Enhanced Host based Intrusion Detection Model to prevent Compromised vulnerable virtual machines

Transcription

1 Enhanced Host based Intrusion Detection Model to prevent Compromised vulnerable virtual machines Abstract Host-based infringement recognition solutions are desirable to be included and to swathe the whole spectrum of IDS in the cloud system. This should be investigated in the future work. Additionally, as indicated in the paper, we will investigate the scalability of the proposed NICE solution by investigating the decentralized network control and attack analysis model based on current study. Detecting intrusions in networks has become one of the most critical tasks to prevent their misuse by attackers. The rapid increase in network traffic and attacks made the Intrusion Detection Systems to fail in terms of accuracy and efficiency in many situations. We describe the problem of intrusion detection in detail and analyze various well known methods for intrusion detection with respect to two critical requirements viz. our proposed architecture and DARPA Dataset. Present networks and enterprises follow a layered defense approach to ensure security at different access levels by using a variety of tools such as network surveillance, perimeter access control, firewalls, network, host and application intrusion detection systems, data encryption and others. Given this traditional layered defense approach, only a single system is employed at every layer which is expected to detect attacks at that particular location. In this project an efficient way of finding intrusions has been proposed. The main goal of this approach in Intrusion Detection System is to achieve high accuracy and efficiency. Another advantage of our proposed system is that the alerts are sent to the mobiles also. So the network administrator can have easy usage of maintaining the network security. The proposed Intrusion Detection System can be used to build a network Intrusion Detection System which can detect a wide variety of attacks reliably and efficiently when compared to the traditional network intrusion detection systems.. services to wireless device clients. Therefore, uniqueness of the wireless devices-based attacks will have a severe impact to the ordinary procedure of wireless ad hoc networks. Spoofing attacks can extra make possible a variety of information interchange injection attacks such attacks on access control lists, rogue AP attacks, and eventually DoS and also led to the entire networks collapse. Overall system throughput is maximized by allocating at any time the common channel resource to the user that can best exploit it. Similar results can be obtained for the downlink from the base station to the network users. Keywords Denial of service in the wireless networks, security analysis, routing protocol, wireless ad hoc networks, wireless sensor networks, wireless networks, fault node discovery, networks force, entire networks life. I. INTRODUCTION Wireless ad hoc networks are further level risen up to the intermediate attacks or mockery of information from nodes. In uniqueness of the wireless device-based attacks, an assailant can counterfeit its characteristics to pretense as another wireless device or even generate several illegal identities in the wireless ad hoc networks by cloaked as an approved wireless Access point (AP) or an authorized patron. An assailant can initiate the denial-of-service (DoS) based attacks, evade access organize mechanisms, or fakely publicize Fig-1 Architecture of Intrusion Detection in WSN NICE, a new multi-phase distributed network intrusion detection and prevention framework in a virtual networking environment that captures and inspects suspicious cloud traffic without interrupting users applications and cloud detection and prevention by correlating attack behaviour and also suggests effective countermeasures. NICE optimizes the implementation on cloud servers to minimize resource 15

2 consumption. In order to provide the security assessment and alert correlation features, we modified and extended multiple value attack graph structure. In this paper, we are going to discuss about the actions of the attacks in the wireless ad hoc networks. We presented NICE, which is proposed to detect and mitigate collaborative attacks in the cloud virtual networking environment. NICE utilizes the attack graph model to conduct attack detection and prediction. The proposed solution investigates how to use the programmability of software switches based solutions to improve the detection accuracy and defeat victim exploitation phases of collaborative attacks. NICE only investigates the network IDS approach to counter zombie explorative attacks. system calls for initiating an attack. Our study shows that NICE consumes less computational overhead compared to proxy-based network intrusion detection solutions. Our proposed techniques are effective and efficient when compared to the previous approaches through our experimental and simulation analysis. The rest of the paper will be organised as follows: In section 2, we see about the related works of the paper. In section 3, we