Chirag N. Modi and Prof. Dhiren R. Patel NIT Surat, India Ph. D Colloquium, CSI-2011 Signature Apriori based Network Intrusion Detection System in Cloud

Outline
- Introduction
- Problem Statement
- Proposed Work
  - Goals of Proposed Work
  - Proposed Framework
  - Design of NIDS Module
  - Signature Generation
  - Theoretical Analysis
- Summary
- References
C. N. Modi, Ph. D Colloquium, CSI /28/2015 2

Introduction
- Cloud Computing: providing convenient, on-demand network access to a shared pool of configurable computing resources via the Internet [1]. Services: SaaS, PaaS, IaaS.
- The Cloud is an integration of many technologies, each of which has some bugs or vulnerabilities [2][3].
- Exploitation of existing vulnerabilities affects the confidentiality, availability and integrity of Cloud resources as well as services.
- Most intrusion activities are attempted over the network.
- Well-known intrusions: insider attacks, flooding attacks, DoS/DDoS attacks [4][5], User to Root (U2R) attacks, scans, VM-level attacks, etc.

Introduction
- For protecting the Cloud from such attacks, a traditional firewall alone is not an efficient solution [6].
- Another solution is to incorporate an efficient network-based intrusion detection system (NIDS) module into Cloud computing.
- It should have the following properties: completeness, scalability and compatibility.

Problem Statement
To incorporate an efficient NIDS module in the Cloud in such a way that it can detect intrusions from the external as well as the internal network of the Cloud.
Challenges to NIDS in the Cloud:
- Detection of known as well as unknown network attacks on each layer (front end, back end or VM) of the Cloud
- Low computational cost
- High detection rate
- Low false positive and false negative alarm rate
- Scalability
- Compatibility

Goals of Proposed Work
- Detection of known attacks as well as variations of known attacks at the front end and back end of the Cloud.
  Variations of known attacks, examples [7][8]:
  Content: "|2F C74 2E F4E4E4E|" (Code Red-I)
  Content: "|2F C74 2E F585858|" (Code Red-II)
  Same pattern: 2F C74 2E
  Content: "/iisadmpwd/aexp2.htr" (WEB-IIS access)
  Content: "scripts/iisadmin/default.htm" (WEB-IIS /scripts/iisadmin/default.htm access)
  Same pattern: /iisadm
- Lower computational cost than other anomaly techniques
- Low false positive alarm rate
- Scalability

Proposed Framework
Three possibilities for positioning the NIDS in the Cloud:
- On the cloud front point
- On each server
- On each VM
Each has some advantages and drawbacks.
Figure 1: Positioning NIDS in Cloud.

Design of NIDS Module
- Network: external network and internal network.
- Snort [9]: used to capture packets; detects intrusions based on configured rules.
- Known signature DB: contains known attack patterns or parts of them.
- Signature Apriori [8]: for Snort, generates new signatures from captured packets and parts of known signatures.
Figure 2: Design of our NIDS module.

Working of NIDS Module in Cloud
Figure 3: Working of NIDS module. (Flow shown in the figure: Network -> Capture Packets -> Snort with Known Signature DB -> Any match found? -> Allow or deny packet; captured packets and known signatures -> Signature Apriori -> New Signatures -> Update Snort Rules.)

Working of NIDS Module
- Packets passing through the network are captured.
- Captured packets are monitored by Snort and matched against the configured rules.
- If any match is found, the packet is allowed or denied based on the configured rules.
- Captured packets are also given as input to the signature apriori algorithm [8].
- The signature apriori algorithm takes two inputs: (1) packet captures from the network, (2) parts of known signatures.
- It generates new possible attack signatures which are derivatives of known attacks.
- Generated signatures are added as rules to the Snort configuration file for detecting derivative attacks in future.
- So Snort can detect some partially unknown attacks.

Signature Generation
Part of known signature: "C D E", threshold 0.7.

Table 1: Captured Packets.
ID  Packet Contents
1   A B C D E F G Q
2   M N A B C D F G
3   M A B C E F G P Q
4   N A B C D E F G Q
5   J B C D E F G
6   P Q I

Frequent content set: {A, B, C, D, E, F, G}

Table 2: First iteration.
Candidates: C D E A, C D E B, C D E C, C D E D, C D E E, C D E F, C D E G
Frequent content set: {C D E F}

Table 3: Second iteration.
Candidates: C D E F A, C D E F B, C D E F C, C D E F D, C D E F E, C D E F F, C D E F G
Frequent content set: {C D E F G}

Table 4: Third iteration.
Candidates: C D E F G A, C D E F G B, C D E F G C, C D E F G D, C D E F G E, C D E F G F, C D E F G G
Frequent content set: {}

Table 5: Fourth iteration.
Candidates: A C D E F G, B C D E F G, C C D E F G, D C D E F G, E C D E F G, F C D E F G, G C D E F G
Frequent content set: {B C D E F G}

Table 6: Fifth iteration.
Candidates: A B C D E F G, B B C D E F G, C B C D E F G, D B C D E F G, E B C D E F G, F B C D E F G, G B C D E F G
Signature: {A B C D E F G}

Signature Generation
The possible attack signatures are as follows:
- C D E F
- C D E F G
- B C D E F G
- A B C D E F G
Using a longer string as a Snort signature gives greater detection accuracy than a shorter string [8]. So "A B C D E F G" can be used as the new derivative signature.
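A runnable version of the signature generation walkthrough above, written as an added example (not the authors' code, nor the exact algorithm of [8]): it takes the Table 1 packets and the known fragment "C D E", extends it rightward one frequent item at a time until no extension meets the support threshold, then leftward, and returns the longest derivative. Support here is counted as the fraction of all captured packets containing a candidate as a contiguous run, and the threshold values used with it are my assumption, so the exact sets it reports can differ from the slide's hand-worked tables.

```python
from typing import Iterable, Sequence, Set, Tuple

Seq = Tuple[str, ...]

# Packets from Table 1 of the slide (packet 6 read as "P Q I").
PACKETS: Tuple[Seq, ...] = tuple(
    tuple(row.split()) for row in (
        "A B C D E F G Q", "M N A B C D F G", "M A B C E F G P Q",
        "N A B C D E F G Q", "J B C D E F G", "P Q I",
    )
)


def contains(packet: Seq, pattern: Seq) -> bool:
    """True if pattern occurs as a contiguous run inside packet."""
    n = len(pattern)
    return any(packet[i:i + n] == pattern for i in range(len(packet) - n + 1))


def support(packets: Sequence[Seq], pattern: Seq) -> int:
    """Number of captured packets containing pattern contiguously."""
    return sum(contains(p, pattern) for p in packets)


def grow(packets: Sequence[Seq], seeds: Set[Seq], items: Iterable[str],
         min_count: float, prepend: bool) -> Set[Seq]:
    """Apriori passes on one side: extend every seed by one frequent item,
    keep the extensions meeting min_count, repeat until none survives.
    Returns the longest frequent sequences reached (the seeds if none grow)."""
    longest = set(seeds)
    while seeds:
        cands = {(x,) + s if prepend else s + (x,) for s in seeds for x in items}
        seeds = {c for c in cands if support(packets, c) >= min_count}
        longest = seeds or longest
    return longest


def signature_apriori(packets: Sequence[Seq], known_part: Seq,
                      min_support: float) -> Seq:
    """Derive a longer signature from a known fragment: grow rightward first
    (Tables 2-4 on the slide), then leftward (Tables 5-6), and return the
    longest derivative found.  min_support is a fraction of all packets
    (assumed convention for this example)."""
    min_count = min_support * len(packets)
    alphabet = {x for p in packets for x in p}
    items = sorted(x for x in alphabet if support(packets, (x,)) >= min_count)
    right = grow(packets, {known_part}, items, min_count, prepend=False)
    both = grow(packets, right, items, min_count, prepend=True)
    return max(both, key=len)
```

Calling `signature_apriori(PACKETS, ("C", "D", "E"), 0.5)` and the same with 0.3 shows how strongly the derived signature depends on the chosen minimum support.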

Theoretical Analysis
- Detection of known attacks as well as variations of attacks: since a combination of Snort and the signature apriori algorithm is used, the proposed framework can detect known attacks as well as variations of known attacks. It can also detect intrusions passing through the external network as well as the internal network.
- False positive rate: we use longer signatures for Snort rules, which reduces the false positive rate, since the probability of a shorter signature occurring in normal traffic is high.
- Computational cost: it has a lower computational cost than other anomaly techniques, since once rules are generated there is no need to generate them again. Multiple IDS instances are not required. The cost can be reduced further by reducing the number of database scans.

Theoretical Analysis
- Scalability: new rules can easily be added to Snort without modifying existing rules.

Summary
- There are various intrusions in the Cloud which affect the confidentiality, availability and integrity of cloud resources.
- Integration of only a firewall in the Cloud is not an efficient solution for preventing such attacks.
- We proposed a framework incorporating a NIDS into the Cloud.
- Our proposed framework can be used to detect network attacks (known attacks as well as variations of known attacks) at the front end and back end of the Cloud.
- It has a very low false positive alarm rate with reasonable computational cost, since a signature-based technique is used.
- However, it cannot detect fully unknown attacks.

References
1. P. Mell and T. Grance, "The NIST definition of cloud computing (draft)," NIST, [Online]. Available: 145_cloud-definition.pdf (2011).
2. "Top threats to cloud computing," [Online]. Available: (2010).
3. "National Vulnerability Database," NIST, [Online]. Available:
4. C. Brooks, "Amazon EC2 Attack Prompts Customer Support Changes," Tech Target, [Online]. Available: ,00.html (2009).
5. M. Slaviero, "Black Hat presentation demo vids: Amazon," [Online]. Available: (2009).
6. S. Beg, U. Naru1, M. Ashraf, and S. Mohsin, "Feasibility of Intrusion Detection System with High Performance Computing: A Survey," International Journal for Advances in Computer Science, vol. 1, no. 1.

References
7. H. Han, X. L. Lu, and L. Y. Ren, "Using Data Mining To Discover Signatures In Network-Based Intrusion Detection," Proceedings of the First International Conference on Machine Learning and Cybernetics, Beijing, vol.
8. H. Zhengbing, L. Zhitang, and W. Jumgi, "A Novel Intrusion Detection System (NIDS) Based on Signature Search of Data Mining," WKDD First International Workshop on Knowledge Discovery and Data Mining, 2008, pp.
9. Snort home page, Website, [Online]. Available: (2011).

Thank You