Download presentation
Presentation is loading. Please wait.
Published byAdele Beasley Modified over 9 years ago
1
Chirag N. Modi and Prof. Dhiren R. Patel NIT Surat, India cnmodi.956@gmail.com dhiren29p@gmail.com Ph. D Colloquium, CSI-2011 Signature Apriori based Network Intrusion Detection System in Cloud
2
Outline Introduction Problem Statement Proposed Work Goals of Proposed Work Proposed Framework Design of NIDS Module Signature Generation Theoretical Analysis Summary References C. N. Modi, Ph. D Colloquium, CSI-2011 8/28/2015 2
3
Introduction Cloud Computing: providing convenient, on-demand network access to a shared pool of configurable computing resources via Internet [1]. Services: SaaS, PaaS, IaaS. Cloud-Integration of many technologies. Each has some bugs or vulnerabilities [2][3]. Exploitation of existing vulnerabilities affects confidentiality, availability and integrity of Cloud resources as well as services. Most of the intrusion activities are attempted over network. Well known intrusions: Insider attacks, flooding attack, DoS/DDoS attacks [4][5], User to Root Attacks (U2R), Scan, VM level attacks etc. C. N. Modi, Ph. D Colloquium, CSI-2011 8/28/2015 3
4
Introduction For preventing cloud from such attacks, use of only traditional firewall is not an efficient solution [6]. Another solution is to incorporate an efficient network based intrusion detection system (NIDS) module in Cloud computing. It should have following properties: Completeness, Scalability and Compatibility. C. N. Modi, Ph. D Colloquium, CSI-2011 8/28/2015 4
5
Problem Statement To incorporate an efficient NIDS module in Cloud, in such a way that it can detect intrusions from external as well as internal network of Cloud. Challenges to NIDS in Cloud: Detection of known as well as unknown network attacks on each layer (front end, back end or VM) of Cloud Low computational cost High detection rate Low false positive and false negative alarm rate Scalability Compatibility C. N. Modi, Ph. D Colloquium, CSI-2011 8/28/2015 5
6
Goals of Proposed Work Detection of known attacks as well as variation of known attacks at front end and back end of Cloud. Variation of known attack- examples [7][8]: Content: "|2F646566 1756C74 2E696461 3F4E4E4E|" (Code Red-I) Content: "|2F646566 1756C74 2E696461 3F585858|" (Code Red-II) Same pattern: 2F646566 1756C74 2E696461. Content: "/iisadmpwd/aexp2.htr".(WEB-IIS access) Content: "scripts/iisadmin/default.htm". (WEB- IIS/scripts/iisadmin/default.htm access) Same pattern: /iisadm. Low computational cost than other anomaly techniques Low false positive alarm rate Scalability C. N. Modi, Ph. D Colloquium, CSI-2011 8/28/2015 6
7
Proposed Framework Three possibilities for positioning NIDS in cloud. On cloud front point: On each server: On each VM: Each has some advantages and drawbacks. Figure 1: Positioning NIDS in Cloud. C. N. Modi, Ph. D Colloquium, CSI-2011 8/28/2015 7
8
Design of NIDS Module Network External network Internal network Snort [9] Used to capture packets. Detects intrusions based on configured rules. Known signature DB Contains known attacks patterns or part of them. Signature Apriori [8] For snort, generates new signatures from captured packets and part of known signatures. Figure 2: Design of our NIDS module. C. N. Modi, Ph. D Colloquium, CSI-2011 8/28/2015 8
9
Working of NIDS Module in Cloud Capture Packets Snort Known Signature DB Known Signature Signature Apriori New Signatures Update Snort Rules Network Any match found? Allow or deny packet Figure 3: Working of NIDS module. C. N. Modi, Ph. D Colloquium, CSI-2011 8/28/2015 9
10
Working of NIDS Module Packets passing through network are captured. Captured packets are monitored by snort and matched with configured rules. If any matches found, it is allowed or denied based on configured rules. Also, captured packets are given as a input to signature apriori algorithm [8]. Signature apriori algorithm takes two inputs: (1) Packet captures from network. (2) Part of known signatures. It generates new possible attack signatures which are derivative of known attacks. Generated signatures are updated as rules into snort configuration file for detecting derivative attack in future. So, snort can detect some partially unknown attacks. C. N. Modi, Ph. D Colloquium, CSI-2011 8/28/2015 10
11