discuss about the proposed method. The algorithms and simulation are shown in the section 4 and 5. The conclusion of our paper is in section 6. II. RELATED WORKS In this section, we will see the some of the related works to the intrusion detection in the wireless ad hoc networks using different approaches: Figure 2- Architecture of Proposed System We devise NICE, a new multi-phase distributed network intrusion detection and prevention framework in a virtual networking environment that captures and inspects suspicious cloud traffic without interrupting users applications and cloud detection and prevention by correlating attack behavior and also suggests effective countermeasures. NICE optimizes the implementation on cloud servers to minimize resource consumption. We also proposed the effective technique to the find the vulnerable Virtual machines in the networks with the help of Enhanced host model. Host based detection systems can be generally classified into moreover anomaly detection or misuse detection. Host based methods are more popular due to the low, cost and processing overhead involved, as compared to other machinery s like virtualization based detection. Due to its effectiveness, attackers now manipulate Matthias Grossglauser and David N. C. Tse [1], Botnets are now recognized as one of the most serious security threats. In contrast to previous malware, botnets have the characteristic of a command and control (C&C) channel. Botnets also often use existing common protocols, e.g., IRC, HTTP, and in protocol-conforming manners. This makes the detection of botnet C&C a challenging problem. In this paper, we propose an approach that uses network-based anomaly detection to identify botnet C&C channels in a local area network without any prior knowl- edge of signatures or C&C server addresses. This detection approach can identify both the C&C servers and infected hosts in the network. Our approach is based on the observa- tion that, because of the pre-programmed activities related to C&C, bots within the same botnet will likely demonstrate spatial-temporal correlation and similarity. For example, they engage in coordinated communication, propagation, and attack and fraudulent activities. Our prototype system, BotSniffer, can capture this spatial-temporal correlation in network traffic and utilize statistical algorithms to detect botnets with theoretical bounds on the false positive and false negative rates. We evaluated BotSniffer using many real-world network traces. The results show that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate Shuo Guo, Ziguo Zhong and Tian He [2], wireless Sensor Networks are typically huge compilation of sensor nodes for cumulative of data or information as of watching the surroundings and broadcast to base position through multi-hop wireless message of nodes. The present of faults nodes in the WSNs are extremely lofty owing to wireless contact and unsystematic operation strategy. Force protection in wireless sensor network is an extra issue is to get better applicability of WSNs (wireless sensor networks). In order to overcome the above issues, we recommend division based Misbehaviour 16

3 nodes identify and revival technique, which is as well as energy knowledgeable. In the above proposed technique, sensor nodes are agreed into several clusters. Cluster start and wireless sensor nodes are together for perceive the fault in the sensor nodes. Our proposed techniques are effective and efficient when compared to the previous approaches through our experimental and simulation analysis. B. Umakanth and J. Damodhar[3], Wireless Sensor Networks came to importance approximately the begin of this millennium provoked by the ubiquitous situation of small-sized sensors with limited range control deployed in the huge information over an vicinity to examine different occurrence. The solitary motivation of a large segment of investigate efforts has been to exploit the lifetime of the wireless network, where network lifetime is typically measured from the immediate of consumption to the peak when one of the nodes has exhausted its partial power source and become in-operational normally referred since first node collapse. In excess of the time, research has increasingly adopted ideas from wireless communications. In this paper we consider how routing protocols, affect from attack even those designed to be protected, be short of security from these attacks, which we call Vampire attacks in the wireless networks, which permanently immobilize networks by quickly misbehaviour nodes of draining the sequence energy. These type of parasite attacks are not specific to any specific protocol which are overwhelming, not easy to identify, and are easy to bring out using as few as one wicked insider sending only procedure acquiescent messages. We proposed a EWMA method to bound the damage caused by these vampire types of attacks during the packet forwarding phase. Zinaida benenson, Peter M. cholewinski and, Felix C. freiling [4], An integral part of modeling the global view of network security is constructing attack graphs. Manual attack graph construction is