Ensuring Security in Cloud with Multi-Level IDS and Log Management System

Transcription

1 Ensuring Security in Cloud with Multi-Level IDS and Log Management System 1 Prema Jain, 2 Ashwin Kumar PG Scholar, Mangalore Institute of Technology & Engineering, Moodbidri, Karnataka1, Assistant Professor, Mangalore Institute of Technology & Engineering, Moodbidri, Karnataka Prema.jain19@gmail.com, 2 ashwin@mite.ac.in Abstract Cloud computing systems provide services to so many people who are not proven to be trustworthy. Due to their distributed nature, cloud computing environment are easy targets for intruders. There are various issues that need to be dealt with respect to security and performance in a cloud computing scenario. A common issue is intrusion detection systems management of large loads of data. There needs to be a strong balance between IDS security level and system performance. If the IDS provide stronger security service using more rules or patterns, then it needs much more computing resources in proportion to the strength of security. So the amount of resources allocating for customers decreases. Another issue in Cloud Computing is that, huge amount of logs makes system administrators hard to analyze them. To counter these kinds of issues, a multi-level intrusion detection system is proposed. The proposed system could detect various types of attacks and provide suitable level of security by examining attacker data record observed in processes on the virtual machine. Intrusion Detection System is a security layer over cloud server used to detect ongoing intrusive activity in network. Index Terms Cloud Computing, Intrusion Detection System, multi-level IDS, Trusted Third Party. I. INTRODUCTION Cloud computing is a collection of all sources to enable resource sharing in terms of scalable infrastructures, middleware and application development platforms, and value-added business applications. In past three decades, the world of computation has changed from centralized (client-server not web-based) to distributed systems and now we are getting back to the virtual centralization (Cloud Computing). But security in cloud computing environment is of major concern. Intrusion Detection Systems (IDSs) are amongst the main tools for providing security in networks, cloud and grid [1]. performance. Due to the large data sets, IDS require a huge amount of memory and CPU usage [2]. Another important problem is log management. Cloud Computing systems are used by many people, therefore, they generate huge amount of logs. So, system administrators should decide to which log should be analyzed first. In this paper, we propose Multi-level IDS and log management method based on consumer behavior for applying IDS effectively to Cloud Computing system. The rest of the paper is organized as follows. In Chapter II we describe relationship between Cloud Model to the Security Control & Compliance Model. In chapter III, we describe our proposal method and its implementation. Finally, we conclude the paper in chapter in Chapter IV. II. CLOUD MODEL, SECURITY CONTROL & COMPLIANCE MODEL A. Cloud model In cloud environments, multiple parties data and services may exist on a single physical platform running virtual services for its customers [3]. This creates several problems for security, compliance and audit, including: Limited ability to control data and applications Limited knowledge and no visibility into the degree of segmentation and security controls between those collocated virtual resources Audit and control of data in the public cloud with no visibility into the provider s systems and controls Traditional IDSs are not efficient enough to handle large data flow. A common issue is intrusion detection systems management of large loads of data. There needs to be a strong balance between IDS security level and system Even in a private cloud that is privately managed, multi-tenancy is enacted at many layers, including storage, application, database, operating platform and hypervisor-based infrastructure. In other words, shared hosts, data centers and networks can potentially exist 14

