collaboration, Distribution

1 Introduction

Cloud computing is an emerging commercial infrastructure paradigm that promises to eliminate the need for companies and institutes alike to maintain expensive computing facilities. The combination of the Internet with virtualization technology allows Cloud computing to emerge with promising prospects for the development of large-scale, flexible computing infrastructures that are available on demand to meet the computational requirements of e-Science applications. However, without appropriate security and privacy solutions, this revolutionary computing paradigm could become a huge failure.
To protect the virtual systems of Cloud users from malicious intrusions, Intrusion Detection Systems monitor network traffic and system behaviour and raise intrusion alerts to network administrators or security operators. Traditional IDSs usually work independently of each other and rely on new signatures or detection rules from the corresponding security vendor's signature/rule repository to stay synchronized with new detection knowledge. However, the complexity of Cloud computing, which is caused by virtualization technology and by sharing resources between different users, increases the number and diversity of intrusions. This limits the efficiency of traditional IDSs in Cloud computing, since no single vendor can cover all possible intrusions with its limited labour and available technology. To address this issue, distributed and collaborative IDS (CIDS) approaches [1,2,3] were proposed to adapt to the distributed nature of Cloud computing and to use the intrusion knowledge of Cloud peers to improve detection ability and accuracy.
A new detection rule created by the IDS framework of one Cloud peer may be adopted directly by others if they have similar network, platform or application configurations. For example, a new detection rule written to cover a vulnerability in a piece of software can be adopted by every peer running the same software. Sharing attack detection rules among the IDS models of Cloud peers can therefore be an effective way to improve overall security in a Cloud federation. However, in some cases CIDS frameworks rely on sharing intrusion data, which raises privacy concerns. Moreover, most recent approaches were proposed and evaluated only under ideal conditions, with unlimited resources for attack detection, rather than in a real environment with limited resources (e.g. computing resources, network bandwidth) or weak compatibility of networks, platforms, etc. among Cloud peers.
In this paper, we present a mechanism that takes advantage of intrusion detection knowledge sharing and propose RSCIDS, a rule sharing-based CIDS framework in which intrusion detection rules are shared among the Cloud peers of a Cloud federation. RSCIDS is based on a peer-to-peer (P2P) overlay, where each Cloud peer maintains a database of information about the other peers and communicates through the P2P system. On top of it, an automatic knowledge dissemination mechanism allows CPs to share detection rules with others effectively under resource constraints such as network bandwidth. Experimental results show that the proposed rule sharing mechanism improves the overall security of the community and provides incentive compatibility and fairness to the Cloud peers.
The rest of the paper is organized as follows. In Section 2, we introduce several recent approaches to integrating a collaborative IDS framework into conventional physical network architectures as well as into Cloud computing. Section 3 gives an overall description of the RSCIDS framework and of the solutions that let it operate effectively. Section 4 presents the experimental results that demonstrate the efficiency of the proposed model. In the last section, we conclude the paper and outline future work.

2 Related works

Traditional IDS collaboration uses the collective intrusion information and knowledge of other IDSs to improve the accuracy of intrusion detection. In [5, 6], IDSs collect intrusion data such as alerts or firewall logs from other nodes to perform intrusion detection for the whole network. These systems are especially effective at detecting epidemic worms or attacks in an environment of homogeneous IDS sensors. Expertise-based CIDS models, by contrast, encourage peers to send suspicious data samples to expert peers for analysis; the feedback from those peers is then aggregated to help the sending IDS detect intrusions [8]. However, both types of CIDS rely on sharing intrusion data, which raises privacy concerns. Instead, Quanyan Zhu [7] presented SMURFEN, a framework for sharing detection knowledge, such as detection rules and malware signatures, among IDSs. In that model, efficiency was evaluated by the compatibility of the shared rules and the satisfaction level of the IDS peers with them; this information was used to determine the optimal rates at which one peer shares rules with the others under resource constraints.
In Cloud computing, the need for a CIDS framework arises naturally from the distributed nature of Cloud computing and from the development of collaborative models among CPs. Sebastian Roschke [1] and Saman Taghavi Zargar [3] presented potential approaches for building a distributed IDS framework in the Cloud. Roschke's work focused on communication and information exchange between multiple types of IDS sensors (i.e. NIDS and HIDS) deployed in each layer of a Cloud infrastructure. Zargar's DCDIDP model, in addition to deploying numerous IDS sensors in each Cloud for local attack detection, also shares intrusion knowledge among collaborators to enrich the quantity and quality of attack signatures. However, these works only proposed novel CIDS models theoretically, under ideal conditions without resource constraints. Chi-Chun Lo [4] applied a CIDS to protecting Cloud peers from DoS or DDoS attacks. The approach is based on majority voting over Snort alerts, which are shared among peers as suspicious events are detected, to determine whether a suspicious event is related to a DoS or DDoS attack. However, the information exchanged among the Clouds of the federation is potential intrusion data, which raises privacy concerns. In our approach, the peers in the collaboration share attack detection rules, which are considered knowledge, rather than intrusion data, in order to limit or prevent the disclosure of system configurations.
3 The RSCIDS Framework

An intrusion detection rule is a detection policy that specifies the pattern of a suspicious attack. Each rule triggers an alert once its pattern is matched. The pattern may consist of IP addresses, port numbers, protocol flags, the content of the data payload, etc. Defending against attackers is a challenging problem because a defender needs to know all possible attacks to ensure network security, whereas an attacker only needs to know a few attack techniques to succeed. It is impossible for one defender or a small group of defenders to know all attack techniques, but it is common to have knowledge about some of them. This motivates defenders to share knowledge with others to overcome their weaknesses. The purpose of RSCIDS is to provide a model that lets the Cloud peers of a Cloud federation share their attack detection rules with each other effectively.
Fig. 1: The Communication Model among Cloud Peers in the RSCIDS Framework

3.1. Problem Model

Let $N = \{c_i \mid i = 1, 2, \ldots, n\}$ be the set of $n$ Cloud peers that belong to the same Cloud federation and are ready to share their attack detection rules with each other. Each peer $c_i$ is provided with a set of elementary IDSs $D = \{d_i \mid i = 1, 2, \ldots, m\}$. To simplify the management of these IDSs, all VMs are partitioned into several groups according to their OS type, and one or several particular IDSs are assigned to monitor and detect intrusions on each VM group.

In general, one of the most important obstacles to a successful rule sharing process is platform compatibility between Cloud peers. Each Cloud is comprised of multiple types of OSs as well as a large number of applications running on those OSs, whereas each attack detection rule only detects intrusions on a particular platform, i.e. a specific OS together with its runtimes or APIs. Hence, a rule is useful to a Cloud only if that Cloud hosts at least one platform compatible with the platform the rule was written for.
In the initialization step, each Cloud peer $c_i$ keeps a neighbor list that includes all other peers in the Cloud federation.

[Fig. 1 (diagram): a Collaborative Cloud Computing Environment of Nodes 1 to 7, each hosting VMs; one node's Neighbors list (Nodes 1, 3, 4, 5, 6) and Best Neighbors list (Nodes 1, 3, 4, 6); exchanged messages labelled Testing Rules, Knowledge Rules and Feedbacks.]

Using the information in that list, each peer sends testing rules to all other peers and then aggregates the feedback to compute the compatibility level between each pair of peers. To express the compatibility level we introduce a measurement, the Compatibility Ratio (CR): the probability that a rule from peer $c_i$ for a particular OS type $k$ is accepted by peer $c_j$, denoted $C^k_{ij}$, where $i, j$ are the indexes of the Cloud peers ($1 \le i, j \le n$). A peer also relies on the compatibility levels to determine the rule propagation rates to its neighbors. Every decision of a peer $c_j$ to accept or reject a new rule is reported back to peer $c_i$ for the learning of $C^k_{ij}$.
We also introduce two additional parameters, namely the compatibility threshold $\tau$ and the maximum length $l_i^{max}$ of the Best Neighbor (BN) list. After a training process, at most $l_i^{max}$ peers with the highest $C^k_{ij}$ satisfying $C^k_{ij} \ge \tau$ ($i, j \in N$) are considered the BNs of peer $c_i$, i.e. $N_i = \{c_j \mid C^k_{ij} \ge \tau\}$ with $|N_i| \le l_i^{max}$, and are given priority when $c_i$ later exchanges new attack detection rules. The Compatibility Ratio $C^k_{ij}$ is evaluated and updated constantly to decide on the removal or addition of Cloud peers in the BN lists. Limiting the number of BNs of a Cloud peer reduces the amount of its resources spent on sharing attack knowledge as well as the network bandwidth used for communication among peers. Moreover, peer $c_i$ still communicates with peers $c_j$ whose $C^k_{ij}$ is below $\tau$ by sending them testing rules at a low rate, so that an updated $C^k_{ij}$ can replace old BNs if needed.

3.2. Evaluating Compatibility Ratio

First, a Cloud peer needs to keep its compatibility level for a specific OS type $k$ with all other peers up to date; this is what lets it choose an optimal propagation rate for new attack detection rules and find its BNs. To evaluate the CR, each peer initially sends testing rules, which contain some information about detected intrusions related to OS type $k$ and can be accepted or rejected by the recipients. From the recipients' feedback we can predict the usefulness of attack detection rules and learn whether compatible platforms exist in neighboring Clouds. In this section we present a Bayesian learning approach for building the compatibility levels among Cloud peers. In particular, a peer $c_i$ uses a Beta distribution to estimate $C^k_{ij}$ for its neighbor $c_j$. The posterior probability is updated at each step using the empirical data on the outcome of the acceptance/rejection decision.
When peer $c_j$ receives a new detection rule from peer $c_i$, it can choose either to accept the rule ($h = 1$) or to reject it ($h = 0$). Let $X \in \Omega := \{0, 1\}$ be a random variable that denotes the decision outcome, rejection or acceptance. Note that when a rule is accepted at first and later rejected because of a high false positive rate, the weight of the reject decision is doubled to reverse the impact of the earlier acceptance. Since the CR is defined as the probability that the neighbor accepts a rule, we have $C_{ij} = P[X = 1]$, where $P: 2^\Omega \to [0, 1]$ is a probability measure. We estimate $C_{ij}$ from the past observations $H_m = \{h_u\}_{u=1}^{m} \in \{0, 1\}^m$. The distribution of $C_{ij}$ can be represented as a Beta distribution of the form

$$C_{ij}(m) = \frac{1}{B(\alpha(m), \beta(m))}\, x^{\alpha(m)-1}\,(1-x)^{\beta(m)-1} \quad (1)$$

$$\alpha(m) = \sum_{u=1}^{m} \gamma^{t_u}\, h_u + \gamma^{t_0}\, \alpha_0 \quad (2)$$

$$\beta(m) = \sum_{u=1}^{m} \gamma^{t_u}\, \vartheta_u\, (1 - h_u) + \gamma^{t_0}\, \beta_0 \quad (3)$$

where $\alpha_0, \beta_0$ are the initial beliefs in $C_{ij}$ and $1 - C_{ij}$, respectively; $\alpha(m), \beta(m)$ are the Beta parameters after $m$ decision outcomes; $h_u \in \{0, 1\}$ is the $u$-th experience; $t_u$ is the age of the $u$-th experience; and $\vartheta_u \in \{1, 2\}$ is the weight of a reject decision, $\vartheta_u = 1$ for the rejection of a new rule and $\vartheta_u = 2$ for the rejection of a previously accepted rule. We put more weight on recent experience through the forgetting factor $\gamma$, which reduces the effect of earlier outcomes on the two parameters $\alpha(m)$ and $\beta(m)$.

3.3. Management of the Best Neighbors

Since virtual machines and their platforms $k$ can easily be added, removed or switched to a new platform at any time in Cloud computing, the $C^k$ values between the Cloud peers of a collaborative Cloud environment are affected by such changes. Each change may require the BN lists of the relevant Cloud peers to be updated. In some cases, a Cloud peer $c_j$ that used to be a BN of peer $c_i$ is removed from the BN list because $C^k_{ij}$ decreased significantly, falling below either the $C^k_{iu}$ of some peer $c_u$ that was not in the BN list before or the threshold $\tau$. Conversely, a peer that was not in the BN list may, after some changes in its platform layer, have improved its $C^k$ and should be added to the list.
Hence, for a Cloud peer $c_j$ that is not in the BN list of peer $c_i$, $c_i$ still sends testing rules to $c_j$, at a lower rate than the one used to share detection rules with BNs, in order to update the value of $C^k_{ij}$. Limiting the rate at which a peer tests its non-BN peers saves resources, which are prioritized for the rule sharing process between highly compatible peers.

3.4. Rule Propagation and Receiving Rates

The intrusion detection knowledge propagation mechanism, in which IDSs decide the rule propagation rates to their neighbors, is an essential part of the RSCIDS framework. An appropriate propagation design provides not only incentive compatibility, which discourages free-riders and rewards contributors, but also fairness to all participants and robustness against malicious insiders.
In our approach, each Cloud peer $c_i$ controls two decision variables, $s_{ij}$ and $r_{ji}$. $s_{ij}$ is the rule propagation rate from node $c_i$ to each $c_j$ of its BNs. To protect itself against DoS attacks by malicious neighbors, peer $c_i$ also sets an expected receiving rate $r_{ji}$ for each neighbor $c_j \in N_i$, the upper bound on the rate at which $c_j$ may propagate rules to $c_i$; the expected rate is also the reference against which the satisfaction of the receiving peer is measured. We assume that the rule sharing rates depend only on the network bandwidth assigned to the IDS model of each Cloud. Hence the communication between peer $c_i$ and its BNs is limited by the parameter $M$, the maximum rate at which a peer can send new attack detection rules to its BNs:

$$\sum_{j \in N_i} s_{ij} \le M \quad (4)$$

$s_{ij}$: the propagation rate from peer $c_i$ to peer $c_j$
To determine the rule propagation rate and the receiving rate of a peer, we introduce $Sat(c_i, c_j)$, the satisfaction level of peer $c_j$ with the rules propagated by peer $c_i$, defined as

$$Sat^{(n)}(c_i, c_j) = C_{ij}^{(n)} \log\left(1 + \frac{s_{ij}^{(n)}}{r_{ij}^{(n)}}\right) \quad (5)$$

$r_{ij}$: the rate at which peer $c_j$ expects to receive rules from peer $c_i$

The concavity and monotonicity of the satisfaction level mean that a recipient is increasingly pleased as more rules are received, but the marginal satisfaction decreases as the number of received rules grows. The factor $C_{ij}$ in (5) expresses that peer $c_j$ is more content when the compatibility, i.e. the usefulness, of the rules from peer $c_i$ is high.
We define the problem of finding $s_i = \{s_{ij} \mid j \in N_i\}$ that maximizes the total benefit over all BNs as follows:

$$\max f(s_i) = \sum_{j \in N_i} C_{ji}\, Sat(c_i, c_j) \quad (6)$$

$$\text{s.t.} \quad \sum_{j \in N_i} s_{ij} \le M \quad (7)$$

The objective function $f(s_i)$ in (6) aggregates the satisfaction levels $Sat(c_i, c_j)$ of the nodes $c_j$, each weighted by the compatibility ratio $C_{ji}$. The problem is constrained by (7): the total propagation rate of peer $c_i$ is limited by its communication capacity. From the defined problem we form the Lagrangian function $L_i: \mathbb{R}^{|N_i|} \times \mathbb{R} \to \mathbb{R}$

$$L_i(s_i, \pi_i) = \sum_{j \in N_i} C_{ji} C_{ij} \log\left(1 + \frac{s_{ij}}{r_{ij}}\right) - \pi_i \left(\sum_{j \in N_i} s_{ij} - M\right) \quad (8)$$

where $\pi_i$ satisfies the complementary slackness condition $\pi_i \left(\sum_{j \in N_i} s_{ij} - M\right) = 0$.

Because $f$ is strictly increasing in every $s_{ij}$, the capacity constraint is active at the optimum, so $\pi_i > 0$ and the complementary condition gives $\sum_{j \in N_i} s_{ij} = M$. Setting $\partial L_i / \partial s_{ij} = 0$ yields $C_{ji} C_{ij} / (r_{ij} + s_{ij}) = \pi_i$ for every $j \in N_i$; summing $s_{ij} + r_{ij} = C_{ji} C_{ij} / \pi_i$ over $j \in N_i$ and substituting $\sum_j s_{ij} = M$ determines $\pi_i$, and the optimal solution is

$$s_{ij} = \frac{C_{ji} C_{ij}}{\sum_{k \in N_i} C_{ki} C_{ik}} \left(M + \sum_{h \in N_i} r_{ih}\right) - r_{ij} \quad (9)$$

Eq. (9) gives a method to compute the optimal rule propagation rates of each peer $c_i$ in a Cloud federation so as to achieve the highest satisfaction of its BNs. Note that (9) can return a negative $s_{ij}$ for a neighbor whose weight $C_{ji} C_{ij}$ is small relative to its expected rate $r_{ij}$; such a rate has to be clipped to zero and the allocation recomputed for the remaining BNs.
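The allocation of eq. (9), carried through in code as an added example (this is not the paper's own implementation). It checks the KKT condition that the marginal benefits $C_{ji}C_{ij}/(r_{ij}+s_{ij})$ coincide at the optimum, and goes one step beyond the closed form by dropping neighbors whose share would be negative and re-solving for the rest; the three-neighbor inputs are constructed for illustration.

```python
"""Added example (not from the paper): the optimal propagation rates of
eq. (9) for one peer c_i, with a KKT check and a refinement the paper's
closed form leaves open: neighbors whose share would be negative are
dropped and the rest re-solved. Inputs below are constructed."""
import math


def optimal_rates(c_ij, c_ji, r_ij, capacity):
    """Return {j: s_ij} maximizing sum_j C_ji * C_ij * log(1 + s_ij / r_ij)
    subject to sum_j s_ij <= capacity (M) and s_ij >= 0.

    c_ij[j] : P[c_j accepts a rule from c_i]        (C_ij)
    c_ji[j] : P[c_i accepts a rule from c_j]        (C_ji)
    r_ij[j] : rate c_j expects to receive from c_i  (r_ij)
    """
    active = set(c_ij)
    rates = {j: 0.0 for j in c_ij}
    while active:
        weight = {j: c_ji[j] * c_ij[j] for j in active}
        total = sum(weight.values())
        # eq. (9): the budget shared out is M plus the expected rates of the
        # peers still active; each peer's own r_ij is then subtracted.
        budget = capacity + sum(r_ij[j] for j in active)
        cand = {j: weight[j] / total * budget - r_ij[j] for j in active}
        negative = {j for j, s in cand.items() if s < 0}
        if not negative:
            rates.update(cand)
            break
        active -= negative  # those peers get s_ij = 0; re-solve for the rest
    return rates


def marginal_benefits(c_ij, c_ji, r_ij, rates):
    """d f / d s_ij = C_ji C_ij / (r_ij + s_ij); at the optimum these are all
    equal to the multiplier pi_i for every peer with s_ij > 0."""
    return {j: c_ji[j] * c_ij[j] / (r_ij[j] + s)
            for j, s in rates.items() if s > 0}


def objective(c_ij, c_ji, r_ij, rates):
    """f(s_i) of eq. (6): compatibility-weighted satisfaction over all BNs."""
    return sum(c_ji[j] * c_ij[j] * math.log(1 + s / r_ij[j])
               for j, s in rates.items())


# Constructed inputs for peer c_i with three best neighbors a, b, c.
C_IJ = {"a": 0.9, "b": 0.6, "c": 0.3}
C_JI = {"a": 0.8, "b": 0.7, "c": 0.5}
R_IJ = {"a": 2.0, "b": 1.0, "c": 1.0}
M = 10.0

if __name__ == "__main__":
    s = optimal_rates(C_IJ, C_JI, R_IJ, M)
    print("rates:", {j: round(v, 3) for j, v in s.items()},
          "sum =", round(sum(s.values()), 6))
    print("marginal benefits:",
          {j: round(v, 4) for j, v in marginal_benefits(C_IJ, C_JI, R_IJ, s).items()})
```

With the inputs above the whole capacity is used (the rates sum to $M$) and the three marginal benefits agree, which is exactly the stationarity condition behind (9); raising $r_{ij}$ of neighbor c to 5 makes its closed-form share negative, and the loop then allocates the capacity between a and b only.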
4 Experiments

In this section we simulate a network composed of numerous nodes, each representing a Cloud infrastructure in the same Cloud federation, to demonstrate the benefits of the RSCIDS framework.

4.1. Accuracy of Intrusion Detection

Fig. 2: The Percentage of Detected Attacks with and without Rule Sharing

In this experiment we evaluated the efficiency of attack detection with rule sharing. We generated a model of 100 Cloud peers with the same set of vulnerabilities, including expert peers with an attack detection level (expertise level) of 0.9 and novice peers with an expertise level of 0.1. Each node had on average 20 randomly selected neighbors. We simulated 40 attacks on the network: 10 attacks are detectable by all IDSs on the Cloud peers via rules released by the vendor, while the remaining attacks are not covered by the vendor but are detectable by rules created and shared among the peers of the Cloud federation. In this setting, high-expertise peers detect novel attacks more effectively than low-expertise ones. We measured the average percentage of attacks that the IDSs on each Cloud peer could detect, with and without rule sharing, for different ratios of high-expertise peers. Fig. 2 shows that with rule sharing the average percentage of detected attacks improves significantly compared to the case without sharing, and that the higher the ratio of high-expertise Cloud peers, the higher the detection rate. The reason is that high-expertise peers propagate more high-quality rules to other peers, improving the attack detection ability of the whole Cloud federation.
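A constructed simulation in the spirit of this experiment, added here as an example (it is not the authors' simulator and reproduces no figure from the paper). Expertise, neighborhood and attack parameters follow the description above; rule propagation is simplified to one-hop adoption of whatever rules a peer's neighbors created, which is an assumption of this example rather than the paper's rate-limited propagation through Best Neighbors.

```python
"""Added example (not from the paper): a constructed simulation in the
spirit of the Section 4.1 experiment. Rule propagation is simplified to
one-hop adoption from each peer's neighbors; the paper's rate-limited
propagation through Best Neighbors is not modelled."""
import random


def simulate_detection(n_peers=100, high_ratio=0.5, n_neighbors=20,
                       n_attacks=40, vendor_covered=10, share=True, seed=7):
    """Return the average fraction of the n_attacks that the IDS of a peer
    can detect. Attacks 0..vendor_covered-1 have vendor rules everywhere;
    each remaining (novel) attack gets a locally written rule on a peer with
    probability equal to that peer's expertise (0.9 expert, 0.1 novice)."""
    rng = random.Random(seed)
    expertise = [0.9 if rng.random() < high_ratio else 0.1
                 for _ in range(n_peers)]
    neighbors = [rng.sample([q for q in range(n_peers) if q != p], n_neighbors)
                 for p in range(n_peers)]
    local = [set(range(vendor_covered))
             | {a for a in range(vendor_covered, n_attacks)
                if rng.random() < expertise[p]}
             for p in range(n_peers)]
    if not share:
        rules = local
    else:
        # With sharing, a peer also holds every rule its neighbors created
        # (one-hop adoption, a simplification made for this example).
        rules = [set(local[p]).union(*(local[q] for q in neighbors[p]))
                 for p in range(n_peers)]
    return sum(len(r) for r in rules) / (n_peers * n_attacks)


if __name__ == "__main__":
    for ratio in (0.0, 0.25, 0.5, 0.75, 1.0):
        print(f"experts {ratio:.2f}: "
              f"no sharing {simulate_detection(ratio, share=False):.3f}  "
              f"sharing {simulate_detection(ratio, share=True):.3f}")
```

Without sharing a federation of novices sits near the vendor baseline (the 10 covered attacks plus a tenth of the 30 novel ones); with sharing even an all-novice federation covers most novel attacks, because an attack only needs one rule somewhere in a 20-peer neighborhood, and the rate rises further with the share of experts.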
Fig. 3: Evaluating Compatibility Ratio with Learning Schemes

4.2. Compatibility Evaluation

We set up a simple model with two peers, peer 1 and peer 2. Peer 1, whose CR with peer 2 is 0.8, sends attack detection rules to peer 2 following a Poisson process with propagation rate $s_{12} = 10$ rules/day. At the beginning of the 40th day, however, the compatibility level between peer 1 and peer 2 drops because of changes to the VM systems on peer 2: several VMs running the OS that used to be compatible with peer 1 are terminated or re-installed with other OSs. Peer 1 evaluates and compares $C_{12}$ using two different methods, the simple average and the Beta distribution.

In the simple average learning scheme, peer 1 takes the average of the past experiences, $C_{ij} = \frac{1}{n}\sum_{k=1}^{n} h_k$. The forgetting factor used for the Beta distribution is $\gamma = 0.9$. Fig. 3 shows that $C_{12}$ converges after a few days and that the Beta distribution method reaches a slightly lower value than the simple average method. From the 40th day on, both methods observe a fast decrease of $C_{12}$, but the Beta distribution method learns faster than the simple average method. This is because the forgetting factor puts higher weight on new experiences.
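The Beta-distribution learner of Section 3.2 (eqs. 1 to 3, including the doubled weight for rejecting a previously accepted rule) run against the simple average on the two-peer scenario just described, as an added example that is not the authors' code. The accept/reject stream is constructed: Poisson(10) rules per day, accepted with probability 0.8 and then 0.3 from day 40 on; the prior $\alpha_0 = \beta_0 = 1$ and the post-shift CR of 0.3 are assumptions of this example.

```python
"""Added example: Beta-distribution learning of the Compatibility Ratio
C_ij (eqs. 1-3) versus a plain running average, on constructed data that
reproduces the two-peer scenario of Section 4.2. Not from the paper."""
import math
import random


def poisson(lam, rng):
    """Knuth's method: number of rules sent in one day at rate lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


class BetaCompatibility:
    """Peer c_i's estimate of C_ij = P[c_j accepts a rule from c_i].

    gamma  : forgetting factor; an experience of age t is weighted gamma**t
    alpha0 : prior belief in acceptance, beta0 : prior belief in rejection
    The prior itself ages (gamma**t_0 in eqs. 2-3), so it fades out as
    real feedback accumulates. Prior values are assumed, not from the paper.
    """

    def __init__(self, gamma=0.9, alpha0=1.0, beta0=1.0, t0=0):
        self.gamma, self.alpha0, self.beta0, self.t0 = gamma, alpha0, beta0, t0
        self.history = []  # (day, h_u, vartheta_u)

    def observe(self, day, accepted, previously_accepted=False):
        # h_u = 1 on acceptance, 0 on rejection. Rejecting a rule that was
        # accepted earlier carries weight vartheta_u = 2 to undo that acceptance.
        weight = 2.0 if (not accepted and previously_accepted) else 1.0
        self.history.append((day, 1 if accepted else 0, weight))

    def params(self, now):
        """alpha(m), beta(m) from eqs. (2) and (3), with ages relative to `now`."""
        g = self.gamma
        alpha = g ** (now - self.t0) * self.alpha0
        beta = g ** (now - self.t0) * self.beta0
        for day, h, w in self.history:
            alpha += g ** (now - day) * h
            beta += g ** (now - day) * w * (1 - h)
        return alpha, beta

    def estimate(self, now):
        """Posterior mean of Beta(alpha, beta): the point estimate of C_ij."""
        alpha, beta = self.params(now)
        return alpha / (alpha + beta)


def simple_average(history):
    """Baseline scheme: C_ij = (1/n) * sum of all past h_k, no forgetting."""
    return sum(history) / len(history) if history else 0.0


def simulate(days=80, shift_day=40, rate=10, cr_before=0.8, cr_after=0.3,
             gamma=0.9, seed=1):
    """Peer 1 sends Poisson(rate) rules/day to peer 2; peer 2 accepts each
    with probability cr_before, dropping to cr_after from shift_day on
    (constructed data). Returns the per-day estimates of both schemes."""
    rng = random.Random(seed)
    beta_est, avg_hist = BetaCompatibility(gamma=gamma), []
    out = {"beta": [], "simple": []}
    for day in range(days):
        cr = cr_before if day < shift_day else cr_after
        for _ in range(poisson(rate, rng)):
            accepted = rng.random() < cr
            beta_est.observe(day, accepted)
            avg_hist.append(1 if accepted else 0)
        out["beta"].append(beta_est.estimate(day))
        out["simple"].append(simple_average(avg_hist))
    return out


if __name__ == "__main__":
    res = simulate()
    for d in (10, 39, 45, 65):
        print(f"day {d:2d}: beta={res['beta'][d]:.2f}  simple={res['simple'][d]:.2f}")
```

Before the shift both schemes settle near 0.8. Afterwards the Beta estimate, whose effective memory with $\gamma = 0.9$ is on the order of ten days, tracks the new compatibility within a few weeks, while the simple average still carries the full weight of the first forty days and stays well above it; that lag is what would keep a peer on a stale Best Neighbor list.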
Fig. 4: Scalability Level of RSCIDS Framework

4.3 Scalability

In this experiment, we compare the scalability of the proposed rule propagation scheme in the RSCIDS framework with the traditional mechanism, a mailing list. We simulate a Cloud federation whose size starts at 10 Cloud peers and increases by 30 peers at each step up to 100 peers. The number of BNs of each peer in this model is 10, and the rule propagation rate from a peer to its BNs is s = 2 rules/day. For low-compatible peers, the rate at which a peer sends testing rules is 1 rule/day. Meanwhile, each peer in the mailing list model propagates to all its neighbors at a rate of 2 rules/day.

Fig. 4 shows that the number of rules a peer receives increases linearly with the network size when using the mailing list. When the network is large, the receiving rate may exceed what a peer can tolerate and be treated as spam. The RSCIDS framework keeps the received rule rate within the predefined capacity, and the rate does not increase with the network size for either low- or high-compatible peers. This means that RSCIDS is scalable with respect to the network size.
5 Conclusions
In this paper, we have introduced a rule sharing-based IDS framework called RSCIDS for a Cloud federation environment. We proposed an optimization problem to determine the rule propagation rates, which are limited by the maximum amount of resources that CPs assign to their IDS framework. Also, a Beta distribution-based learning scheme was constructed to estimate the compatibility between Cloud peers from empirical data. By simulation, we have demonstrated the most important properties of the RSCIDS framework: our system effectively improves the system-wide intrusion detection accuracy, and it is scalable and robust to denial-of-service attacks. As future work, we intend to show the robustness of this framework against different insider attacks. Furthermore, evaluating the efficiency of this model in a real Cloud computing environment is a challenge that we intend to address.
Acknowledgments
This work was partly supported by the IT R&D program of MKE (The Ministry of Knowledge Economy)/ KEIT (Korea Evaluation Institute of Industrial Technology) [10035321, Terminal Independent Personal Cloud System].