An Approach for Intrusion Detection and Countermeasure Selection in Virtual Network System

Transcription

1 33 An Approach for Intrusion Detection and Countermeasure Selection in Virtual Network System Rubal Dahat, Department of Computer Technology, Yeshwant Rao College of Engineering, Nagpur, India Rashmi Jain, Professor, Department of Computer Technology, Yeshwant Rao College of Engineering, Nagpur, India ABSTRACT Today people are not buying the resources but are switch to cloud to use the resources. Cloud has a security issue concerned with it. Majorly DDoS attacks are used to break the security. Distributed Denial of Service has one or more attackers to hamper to the security in distributed system. Network Intrusion Detection and Countermeasure (NICE) method is used to detect the DDoS attack in virtual network. Along with detection, this method also gives the countermeasure to prevent the system. But NICE use only Network-based IDS approach for intrusion detection. To accurately detect the intrusion, it is important to use Host-based approach. Therefore we are introducing a new approach which combines Network intrusion Detection System and Host-based Intrusion Detection using Entropy Variant method, which exactly finds the source of attack by studying the variation of packed size in travelled path. To prevent the network from threat, the user must be authenticated. So, a Client-Puzzle method, having a set of questions for user authentication process will be used. Hence, we introduce a novel approach for intrusion detection and countermeasure selection in virtual network and hope it outperform the previous methodology. For doing so we are going to use a simulation, to be implemented in Dot Net framework. Keywords: Network security, virtual network system computing, intrusion detection, DDoS I. INTRODUCTION Virtual network system security is one of most important issues that have attracted a lot of research and development effort in past few years. Particularly, attackers can explore vulnerabilities of a virtual network system and compromise virtual machines to deploy further large-scale Distributed Denial-of-Service (DDoS). DDoS attacks usually involve early stage actions such as multi-step exploitation, low frequency vulnerability scanning, compromising identified vulnerable virtual machines as zombies, and finally DDoS attacks through the compromised zombies. Within the virtual network system, especially the Infrastructure-as-a-Service (IaaS) virtual network systems, the detection of zombie exploration attacks is extremely difficult. This is because virtual network system users may install vulnerable applications on their virtual machines. To prevent vulnerable virtual machines from being compromised in the virtual network system, we propose a distributed network intrusion detection and countermeasure selection mechanism, which is built on analytical models based on attack graph and countermeasures based on reconfigurable virtual network. In order to significantly improve attack detection and mitigate attack consequences, the proposed framework leverages Open Flow network programming APIs to build a monitor and control plane over distributed programmable virtual switches. The system and security evaluations demonstrate the efficiency and effectiveness of the proposed solution. II. PROBLEM DEFINITION Our new approach is to detect the DDoS attack on different parameters such as their pattern, behavior, malicious packet size, ip spoofing etc. It is extremely difficult to trace back the attackers, therefore we are going to use entropy variations method which will efficiently identify trace back of the attackers and also will protect the data from the attackers. To defend servers against Distributed Denial of Service attacks we are going to use client-puzzles mechanism. We are going to simulate in Dot Net framework for intrusion detection and countermeasure using entropy method and client puzzle method. Thus our approach is to provide security in virtual network against the attacks and the attackers. III. LITERATURE ISSN: Vol.3, Issue1, Dr. Balachandra, D.N.Karthek (July-Aug. 2012) An Overview on Security Issues in Cloud Computing we have studied how security and compliance integrity can be maintained in new environment. The prosperity in Cloud Computing literature is to be coming after security and privacy issues are resolved.