2 between the same and different organizations or internal business units. As such, it is critical that network segmentation is created securely with the ability to monitor any anomalies that may occur across virtual network boundaries. B. Security control Model As such, the differences in methods and responsibility for securing the three cloud service models mean that consumers of cloud services are faced with a challenging endeavor. Unless cloud providers can readily disclose their security controls and the extent to which they are implemented to the consumer and the consumer knows which controls are needed to maintain the security of their information, there is tremendous potential for misguided decisions and detrimental outcomes. This is critical. First one classifies a cloud service against the cloud architecture model. Then it is possible to map its security architecture; as well as business, regulatory, and other compliance activities from malicious host or network [7]. There are mainly two categories of IDSs, which are listed in Table 1. Once an intrusion has been detected, IDS issues alerts notifying administrators of this fact. The next step is undertaken either by the administrators or the IDS itself, by taking advantage of additional countermeasures (specific block functions to terminate sessions, backup systems, routing connections to a system trap, legal infrastructure etc.) following the organization s security policy (Figure 2). An IDS is an element of the security policy. Among various IDS tasks, intruder identification is one of the fundamental ones. It can be useful in the forensic research of incidents and installing appropriate patches to enable the detection of future attack attempts targeted on specific persons or resources. III. PROPOSED SYSTEM AND ITS IMPLEMENTATION In this section we describe architecture of multi-level intrusion detection system, log management system and implementation details of proposed system. A. Description of Proposed Architecture Figure 1 - Mapping the Cloud Model to the Security Control & Compliance Model requirements against it as a gap-analysis exercise. The result determines the general security posture of a service and how it relates to an asset s assurance and protection requirements [4]. The figure 1 shows an example of how a cloud service mapping can be compared against a catalogue of compensating controls to determine which controls exist and which do not as provided by the consumer, the cloud service provider, or a third party. This can in turn be compared to a compliance framework or set of requirements, as shown in figure 1. Reducing the number of resources required for IDS implementation and enhancing security are main concern so a new system based on multilevel concept is proposed which deals with effective use of system of resources. The proposed system binds user in different security groups based on degree of anomaly called anomaly level. Our proposal architecture is as shown in figure 3. It consists of AAA module which is responsible for authentication, authorization and accounting. When user tries to access the cloud the AAA checks the authentication of the user and based on it, it gets the recently updated anomaly level. Table 1: Types of IDS C. Compliance Model (Intrusion detection system) Intrusion detection systems (IDS) are an essential component of defensive measures protecting computer systems and network against harm abuse [5]. It becomes crucial part in the Cloud computing environment. The main aim of IDS is to detect computer attacks and provide the proper response [6]. An IDS is defined as the technique that is used to detect and respond to intrusion Figure 2: Intrusion Detection System (IDS) Infrastructure 15

3 Table 2: Assessment of Anomalous Table 3: Criteria of Anomaly Level Figure 3: Multilevel Proposed Model After that, AAA chooses suitable IDS which have the security level correspondent to the user s anomaly level. Security is divided into three levels viz. high, medium and low. High Level applies patterns of all known attacks and a portion of anomaly detection when it needs for providing strong security service. Medium Level applies patterns of known attacks to rules providing strong security service. Low Level has flexible resource management and applies patterns of chosen malicious attacks that can occur at high frequency which affect more fatally [8]. Multi-level IDS defines the anomaly behaviors by risk level policy. The risk levels assign risk points in proportion to risk of anomaly behavior. With example of login failure, the criteria of behaviors for judging that some traffic is anomaly are described in table 2. The criteria of anomaly level for deciding security group with risk point is shown in table 3. In Multi-level IDS scheme, an IDS consumes more resource when providing higher level security, because higher level security applies more rules than lower level. On the other hand, if an IDS provides lower level security policy, then the amount of resource usage is decreased although the detecting power of attacks also drops. The assignment of VM to a user is determined in accordance with security level. B. Log management system So many people would use Cloud Computing service, so the huge logs arise from transaction between systems, user information update, and mass data processing and so on. Therefore, it is very difficult to analyze using the logs in emergency. Log generation and storage can be complicated by several factors, including: A high number of log sources Inconsistent log content Lack of structure among generated logs Formats Timestamps among sources Increasingly large volumes of data Not calculating the proper events per second (EPS) and losing logs due to saturation. To make analyzing log better, we propose the method that divides log priority according to security level. The auditing priority of the logs is also decided by the anomaly level of users. It means the logs generated by user who have most high anomaly level are audited with top priority. On the other hand, logs of low-level users are audited at last. So our method can efficiently cope with potential attacks from the relatively more dangerous users than others. C. Implementation details Cloud Computing system deploys each VM to one of three security group. When a user is assigned a VM by the system first time, there is no data for determining which security level of IDS is suitable for the user, so a high-level IDS should be assigned to the user. Since first provisioning, the decision of which VM is to be assigned to the user may change according to anomaly level of the user, and a migration may occur. Migration is a technique to move VM to other VM space[9]. In the case of existing users, they are judged by previous personal usage history, and assigned VMs with the security level derived by the judgment. Intrusion detection systems (IDSs) are one of the most popular devices for protecting cloud computing systems from various types of attack [8]. IDS can observe the traffic from each virtual machine (VM) and generate alert logs and can manage cloud computing globally. Since cloud infrastructures have enormous network traffic, traditional IDSs are not efficient enough to handle such a substantial data flow. A common issue is intrusion detection systems management of large loads of data. There needs to be a strong balance between IDS security level and system performance. Multi-level IDS method leads to effective resource usage by applying 16

