Secure Network Intrusion Detection and Countermeasure Selection in Virtual Network Systems

Transcription

1 Secure Network Intrusion Detection and Countermeasure Selection in Virtual Network Systems Prerana S. Mohod 1 and Prof. Pushpanjali M. Chouragade 2 1 Prerana S. Mohod, Department of CSE, Government College of Engineering, Amravati, India, preranamohod@gmail.com 2 Prof. Pushpanjali M. Chouragade, Department of CSE, Government College of Engineering, Amravati, India, pushpanjalic3@gmail.com ABSTRACT With the recent rise of cloud computing, virtualization has become an increasingly important technology. Virtual machines (VM) are rapidly replacing physical machine infrastructures for their abilities to emulate hardware environments and share resources. Virtual machines are vulnerable to theft and denial of service attacks. Cloud users can install vulnerable software on their VMs, which essentially leads to violation in cloud security. Attackers can explore vulnerabilities of a cloud system and compromise virtual machines to deploy further large-scale Distributed Denial-of-Service (DDoS). This paper proposes survey on a framework to detect and mitigate attacks in the cloud environment. Host-based IDS solutions are incorporated in Network Intrusion Detection and Countermeasure Selection in virtual Network Systems (NICE) framework to cover the whole spectrum of IDS in the cloud system. The proposed solution improves the detection accuracy. Keywords: Network Intrusion Detection, Virtual Machines, Attack Graph, DDOS, Cloud Computing. 1. INTRODUCTION Recent studies have shown that users migrating to the cloud consider security as the most important factor. A recent Cloud Security Alliance (CSA) survey shows that among all security issues, abuse and nefarious use of cloud computing is considered as the top security threat, in which attackers can exploit vulnerabilities in clouds and utilize cloud system resources to deploy attacks. Furthermore, cloud users can install vulnerable software on their VMs, which essentially contributes to loopholes in cloud security. The challenge is to establish an effective vulnerability/attack detection and response system for accurately identifying attacks and minimizing the impact of security breach to cloud users. In this paper, we study on Secure Intrusion Detection and Attack measure exquisite in Virtual Systems to establish a defense-in-depth intrusion detection framework. For better attack detection, NICE incorporates attack graph analytical procedures into the intrusion detection processes. We must note that the design of NICE does not intend to improve any of the existing intrusion detection algorithms; indeed, NICE employs a reconfigurable virtual networking approach to detect and counter the attempts to compromise VMs, thus preventing zombie VMs. In a cloud system where the infrastructure is shared by potentially millions of users, abuse and nefarious use of the shared infrastructure benefits attackers to exploit vulnerabilities of the cloud and use its resource to deploy attacks in more efficient ways. Such attacks are more effective in the cloud environment since cloud users usually share computing resources, e.g., being connected through the same switch, sharing with the same data storage and file systems, even with potential attackers. The similar setup for VMs in the cloud, e.g., virtualization techniques, VM OS, installed vulnerable software, networking, etc., attracts attackers to compromise multiple VMs. Network-based IDS can be a dedicated hardware appliance, or an application running on a computer attached to the network. It monitors traffic in a network or coming through an entry-point such as an Internet connection. It can monitor traffic only in its local network segment, unless it employs sensors. In switched and routed VOLUME-2, SPECIAL ISSUE-1, MARCH-2015 COPYRIGHT 2015 IJREST, ALL RIGHT RESERVED 451