2 34 Vol.3, No.4, Hamoud Alshammari and Christian Bach, August 2013 Administration Security Issues In Cloud Computing, in this paper we have studied most administration security issues and concept of the Service Level Agreement or any trust third party that can control the processing over Could Computing. The solution to get more secure Cloud Computing environment is to have a strong service level agreement offering an adequate level of security and privacy for the information that is already in the cloud. ISSN: , Sina Manavi, Sadra ohammadalian, Nur Izura Udzir, Azizol Abdullah,2012 Secure Model for Virtualization Layer in Cloud Infrastructure, in this paper we have studied to propose a model to secure and proper mechanism to react reasonable against the detected attack by intrusion detection system. With the secured model (SNODE) against the attack SVL model, (Secure Model for Virtualization layer) which combines virtualization and intrusion detection system, can increase the detection rate and provide protection against attacks targeting virtualization, and consequently will result in reliable cloud security the proposed model and framework will be implemented in order to compare and evaluate it with the ISSN: , Vol. 4, Issue 3(Version 5), Mr. V.V.Prathap, Mrs.D.Saveetha, 2014 Detecting Malware Intrusion in Network Environment, in this is model we have studied three model intrusion detection Threat model, attack graph model, existing model NICE utilizes the attack graph model to conduct attack detection and prediction. NICE only investigates the network IDS approach to counter zombie explorative attacks. VOL. 10, NO. 4 Chun-Jen Chung,Tianyi Xing,Dijiang Huang,2013, NICE: Network Intrusion Detectin and Countermeasure Selectionin Virtual Network Systems In this paper we have studied The system and security evaluations demonstrate the efficiency and effectiveness of the proposed solution NICE, which is proposed to detect and mitigate collaborative attacks in the cloud virtual networking environment. NICE only investigates the network IDS approach to counter zombie explorative attacks. Host-based IDS solutions are needed to be incorporated and to cover the whole spectrum of IDS in the cloud system for to improve the detection certainty. Shina Sheen, R Rajesh, Network Intrusion Detection using Feature Selection and Decision tree classifier In this paper we have studied three different approaches for feature selection such as chi square, information gain and relieff which is based on filter approach Intrusion Detection with feature selection was able to outperform the decision tree algorithm without feature selection Intrusion Detection approach is very useful for counter measure. Vol. 2 Issue. 7, Prof.D.P.Gaikwad, Pooja Pabshettiwar, Priyanka Musale, Pooja Paranjape, Ashwini S. Pawar,2012 A Proposal for Implementation of Signature Based Intrusion Detection System Using Multithreading Technique In this paper we have studied signature based intrusion detection system, using multithreading technique. The diligent management of network security is essential to the activity of networks, regardless of whether they have segments or not. Multithreaded technique for better intrusion detection should be distributed and cooperative by applying co-operative agents to the network. Vol.5, No.2, Shalvi Dave, Bhushan Trivedi and Jimit Mahadevia, 2013 Efficacy of attack detection capability of IDPS based on its deployment in wired and Wireless environment In this paper we have studied the IDS logging agent inspects the data with the help of Suricata. Suricata is an open-source IDS available on all the platforms. It determines an attack based on pre-defined signature rule -set. Intrusion Detection and/or Prevention Systems (IDPS) represent an important line of defence against a variety of attacks that can compromise the security. IEEE 12th International Conference on Data Mining Workshops, Anand Kannan and Gerald Q. Maguire, Ayush Sharma and Peter Schoo,2012. In this paper we have studied the Genetic Algorithm based Feature Selection Algorithm for Effective Intrusion Detection in Cloud Networks, we have studied a new traditional manner intrusion detection model in which we combine a newly proposed genetic based feature selection algorithm and an existing Fuzzy Support Vector Machines (SNODE) for effective classification as a solution. New genetic based feature selection algorithm is used to select optimal number of features from the KDD cup data set for intrusion detection.genetic algorithm is very helpful for intrusion detection /10/$26.00 IEEE, Aizhong Mi Linpeng Hai, A Clustering-based Classifier Selection Method for Network Intrusion Detection in this paper we studied the pattern recognition approach based on classifier selection to network intrusion detection and proposes a clustering-based classifier selection method. The pattern recognition technique for intrusion detection, and offer a network intrusion detection approach based on multiple classifier