4 differentiated level of security strength to users based on the degree of anomaly. Flow of the proposed system is as shown in figure 4. In TPA module, an optional TPA, who has expertise and capabilities that users may not have, is trusted to assess and expose risk of cloud storage services on behalf of the users upon request. Users should be equipped with security means so that they can make continuous correctness assurance of their stored data even without the existence of local copies. In case that user does not necessarily have the time, feasibility or resources to monitor their data, they can delegate the tasks to an optional trusted TPA of their respective choices as shown in figure 6. In our model, we assume that the point-to-point communication channels between each cloud server and the user is authenticated and reliable, which can be achieved in practice with little overhead. Figure 4: Flowchart for Proposed Model Figure 6: TPA module with capability of verifying the user data on behalf of the users upon request. Figure 5: User module in which user can upload, download files There are 3 modules which are implemented in multi-level Intrusion detection system: user module, Trusted third party (TPA) module and cloud provider (CSP) module. In user module, the user sends the request to the server. Based on the request, CSP provides the permission to download or upload the corresponding file to the user which is shown in figure 5. Before this process, the user authorization step is involved. In the server side, it checks the user name and its password for security process. If it is satisfied and then received the queries form the client and provide the corresponding functionalities. If the server finds the intruder means, it set the alternative path to those intruders. Figure 7: CSP module with detailed description of intruder 17

5 CSP module is the important part of proposed system because major functions of intrusion detection can be carried out in current module. Users store their data through a CSP into a set of cloud servers, which are running in a simultaneous, the user interacts with the cloud servers via CSP to access or retrieve his data. One of the key issues is to effectively detect any unauthorized data modification and corruption, possibly due to server compromise and/or random Byzantine failures. Besides, in the distributed case when such inconsistencies are successfully detected, to find such intruders is also of great significance. When a user access Cloud computing system first time, Multi-level IDS judges anomaly level of user using following matters: the user s IP coverage, vulnerable ports to attack, the number of ID/PW failure, and so on. The most important element for estimating anomaly level is how fatal it is. The rest of judgment criteria are possibility to attack success, possibility to attack occurrence, and so on [10]. Based on degree of anomaly, bind the users into corresponding security group. In this system divide security level into three, such as High, Medium and Low for effective IDS construction. The risk points for user anomaly level are decided by Cloud Service Provider. If the user belongs to low security level then CSP will send a sms to user. If the user belongs to middle security level then the user get a warning from CSP. In case the user belongs to high security level then that particular user is considered as a most dangerous intruder and such user will be blocked by CSP. In figure 7 shows that user anomaly level is 3 and belongs to medium security level group. IV. CONCLUSION Multi-level IDS and log management method is based on consumer behavior for applying IDS effectively to the cloud system. They assign a risk level to user behavior based on analysis of their behavior over time. By applying differentiated levels of security strength to users based on the degree of anomaly increases the effective usage of resources. Their method proposes the classification of generated logs by anomaly level. This is so that the system administrator analyses logs of the most suspected users first. Also the data traffic in the cloud is minimized and security is enhanced. REFERENCES [1] Introduction to Cloud Computing white paper Dialogic, [2] Roberto Di Pietro and Luigi V.Mancini, Intrusion Detection Systems, Springer, Jan [3] Thoran Rodrigues, "Cloud Security: Technology, Processes, Responsibility", The Enterprise Cloud, May 29,2012. [4] Security Guidance for Critical Areas of Focus in Cloud Computing, aguide.v2.1.pdf [5] J. Mchugh, A. Christie, and J. Allen, Defending Yourself: The Role of Intrusion Detection Systems, IEEE Software, Volume 17, Issue 5, Sep.-Oct., pp , [6] K. V. S. N. R. Rao, A. Pal, and M. R. Patra, A Service Oriented Architectural Design for Building Intrusion Detection Systems, International Journal of Recent Trends in Engineering, vol. 1, no. 2, pp , [7] U. Thakar, HoneyAnalyzer Analysis and Extraction of Intrusion Detection Patterns & Signatures Using Honeypot, The second International Conference on Innovations in Information Technology, Dubai, UAE September 26-28, [8] T. Kropp, System threats and vulnerabilities [power system protection], IEEE Power and Energy Magazine, vol. 4, no. 2, pp , [9] Kento S, Hitoshi. S, Satoshi. M, A Model-based Algorithm for Optimizing I/O Intensive Applications in Clouds using VM-Based Migration, 9 th IEEE/ACM International Symposium, Cluster Computing and Grid, [10] Wikipedia, en.wikipedia.org/ wiki/ Cloud_computing 18