2 networks, a sensor is required in each segment in which network traffic is to be monitored. When a sensor detects intrusion, it will report it to a central management console. Host-based IDS is usually a software application installed on a system and monitors activity only on that local system. It communicates directly with the operating system and has no knowledge of low-level network traffic. Most host-based intrusion detection systems rely on information from audit and system log files to detect intrusions. They can also monitor system files and system resources, and incoming application data. 2. LITERATURE SURVEY Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan, Peng Chen, Fernando Sanchez, Florida State University; Yingfei Dong, University of Hawaii; Mary Stephenson, James Barker, Florida State University Compromised machines are one of the key security threats on the Internet; they are often used to launch various security attacks such as spamming and spreading malware, DDoS, and identity theft. Given that spamming provides a key economic incentive for attackers to recruit the large number of compromised machines, we focus on the detection of the compromised machines in a network that are involved in the spamming activities, commonly known as spam zombies. We develop an effective spam zombie detection system named SPOT by monitoring outgoing messages of a network. SPOT is designed based on a powerful statistical tool called Sequential Probability Ratio Test, which has bounded false positive and false negative error rates. Their evaluation studies based on a two-month trace collected in a large U.S. campus network show that SPOT is an effective and efficient system in automatically detecting compromised machines in a network. For example, among the 440 internal IP addresses observed in the trace, SPOT identifies 132 of them as being associated with compromised machines. Out of the 132 IP addresses identified by SPOT, 126 can be either independently confirmed (110) or highly likely (16) to be compromised. Moreover, only 7 internal IP addresses associated with compromised machines in the trace are missed by SPOT. In addition, we also compare the performance of SPOT with two other spam zombie detection algorithms based on the number and percentage of spam messages originated or forwarded by internal machines, respectively, and show that SPOT outperforms these two detection algorithms. MulVAL: A Logic-based Network Security Analyzer Xinming Ou Sudhakar Govinda vajhala Andrew W. Appel, Princeton University to determine the security impact software vulnerabilities have on a particular network, one must consider interactions among multiple network elements. For a vulnerability analysis tool to be useful in practice, two features are crucial. First, the model used in the analysis must be able to automatically integrate formal vulnerability specifications from the bug-reporting community. Second, the analysis must be able to scale to networks with thousands of machines. We show how to achieve these two goals by presenting MulVAL, an endto-end framework and reasoning system that conducts multihost, multistage vulnerability analysis on a network. MulVAL adopts Datalog as the modeling language for the elements in the analysis (bug specification, configuration description, reasoning rules, operating-system permission and privilege model, etc.). We easily leverage existing vulnerability-database and scanning tools by expressing their output in Datalog and feeding it to their MulVAL reasoning engine. Once the information is collected, the analysis can be performed in seconds for networks with thousands of machines. 3. METHODOLOGY In methodology we studied the existing system and their advantages are as follows: 3.1 Existing System Network intrusion detection and countermeasure selection in virtual network systems (NICE) establishes a defense-in-depth intrusion detection framework. It incorporates attack graph analytical procedures into the intrusion detection processes for better attack detection. Disadvantages: Protecting Business continuity and services availability from VOLUME-2, SPECIAL ISSUE-1, MARCH-2015 COPYRIGHT 2015 IJREST, ALL RIGHT RESERVED 452

3 service outages is one of the top concerns in cloud computing systems. Structure is shared by potentially millions of users, abuse and nefarious use of the shared infrastructure benefits attackers to exploit vulnerabilities of the cloud and use its resource to deploy attacks in more efficient ways Intrusion Detection System IDS and firewall are widely used to monitor and detect suspicious events in the network. Disadvantages of this system are the false alarms and the large volume of raw alerts from IDS are two major problems for any IDS implementations. Many attack graph based alert correlation techniques have been proposed recently. L. Wang et al. devised an in-memory structure, called queue graph (QG), to trace alerts matching each exploit in the attack graph. The implicit correlations in this design make it difficult to use the correlated alerts in the graph for analysis of similar attack scenarios. Roschke et al. proposed a modified attack-graph-based correlation algorithm to create explicit correlations only by matching alerts to specific exploitation nodes in the attack graph with multiple mapping functions, and devised an alert dependencies graph (DG) to group related alerts with multiple correlation criteria Attack Countermeasure Tree Roy et al. proposed an attack countermeasure tree (ACT) to consider attacks and countermeasures together in an attack tree structure. They devised several objective functions based on greedy and branch and bound techniques to minimize the number of countermeasure, reduce investment cost, and maximize the benefit from implementing a certain countermeasure set. In their design, each countermeasure optimization problem could be solved with and without probability assignments to the model. Disadvantages is that their solution focuses on a static attack scenario and predefined countermeasure for each attack. N. Poolsappasit et al. proposed a Bayesian attack graph (BAG) to address dynamic security risk management problem and applied a genetic algorithm to solve countermeasure optimization problem. 4. ANALYSIS OF THE STUDY 1. NICE (Network Intrusion detection and Countermeasure selection in virtual network systems) is proposed to establish a defense-in-depth intrusion detection framework. 2. For better attack detection, NICE incorporates attack graph analytical procedures into the intrusion detection processes. 3. The design of NICE does not intend to improve any of the existing intrusion detection algorithms; indeed, NICE employs a reconfigurable virtual network. 4. Deploy a lightweight mirroring-based network intrusion detection agent (NICE-A) on each cloud server to capture and analyze cloud traffic. A NICE-A periodically scans the virtual system vulnerabilities within a cloud server to establish Scenario Attack Graph (SAGs), and then based on the severity of identified vulnerability towards the collaborative attack goals, NICE will decide whether or not to put a VM in network inspection state. 5. Once a VM enters inspection state, Deep Packet Inspection (DPI) is applied, and/or virtual network reconfigurations can be deployed to the inspecting VM to make the potential attack behaviors prominent. 6. By using software switching techniques, NICE constructs a mirroring-based traffic capturing framework to minimize the interference on users traffic compared to traditional bump-in-the-wire (i.e., proxy-based) IDS/IPS. 7. NICE enables the cloud to establish inspection and quarantine modes for suspicious VMs according to their current vulnerability state in the current SAG. 8. Based on the collective behavior of VMs in the SAG, NICE can decide appropriate actions, for example DPI or traffic filtering, on the suspicious VMs. Using this approach, NICE does not need to block traffic flows of a suspicious VM in its early attack stage. 4.1 Advantages of NICE System 9. The contributions of NICE are presented as follows: 10. We devise NICE, a new multi-phase distributed network intrusion detection and prevention framework in a virtual networking environment that captures and inspects suspicious cloud traffic without interrupting users applications and cloud services. 11. NICE incorporates a software switching solution to VOLUME-2, SPECIAL ISSUE-1, MARCH-2015 COPYRIGHT 2015 IJREST, ALL RIGHT RESERVED 453