3 35 selection, called CDS. This method is very useful intrusion detection. Tal Garfinkel Mendel Rosenblum A System Introspection Based Architecture for Intrusion Detection In this we studied an architecture that retains the visibility of host-based IDS, but drag the IDS outside of the host for greater attack resistance. The pattern recognition technique to intrusion detection and proposes a network intrusion detection approach based on multiple classifier selection, called CDS. This method is very useful intrusion detection. Approach for intrusion detection which co-locates an IDS on the same machine as the host it is monitoring and leverages a system monitor to isolate the IDS from the monitored host. IV. PROPOSED WORK Modules 1 Constructing Sensor Network 2 Packet Creation 3 Find authorized and un authorized port 4 Constructing Inter-Domain Packet Filters 5 Receiving the valid packet Modules Descriptions: Module-1: In this module, we are going to connect the network.each node is connected the neighboring node and it is independently deployed in network area. And also deploy the each port no is authorized in a node. Module-2: In this module, browse and select the source file. And selected data is converted into fixed size of packets. And the packet is send from source to detector. Module-3: The Clone detection is defined as a mechanism for a WSN to detect the existence of inappropriate, incorrect, or anomalous moving attackers. In this module check whether the path is authorized or unauthorized. If path is authorized the packet is send to valid destination. Otherwise the packet will be deleted. According port no only we are going to find the path is authorized or Unauthorized. Module-4: If the packet is received from other than the port no it will be filtered and discarded. This filter only removes the unauthorized packets and authorized packets send to destination. Module-5: In this module, after filtering the invalid packets all the valid packets will reach the destination. ATTACKS: TCP Flood Attack Though TCP protocol is a connection oriented and reliable protocol but still there a various loopholes that can be exploited. These loop holes are mostly explained in terms of attacks. The attack exploits an implementation characteristic of the Transmission Control Protocol (TCP), and can be used to make server processes incapable of answering a legitimate client application's requests for new TCP connections. Any service that binds to and listens on a TCP socket is potentially vulnerable to TCP SYN flooding attacks. UDP Flood Attack: UDP flood is a type of DDoS attack in which the attacker overwhelms random ports on the targeted host with IP packets containing UDP datagrams. UDP is a connectionless and session less networking protocol. Since UDP traffic doesn t require a three-way handshake like TCP, it runs with lower overhead and is ideal for traffic that doesn t need to be checked and rechecked. However, these same properties also make UDP more vulnerable to abuse. In the absence of an initial handshake, to establish a valid connection, a high volume of best effort traffic can be sent over UDP channels to any host, with no built-in protection to limit the rate of the UDP DDoS flood. This means that not only are UDP flood attacks highly-effective, but also that they could be executed with a help of relatively few resources. LAND Attack: Combining a SYN attack with IP spoofing, a land attack occurs when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and the source IP address. The receiving system responds by sending the SYN-ACK packet to itself, creating an empty connection that lasts until the idle timeout value is reached. Flooding a system with such empty connections can overwhelm the system, causing a denial of service. V. IMPLEMENTATION In distributed wired sensor network architecture. We used this topology for deployment of nodes because it is easy for the multiple nodes of their local region to report to cluster head. Each local region is called a cluster and cluster head is a data gathering node which is discussed later in this section. Another reason for using this topology is that the network deployment becomes attractive in heterogeneous settings when the cluster-head nodes are more powerful in terms of computation and communication. The main advantage of this two-tier hierarchical cluster based approach is that it usually crumbles a large network into separate zones within which data processing and aggregation can

4 36 be carried out locally. This topology consists of two types of sensor nodes: Forwarding nodes or simple sensor nodes which sense the activity and forward data to base station. Cluster head (CH) or simple data gathering point node, where all sensed data from the nodes are collected. We have four clusters. Each cluster selects a cluster head which is responsible for collection of data from the sensor nodes and send to base station (BS) or sink. CH is not a special node; it is one like other sensor node. Our approach is completely based model for classifier to identify the abnormal event pattern sensor nodes in the respective clusters. This classifier model tackle the security problems related to attacks in a distributed wireless sensor networks. In this model we used new system such as distributed data mining and agents for providing solution against wireless sensor network. In counterpoint, some emerging