A hybrid intrusion detection system for cloud computing environments

4A Hybrid intrusion detection system for Cloud Computing Environments
Q: Please rate your level of overall security concern related to
adopting public cloud computing?
91% organizations have security concerns.•
4% not sure.•
5% not at all concerned.•
Source : Cloud Passage survey report 2016
Cloud Security Conserns

Q: What types of business applications is your organization
deploying in the cloud?
46% Web Apps.•
38% Collaboration and Communication Apps.•
33% Productivity.•
27% IT Operations•
27% Custom Business Applications•
Most Popular Cloud Services
Source : Cloud Passage survey report 2016

Main Question:
How to protect the Cloud using Intrusion Detection
Systems (IDS) ?
Second Questions:
How IDS best transformed to suit the Cloud ?
How may we increase the detection quality ?
How the Model is best Deployed ?
Research Question

Aims and Objectives
Objective 1:
Review the current literature about security issues related
to the Cloud and proposed solutions to fully protect it.
Objective 2:
Identify key solutions and Design the architecture.
Objective 3:
Evaluate experimental results.
Aims and Objectives

Cloud Computing
Virtualization
Vulnerabilities and attacks in Cloud Computing
Intrusion Detection Systems
Machine Learning
Background

Isolation.1.
Interposition.2.
Inspection.3.
Virtualization
Virtual Machine Monitor (VMM)

Virtualization
Approaches of Virtualization
User Apps
VMM
(Virtual Machine Monitor)
Host Hardware
Ring-0
Ring-1
Ring-2
Ring-3
Direct Execution
of User request
Binary Translation
of OS requests
Guest OS
Full Virtualization

Intrusion Detection System
Intrusion Detection System vs Firewall•
What IDS Can/Can’t Do?•
Detection methods•

Machine Learning
Supervised Learning
Unsupervised Learning
Naive Bayes
Decision Tree

Literature Review
Classification of the Literature
How to study the Literature?

Literature Review
How to study the literature?
Where to detect? Network/Host/VM/Application
What to detect? Network packets/Processes/VMM/tasks
How to detect? Signature/Anomaly
Where?
What?How?

Literature Review
How to study the literature?
Layers of the Cloud
Where
Audit source location
What
Detection method
How
Literature
PerspectivesScope

Literature Review
Classification of the Literature
Layers Of the Cloud
HostNetworkApplication Virtualization

Literature Review
Application Layer
AlQahtani et al. 2014 Metric to measure quality:
- Vulnerability Detection
- Avg Response time
Carmen et al. 2010
SQLInjection (SQLMap)
Web Traffic (XML+ModSecurity)
Detection
Metrics
?
“XML”- Better characterization of
normal traffic.
Felix et al. 2011
Heuristics
To Learn Algorithms and Keys
Encryption
?

Literature Review
Host Layer
Firkhman et al. 2011
Chirag et al. 2013
Host IDSs
?
Signatures for
known attacks
Top down approach & Bottom up approach
To place IDS on host, gests or hypervisors
SamanTaghavi et al. 2011
Cloud specific design
Log fie correlation
Hybrid solution
Unknown attacks
Log fie correlation
Cloud specificdesign
Several IDS methods (NIDS, HIDS, ...)
Hybrid solution

Literature Review
Comparative Summary
Ref Deployment Layers of interest Detection approach
Vikas Mishra et al. 2016 IaaS Network Signature-based
Sivakami Raja et al. 2016 IaaS Network Anomaly-based
KhamkoneSengaphayet
al.2016
IaaS Network
Signature-based
Anomaly-based
Zahraa Al-Mousa et al. 2015 IaaS Network Anomaly-based
Partha Ghosh et al. 2015 IaaS Network, Host Anomaly-based
Ming-Yi Liao et al. 2015 IaaS Network, VM Signature-based
Sangeetha et al. 2015 SaaS Applocation Signature-based
Manthira et al. 2014 IaaS, SaaS Network, Host
Signature-based
Anomaly-based
Omar Al-Jarrah et al. 2014 IaaS Network Anomaly-based
Felix Gröbert et al. 2011 SaaS Host
Heuristic-based
Signature-based
Nathaniel et al. 2011 SaaS Application Anomaly-based
Malek Ben Salem et al. 2011 IaaS Host, VM Anomaly-based
Cristina Abad et al. 2003 IaaS Network, VM
Signature-based
Anomaly-based

