Framework to detect and repair distributed intrusions based on mobile agent in hybrid cloud

Transcription

1 Framework to detect and repair distributed intrusions based on mobile agent in hybrid cloud Abir KHALDI 1, Kamel KAROUI 1, Henda BEN GHEZALA 1 1 RIADI Laboratory ENSI, University of Manouba, Manouba, Tunisia Abstract- Cloud computing is an emerging paradigm based on distributed services. It is deployed in virtual resources to provide services to public customers and private organizations. Generally, without security measures, distributed cloud services are vulnerable. In this paper, we will propose a framework for detecting and repairing distributed intrusions in hybrid cloud. Our framework is based on secure mobile agents. Keywords: Cloud computing, security,, Mobile Agent. 1. Introduction Cloud providers offer the customers services requirements. There are some security issues associated with cloud services. These issues fall into two broad categories: Security issues faced by cloud providers and security issues faced by customers. In most cases, the providers must ensure their infrastructure security and their clients data integrity while the customer must ensure that the provider has taken the proper security measures to protect his information. Because of its distributed nature, cloud computing environments are easy targets for intruders looking for exploring possible vulnerabilities. The first defense line to face attackers is to deploy a firewall to filter unauthorized access then an (Intrusion detection system) in order to detect coming attacks. N Cloud Environment Firewall Figure 1. Firewall and N in the Cloud architecture In figure 1, we have an N (Network ) to monitor all cloud network traffics. When an attack occurs, N alerts cloud administrator. In [1], we proposed a secure cloud architecture based on an N as a second line of defense after the firewall. The N performance is really approved for detecting attacks. But, attacks can be distributed between cloud nodes and be hidden for the N. So to detect them, we will propose a framework implementing : - A H (Host ) in every virtual machine () - An intelligent process to correlate between H alerts. - Secure Agents to execute the correlating process We will focus on deploying this framework on hybrid cloud environment to: - Phase 1 : Detect distributed attacks - Phase 2 : Evaluate the attacks risks - Phase 3 : Repair attacks In this paper, we will propose a framework based on secure mobile agents to detect distributed intrusions and repair the vulnerabilities in hybrid cloud. The repairing phase consists on adding a new security policy in the firewall. The reminder of this paper is organized as fols. The section 2 discusses some related works in the area of mobile agent based. In the next sections, we will describe our proposed framework using mobile agents to detect and repair intrusions. Then we will explain implementation prototype in section 5 to evaluate results in section 6. Finally, we will give conclusions in section Related work The is based on two simple components architecture: collection component and analyzer component. While this architecture is effective just for small collections of monitored hosts. In fact, centralized analysis limits the ability to scale up to handle larger collections. Therefore, Mobile Agent-based intrusion detection system, such as Autonomous Agents for Intrusion Detection (AAFID) [2], fols a hierarchical structure. So, if any part of the internal nodes is disabled, the functioning of that branch of will be disqualified. In addition, those architectures are not flexible, not completely distributed and are not able to respond to attacks against intrusion detection system itself.

2 The performance using mobile agents is considerably important to reduce the network load. In this case, agents communications should be secured. This issue, which has been neglected by most of related works, will be one of the main concern when we design our framework. It will be based on secure mobile agents to detect distributed intrusions in hybrid cloud. Table I illustrates a comparative study on related works. managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider. Private cloud: The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, Table 1. Comparing properties of previous related work RELATE D WORK ARCHITECTURE NETWORK LOAD [2] Hierarchical Distributed towards root node [3][4] Hierarchical Distributed towards root node [5][6] Centralized Distributed towards root node [7] Hierarchical Distributed towards a gateway Agent SCALABILITY Low Low [8] Centralized Symmetrical High [9] Hierarchical Distributed towards upper level Low [10] Peer to peer Symmetrical High [11] Peer to peer Symmetrical High RESISTIBILITY of of of of AGENT SECURITY No security approach DESCRIPTION Increasing the resistance to the of a specific component by Using data and function redundancy Using Mobile Agents to trace intruders among the various hosts involved in an intrusion Agents are composed dynamically using a genetic algorithm, which continually attempts to maximize the likelihood of discovering existing vulnerabilities. Approach was proposed to detect distributed intrusion among the network by various Agents. The presented intrusion detection system, DIDMA is designed by keeping in mind the notion of flexibility, scalability, platform independence They show how dynamic aggregation provides a mechanism for extending existing objects and als us to quickly add new features to the system. A virtual neighborhood is created where neighbors take on the task of looking out for each other. Applying Mobile Agents technology to provide intrusion detection for Cloud applications regardless of their locations. 3. Proposal mobile agent framework in hybrid cloud In this section, we will define the cloud environment of our framework, its objectives, components and functions. 3.1 Cloud environment The deployment models of cloud computing are [12]: Public cloud : The cloud infrastructure is provisioned for open use by the general public. It may be owned, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises. Hybrid cloud: The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). Community cloud : The cloud infrastructure is provisioned for exclusive use by a specific community of consumers

