4. A Hybrid intrusion detection system for Cloud Computing Environments
Cloud Security Concerns
Q: Please rate your level of overall security concern related to adopting public cloud computing.
• 91% of organizations have security concerns.
• 4% are not sure.
• 5% are not at all concerned.
Source: Cloud Passage survey report 2016
5. Most Popular Cloud Services
Q: What types of business applications is your organization deploying in the cloud?
• 46% Web Apps.
• 38% Collaboration and Communication Apps.
• 33% Productivity.
• 27% IT Operations.
• 27% Custom Business Applications.
Source: Cloud Passage survey report 2016
6. Research Question
Main question:
How to protect the Cloud using Intrusion Detection Systems (IDS)?
Secondary questions:
How is an IDS best transformed to suit the Cloud?
How may we increase the detection quality?
How is the model best deployed?
7. Aims and Objectives
Objective 1: Review the current literature about security issues related to the Cloud and proposed solutions to fully protect it.
Objective 2: Identify key solutions and design the architecture.
Objective 3: Evaluate experimental results.
9. Background
Cloud Computing
Virtualization
Vulnerabilities and attacks in Cloud Computing
Intrusion Detection Systems
Machine Learning
11. Virtualization: Virtual Machine Monitor (VMM)
1. Isolation.
2. Interposition.
3. Inspection.
12. Virtualization: Approaches of Virtualization
Figure: Full Virtualization. The stack of User Apps, Guest OS, VMM (Virtual Machine Monitor) and Host Hardware is drawn across the protection rings Ring-0 to Ring-3; user requests run by direct execution, while guest OS requests go through binary translation.
14. Intrusion Detection System
• Intrusion Detection System vs Firewall
• What an IDS can and cannot do
• Detection methods
15. Machine Learning
Supervised Learning
Unsupervised Learning
Naive Bayes
Decision Tree
17. Literature Review
Classification of the Literature
How to study the Literature?
18. Literature Review: How to study the literature?
Where to detect? Network / Host / VM / Application
What to detect? Network packets / Processes / VMM / Tasks
How to detect? Signature / Anomaly
19. Literature Review: How to study the literature?
Three perspectives set the scope of the literature review:
Where: layers of the Cloud
What: audit source location
How: detection method
20. Literature Review: Classification of the Literature
Layers of the Cloud: Host, Network, Application, Virtualization
21. Literature Review: Application Layer
Ref | Detection | Metrics
AlQahtani et al. 2014 | SQL injection (SQLMap) | Metric to measure quality: vulnerability detection, average response time
Carmen et al. 2010 | Web traffic (XML + ModSecurity); "XML" gives a better characterization of normal traffic | ?
Felix et al. 2011 | Encryption; heuristics to learn algorithms and keys | ?
22. Literature Review: Host Layer
Ref | Detection | Notes
Firkhman et al. 2011 | Host IDSs | ?
Chirag et al. 2013 | Signatures for known attacks; top-down and bottom-up approaches to place IDSs on hosts, guests or hypervisors | Cloud-specific design, log file correlation, hybrid solution
Saman Taghavi et al. 2011 | Several IDS methods (NIDS, HIDS, ...); unknown attacks | Log file correlation, cloud-specific design, hybrid solution
23. Literature Review: Comparative Summary
Ref | Deployment | Layers of interest | Detection approach
Vikas Mishra et al. 2016 | IaaS | Network | Signature-based
Sivakami Raja et al. 2016 | IaaS | Network | Anomaly-based
Khamkone Sengaphay et al. 2016 | IaaS | Network | Signature-based, Anomaly-based
Zahraa Al-Mousa et al. 2015 | IaaS | Network | Anomaly-based
Partha Ghosh et al. 2015 | IaaS | Network, Host | Anomaly-based
Ming-Yi Liao et al. 2015 | IaaS | Network, VM | Signature-based
Sangeetha et al. 2015 | SaaS | Application | Signature-based
Manthira et al. 2014 | IaaS, SaaS | Network, Host | Signature-based, Anomaly-based
Omar Al-Jarrah et al. 2014 | IaaS | Network | Anomaly-based
Felix Gröbert et al. 2011 | SaaS | Host | Heuristic-based, Signature-based
Nathaniel et al. 2011 | SaaS | Application | Anomaly-based
Malek Ben Salem et al. 2011 | IaaS | Host, VM | Anomaly-based
Cristina Abad et al. 2003 | IaaS | Network, VM | Signature-based, Anomaly-based
24. Literature Review: Main Detection Methods
Signature-based IDS
• Known attacks.
• Easy to implement.
• Frequent updates.
• Slow reaction to new attacks.
25. Literature Review: Main Detection Methods
Anomaly-based IDS
• Malicious network behaviour is noticeably different from regular behaviour.
• Able to detect unknown/new attacks.
• High alarm rates.
• Requires a system-training period.
• Greater implementation complexity.
26. Literature Review: Summary
• Deployment locations and detection methods.
• Partial detection on the Cloud.
• No detection model can protect the entire Cloud.
• Less distinction of attacks per layer.
• Less focus on the significant attributes.
28. Model Design: Proposed Architecture
Figure: Internet -> Lab Router -> NIDS -> Cloud Infrastructure; the hypervisor runs a VM-IDS, and each of Guest A, Guest B and Guest C runs a Host-IDS and a Web-IDS.
Model design parameters:
• Placement of IDSs.
• Layered security design.
• Combining detection methods.
• Event correlation.
29. Model Design: Signature IDSs Positions
Figure: the hacker position is on the Internet side of the Lab Router. First detection line: NIDS in front of the Cloud Infrastructure. Second detection line: VM-IDS on the hypervisor. Third detection line: Web-IDS on Guest A, Guest B and Guest C.
Implementation preferences: ModSecurity, Snort, OSSEC, Anomaly Detection, Sguil/ELK.
30. Model Design: Different Zones of Detection
Detection level (facing the hacker): ModSecurity (WIDS), Snort (NIDS), OSSEC (HIDS), OSSEC (VMIDS).
Visualization level:
Log correlation: Logstash
Logs centralized: Syslog
Visualization module: Kibana, Snorby, Sguil
Anomaly detection (train - test - prediction): recommended for rule adding.
31. Model Design: From Signature Zone to Anomaly Zone
Figure: knowledge-based detection (ModSecurity) feeds a training dataset labelled Normal / Attacks; machine-learning anomaly detection is trained on it and then run against test data; the resulting detections are recommended to the administrator.
33. Evaluation: Collected Data for Evaluation
Real traffic from the network.
Web vulnerability scanner (W3af) implemented by OWASP.
Simulated attacks on the host.
34. Evaluation: Quantitative Analysis
Number of resources | Targeted layers | Datasets total size | Dataset/Tools | Number of sessions
70 | Network, Host, Web | More than 235 MB | Pcap files and W3af | 88

Number of resources | Targeted layers | Platform/Payloads | IDS | Total number of sessions
36 | Network | Exploit kits: Angler, Fiesta, Neutrino, Magnitude, Nuclear, RIG; Upatre downloader; Malspam | Snort | 53
35. Evaluation: Quantitative Analysis
Number of resources | Targeted layers | Host/Guest | IDS | Total number of sessions
10 | Host | LUbuntu 15 | OSSEC | 10

Number of resources | Targeted layers | Platform/Payloads | IDS | Total number of sessions
24 | Web | blind_sqli, buffer_overflow, csrf, dav, eval, file_upload, format_string, frontpage, generic, global_redirect, htaccess_methods, ldapi, lfi, mx_injection, os_commanding, phishing_vector, preg_replace, ... | ModSecurity | 24
36. Evaluation: Quantitative Analysis
Distribution of attacks per layer; percentage of detection in the signature detection zone:
TP/FN | Number of attacks | Percentage
True positives | 64 | 91.43%
False negatives | 6 | 8.57%
37. Evaluation: Qualitative Analysis
Obfuscation
Fragmentation
Encryption
Denial of Service
38. Evaluation: Qualitative Analysis
Manual analysis using Wireshark:
1. In 2014: "IntelCor_8" (Windows).
2. MAC address: 00:1b:21:ca:fe:d7
3. IP: 192.168.137.62
4. "www.earsurgery.org" (216.9.81.189) --> "qwe.mvdunalterableairreport.net" (192.99.198.158): exploit kit (EK) and malware payload delivered to "IntelCor_8".
39. Evaluation: Qualitative Analysis
40. Evaluation: Qualitative Analysis
Opening the malicious file using a hex editor.
Char XOR with string.
41. Evaluation: Qualitative Analysis
Snort alerts raised on the captured traffic:
ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST (sid:2018442)
ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses (sid:2018316)
ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 (sid:2019224)
ET CURRENT_EVENTS Angler EK Oct 22 2014 (sid:2019488)
ET CURRENT_EVENTS Angler EK Flash Exploit URI Struct (sid:2019513)
ET TROJAN Bedep SSL Cert (sid:2019645)
Detected by Snort (NETIDS): YES. Detected by ModSecurity (WEBIDS): NO.
42. Evaluation: Qualitative Analysis
Detected by ModSecurity (WEBIDS): YES. Detected by Snort (NETIDS): NO.
43. Evaluation: Qualitative Analysis
Table (evasion matrix; the per-column marks are not recoverable): passing traffic is split into detected attacks and undetected attacks (evasion) for each of NIDS, HIDS, WIDS and AD. Undetected attack techniques listed: obfuscation, fragmentation, encryption, denial of service, obfuscation, application hijacking, file locations and integrity.
44. Evaluation: Qualitative Analysis
...
[Wed Jun 01 16:14:11.413715 2016] [:error] [pid 1561] [client 127.0.0.1] ModSecurity: Warning. Match of «within %{tx.allowed_methods}» against «REQUEST_METHOD» required. [file «/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf»] [line «31»] [id «960032»] [rev «2»] [msg «Method is not allowed by policy»] [data «GET»] [severity «CRITICAL»] [ver «OWASP_CRS/2.2.9»] [maturity «9»] [accuracy «9»] [tag «OWASP_CRS/POLICY/METHOD_NOT_ALLOWED»] [tag «WASCTC/WASC-15»] [tag «OWASP_TOP_10/A6»] [tag «OWASP_AppSensor/RE1»] [tag «PCI/12.1»] [hostname «localhost»] [uri «/DVWA-master/login.php»] [unique_id «V077w38AAQEAAAYZ2K0AAAAA»]
[Wed Jun 01 16:14:11.494197 2016] [:error] [pid 1561] [client 127.0.0.1] ModSecurity: Warning. Match of «within %{tx.allowed_http_versions}» against «REQUEST_PROTOCOL» required. [file «/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf»] [line «78»] [id «960034»] [rev «2»] [msg «HTTP protocol version is not allowed by policy»] [data «HTTP/1.1»] [severity «CRITICAL»] [ver «OWASP_CRS/2.2.9»] [maturity «9»] [accuracy «9»] [tag «OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED»] [tag «WASCTC/WASC-21»] [tag «OWASP_TOP_10/A6»] [tag «PCI/6.5.10»] [hostname «localhost»] [uri «/DVWA-master/login.php»]
...
Showing that obfuscated SQL injection was detected by ModSecurity.
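Entries like the two ModSecurity lines above only become useful in the model's visualization level once they are parsed and correlated (the Syslog/Logstash stage). The Python below is an added example, not code from the presentation or from ModSecurity itself: it parses the bracketed key/value fields of a ModSecurity 2.x error-log entry and summarizes alerts per rule id, client and severity. The log text inside it is constructed after the two entries on the slide (plus one constructed entry from a second client), and the function names are the example's own.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two ModSecurity 2.x error-log entries on the
# slide (OWASP CRS 2.2.9 policy rules firing on a DVWA login page), plus one extra entry
# from a second client. None of these is a real capture.
SAMPLE_LOG = r'''
[Wed Jun 01 16:14:11.413715 2016] [:error] [pid 1561] [client 127.0.0.1] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "localhost"] [uri "/DVWA-master/login.php"] [unique_id "V077w38AAQEAAAYZ2K0AAAAA"]
[Wed Jun 01 16:14:11.494197 2016] [:error] [pid 1561] [client 127.0.0.1] ModSecurity: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "78"] [id "960034"] [rev "2"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"] [hostname "localhost"] [uri "/DVWA-master/login.php"]
[Wed Jun 01 16:15:02.000001 2016] [:error] [pid 1561] [client 10.0.0.5] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [hostname "localhost"] [uri "/DVWA-master/login.php"] [unique_id "CONSTRUCTED-ID-0001"]
'''

# Fixed prefix of an entry: timestamp, level, pid, client address and the action word(s).
HEADER_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[:error\] \[pid (?P<pid>\d+)\] '
    r'\[client (?P<client>[^\]]+)\] ModSecurity: (?P<action>[^.]+)\.'
)
# Every further detail is a bracketed, quoted key/value pair such as [id "960032"];
# "tag" may repeat, so it is collected into a list instead of overwriting itself.
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<value>[^"]*)"\]')


def parse_modsec_line(line):
    """Return a dict of the entry's fields, or None if the line is not a ModSecurity alert."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["tags"] = []
    for f in FIELD_RE.finditer(line):
        if f.group("key") == "tag":
            rec["tags"].append(f.group("value"))
        else:
            rec[f.group("key")] = f.group("value")
    return rec


def summarize(log_text):
    """Aggregate parsed alerts: total, count per rule id, count per client, critical count."""
    records = [r for r in map(parse_modsec_line, log_text.splitlines()) if r]
    return {
        "total": len(records),
        "by_rule": dict(Counter(r.get("id", "?") for r in records)),
        "by_client": dict(Counter(r["client"] for r in records)),
        "critical": sum(1 for r in records if r.get("severity") == "CRITICAL"),
        "rule_messages": {r["id"]: r["msg"] for r in records if "id" in r and "msg" in r},
    }


if __name__ == "__main__":
    for rec in filter(None, map(parse_modsec_line, SAMPLE_LOG.splitlines())):
        print(rec["client"], rec["id"], rec["severity"], rec["uri"], rec["msg"])
    print(summarize(SAMPLE_LOG))
```

The same two regular expressions apply to any ModSecurity 2.x error-log line; the per-rule and per-client counts are what a Logstash filter would forward to Kibana in the model's visualization level.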
46. Evaluation: Qualitative Analysis
Difference | NIDS | HIDS | WIDS
Need | to protect and monitor the network | to protect and monitor the host | to protect and monitor the web
Design | Network based | Host based | Web based
Source | Network flows and packets | System log files, programs and processes | Web log files and web protocols
47. Evaluation: Anomaly Detection Zone
Figure (same diagram as slide 31): knowledge-based detection (ModSecurity) feeds a training dataset labelled Normal / Attacks; machine-learning anomaly detection is trained on it and then run against test data; the resulting detections are recommended to the administrator.
48. Evaluation: Anomaly Detection Steps
Data Collection
Preprocessing
Training
Test
49. Evaluation: Data Collection & Preprocessing
CSIC Information Security Institute (Spanish National Research Council), "CSIC 2010 HTTP Dataset" (2010), in CSV format for Weka analysis.
Normal requests: 36,000
Anomalous requests: 25,000
Attack types: SQL injection, buffer overflow, information gathering, files disclosure, CRLF injection, XSS, server side include, parameter tampering and so on.
50. Evaluation: Cleaning Data - Removing Noisy Attributes
51. Evaluation: Cleaning Data - Step 01, Step 02 and Step 03
Ranked attributes (non-significant attributes):
0 6 pragma
0 4 protocol
0 5 userAgent
0 7 cacheControl
0 13 connection
0 11 acceptLanguage
0 10 acceptCharset
0 8 accept
0 9 acceptEncoding
Ranked attributes (significant attributes):
0.99649 16 cookie
0.42637 17 payload
0.29471 1 index
0.12669 3 url
0.10206 14 contentLength
0.01273 2 method
0.00892 12 host
0.00492 15 contentType
Set of significant attributes = {cookie, payload, index, url, contentLength, method, host, contentType}
Set of noisy attributes = {pragma, protocol, userAgent, cacheControl, connection, acceptLanguage, acceptCharset, accept, acceptEncoding}
Repeat Step 01 and Step 02:
Set of significant attributes = {payload}
52. Evaluation: Cleaning Data - Step 04 and Step 05
Nominal values replaced by numeric codes:
GET replaced by 1
POST replaced by 2
PUT replaced by 3
localhost:8080 replaced by 5
...
Resulting dataset:
payload | label
4 | anom
... | ...
20 | norm
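The cleaning steps on slides 51 and 52 rank attributes against the class label, drop the ones that score zero, and then turn the surviving nominal values into integer codes. The Python below is an added example that reimplements that idea from scratch; it is not the presentation's Weka workflow and uses no CSIC rows. It scores each attribute of a constructed eight-row dataset by information gain against the label, splits the attributes into significant (positive gain) and noisy (zero gain), and encodes the remaining nominal values as integers in order of first appearance, which reproduces the GET = 1, POST = 2, PUT = 3 mapping of step 04. The column names mirror the CSIC ones; the rows and the function names are the example's own.

```python
import math
from collections import Counter, defaultdict

# Constructed toy dataset in the shape of the CSIC CSV used on the slides: a few HTTP-request
# attributes plus the class label (norm / anom). These are invented rows, not CSIC data.
ATTRIBUTES = ["method", "protocol", "userAgent", "host", "payload", "label"]
ROWS = [
    ("GET",  "HTTP/1.1", "Mozilla/5.0", "localhost:8080", "id=42",                   "norm"),
    ("GET",  "HTTP/1.1", "Mozilla/5.0", "localhost:8080", "id=7",                    "norm"),
    ("POST", "HTTP/1.1", "Mozilla/5.0", "localhost:8080", "user=bob&pwd=secret",     "norm"),
    ("POST", "HTTP/1.1", "Mozilla/5.0", "localhost:8080", "user=alice&pwd=pw1",      "norm"),
    ("GET",  "HTTP/1.1", "Mozilla/5.0", "localhost:8080", "id=1' OR '1'='1",         "anom"),
    ("POST", "HTTP/1.1", "Mozilla/5.0", "localhost:8080", "user=<script>x</script>", "anom"),
    ("GET",  "HTTP/1.1", "Mozilla/5.0", "localhost:8080", "file=../../etc/passwd",   "anom"),
    ("PUT",  "HTTP/1.1", "Mozilla/5.0", "localhost:8080", "A" * 24,                  "anom"),
]


def entropy(labels):
    """Shannon entropy (bits) of a list of class labels."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def info_gain(rows, attr_index, label_index):
    """Entropy of the label minus the label entropy remaining after splitting on the attribute."""
    total = entropy([r[label_index] for r in rows])
    groups = defaultdict(list)
    for r in rows:
        groups[r[attr_index]].append(r[label_index])
    remainder = sum(len(g) / len(rows) * entropy(g) for g in groups.values())
    return total - remainder


def rank_attributes(rows, attributes, label="label"):
    """Steps 01/02: score every non-label attribute and return (name, gain) pairs, best first."""
    li = attributes.index(label)
    scores = {a: info_gain(rows, i, li) for i, a in enumerate(attributes) if a != label}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def split_attributes(ranking, threshold=1e-9):
    """Step 03: attributes with positive gain are significant, the rest are noise to remove."""
    significant = [a for a, s in ranking if s > threshold]
    noisy = [a for a, s in ranking if s <= threshold]
    return significant, noisy


def encode_nominal(rows, attributes, keep, label="label"):
    """Steps 04/05: keep only the significant attributes and map each nominal value to an
    integer code (1 for the first value seen, 2 for the next, ...), keeping the label as-is."""
    codebooks = {a: {} for a in keep}
    encoded = []
    for r in rows:
        out = []
        for a in keep:
            value = r[attributes.index(a)]
            codebooks[a].setdefault(value, len(codebooks[a]) + 1)
            out.append(codebooks[a][value])
        out.append(r[attributes.index(label)])
        encoded.append(tuple(out))
    return encoded, codebooks


if __name__ == "__main__":
    ranking = rank_attributes(ROWS, ATTRIBUTES)
    for name, gain in ranking:
        print(f"{gain:.5f} {name}")
    significant, noisy = split_attributes(ranking)
    print("significant:", significant, "noisy:", noisy)
    encoded, codebooks = encode_nominal(ROWS, ATTRIBUTES, significant)
    print(codebooks["method"])
    for row in encoded:
        print(row)
```

On this toy data the constant headers (protocol, userAgent, host) score exactly zero, which is the same effect the slide shows for pragma, accept and the other request headers, while payload scores highest because every row carries a distinct value.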
53. Evaluation: Training and Testing
Learning configuration % | Classifier | Detection % | Model creation (sec) | Cleaning data
70% | C4.5 | 62.0097% | 25.8 seconds | Before
70% | Naive Bayes | 61.9709% | 0.12 seconds | Before
70% | C4.5 | 62.1334% | 14.56 seconds | After
70% | Naive Bayes | 50.3377% | 0.22 seconds | After
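The table above trains C4.5 and Naive Bayes on a 70% split and reports a detection percentage. To make the train / test / prediction cycle concrete, the following Python is an added example, not the presentation's Weka experiment and not CSIC data: a multinomial Naive Bayes classifier written from scratch over tokenized HTTP payloads, trained on 70% of a constructed labelled dataset and scored on the remaining 30% with TP/FN/FP/TN counts and a detection percentage in the same sense as the table. The payload templates, the dataset they generate, and the function names are the example's own.

```python
import math
import re
from collections import Counter

# Constructed payload templates (not CSIC rows). Normal requests are key=value pairs;
# anomalous ones carry injection-style fragments of the attack classes the dataset covers.
KEYS = ["id", "user", "page", "q", "item", "lang"]
VALUES = ["42", "bob", "home", "shoes", "3", "en", "alice", "news"]
ATTACKS = [
    "1' OR '1'='1",                 # SQL injection
    "<script>alert(1)</script>",    # XSS
    "../../../etc/passwd",          # file disclosure
    "1; DROP TABLE users--",        # SQL injection
    "A" * 32 + "%00%00",            # buffer-overflow style filler plus null bytes
    "%0d%0aSet-Cookie:x=1",         # CRLF injection
]

# Tokens are runs of alphanumerics or runs of punctuation; whitespace is dropped.
TOKEN_RE = re.compile(r"[A-Za-z0-9]+|[^A-Za-z0-9\s]+")


def tokenize(payload):
    return TOKEN_RE.findall(payload)


def build_dataset(per_class=60):
    """Deterministic labelled dataset: per_class normal and per_class anomalous payloads."""
    rows = []
    for i in range(per_class):
        rows.append((f"{KEYS[i % 6]}={VALUES[i % 8]}", "norm"))
    for i in range(per_class):
        rows.append((f"{KEYS[i % 6]}={ATTACKS[i % 6]}", "anom"))
    return rows


def stratified_split(rows, train_fraction=0.7):
    """Take the first 70% of each class for training and the rest for testing."""
    train, test = [], []
    for label in ("norm", "anom"):
        subset = [r for r in rows if r[1] == label]
        cut = int(len(subset) * train_fraction)
        train += subset[:cut]
        test += subset[cut:]
    return train, test


class NaiveBayes:
    """Multinomial Naive Bayes with Laplace (add-one) smoothing over payload tokens."""

    def __init__(self):
        self.class_counts = Counter()   # rows per class
        self.token_counts = {}          # class -> Counter of tokens
        self.total_tokens = Counter()   # tokens per class
        self.vocab = set()

    def fit(self, rows):
        for payload, label in rows:
            self.class_counts[label] += 1
            counts = self.token_counts.setdefault(label, Counter())
            for tok in tokenize(payload):
                counts[tok] += 1
                self.total_tokens[label] += 1
                self.vocab.add(tok)
        return self

    def predict(self, payload):
        n = sum(self.class_counts.values())
        v = len(self.vocab)
        best, best_score = None, -math.inf
        for label, c in self.class_counts.items():
            score = math.log(c / n)  # log prior
            for tok in tokenize(payload):
                score += math.log((self.token_counts[label][tok] + 1) / (self.total_tokens[label] + v))
            if score > best_score:
                best, best_score = label, score
        return best


def evaluate(model, test_rows):
    """Confusion counts with 'anom' as the positive class, plus overall detection percentage."""
    tp = fn = fp = tn = 0
    for payload, label in test_rows:
        pred = model.predict(payload)
        if label == "anom":
            tp, fn = (tp + 1, fn) if pred == "anom" else (tp, fn + 1)
        else:
            fp, tn = (fp + 1, tn) if pred == "anom" else (fp, tn + 1)
    total = tp + fn + fp + tn
    return {"tp": tp, "fn": fn, "fp": fp, "tn": tn, "detection_pct": 100.0 * (tp + tn) / total}


def run():
    train, test = stratified_split(build_dataset())
    return evaluate(NaiveBayes().fit(train), test)


if __name__ == "__main__":
    print(run())
```

Because the constructed data is separable, the held-out score is far higher than the 50-62% in the table; the point is the mechanics (tokenize, fit, predict, count TP/FN) and the fact that a Naive Bayes model is built in milliseconds, which matches the model-creation times reported for it.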
54. Evaluation: ROC Before and After Cleaning
55. Evaluation: Administration
56. Evaluation: Administration
57. Conclusion: Meeting the Objectives
Gap in the literature | Proposed solution
Partial detection on the Cloud. | Full detection in the Cloud.
Less distinction of attacks per layer. | Deploy IDSs specifically to protect strategic layers.
Less focus on the significant attributes. | Cleaning the dataset by removing insignificant and less significant attributes.
58. Future Research Perspectives
• Prototype optimization: better performance and accuracy.
• Additional protection: the use of honeypots with more intelligent techniques for analysis and detection.