Distributed Intrusion Detection System using Mobile Agents in Cloud Computing Environment (DIDMACC)

Distributed Intrusion Detection System using Mobile Agents in Cloud Computing Environment (DIDMACC)

Yasir Mehmood
2011-NUST-MS-CCS-031

Thesis Supervisor: Dr. M. Awais Shibli

G.E.C Members:
Dr. Abdul Ghafoor Abbasi
Dr. Adnan Khalid Kiyani
Ms. Hirra Anwar

October 03, 2014
In-house Defense
School of Electrical Engineering & Computer Science, NUST Islamabad

Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad

Agenda

Introduction

Motivation

Research Methodology

Problem Statement

Contributions

Implementation

Security Evaluation

Future Directions

Demonstration

References


Intrusion Detection System in Cloud


Intrusion Detection Systems in Cloud


Deployment of IDS and Service Models

In a Cloud environment, IDS may be deployed at any of the three layers:

Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS)


Challenges to Cloud based IDS


Literature Review

Security Perspective:
Conference & Journal papers
IDS in Cloud
Challenges to CIDS
Well-known Open source IDS
Standards
Next Generation IDS
Detection Techniques of IDS
Best Practices
State-of-the-art Tools and Technologies

Industrial Perspective:
Cisco
MetaFlows
PaloAlto Networks
Juniper Networks
Tipping Point
Symantec

Research Methodology

Problem Statement

The large-scale and distributed intrusions, caused mainly by the open and distributed architecture of the Cloud, threaten both Cloud Service Providers (CSPs) and Cloud Service Consumers (CSCs). We aim to detect such intrusions through correlation of intrusion alerts collected using mobile agents.


Contributions

Our contribution is twofold:

Research Perspective

Research Paper 1: Yasir Mehmood, Umme Habiba, M. Awais Shibli, Rahat Masood, “Intrusion Detection System in Cloud Computing: Challenges and Opportunities”, 2nd National Conference on Information Assurance (NCIA-2013), MCS, Rawalpindi, Pakistan, pp. 59-66, December 11-12, 2013.

Research Paper 2: Yasir Mehmood, Ayesha Kanwal, M. Awais Shibli, “Distributed Intrusion Detection System using Mobile Agents in Cloud Computing Environment”, submitted to 5th ACM Conference on Data and Application Security and Privacy (CODASPY-2015), San Antonio, TX, USA, March 2-4, 2015.

Research Findings: Analysis of existing CIDS

Reference | Detection Technique | IDS Type | Positioning | Detection Time | Data Source | Attacks covered | Limitations/Challenges
---|---|---|---|---|---|---|---
CIDS for Cloud Computing Networks, 2010 [2] | Signature based | Distributed | Each Cloud region | Real time | Network traffic, signatures of known attacks | Protects system from single point of failure, DoS and DDoS | Can't detect unknown attacks, high computational overhead
Securing cloud from DDOS Attacks using IDS in VMs, 2010 [18] | | Network based | Virtual Switch | Real time | Network packets, signatures of known intrusions | Secures VMs from DDoS attacks | Detects only known attacks
Integrating a NIDS into an Open Source Cloud Computing Environment, 2010 [17] | | Network based | At each node | Real time | Network traffic, normal usage of resources like CPU | Only known attacks, particularly SIP flooding | Can't detect unknown attacks

Research Findings (cont.)

Reference | Detection Technique | IDS Type | Positioning | Detection Time | Data Source | Attacks covered | Limitations/Challenges
---|---|---|---|---|---|---|---
Autonomic Agent-Based Self-Managed IDPS, 2010 [20] | Anomaly based | Host based | N/A | Real time | Network traffic, system activities (system calls etc.) | Can detect all types of attacks in real time | Implementation details are not given
Multi-level IDS and Log Management in CC, 2011 [21] | | Host based | At each guest OS | Real time | User behaviors, known attack patterns | Can detect both known and unknown attacks at a fast rate | Consumes more resources for high level users
Distributed Intrusion Detection in Clouds using MAs, 2009 [22] | | Distributed | At each VM | Real time | Audit data, known intrusion patterns, system logs | Can detect both known and unknown attacks | There is a limit on the number of VMs to be visited
Collabra: Xen Hypervisor based Collaborative IDS, 2011 [29] | | VMM based, Distributed | At each VMM | Real time | Audit data, anomaly database | Can detect hyper-call based attacks on VMM and host OS | Cannot detect other types of attacks

Research Findings (cont.)

Reference | Detection Technique | IDS Type | Positioning | Detection Time | Data Source | Attacks covered | Limitations/Challenges
---|---|---|---|---|---|---|---
IDS for Cloud Computing, 2012 [19] | Hybrid | Distributed | At the processing server | Real time | Audit data, user profiles, signatures of known intrusions | Can help CSP to improve its quality of service, detects unknown attacks | The proposed idea is theoretical, no implementation provided
Bayesian Classifier and Snort based NIDS in Cloud Computing, 2012 [5] | | Network based | At the processing servers | Real time | Network packets, known attack signatures, prior events | Detects all types of attacks | Complexity increased due to integration of both signatures and anomalies
IDS in Cloud Computing Environment, 2011 [28] | | Host based and Network based | At each node | Real time | Logs of user activities, signatures of known attacks | Can detect all known attacks, may detect unknown attacks using ANN | Experimental results are not given
GCCIDS, 2010 [27] | | Host based | At each node | Real time | Audit data, user profiles | Known attacks, unknown attacks using ANN | Accurate detection requires more training time, there is a limit on number of rules

Implementation Perspective

Implement a distributed intrusion detection system for Cloud, based on Suricata, mobile agents and OSSIM, that can:

1) Detect intrusions on local VMs.
2) Enable the user to update Suricata rules files.
3) Use mobile agents to carry intrusion alerts from VMs to the management server.
4) Detect distributed intrusions using the OSSIM correlation engine.
5) Update rules files on VMs using mobile agents.

Well known open source IDS

Project Name | Open Source | Developer | IDS/IPS capability | URL
---|---|---|---|---
Snort | Yes, GPLv2+ | Sourcefire, Inc. | Both IDS & IPS | http://www.snort.org/
Suricata | Yes, GNU GPL v2 | OISF | Both IDS & IPS | http://suricata-ids.org/
Bro | Yes, BSD license | Vern Paxson | IDS only | http://www.bro.org/
Security Onion | Yes, GNU GPL v2 | Security Onion | IDS only | http://securityonion.net/

Why Suricata IDS?

Development Toolkit

Layered Architecture

[Figure: layered architecture of the system. The infrastructure to be monitored consists of hosts built from Hardware, Host OS and Hypervisor, with VMs running Applications, Suricata (signature DB) and JADE agents. The Management Server (MS) holds the IDS Signature Database, the Alert Correlation Engine (OSSIM), JADE (MA Generation) and the Sys Admin/Alert Console. Functional layers labelled in the figure: Alert Generation, Intrusion Detection, JADE (MA Generation), Alert Correlation Engine (OSSIM). MA: Mobile Agent; VM: Virtual Machine.]

Workflow of our System

[Figure: workflow between User A, User B and User C, the Cloud Service Provider (CSP), VM 1, VM 2 and VM 3 (each hosting a mobile agent, MA), the Management Server (MS) with its IDS Signature Database, Alert Correlation Engine (OSSIM) and JADE (MA Generation), and the Sys Admin/Alert Console. Numbered steps as labelled in the figure:]

1. Request for VM
2. VM [IDS + JADE]
3. RM_agent reports suspicious activity
4. EC_agent to gather alert info
5. EC_agent can move between VMs
6. EC_agent returns to MS after collecting alert information
7. Correlation and Intrusion Detection
8. Alert
9. MS sends signature of distributed & latest intrusion to other VMs

Components of our System

Components of our System (cont.)

1. Suricata rule management

Components of our System (cont.)

2. Agents development module:

I. Local Agents
a) Intrusion detection agent
b) Resource monitoring agent
c) Port scanning agent

II. Mobile Agents
a) Alert carrier mobile agent
b) Evidence collector mobile agent
c) Signature writer mobile agent

Components of our System (cont.)

3. Alert Correlation Module: correlation of alerts collected from VMs:

I. Use Suricata as source of alerts
II. Forward the alerts to OSSIM correlation engine
III. Correlate alerts to detect distributed intrusions
IV. Update rules files of VMs using mobile agents
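As an added example (not code from the thesis or from DIDMACC, whose correlation is done by the OSSIM engine and whose agents are JADE-based), the following Python sketch shows the core of the alert correlation module above: Suricata EVE JSON alert lines collected from several VMs are parsed, and a signature is flagged as a distributed intrusion when it fires on at least two distinct VMs within a five-minute sliding window. The alert lines, the local signature IDs and the "vm" tag added at collection time are all constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not from the thesis): Suricata EVE JSON lines as collected from
# three VMs. The "vm" key is assumed to be tagged on by the alert carrier agent; not a Suricata field.
SAMPLE_EVE_LINES = [
    '{"vm":"VM1","timestamp":"2014-10-03T10:00:05.000000+0500","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.0.11","alert":{"signature_id":1000001,"signature":"LOCAL SSH brute force attempt","severity":2}}',
    '{"vm":"VM1","timestamp":"2014-10-03T10:00:09.000000+0500","event_type":"flow","src_ip":"10.0.0.11","dest_ip":"10.0.0.1"}',
    '{"vm":"VM2","timestamp":"2014-10-03T10:01:10.000000+0500","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.0.12","alert":{"signature_id":1000001,"signature":"LOCAL SSH brute force attempt","severity":2}}',
    '{"vm":"VM3","timestamp":"2014-10-03T10:02:30.000000+0500","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.13","alert":{"signature_id":1000001,"signature":"LOCAL SSH brute force attempt","severity":2}}',
    '{"vm":"VM1","timestamp":"2014-10-03T10:00:20.000000+0500","event_type":"alert","src_ip":"198.51.100.4","dest_ip":"10.0.0.11","alert":{"signature_id":1000002,"signature":"LOCAL SIP INVITE flood","severity":1}}',
    '{"vm":"VM1","timestamp":"2014-10-03T10:00:40.000000+0500","event_type":"alert","src_ip":"198.51.100.4","dest_ip":"10.0.0.11","alert":{"signature_id":1000002,"signature":"LOCAL SIP INVITE flood","severity":1}}',
    '{"vm":"VM2","timestamp":"2014-10-03T10:10:00.000000+0500","event_type":"alert","src_ip":"192.0.2.50","dest_ip":"10.0.0.12","alert":{"signature_id":1000003,"signature":"LOCAL web shell access","severity":1}}',
    '{"vm":"VM3","timestamp":"2014-10-03T10:30:00.000000+0500","event_type":"alert","src_ip":"192.0.2.50","dest_ip":"10.0.0.13","alert":{"signature_id":1000003,"signature":"LOCAL web shell access","severity":1}}',
]


def parse_eve_alert(line):
    """Parse one EVE JSON line; return a flat dict for alert events, None otherwise."""
    rec = json.loads(line)
    if rec.get("event_type") != "alert":
        return None  # flow, dns, http, ... records are not alerts
    return {
        "vm": rec["vm"],
        "ts": datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"),
        "sid": rec["alert"]["signature_id"],
        "signature": rec["alert"]["signature"],
        "src_ip": rec["src_ip"],
    }


def correlate(lines, min_vms=2, window_s=300):
    """Flag a signature as a distributed intrusion when it fires on at least min_vms distinct
    VMs inside a sliding window of window_s seconds. Repeated hits on one VM never count."""
    window = timedelta(seconds=window_s)
    by_sid = defaultdict(list)
    for line in lines:
        alert = parse_eve_alert(line)
        if alert:
            by_sid[alert["sid"]].append(alert)
    findings = []
    for sid, hits in by_sid.items():
        hits.sort(key=lambda h: h["ts"])
        best, start = [], 0
        for end in range(len(hits)):
            while hits[end]["ts"] - hits[start]["ts"] > window:
                start += 1  # slide the window start forward past stale hits
            span = hits[start:end + 1]
            if len({h["vm"] for h in span}) > len({h["vm"] for h in best}):
                best = span  # keep the window covering the most distinct VMs
        vms = sorted({h["vm"] for h in best})
        if len(vms) >= min_vms:
            findings.append({"sid": sid, "signature": best[0]["signature"], "vms": vms,
                             "sources": sorted({h["src_ip"] for h in best})})
    return findings
```

In the deployed system the input would be the alerts the alert carrier agent delivers to the MS, and each finding would become an OSSIM event and the trigger for the signature writer agent rather than a Python dict.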

Security Evaluation with Pytbull

Future Directions

An anomaly based system can be combined with our system to make a hybrid CIDS for improved detection.

Another possible research direction is to integrate a correlation module other than OSSIM and compare its results with those achieved through the OSSIM correlation engine.

Conclusion

An Intrusion Detection System is very useful for detecting malicious activities before they damage Cloud resources.

The impact of the IDS on the performance of cloud resources should also be considered while developing a CIDS.

The use of mobile agents to carry intrusion-specific data and code reduces network load.

Global-level correlation helps in efficient detection of distributed intrusions.

Demo: Suricata Alerts on the local VM

Suricata logs on OSSIM

Events after correlation by OSSIM

Special Thanks to my Supervisor and committee members.

References

[1]. C. C. Lo, C. C. Huang, J. Ku, “A Cooperative Intrusion Detection System Framework for Cloud Computing Networks”, 39th International Conference on Parallel Processing Workshops 2010, pp. 280-284.

[2]. C. N. Modi, D. R. Patel, A. Patel, R. Muttukrishnan, “Bayesian Classifier and Snort based Network Intrusion Detection System in Cloud Computing”, Third International Conference on Computing, Communication and Networking Technologies, 26th-28th July 2012.

[3]. C. Mazzariello, R. Bifulco and R. Canonico, “Integrating a Network IDS into an Open Source Cloud Computing Environment”, 2010 Sixth International Conference on Information Assurance and Security, pp. 265-270.

[4]. A. Bakshi, Yogesh B, “Securing cloud from DDOS Attacks using Intrusion Detection System in Virtual Machine”, 2010 Second International Conference on Communication Software and Networks, pp. 260-264.

[5]. Ms. P. K. Shelke, Ms. S. Sontakke, Dr. A. D. Gawande, “Intrusion Detection System for Cloud Computing”, International Journal of Scientific & Technology Research Volume 1, Issue 4, May 2012, pp. 67-71.


[6]. A. Patel, Q. Qassim, Z. Shukor, J. Nogueira, J. Júnior and C. Wills, “Autonomic Agent-Based Self-Managed Intrusion Detection and Prevention System”, Proceedings of the South African Information Security Multi-Conference (SAISMC 2010), pp. 223-234.

[7]. J. H. Lee, M. W. Park, J. H. Eom, T. M. Chung, “Multi-level Intrusion Detection System and Log Management in Cloud Computing”, ICACT, 2011, pp. 552-555.

[8]. A. V. Dastjerdi, K. A. Bakar, S. G. H. Tabatabaei, “Distributed Intrusion Detection in Clouds using Mobile Agents”, Third International Conference on Advanced Engineering Computing and Applications in Sciences, 2009, pp. 175-180.

[9]. K. Vieira, A. Schulter, Carlos B. Westphall, and C. M. Westphall, “Intrusion Detection for Grid and Cloud Computing”, IEEE Computer Society, (July/August 2010), pp. 38-43.

[10]. S. N. Dhage, B. B. Meshram, R. Rawat, S. Padawe, M. Paingaokar, A. Misra , “Intrusion Detection System in Cloud Computing Environment”, International Conference and Workshop on Emerging Trends in Technology (ICWET 2011), pp. 235-239.


[11]. S. Bharadwaja, W. Sun, M. Niamat, F. Shen, “Collabra: A Xen Hypervisor based Collaborative Intrusion Detection System”, Eighth International Conference on Information Technology: New Generations, 2011, pp. 695-700.

[12]. M. Uddin, A. A. Rehman, N. Uddin, et al., “Signature-based Multi-Layer Distributed Intrusion Detection System using Mobile Agents”, International Journal of Network Security, Vol. 15, No. 1, Jan. 2013, pp. 79-87.

[13]. M. Xiu-liang, W. Chun-dong, W. Huai-bin, “A Distributed Intrusion Detection System Based on Mobile Agents”, IEEE 2009.

[14]. Suricata: The Snort Replacer (Part 1: Intro & Install), Jul 24, 2013, http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/

[15]. cloudstack-users mailing list archives: November 2013, http://mail-archives.apache.org/mod_mbox/cloudstack-users/201311.mbox/browser

[16]. P. Cox, Intrusion detection in a cloud computing environment, http://searchcloudcomputing.techtarget.com/tip/Intrusion-detection-in-a-cloud-computing-environment