software disciplines such as extreme programming and the agile software development movement, adhere to a "test-driven software development" model. In this process unit tests are written first, by the programmers (often with pair programming in the extreme programming methodology). Of course these tests fail initially, as they are expected to. Then as code is written it passes incrementally larger portions of the test suites. The test suites are continuously updated as new failure conditions and corner cases are discovered, and they are integrated with any regression tests that are developed. Unit tests are maintained along with the rest of the software source code and generally integrated into the build process (with inherently interactive tests being relegated to a partially manual build acceptance process). VI. RESULT Our simulation was based on the sensor network running in dot net. We have used sensor nodes and four clusters. Each cluster head was elected using united dynamic cluster routing in networks. All nodes are constant bit rate transport protocol; The movement of all nodes was randomly generated oven 1000m 1000m field, with a maximum speed of 75m/s and an average pause of 10ms. Each simulation runs for a time period of 10,000 simulation seconds. We would have run this simulation for many times and had detected different common attacks. We have successfully detected maximum abnormal events. Using this model we have calculate percentage of abnormal events. VII. CONCLUSION AND FUTURE WORK This paper analyzes the detection problem by characterizing detection probability with respect to the network parameters. Throughout experiment the simulation results shows the performance of our proposed agent based model. The average detection rate of the wireless network is 98.66%. Hence this is a well approached model for detection of abnormal events. While doing experiment we found that individual detection rate is very small when the training sample is not substantial. So to achieve high accuracy rate we apply the classifier to a perfect training set of data with known classifications. Our Future enhancements are Clone detections in internet application and parallel computer interconnection network. REFERENCE [1] Coud Sercurity Alliance, Top Threats to Cloud Computing v1.0, eats.v1.0.pdf, Mar [2] M. Armbrust, A. Fox, R. Griffith, A.D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, A View of Cloud Computing, ACM Comm., vol. 53, no. 4, pp , Apr [3] B. Joshi, A. Vijayan, and B. Joshi, Securing Cloud Computing Environment Against DDoS Attacks, Proc. IEEE Int l Conf. Computer Comm. and Informatics (ICCCI 12), Jan [4] H. Takabi, J.B. Joshi, and G. Ahn, Security and Privacy Challenges in Cloud Computing Environments, IEEE Security and Privacy, vol. 8, no. 6, pp , Dec [5] Open vswitch Project, May [6] Z. Duan, P. Chen, F. Sanchez, Y. Dong, M. Stephenson, and J. Barker, Detecting Spam Zombies by Monitoring Outgoing Messages, IEEE Trans. Dependable and Secure Computing, vol. 9, no. 2, pp , Apr [7] G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee, BotHunter: Detecting Malware Infection through IDS-driven Dialog Correlation, Proc. 16th USENIX Security Symp. (SS 07), pp. 12:1-12:16, Aug [8] G. Gu, J. Zhang, and W. Lee, BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic, Proc. 15th Ann. Network and Distributed Sytem Security Symp. (NDSS 08), Feb [9] O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J.M. Wing, Automated Generation and Analysis

5 37 of Attack Graphs, Proc. IEEE Symp. Security and Privacy, pp , [10] NuSMV: A New Symbolic Model Checker, Aug [11] P. Ammann, D. Wijesekera, and S. Kaushik, Scalable, graphbased network vulnerability analysis, Proc. 9th ACM Conf. Computer and Comm. Security (CCS 02), pp , [12] X. Ou, S. Govindavajhala, and A.W. Appel, MulVAL: A Logic-Based Network Security Analyzer, Proc. 14th USENIX Security Symp., pp , [13] R. Sadoddin and A. Ghorbani, Alert Correlation Survey: Framework and Techniques, Proc. ACM Int l Conf. Privacy, Security and Trust: Bridge the Gap between PST Technologies and Business Services (PST 06), pp. 37:1-37:10, [14] L. Wang, A. Liu, and S. Jajodia, Using Attack Graphs for Correlating, Hypothesizing, and Predicting Intrusion Alerts, Computer Comm., vol. 29, no. 15, pp , Sept [15] S. Roschke, F. Cheng, and C. Meinel, A New Alert Correlation Algorithm Based on Attack Graph, Proc. Fourth Int l Conf. Computational Intelligence in Security for Information Systems, pp , [16] A. Roy, D.S. Kim, and K. Trivedi, Scalable Optimal Countermeasure Selection Using Implicit Enumeration on Attack Countermeasure Trees, Proc. IEEE Int l Conf. Dependable Systems Networks (DSN 12), June [17] N. Poolsappasit, R. Dewri, and I. Ray, Dynamic Security Risk Management Using Bayesian Attack Graphs, IEEE Trans. Dependable and Secure Computing, vol. 9, no. 1, pp , Feb [18] Open Networking Fundation, Software-Defined Networking:The New Norm for Networks, ONF White Paper, Apr [19] Openflow, learnmore/, [20] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L.Peterson, J. Rexford, S. Shenker, and J. Turner, OpenFlow:Enabling Innovation in Campus Networks, SIGCOMM ComputerComm. Rev., vol. 38, no. 2, pp , Mar