3 from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises. In our proposed framework, we focus on detecting intrusions in hybrid cloud. 3.2 Framework objectives The main framework objectives are : - Distributing correlation and decreasing network load : To supervise all the network nodes, a central node should query them and collect detected intrusions information to analyze it. So the network traffic will increase. To do, we try to adopt a distributed correlated system based on mobile agents to reduce network load due to the migration of agents from one node to another. - Reducing CPU load for each Cloud node: We try to distribute the work load of detecting intrusions between nodes instead of centralized it on one principal node. - Securing communication: We want to adopt a secure mobile agents platform within an encrypted communication between agents in order to avoid any intrusion. - Detecting distributed intrusions: An attack against a cloud computing system can be silent and not detected just in only one node,. In fact, cloudspecific attacks don t necessarily leave traces in one node. In this way, we propose to analyze traces using data mining to detect new attacks. 3.3 Framework components Our framework is based on six actors described as fols (see figure2): 1. An : An is deployed in each node () in the hybrid cloud (private and public). The monitors the traffics, detects intrusions and saves it in its database. 2. Correlated Mobile Agent (): it is a mobile agent dispatched to each node in the cloud area. The contains the rules to verify in each node using the alerts saved in database. In the same time, the framework supports two every one in each cloud area (public, private) to have rapidly a hole idea about the hybrid cloud intrusions. 3. a Public Cloud Agent (PbCA) : It is a static agent implemented in the administrator node in public cloud. This agent dispatch a to detect intrusions and go back with all the results of the correlation process. 4. A Private Cloud Agent (PvCA) : It is a static agent implemented in the administrator node in private cloud. This agent dispatch a to detect intrusions and go back with all the results of the correlation process. 5. An Hybrid Cloud Agent (HCA): It is a static agent implemented in the administrator node in hybrid cloud. This agent query the PbCA and the PvCA to start with the detection process in order to evaluate the security level in the hybrid cloud. 6. A Static Agent () : The static agent is implemented in each to receive the. Hybrid Cloud 1 PbCA 2 Public Cloud n HCA PvCA Private Cloud 3.4 Framework Functions We will describe the different functions and interactions between agents to detect distributed intrusions in the figure 3. The HCA can manage all the hybrid cloud towards its cloud area: public cloud and private cloud. The management can only be done for one cloud area or the two area in the same time depending on the Cloud status. Therefore, HCA asks the PbCA (11) or the PvCA (21) or both of them in the same time to report it the distributed intrusions detection in their cloud to audit the hybrid cloud. The PbCA and the PcCA create a with all the rules implemented in its code and dispatch it to the Cloud (12,22). The migrates to the (13,23). The receives The and asks password. This step is very important because AS reject if it is not authenticated. After receiving (14,24), asks information stored in the database. It hasn t permissions to access directly to database so is the middleware. applies all the rules in its data base to detect distributed intrusions in the. When finished, moves to the next to repeat the same steps done in the first. After finishing the detection in all the cloud, reports the results to its Cloud Agent (PbCA (15) or 1 2 Figure 2. Mobile Agent Framework in Hybrid Cloud n