Literature Review
Main Detection methods
Signature-based IDS
Known attacks.•
Easy to implement.•
Frequent updates•
Slow reaction to new Attacks•

Literature Review
Main Detection methods
Anomaly-based IDS
Malicious network behaviour is noticeably different to•
regular behaviour.
Able to detect unknown/new attacks.•
High Alarm Rates.•
Requires a system-training period.•
Greater implementation complexity.•

Literature Review
Summary
Deployment locations• and detection methods.
Partial• Detection On the Cloud.
No Detection Model can protect the• entire Cloud.
Less• distinction of attacks/layer.
Less Focus on the significant attributes.•

Model Design
Proposed Architecture
NIDS
Vypervisor VM-IDS
Internet
Lab Router
Cloud Infrastructure
Guest A Guest B Guest C
Host-IDS
Web-IDS
Host-IDS
Web-IDS
Host-IDS
Web-IDS
Placement of IDSs.•
Layered Security•
design.
Combining detection•
methods.
Event Correlation.•
Model design parameters:

Model Design
Signature IDSs Positions
NIDS
Vypervisor
VM-IDS
Internet
Lab Router
Cloud Infrastructure
First Detection Line
Second Detection Line
Third Detection Line
Guest A
Web-IDS
Guest B
Web-IDS
Guest C
Web-IDS
Hacker Position
ModSecurity
Snort
Ossec
AnomalyDetection
Sguil/ELK
Implementation preferences

Model Design
Different zones of detection
Modsecurity (WIDS)
Snort (NIDS)
OSSEC (HIDS)
OSSEC (VMIDS)
Hacker
DetectionLevelVisualizationLevel
Log Correlation:
-Logstash
Logs Centralized:
-Syslog
Visualization Module:
-Kibana
-SnorBy
-Sguil
Anomaly Detection:
(Train - Test - Prediction)
Recommended for
Rule Adding

Model Design
From Signature zone to Anomaly zone
Knowledge Based
Detection
Anomaly Based
Detection
Administrator
Training Dataset
> Normal
> Attacks
> Attacks
> Normal
> Attacks
> Normal
Recommended to
admin
Test
ModSecurity
MachineLearning
Anomaly Detection

Evaluation
Collected data for evaluation
Real traffic from the network.
Web vulnerability scanner (W3af) implemented by
OWASP.
Simulated attacks on the host.

Evaluation
Quantitative analysis
Number of resources Targeted layers Datasets total size Dataset/Tools Number of sessions
70 Network, Host, Web More than 235 MB Pcap Files and W3af 88
Number of resources Targeted layers Platform/Payloads IDS Total Number of sessions
36 Network
Exploit Kit Snort 53
Angler Exploit Kit
Fiesta Exploit Kit
Neutrino Exploit Kit
Angler Exploit Kit
Magnitude Exploit Kit
Nuclear Exploit Kit
RIG Exploit Kit
Upatre downloader
Malspam
Snort 53

Evaluation
Number of resources Targeted layers Host/Guest IDS Total Number of sessions
10 Host LUbuntu 15 OSSEC 10
Number of resources Targeted layers Platform/Payloads IDS Total Number of sessions
24 Web
Blind_sqli
Buffer_overflow
csrf
dav
eval
file_upload
format_string
frontpage
generic
global_redirect
htaccess_methods
ldapi
lfi
mx_injection
os_commanding
phishing_vector
preg_replace
...
ModSecurity 24

Evaluation
Distribution of attacks per layers
PercentageNumber of attacksTP/FN
91.43%64True Positives
8.57%6False Negatives
% of detection in Signature detection zone

Evaluation
Qualitative analysis
Obfuscation
Fragmentation
Encryption
Denial of Service

Evaluation
In 2014: "IntelCor_8" (Windows)1.
MAC address : 00:1b:21:ca:fe:d72.
IP : 192.168.137.62.3.
"www.earsurgery.org" (216.9.81.189) --> "qwe.mvdunalterableairreport.net"4.
(192.99.198.158) exploit kit EK and malware payload to «IntelCor_8».
Manual Analysis using «Wireshark»
>>