tedious, error-prone, and impractical for attack graphs larger than a hundred nodes. In this paper we present an automated technique for generating and analyzing attack graphs. We base our technique on symbolic model checking algorithms, letting us construct attack graphs automatically and efficiently. We also describe two analyses to help decide which attacks would be most cost-effective to guard against. We implemented our technique in a tool suite and tested it on a small network example, which includes models of a firewall and an intrusion detection system. Chris Karlof and David Wagner [5], we examine the routing protocol security in wireless networks. Many wireless sensor network routing protocols comprise be proposed in previous, but nothing of them have been considered with security as a goal in the wireless networks. We propose the effective protection goals for routing protocols in the sensor networks, show how attacks beside ad-hoc and end to end networks can be adapted into dominant attacks against sensor networks, initiate two classes of novel attacks touching sensor networks sinkholes and HELLO floods, and we analyse that the security of all the major sensor network routing protocols. We illustrate crippling attacks against all of them and propose countermeasures and aim for considerations. This is the first such examine of secure routing in wireless sensor networks. Farhad Nematy, and Naeim Rahmani [6], Managing and analyzing a huge number of low-level alerts is very difficult and exhausting for network administrators. Alert correlation methods have been proposed to decrease the number of alerts and make them more intelligible. Proposed methods for alert correlation are different in terms of their performance, accuracy and adaptivity. We present a new hybrid model not only to correlate alerts as accurately and efficiently as possible but also to be able to boost the model in the course of time. The model presented in this paper consists of two parts: (1) an attack graph-based method to correlate alerts raised for known attacks and hypothesize missed alerts and (2) a similaritybased method to correlate alerts raised for unknown attacks which cannot be correlated using the first part and also to update the attack graph. These two parts cooperate with each other such that if the first part could not correlate a new alert, the second part is applied. We propose two different methods for these two parts. In order to update the attack graph, we present a technique (using the similarity-based method in the second part of the model) which is actually the most salient feature of our model: capability of hypothesizing missed exploits and discovering defects in pre and post conditions of known exploits in attack graphs. We also propose an additional method named alerts bisimulation for compressing graphs of correlated alerts. Dr. G. Padmavathi, and Mrs. D. Shanmugapriya,[7], Wireless Sensor networks (WSN) is an rising technology and have immense credible to be betrothed in significant situation like battlefields surveillance, marketable applications such as construction, travel examination, environment monitoring and well-groomed homes and several additional scenarios. Smart environments correspond to the subsequently evolutionary expansion rung in building or homes, utilities, manufacturing purposes, residence, shipboard, and shipping systems mechanization. Similar to several conscious creatures, the elegant surroundings relies initial and leading on sensory data or information as of the genuine humanity. Such a Sensory data or information comes as of numerous sensors of unlike modalities in scattered surroundings. The elegant atmosphere desires in order about its environment because well about its interior mechanism; so it is captured in natural systems by the dissimilarity among the one is ext-eroceptors and other is proprioceptors. In the wireless communication technologies also acquire various types of security intimidation. This paper deals with an extensive diversity of attacks or privacy issue in 17

4 WSN and their categorization techniques and applying dissimilar securities levels available to feel them as well as the challenges or issues faced in WSN. Chaudhari H.C. and Kadam L.U [8], however, wireless sensor networks pretense exclusive protection challenges. Security is fetching a major anxiety for WSN protocol designers as of the extensive security serious applications of WSNs protocols. we include completed an attempt to document all the recognized security issues in wireless sensor networks and discuss a deals with an extensive diversity of attacks or privacy issue in WSN and their categorization techniques and applying dissimilar securities levels available to feel them as well as the challenges or issues faced in WSN. In this paper we took up the challenge or issues in the security level and have proposed an included wide-ranging security that will present security services for all services of sensor network. The sensing technology shared with processing control and wireless communication makes it gainful for being broken in great measure in future. The