4 quarantine and inspect suspicious VMs for further investigation and protection. Through programmable network approaches, NICE can improve the attack detection probability and improve the resiliency to VM exploitation attack without interrupting existing normal cloud services. 12. NICE employs a novel attack graph approach for attack detection and prevention by correlating attack behavior and also suggests effective countermeasures. 13. NICE optimizes the implementation on cloud servers to minimize resource consumption. Their study shows that NICE consumes less computational overhead compared to proxy-based network intrusion detection solutions. 5. SYSTEM ARCHITECTURE 5.1 Modules The modules in these NICE system are cloud clusters, attacker module, intrusion detection, attack countermeasure, attack graph. They are described as follows. Figure 1: System Architecture weighted on each physical cloud server, a network controller, a VM profiling server, and an attack analyzer. The latter three components are located in a centralized control center connected to software switches on each cloud server (i.e., virtual switches built on one or multiple software bridges). NICEA is a software agent implemented in each cloud server connected to the control center through a dedicated and isolated secure channel, which is separated from the normal data packets. The network controller is responsible for deploying attack countermeasures based on decision made by the attack analyzer Attacker module Attacker module is designed to produce DDOS attack on cloud server. The user who is giving more requests to cloud server is considered to be attacker. Intrusion detection alerts are sent to control center when suspicious or anomalous traffic is detected Intrusion detection When there is a considerable anomalous traffic is there, then there is an intrusion can be detected. When the traffic exceeds the threshold level, there is considered to be the intrusion in the network Attack graph After receiving an alert, attack analyzer evaluates the severity of the alert based on the attack graph, decides what Cloud clusters Consider a cloud cluster, which consists of two cloud server. It shows the NICE framework within one cloud server cluster. Major components in this framework are distributed and light- countermeasure strategies to take, and then initiates it through the network controller. An attack graph is established according to the vulnerability information derived from both offline and real time vulnerability scans Attack counter measure VOLUME-2, SPECIAL ISSUE-1, MARCH-2015 COPYRIGHT 2015 IJREST, ALL RIGHT RESERVED 454

5 As there are number of counter measure can be taken depending on the attack severity, we here established the anomalous traffic to cloud server and attack the cloud server. When the cloud server is attacked, the client request on the queue will be dropped. To avoid this, the clients requests to be redirected to another existing cloud server. The client request will be processed by second virtual machine. 5.2 Nice System Design In this section, we first present the system design overview of NICE and then detailed descriptions of its components System Design Overview The proposed NICE framework is illustrated in Figure 2.It shows the NICE framework within one cloud server cluster. Major components in this framework are distributed centralized control center connected to software switches on each cloud server (i.e., virtual switches built on one or multiple Linux software bridges) System Components In this section we explain each component of NICE. NICE-A The NICE-A is a Network-based Intrusion Detection System (NIDS) agent installed in either dom0 or domu in each cloud server. It scans the traffic going through Linux bridges that Figure 2: NICE Architecture within One Cloud Server Cluster control all the traffic among VMs and in/out from the physical cloud servers. NICEA is a software agent implemented in each cloud server connected to the control center through a dedicated and isolated secure channel, which is separated from the normal data packets using OpenFlow tunneling or VLAN approaches. The network controller is responsible for deploying attack countermeasures based on decisions made by the attack analyzer. VM Profiling Virtual machines in the cloud can be profiled to get precise information about their state, services running, open ports, etc. VM profiles are maintained in a database and contain comprehensive information about vulnerabilities, alert and traffic. The data comes from: Attack graph generator: while generating the attack graph, every detected vulnerability is added to its corresponding VM entry in the database. NICE-A: the alert involving the VM will be recorded in the VM profile database. Network controller: the traffic patterns involving the VM are based on 5 tuples (source MAC address, destination MAC address, source IP address, destination IP address, protocol). We can have traffic pattern where packets emanate from a single IP and are delivered to multiple destination IP addresses, and vice-versa. Attack Analyzer The major functions of NICE system are performed by attack analyzer, which includes procedures such as attack graph construction and update, alert correlation and countermeasure selection.the process of constructing and utilizing the Scenario Attack Graph (SAG) consists of three phases: information gathering, attack graph construction, and potential exploit path analysis. With this information, attack paths can be modeled using SAG. In summary, NICE attack graph is constructed based on the following information: Cloud system information is collected from the node controller and VM s Virtual Interface (VIF) information. Virtual network topology and configuration information is collected from the network controller, every VM s IP address, MAC address, port information, and traffic flow information. Vulnerability information is generated by both on demand vulnerability scanning. Network Controller The network controller is a key component to support the programmable networking capability to realize the virtual network reconfiguration feature based on Open-Flow protocol [5]. In NICE, within each cloud server there is a software switch, for example, Open vswitch (OVS) [5], which is used as the edge switch for VMs to handle traffic in & out from VMs. The network controller is responsible for collecting network information of current OpenFlow network and provides input to the attack analyzer to construct attack graphs. VOLUME-2, SPECIAL ISSUE-1, MARCH-2015 COPYRIGHT 2015 IJREST, ALL RIGHT RESERVED 455