Signature Generation IDPacket Contents 1A B C D E F G Q 2M N A B C D F G 3M A B C E F G P Q 4N A B C D E F G Q 5J B C D E F G 6P Q I C D E A C D E B C D E C C D E D C D E E C D E F C D E G Part of Known Sig.- “C D E” & 0.7 threshold Frequent content set: {A, B, C, D, E, F, G} Frequent content set: {C D E F} C D E F A C D E F B C D E F C C D E F D C D E F E C D E F F C D E F G Frequent content set: {C D E F G} C D E F G A C D E F G B C D E F G C C D E F G D C D E F G E C D E F G F C D E F G G A C D E F G B C D E F G C C D E F G D C D E F G E C D E F G F C D E F G G C D E F G Frequent content: {} Frequent content set: {B C D E F G} A B C D E F G B B C D E F G C B C D E F G D B C D E F G E B C D E F G F B C D E F G G B C D E F G Signature: {A B C D E F G} Table 1: Captured Packets.Table 2: First iteration.Table 3: Second iteration. Table 4: Third iteration.Table 5: Fourth iteration.Table 6: Fifth iteration. C. N. Modi, Ph. D Colloquium, CSI-2011 8/28/2015 11
12
Signature Generation The possible number of attack signatures are as follows: C D E F C D E F G B C D E F G A B C D E F G Use of longer string as a signature for snort have greater detection accuracy than shorter string [8]. So, “A B C D E F G” can be used as a new derivative signature. C. N. Modi, Ph. D Colloquium, CSI-2011 8/28/2015 12
13
Theoretical Analysis Detection of known attacks as well as variation of attacks: Since combination of snort and signature apriori algorithm used, proposed framework can detect known as well as variation of known attacks. Also, it can detect intrusion passing through external network as well as internal network. False positive rate: We used longer signature for snort rules, which reduces false positive rate since probability of a shorter signature in normal traffic is high. Computational cost: It has low computational cost than other anomaly techniques since once rules are generated, there is no need to generated those rules again. Multiple instances to IDS are not required. Further it can be reduced by reducing number of database scans. C. N. Modi, Ph. D Colloquium, CSI-2011 8/28/2015 13
14
Theoretical Analysis Scalability: New rules can be easily added into snort without modifying existing rules. C. N. Modi, Ph. D Colloquium, CSI-2011 8/28/2015 14
15
Summary There are various intrusions in Cloud, which affect the confidentiality, availability and integrity of cloud resources. Integration of only firewall in Cloud is not an efficient solution for preventing such attacks. We proposed a framework incorporating NIDS into Cloud. Our proposed framework can be used to detect network attacks (known attacks as well as variation of known attacks) at front end and back end of Cloud. It has very low false positive alarm rate with reasonable computational cost since signature based technique is used. However, it can not detect fully unknown attacks. C. N. Modi, Ph. D Colloquium, CSI-2011 8/28/2015 15
16
References 1. P. Mell, and T. Grance, “The nist definition of cloud computing (draft),” NIST, [Online]. Available: http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800- 145_cloud-definition.pdf (2011). 2. “Top threats to cloud computing,” [Online]. Available: http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf (2010). 3. “National Vulnerability Database,” NIST, [Online]. Available: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3733 4. C. Brooks, “Amazon EC2 Attack Prompts Customer Support Changes,” Tech Target, [Online]. Available: http://searchcloudcomputing.techtarget.com/news/article/0,289142,sid201_gci137 1090,00.html (2009). 5. M. Slaviero, “Black Hat presentation demo vids: Amazon,” [Online]. Available: http://www.sensepost.com/blog/3797.html (2009). 6. S. Beg, U. Naru1, M. Ashraf, and S. Mohsin, “Feasibility of Intrusion Detection System with High Performance Computing: A Survey,” International Journal for Advances in Computer Science, vol. 1, no. 1, 2010. C. N. Modi, Ph. D Colloquium, CSI-2011 8/28/2015 16
17
References 7. H. Han, X. L. Lu, L. Y. Ren, Using Data Mining To Discover Signatures In Network- Based Intrusion Detection, Proceedings of the First International Conference on Machine Learning and Cybernetics, Beijing vol. 1. 2002. 8. H. Zhengbing, L. Zhitang, W. Jumgi, A Novel Intrusion Detection System (NIDS) Based on Signature Search of DataMining, WKDD First International Workshop on Knowledge discovery and Data Ming, 2008, pp. 10-16. 9. Snort-Home page, Website, [Online]. Available: https://www.snort.org/ (2011). C. N. Modi, Ph. D Colloquium, CSI-2011 8/28/2015 17
18
Thank You
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.