wireless communication technologies also acquire various types of security intimidation. III. PROPOSED WORK In this paper, we are going to discuss about the actions of the attacks in the wireless ad hoc networks. We presented NICE, which is proposed to detect and mitigate collaborative attacks in the cloud virtual networking environment. NICE utilizes the attack graph model to conduct attack detection and prediction. The proposed solution investigates how to use the programmability of software switches based solutions to improve the detection accuracy and defeat victim exploitation phases of collaborative attacks. NICE only investigates the network IDS approach to counter zombie explorative attacks. We devise NICE, a new multi-phase distributed network intrusion detection and prevention framework in a virtual networking environment that captures and inspects suspicious cloud traffic without interrupting users applications and cloud detection and prevention by correlating attack behavior and also suggests effective countermeasures. NICE optimizes the implementation on cloud servers to minimize resource consumption. We also proposed the effective technique to the find the vulnerable Virtual machines in the networks with the help of Enhanced host model. Host based detection systems can be generally classified into moreover anomaly detection or misuse detection. Host based methods are more popular due to the low, cost and processing overhead involved, as compared to other machinery s like virtualization based detection. Due to its effectiveness, attackers now manipulate system calls for initiating an attack. Our study shows that NICE consumes less computational overhead compared to proxy-based network intrusion detection solutions.. IV. ALGORITHM Host based Intrusion Detection Algorithm: Step 1: Select the 4 layers needed for the whole IDS. Step 2: Build Sensor Layer to detect Network and Host Systems. Step 3: Build Detection Layer based on Misuse and Anomaly detection technique. Step 4: Classify various types of alerts. (For example alert for System level intrusion or process level intrusion) Step 5: Code the system for detecting various types of attacks and alerts for respective attacks. Step 6: Integrate the system with Mobile device to get alerts from the proposed IDS. Step 7: Specify each type of alert on which category it falls, so that user can easily recognize the attack type. Step 8: Build Reaction layer with various options so that administrator/user can have various options to select or react on any type of intrusion. Step 9: Test the system using Attack Simulation module, by sending different attacks to the proposed IDS. Step 10: Build a log file, so that all the reports generated can be saved for future references. Server: V. SIMULATION WORKS/RESULTS Server module is the main module for this project. This module acts as the Intrusion Detection System. This module consists of four layers viz. sensor layer (which detects the user/client etc.), Detection layer, alert processing layer and reaction layer. In addition there is also Message Log, where all the alerts and messages are stored for the references. This Message Log can also be saved as Log file for future references for any network environment. Client: Client module is developed for testing the Intrusion Detection System. In this module the client can enter only 18

5 with a valid user name and password. If an intruder enters with any guessing passwords then the alert is given to the Server and the intruder is also blocked. Even if the valid user enters the correct user name and password, the user can use only for minimum number of times. For example even if the valid user makes the login for repeated number of times, the client will be blocked and the alert is sent to the admin. In the process level intrusion, each client would have given a specific process only. For example, a client may have given permission only for P1 process. If the client tries to make more then these processes the client will be blocked and the alert is given by the Intrusion Detection System. In this client module the client can be able to send data. Here, when ever data is sent Intrusion Detection System checks for the file. If the size of the file is large then it is restricted or else the data is sent. DARPA Dataset: This module is integrated in the Server module. This is an offline type of testing the intrusions. In this module, the DARPA Data Set is used to check the technique of the Online Intrusion Alert Aggregation with Generative Data Stream Modeling. The DARPA data set is downloaded and separated according to each layers. So we test the instance of DARPA Dataset using the open file dialog box. Whenever the dataset is chosen based on the conditions specified the Intrusion Detection System works. Attack Simulation: In this module, the attack simulation is made for ourself to test the system. Attacks are classified and made to simulate here. Whenever an attack is launched the Intrusion Detection System must be capable of detecting it. So our system will also be capable of detecting such attacks. For example if an IP trace attack is launched, the Intrusion Detection System must detect it and must kill or block the process. 19