Evaluation

Evaluation
Opening the malicious file using HexEditor
Char XOR with String

Evaluation
ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST (sid:2018442)
ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses (sid:2018316)
ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 (sid:2019224)
ET CURRENT_EVENTS Angler EK Oct 22 2014 (sid:2019488)
ET CURRENT_EVENTS Angler EK Flash Exploit URI Struct (sid:2019513)
ET TROJAN Bedep SSL Cert (sid:2019645)
ModSecurity (WEBIDS)Snort (NETIDS)
NOYES

Evaluation
ModSecurity (WEBIDS)Snort (NETIDS)
YESNO

Evaluation
Passing Traffic
NIDS HIDS WIDS AD
Undetected Attacks (Evasion)
Obfuscation
Fragmentation
Encryption
Denial of Service
Obfuscation
Application Hijacking
File locations and Integrity
x
x
x
x
x
x
x
x
Detected attacks

Evaluation
. . .
[Wed Jun 01 16:14:11.413715 2016] [:error] [pid 1561] [client 127.0.0.1] ModSecurity: Warning. Match of
«within %{tx.allowed_methods}» against «REQUEST_METHOD» required. [file «/usr/share/modsecuri-
ty-crs/activated_rules/modsecurity_crs_30_http_policy.conf»] [line «31»] [id «960032»] [rev «2»] [msg
«Method is not allowed by policy»] [data «GET»] [severity «CRITICAL»] [ver «OWASP_CRS/2.2.9»] [ma-
turity «9»] [accuracy «9»] [tag «OWASP_CRS/POLICY/METHOD_NOT_ALLOWED»] [tag «WASCTC/
WASC-15»] [tag «OWASP_TOP_10/A6»] [tag «OWASP_AppSensor/RE1»] [tag «PCI/12.1»] [host-
name «localhost»] [uri «/DVWA-master/login.php»] [unique_id «V077w38AAQEAAAYZ2K0AAAAA»]
[Wed Jun 01 16:14:11.494197 2016] [:error] [pid 1561] [client 127.0.0.1] ModSecurity: Warning. Match of «within
%{tx.allowed_http_versions}» against «REQUEST_PROTOCOL» required. [file «/usr/share/modsecurity-crs/ac-
tivated_rules/modsecurity_crs_30_http_policy.conf»] [line «78»] [id «960034»] [rev «2»] [msg «HTTP protocol
version is not allowed by policy»] [data «HTTP/1.1»] [severity «CRITICAL»] [ver «OWASP_CRS/2.2.9»] [maturity
«9»] [accuracy «9»] [tag «OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED»] [tag «WASCTC/WASC-21»]
[tag «OWASP_TOP_10/A6»] [tag «PCI/6.5.10»] [hostname «localhost»] [uri «/DVWA-master/login.php»]
...
Showing that obfuscated SQL Injection was detected by Modsecurity

Evaluation
...
** Alert 1464865058.166: mail - ossec,syscheck,
2016 Jun 02 11:57:38 cidslayer-VirtualBox->syscheck
Rule: 550 (level 7) -> ‘Integrity checksum changed.’
Integrity checksum changed for: ‘/etc/alternatives/gnome-text-editor.1.gz’
Size changed from ‘32’ to ‘30’
Old md5sum was: ‘2e8d9e791f0d21b5b32fe15b76b41749’
New md5sum is : ‘f9c516214d25862e629c53a005ad8642’
Old sha1sum was: ‘97b7bfbfbe0465dc8f4c44f1ba375a4766bf6f39’
New sha1sum is : ‘31f025817c004ef13679ceb3ab82259a310d92d3’
...
2016/02/09 14:38:41 ossec-rootcheck: INFO: Started (pid: 1665).
2016/02/09 14:38:41 ossec-syscheckd: INFO: Monitoring directory: ‘/etc’.
2016/02/09 14:38:41 ossec-syscheckd: INFO: Monitoring directory: ‘/usr/bin’.
2016/02/09 14:38:41 ossec-syscheckd: INFO: Monitoring directory: ‘/usr/sbin’.
2016/02/09 14:38:41 ossec-syscheckd: INFO: Monitoring directory: ‘/bin’.
2016/02/09 14:38:41 ossec-syscheckd: INFO: Monitoring directory: ‘/sbin’.
2016/02/09 14:38:42 ossec-logcollector(1950): INFO: Analyzing file: ‘/var/log/auth.log’.
2016/02/09 14:38:42 ossec-logcollector(1950): INFO: Analyzing file: ‘/var/log/syslog’.
2016/02/09 14:38:42 ossec-logcollector(1950): INFO: Analyzing file: ‘/var/log/dpkg.log’.
2016/02/09 14:38:42 ossec-logcollector(1950): INFO: Analyzing file: ‘/var/log/apache2/error.log’.
2016/02/09 14:38:42 ossec-logcollector(1950): INFO: Analyzing file: ‘/var/log/apache2/access.log’.