6 6. CONCLUSION NICE, which is proposed to detect and mitigate collaborative attacks in the cloud virtual networking environment. NICE utilizes the attack graph model to conduct attack detection and prediction. The proposed solution investigates how to use the programmability of software switches based solutions to improve the detection accuracy and defeat victim exploitation phases of collaborative attacks. The system performance evaluation demonstrates the feasibility of NICE and shows that the proposed solution can significantly reduce the risk of the cloud system from being exploited and abused by internal and external attackers. REFERENCES [1] Chun-Jen Chung, Pankaj Khatkar, Tianyi Xing, Jeongkeun Lee, and Dijiang Huang, Network Intrusion Detection and Countermeasure Selection in Virtual Network Systems, IEEE Trans. Dependable and Secure Computing, vol. 10, no. 4, July/August [2] Cloud Security Alliance, Top threats to cloud computingv1.0, topthreats/ csathreats.v1.0.pdf, March [3] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, A view of cloud computing, ACM Commun., vol. 53, no. 4, pp , Apr [4] B. Joshi, A. Vijayan, and B. Joshi, Securing cloud computing environment against DDoS attacks, IEEE Int l Conf. Computer Communication and Informatics (ICCCI 12), Jan [5] O. Sheyner, J. Haines, S. Jha, R. Lippmann and J. M. Wing, Automated generation and analysis of attack graphs, Proc. IEEE Symp. On Security and Privacy, 2002, pp [6] X. Ou, S. Govindavajhala, and A. W. Appel, MulVAL: a logic-based network security analyzer, Proc. of 14th USENIX Security Symp., pp [7] R. Sadoddin and A. Ghorbani, Alert correlation survey: framework and techniques, Proc. ACM Int l Conf. on Privacy, Security and Trust: Bridge the Gap between PST Technologies and Business Services (PST 06), pp.1-10, [8] S. Roschke, F. Cheng, and C. Meinel, A new alert correlation algorithm based on attack graph, Computational Intelligence in Security for Information Systems, LNCS, vol. 6694, pp Springer, [9] A. Roy, D. S. Kim, and K. Trivedi, Scalable optimal countermeasure selection using implicit enumeration on attack countermeasure trees, Proc. IEEE Int l Conf. on Dependable Systems Networks (DSN 12), Jun Author Biography Prerana S.Mohod has received her the B.Tech. degree in Information Technology from Shri Guru Gobind Singhji Institute Of Engineering and Technology, Nanded, India in 2014 and persuing her M.Tech. in Computer Science and Engineering from Government College of Engineering, Amravati, India,since 2014.Her research interest includes Network Security, Data Mining, Web Mining, Image Processing. Pushpanjali M. Chouragade has received her Diploma in Computer Science and Engineering from Government Polytechnic, Amravati, India, in 2007, the B.Tech. degree in Computer Science and Engineering from Government College of Engineering, Amravati, India in 2010 and her M.Tech. in Computer Science and Engineering from Government College of Engineering, Amravati, India, in She was a Lecturer with Department of Computer Science & Engineering, in Government College of Engineering, Amravati, in Her research interest includes Data Mining, Web Mining, Image Processing. At present, she is an Assistant professor with department of Computer Science and Engineering at Government College of Engineering, Amravati, India, since VOLUME-2, SPECIAL ISSUE-1, MARCH-2015 COPYRIGHT 2015 IJREST, ALL RIGHT RESERVED 456