Distributed Intrusion Detection System using Mobile Agents in Cloud Computing Environment (DIDMACC)
Yasir Mehmood
2011-NUST-MS-CCS-031
Thesis Supervisor:
Dr. M. Awais Shibli
G.E.C Members:
Dr. Abdul Ghafoor Abbasi
Dr. Adnan Khalid Kiyani
Ms. Hirra Anwar
October 03, 2014
In-house Defense
School of Electrical Engineering & Computer Science, NUST Islamabad
Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad
Agenda
Introduction
Motivation
Research Methodology
Problem Statement
Contributions
Implementation
Security Evaluation
Future Directions
Demonstration
References
Intrusion Detection Systems in Cloud
Deployment of IDS and Service Models
In a Cloud environment, an IDS may be deployed at any of the three layers:
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS)
Challenges to Cloud based IDS
Literature Review
Two perspectives were surveyed: a security (research) perspective and an industrial perspective.
Industrial perspective, vendors reviewed: Cisco, MetaFlows, Palo Alto Networks, Juniper Networks, TippingPoint, Symantec.
Topics covered: conference and journal papers, IDS in Cloud, challenges to CIDS, well-known open source IDS, standards, next generation IDS, detection techniques of IDS, best practices, state-of-the-art tools and technologies.
Research Methodology
Problem Statement
Large-scale, distributed intrusions, caused mainly by the open and distributed architecture of the Cloud, threaten both Cloud Service Providers (CSPs) and Cloud Service Consumers (CSCs). We aim to detect such intrusions by correlating intrusion alerts collected using mobile agents.
Contributions
Our contribution is twofold, which includes:
Research Paper 1: Yasir Mehmood, Umme Habiba, M. Awais Shibli, Rahat Masood, “Intrusion Detection System in Cloud Computing: Challenges and Opportunities”, 2nd National Conference on Information Assurance (NCIA-2013), MCS, Rawalpindi, Pakistan, pp. 59-66, December 11-12, 2013.
Research Paper 2: Yasir Mehmood, Ayesha Kanwal, M. Awais Shibli, “Distributed Intrusion Detection System using Mobile Agents in Cloud Computing Environment”, submitted to the 5th ACM Conference on Data and Application Security and Privacy (CODASPY-2015), San Antonio, TX, USA, March 2-4, 2015.
Research Perspective
Research Findings: Analysis of existing CIDS
Each system is compared on detection technique, IDS type, positioning, detection time, data source, attacks covered and limitations/challenges.

CIDS for Cloud Computing Networks, 2010 [2]
  Detection technique: signature based
  IDS type: distributed
  Positioning: each Cloud region
  Detection time: real time
  Data source: network traffic, signatures of known attacks
  Attacks covered: protects the system from single point of failure, DoS and DDoS
  Limitations/challenges: can't detect unknown attacks; high computational overhead

Securing cloud from DDOS Attacks using IDS in VMs, 2010 [18]
  IDS type: network based
  Positioning: virtual switch
  Detection time: real time
  Data source: network packets, signatures of known intrusions
  Attacks covered: secures VMs from DDoS attacks
  Limitations/challenges: detects only known attacks

Integrating a NIDS into an Open Source Cloud Computing Environment, 2010 [17]
  IDS type: network based
  Positioning: at each node
  Detection time: real time
  Data source: network traffic, normal usage of resources such as CPU
  Attacks covered: only known attacks, particularly SIP flooding
  Limitations/challenges: can't detect unknown attacks
Research Findings (cont.)

Autonomic Agent-Based Self-Managed IDPS, 2010 [20]
  Detection technique: anomaly based
  IDS type: host based
  Positioning: N/A
  Detection time: real time
  Data source: network traffic, system activities (system calls etc.)
  Attacks covered: can detect all types of attacks in real time
  Limitations/challenges: implementation details are not given

Multi-level IDS and Log Management in CC, 2011 [21]
  IDS type: host based
  Positioning: at each guest OS
  Detection time: real time
  Data source: user behaviours, known attack patterns
  Attacks covered: can detect both known and unknown attacks at a fast rate
  Limitations/challenges: consumes more resources for high level users

Distributed Intrusion Detection in Clouds using MAs, 2009 [22]
  IDS type: distributed
  Positioning: at each VM
  Detection time: real time
  Data source: audit data, known intrusion patterns, system logs
  Attacks covered: can detect both known and unknown attacks
  Limitations/challenges: there is a limit on the number of VMs to be visited

Collabra: Xen Hypervisor based Collaborative IDS, 2011 [29]
  IDS type: VMM based, distributed
  Positioning: at each VMM
  Detection time: real time
  Data source: audit data, anomaly database
  Attacks covered: can detect hyper-call based attacks on the VMM and host OS
  Limitations/challenges: cannot detect other types of attacks
Research Findings (cont.)

IDS for Cloud Computing, 2012 [19]
  Detection technique: hybrid
  IDS type: distributed
  Positioning: at the processing server
  Detection time: real time
  Data source: audit data, user profiles, signatures of known intrusions
  Attacks covered: can help the CSP to improve its quality of service; detects unknown attacks
  Limitations/challenges: the proposed idea is theoretical; no implementation provided

Bayesian Classifier and Snort based NIDS in Cloud Computing, 2012 [5]
  IDS type: network based
  Positioning: at the processing servers
  Detection time: real time
  Data source: network packets, known attack signatures, prior events
  Attacks covered: detects all types of attacks
  Limitations/challenges: complexity increased due to integration of both signatures and anomalies

IDS in Cloud Computing Environment, 2011 [28]
  IDS type: host based and network based
  Positioning: at each node
  Detection time: real time
  Data source: logs of user activities, signatures of known attacks
  Attacks covered: can detect all known attacks; may detect unknown attacks using ANN
  Limitations/challenges: experimental results are not given

GCCIDS, 2010 [27]
  IDS type: host based
  Positioning: at each node
  Detection time: real time
  Data source: audit data, user profiles
  Attacks covered: known attacks; unknown attacks using ANN
  Limitations/challenges: accurate detection requires more training time; there is a limit on the number of rules
Implementation Perspective
Implement a distributed intrusion detection system for the Cloud, based on Suricata, mobile agents and OSSIM, that can:
1) Detect intrusions on local VMs.
2) Enable the user to update Suricata rules files.
3) Use mobile agents to carry intrusion alerts from the VM to the management server.
4) Detect distributed intrusions using the OSSIM correlation engine.
5) Update rules files on VMs using mobile agents.
Well-known open source IDS
Project Name | Open Source | Developer | IDS/IPS capability | URL
Snort | Yes, GPLv2+ | Sourcefire, Inc. | Both IDS & IPS | http://www.snort.org/
Suricata | Yes, GNU GPL v2 | OISF | Both IDS & IPS | http://suricata-ids.org/
Bro | Yes, BSD license | Vern Paxson | IDS only | http://www.bro.org/
Security Onion | Yes, GNU GPL v2 | Security Onion | IDS only | http://securityonion.net/
Selected for this work: Suricata (open source, OISF, IDS/IPS).
Development Toolkit
Layered Architecture
[Figure: layered architecture of the proposed system. Layers: Alert Correlation Engine (OSSIM), Intrusion Detection, JADE (MA Generation), Alert Generation. Components shown: Sys Admin/Alert Console, IDS Signature Database and Management Server (MS); on the infrastructure to be monitored, per-host stacks of Applications, JADE agents, Suricata (signature DB), Hypervisor, Host OS and Hardware. MA: Mobile Agent; VM: Virtual Machine.]
Workflow of our System
[Figure: workflow between users (User A, User B, User C), the Cloud Service Provider (CSP) hosting VM 1, VM 2 and VM 3, and the Management Server (MS), which holds the IDS Signature Database, the Alert Correlation Engine (OSSIM), JADE (MA Generation) and the Sys Admin/Alert Console.]
1. Request for VM
2. VM [IDS + JADE]
3. RM_agent reports suspicious activity
4. EC_agent to gather alert info
5. EC_agent can move between VMs
6. EC_agent returns to MS after collecting alert information
7. Correlation and Intrusion Detection
8. Alert
9. MS sends signature of distributed & latest intrusion to other VMs
Components of our System
1. Suricata rule management
2. Agents development module:
   I. Local Agents
      a) Intrusion detection agent
      b) Resource monitoring agent
      c) Port scanning agent
   II. Mobile Agents
      a) Alert carrier mobile agent
      b) Evidence collector mobile agent
      c) Signature writer mobile agent
3. Alert Correlation Module, correlation of alerts collected from VMs:
   I. Use Suricata as source of alerts
   II. Forward the alerts to the OSSIM correlation engine
   III. Correlation of alerts to detect distributed intrusions
   IV. Update rules files of VMs using mobile agents
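The workflow above (alert carrier agents deliver Suricata alerts from each VM to the management server, which correlates them) and the Alert Correlation Module are illustrated by the following added example; it is not the thesis code and it stands in for the OSSIM correlation step with a deliberately simple rule: a signature that fires on at least two distinct VMs within a five-minute window is reported as a distributed intrusion. The fast.log line layout is Suricata's; the VM identifiers, signature IDs and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Suricata fast.log alert line: timestamp [**] [gid:sid:rev] msg [**] [...] {proto} src:port -> dst:port
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2})\.\d+\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{\w+\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+")

def parse_alert(vm_id, line):
    """Parse one fast.log line delivered from vm_id; return None for lines that are not alerts."""
    m = FAST_LOG_RE.match(line)
    if not m:
        return None  # a malformed line must not crash the collector
    return {"vm": vm_id, "ts": datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S"),
            "sid": int(m["sid"]), "msg": m["msg"], "src": m["src"], "dst": m["dst"]}

def correlate(alerts, min_vms=2, window_s=300):
    """Flag a signature as a distributed intrusion when it fires on at least
    min_vms distinct VMs within window_s seconds of one of its occurrences."""
    by_sid = defaultdict(list)
    for a in alerts:
        by_sid[a["sid"]].append(a)
    findings = []
    for sid, group in by_sid.items():
        group.sort(key=lambda a: a["ts"])
        for i, first in enumerate(group):
            vms = {first["vm"]}
            for later in group[i + 1:]:
                if (later["ts"] - first["ts"]).total_seconds() > window_s:
                    break
                vms.add(later["vm"])
            if len(vms) >= min_vms:
                findings.append({"sid": sid, "msg": first["msg"], "vms": sorted(vms)})
                break  # one finding per signature is enough for the alert console
    return findings

# Constructed sample (not real traffic): (vm_id, fast.log line) pairs as the
# alert carrier agent might deliver them to the management server.
SAMPLE = [
    ("vm1", "10/03/2014-10:15:32.100000  [**] [1:9000001:1] TEST probe of admin port [**] [Classification: Test] [Priority: 2] {TCP} 203.0.113.7:51000 -> 10.0.0.11:8443"),
    ("vm2", "10/03/2014-10:16:05.200000  [**] [1:9000001:1] TEST probe of admin port [**] [Classification: Test] [Priority: 2] {TCP} 203.0.113.7:51001 -> 10.0.0.12:8443"),
    ("vm3", "10/03/2014-10:17:40.300000  [**] [1:9000001:1] TEST probe of admin port [**] [Classification: Test] [Priority: 2] {TCP} 203.0.113.7:51002 -> 10.0.0.13:8443"),
    ("vm1", "10/03/2014-10:20:00.000000  [**] [1:9000002:1] TEST single-host event [**] [Classification: Test] [Priority: 1] {TCP} 10.0.0.11:80 -> 198.51.100.9:40000"),
    ("vm2", "not an alert line, skipped by the parser"),
]

def detect(records=SAMPLE):
    alerts = [parse_alert(vm, line) for vm, line in records]
    return correlate([a for a in alerts if a])
```

Only signature 9000001 is reported, because it was seen on three VMs within the window, while 9000002 fired on a single VM and the malformed line is dropped by the parser.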
Security Evaluation with Pytbull
Future Directions
An anomaly based system can be combined with our system to make a hybrid CIDS for improved detection.
Another possible research direction is to integrate a correlation module other than OSSIM and compare its results with those achieved through the OSSIM correlation engine.
Conclusion
An Intrusion Detection System is very useful for detecting malicious activities before they damage Cloud resources.
The impact of an IDS on the performance of Cloud resources should also be considered while developing a CIDS.
The use of mobile agents to carry intrusion-specific data and code reduces network load.
Global-level correlation helps in efficient detection of distributed intrusions.
Demo: Suricata Alerts on the local VM
Suricata logs on OSSIM
Events after correlation by OSSIM
Special thanks to my supervisor and committee members.
References
[1] C. C. Lo, C. C. Huang, J. Ku, “A Cooperative Intrusion Detection System Framework for Cloud Computing Networks”, 39th International Conference on Parallel Processing Workshops, 2010, pp. 280-284.
[2] C. N. Modi, D. R. Patel, A. Patel, R. Muttukrishnan, “Bayesian Classifier and Snort based Network Intrusion Detection System in Cloud Computing”, Third International Conference on Computing, Communication and Networking Technologies, 26-28 July 2012.
[3] C. Mazzariello, R. Bifulco, R. Canonico, “Integrating a Network IDS into an Open Source Cloud Computing Environment”, Sixth International Conference on Information Assurance and Security, 2010, pp. 265-270.
[4] A. Bakshi, Yogesh B, “Securing cloud from DDOS Attacks using Intrusion Detection System in Virtual Machine”, Second International Conference on Communication Software and Networks, 2010, pp. 260-264.
[5] P. K. Shelke, S. Sontakke, A. D. Gawande, “Intrusion Detection System for Cloud Computing”, International Journal of Scientific & Technology Research, Vol. 1, Issue 4, May 2012, pp. 67-71.
[6] A. Patel, Q. Qassim, Z. Shukor, J. Nogueira, J. Júnior, C. Wills, “Autonomic Agent-Based Self-Managed Intrusion Detection and Prevention System”, Proceedings of the South African Information Security Multi-Conference (SAISMC 2010), pp. 223-234.
[7] J. H. Lee, M. W. Park, J. H. Eom, T. M. Chung, “Multi-level Intrusion Detection System and Log Management in Cloud Computing”, ICACT, 2011, pp. 552-555.
[8] A. V. Dastjerdi, K. A. Bakar, S. G. H. Tabatabaei, “Distributed Intrusion Detection in Clouds using Mobile Agents”, Third International Conference on Advanced Engineering Computing and Applications in Sciences, 2009, pp. 175-180.
[9] K. Vieira, A. Schulter, C. B. Westphall, C. M. Westphall, “Intrusion Detection for Grid and Cloud Computing”, IEEE Computer Society, July/August 2010, pp. 38-43.
[10] S. N. Dhage, B. B. Meshram, R. Rawat, S. Padawe, M. Paingaokar, A. Misra, “Intrusion Detection System in Cloud Computing Environment”, International Conference and Workshop on Emerging Trends in Technology (ICWET 2011), pp. 235-239.
[11] S. Bharadwaja, W. Sun, M. Niamat, F. Shen, “Collabra: A Xen Hypervisor based Collaborative Intrusion Detection System”, Eighth International Conference on Information Technology: New Generations, 2011, pp. 695-700.
[12] M. Uddin, A. A. Rehman, N. Uddin, et al., “Signature-based Multi-Layer Distributed Intrusion Detection System using Mobile Agents”, International Journal of Network Security, Vol. 15, No. 1, Jan. 2013, pp. 79-87.
[13] M. Xiu-liang, W. Chun-dong, W. Huai-bin, “A Distributed Intrusion Detection System Based on Mobile Agents”, IEEE, 2009.
[14] Suricata: The Snort Replacer (Part 1: Intro & Install), Jul 24, 2013, http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
[15] cloudstack-users mailing list archives: November 2013, http://mail-archives.apache.org/mod_mbox/cloudstack-users/201311.mbox/browser
[16] P. Cox, Intrusion detection in a cloud computing environment, http://searchcloudcomputing.techtarget.com/tip/Intrusion-detection-in-a-cloud-computing-environment