Evaluation
Difference NIDS HIDS WIDS
Need
to protect and moni-
tor the Network
to protect and
monitor the Host
to protect and moni-
tor the Web
Design Network based Host based Web based
Source
Network Flow and
packets
system log files,
programs and
processes
Web log files and
web protocols

Evaluation
Anomaly Detection Zone
Knowledge Based
Detection
Anomaly Based
Detection
Administrator
Training Dataset
> Normal
> Attacks
> Attacks
> Normal
> Attacks
> Normal
Recommended to
admin
Test
ModSecurity
MachineLearning
Anomaly Detection

Evaluation
Anomaly Detection Steps
Data Collection
Preprocessing
Training
Test

Evaluation
Data Collection & Preprocessing
CSIC Information Security Institute (Spanish Research National
Council)
«CSIC 2010 HTTP Dataset» in CSV format (for Weka Analysis)
(2010) dataset
Normal requests36,000
Anomalous requests25,000
SQL injection, buffer overflow, information gathering, files disclosure, CRLF injec-
tion, XSS, server side include, parameter tampering and so on.

Evaluation
Cleaning Data - Removing Noisy Attributes

Evaluation
Cleaning Data-Step01, Step02 and Step03
Ranked attributes:
Non significant attributesSignificant attributes
0 6 pragma
0 4 protocol
0 5 userAgent
0 7 cacheControl
0 13 connection
0 11 acceptLanguage
0 10 acceptCharset
0 8 accept
0 9 acceptEncoding
Ranked attributes:
0.99649 16 cookie
0.42637 17 payload
0.29471 1 index
0.12669 3 url
0.10206 14 contentLength
0.01273 2 method
0.00892 12 host
0.00492 15 contentType
Set of Significant attributes = {cookie, payload, index, url, contentLength, method, host, contentType}
Set of Noisy attributes = {pragma, protocol, userAgent, cacheControl, connection, acceptLanguage,
acceptCharset, accept, acceptEncoding}
Repeat Step 01 and Step 02
Set of Significant attributes = {payload}

Evaluation
Cleaning Data-Step04 and Step05
GET Replaced by 1
POST Replaced by 2
PUT Replaced by 3
localhost:8080 Replaced by 5
...
payload label
4 anom
... ...
20 norm

Evaluation
Training and Testing
Learning
Configuration%
Classifier Detection%
Model creation
(sec)
Cleaning
Data
70% C4.5 62.0097% 25.8 Seconds Before
70% Naive Bayes 61.9709% 0.12 Seconds Before
70% C4.5 62.1334% 14.56 Seconds After
70% Naive Bayes 50.3377% 0.22 Seconds After

Evaluation
ROC Before and After Cleaning

Evaluation
Administration

Conclusion
Meeting the Objectives
Gap in the Literature Proposed Solution
Partial Detection On the Cloud. Full Detection in the Cloud
Less distinction of attacks/layer. Deploy IDSs specificaly to protect
strategic layers.
Less Focus on the significant at-
tributes.
Cleaning the Dataset by
removing insignificant and less
significant attributes

Prototype Optimization:• Better performance and
accuracy.
Additional Protection:• The use of Honeypots with
more Intelligent techniques for analysis and detec-
tion.
Future Research
Perspectives

A hybrid intrusion detection system for cloud computing environments

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (19)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie A hybrid intrusion detection system for cloud computing environments

Ähnlich wie A hybrid intrusion detection system for cloud computing environments (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

A hybrid intrusion detection system for cloud computing environments