6 VI. CONCLUSION Our proposed techniques in this paper, address the intrusion type of attacks in the wireless ad hoc networks In order to overcome the malicious attacks in WSN, the information transmission is carried in the trusted path of the networks. Our proposed technique addresses the vulnerable VM attacks in the wireless ad hoc networks when compared to the existing approaches. NICE, a new multi-phase distributed network intrusion detection and prevention framework in a virtual networking environment that captures and inspects suspicious cloud traffic without interrupting users applications and cloud detection and prevention by correlating attack behaviour and also suggests effective countermeasures. Our experimental result showed that our proposed novel technique works efficiently when compared to previous methods. VII. REFERENCES [1] Matthias Grossglauser and David N. C. Tse Mobility Increases the Capacity of Ad Hoc Wireless Networks - IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 10, NO. 4, AUGUST 2002 [2] Shuo Guo, Ziguo Zhong and Tian He FIND: Faulty Node Detection for Wireless Sensor Networks - SenSys 09, November 4 6, 2009, Berkeley, CA, USA [3] B. Umakanth and J. Damodhar Detection of Energy draining attack using EWMA in Wireless Ad Hoc Sensor Networks - International Journal of Engineering Trends and Technology (IJETT) Volume 4 Issue 8- August [4] Zinaida benenson, Peter M. cholewinski and, Felix C. freiling Vulnerabilities and Attacks in Wireless Sensor Networks [5] Chris Karlof and David Wagner proposed Trust Evaluation Based Security Solution in Ad Hoc Networks [6] Farhad Nematy, and Naeim Rahmani A New Approach for Recovering Nodes from Faulty Cluster Heads Using Genetic Algorithm - Proceedings of the International Conference on Soft Computing for Problem Solving (SocProS 2011) December 20-22, 2011 [7] Dr. G. Padmavathi, and Mrs. D. Shanmugapriya Simulation of a Secure Ad Hoc Network Routing Protocol - (IJCSIS) International Journal of Computer Science and Information Security, Vol. 4, No. 1 & 2, 2009 [8] Chaudhari H.C. and Kadam L.U Security in Ad Hoc Networks - International Journal of Networking Volume 1, Issue 1, 2011, pp [9] I. Aad, J.-P. Hubaux, and E.W. Knightly, Denial of Service Resilience in Ad Hoc Networks, Proc. ACM MobiCom,2004. [10] G. Acs, L. Buttyan, and I. Vajda, Provably Secure On-Demand Source Routing in Mobile Ad Hoc Networks, IEEE Trans. Mobile Computing,vol. 5, no. 11, pp , Nov [11] B. Joshi, A. Vijayan, and B. Joshi, Securing cloud computing environment against DDoS attacks, IEEE Int l Conf. Computer Communication and Informatics (ICCCI 12), Jan [12] H. Takabi, J. B. Joshi, and G. Ahn, Security and privacy challenges in cloud computing environments, IEEE Security & Privacy, vol. 8, no. 6, pp , Dec [13] Open vswitch project, May [14] Z. Duan, P. Chen, F. Sanchez, Y. Dong, M. Stephenson, and J. Barker, Detecting spam zombies by monitoring outgoing messages, IEEE Trans. Dependable and Secure Computing, vol. 9, no. 2, pp , Apr IEEE TRANSACTIONS ON DEPEDABLE AND SECURE COMPUTING [15] G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee, BotHunter: detecting malware infection through IDS-driven dialog correlation, Proc. of 16th USENIX Security Symp. (SS 07), pp. 12:1 12:16, Aug [16] G. Gu, J. Zhang, and W. Lee, BotSniffer: detecting botnet command and control channels in network traffic, Proc. of 15th Ann. Network and Distributed Sytem Security Symp. (NDSS 08), Feb [17] O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M. Wing, Automated generation and analysis of attack graphs, Proc. IEEE Symp. on Security and Privacy, 2002, pp [18] NuSMV: A new symbolic model checker, / nusmv. Aug [19] S. H. Ahmadinejad, S. Jalili, and M. Abadi, A hybrid model for correlating alerts of known and unknown attack scenarios and updating attack graphs, Computer Networks, vol. 55, no. 9, pp , Jun [20] X. Ou, S. Govindavajhala, and A. W. Appel, MulVAL: a logicbased network security analyzer, Proc. of 14th USENIX Security Symp., pp [21] R. Sadoddin and A. Ghorbani, Alert correlation survey: framework and techniques, Proc. ACM Int l Conf. on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services (PST 06), pp. 37:1 37: [22] L. Wang, A. Liu, and S. Jajodia, Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts, Computer Communications, vol. 29, no. 15, pp , Sep [23] S. Roschke, F. Cheng, and C. Meinel, A new alert correlation algorithm based on attack graph, Computational Intelligence in Security for Information Systems, LNCS, vol. 6694, pp Springer, [24] A. Roy, D. S. Kim, and K. Trivedi, Scalable optimal countermeasure selection using implicit enumeration on attack countermeasure trees, Proc. IEEE Int l Conf. on Dependable Systems Networks (DSN 12), Jun [25] N. Poolsappasit, R. Dewri, and I. Ray, Dynamic security risk management using bayesian attack graphs, IEEE Trans. Dependable and Secure Computing, vol. 9, no. 1, pp , Feb

7 [26] Open Networking Fundation, Software-defined networking: The new norm for networks, ONF White Paper, Apr [27] Openflow