4 PvCA(25)) ). The Cloud Agent gives report to the HCA (16,26) to supervise the hybrid cloud. If any is not connected or broken down, the discovers the status and migrate to the next to continue its work. The distributed detection process can be launched by the HCA, the PbCA or the PVCA. RMA HCA RMA 11. HCA demands the intrusions detected in public cloud to PbCA 16 PbCA gives report to HCA HCA 21.HCA demands the intrusions detected in private cloud to PvCA 26 PVCA gives report to HCA Protects Vulnerable Firewall Policy rule to apply PbCA PvCA Figure 4. Repairing of vulnerability in cloud environment 12 PbCA dispatch migrates to Public Cloud 15 1 gives report to PbCA 14 receives 1 22 PvCA dispatch migrate to 25 2 gives report to PvCA 2 4. Mobile agent based framework 24 receives 2 fixing vulnerabilities in hybrid cloud When the HCA detects distributed intrusion, the cloud network administrator should take the necessary security measures and apply it immediately. For that, we propose to extend the Framework in section III to fix vulnerabilities and avoid intrusions (see figure 4). If intrusions occurs, it means that there is a vulnerability in the or a missing policy security in the firewall. So HCA could dispatch a Reparation mobile agent (RMA) to: - the vulnerable to repair it if there is any service to close or to reject any established communication with a malicious user. - the firewall to apply new security rules to avoid intrusions detected. In this way, firewall should implement a Static Agent to receive the RMA in order to get rules and apply them. Private Cloud Figure 3. Agent Framework intercommunication 5. Prototype Implementation The proposed framework in the previous section is illustrating how specific features of the Mobile Agents can increase the efficiency of the system and decrease the network load as well (see figure 5). Mobile Agent has been used for implementation. technology was first released in 1999 by Toshiba [13], as a new type of pure agent development framework for the advanced network society. Its communication framework is based on the multi-agents model. The Bee-gent framework is comprised of two types of agents: agent wrappers and mediation agents. Agent Wrappers are used to agentify existing applications. The agent wrappers manage the states of the applications, which are wrapped around, and invoke the applications when necessary. Mediation Agents support inter-application co-ordination by handling all communications among applications. The mediation agents move from the site of an application to another where they interact with the remote agent wrappers. For The, we deployed SNORT[14] in each to monitor the system and the network intrusions. We configured snort to save alerts in its mysql database to deal with analyzed phase by. We choose iptables as a firewall in a linux machine to manage the repairing of vulnerability and the application of new security rules. To implement our architecture, we ve chosen the ware vsphere Hypervisor 5 composed of an ESXi and vsphereclient. The choice of Ware ESXI was made based on foling reasons : - Freeware version - Solution qualified by the internet community as stable and portable - Fully managed through vsphere. - Supports hot migration. The figure 5 shows all the framework components to detect and avoid distributed intrusions in the cloud area.

5 () Snort (DB) () () () Snort (DB) Firewall (iptables) (AS) Cloud Manager () (RMA) () (RMA) () Snort (DB) 6. Framework Evaluation In this section, our mobile agent framework performance will be challenged while we are comparing it with the performance of client/server s approach. Our aim is to verify our features and effectiveness. The with Mobile Agent approach claims the less network load compared to the client/server approach, by shipping code to data instead of shipping data to code. In figure 6, we compare the network load (number of request exchanged in the network) for the client-server approach and the mobile agent approach according to the number of machines. So the mobile agent () is dispatched from the cloud manager (PbCM or PvCM) to each in the cloud to detect distributed intrusion and return back results. The number of request in this case is: RequestNumber = Number + 1 But when we use the client/server approach, the cloud manager should query each to receive response so: RequestNumber = Number *2 () () Snort (DB) () Figure 5. Framework components in hybrid cloud Consequently, the mobile agent concept becomes relatively interesting especially when the count of s increases. the mobile agent approach offers two important agent features: - When the mobile agent migrates to a broken, it moves to an another to continue its work. So due to this property, we avoid the single. - The mobile agent intercommunication should be authenticated and encrypted. This property avoid any attempted attack aiming to intercept agent communication. Using mobile agents als to fix vulnerabilities either in the or in the firewall by adding new security rules. Number of request Conclusion Figure 6. Evaluation of mobile agent versus client/server in Framework Cloud computing takes the essence of both Mobile agents and virtualization in a way to combine their key benefits. The s are the ideal platforms for agents to execute safely, based on the fact that virtual machine can be used to provide secure, isolated sand boxes for the Mobile Agents. In our framework, Clouds and Virtualization can benefit from approach which mobile agents makes it scalable, flexible and cost effective. In our future work, we will test this framework for detecting DDOS attacks in the cloud environment. 8. References Number of Client/Server Mobile Agent [1] A. khaldi, k. Karoui, N. Tanbène. H. Ben ghezala, Secure cloud architecture design, nd IEEE International Conference on Mobile Cloud Computing, Services, and Engineering, 2014 April, Oxford..

6 [2] J.Balasubramainyan, J.O. Garcia-Fernandez, D.Isacoff, E.H. Spafford, D.Zamboni, An architecture of intrusion detection using autonomous Agents, Department of Computer Science, Purdue University coast TR 98-05, [13], Online: (January 2014) [14] Snort, Online: ( December 2013). [3] Wayne Jansen, Peter Mell, Tom Karygiannis, Don Marks, Applying Mobile Agents to Intrusion Detection and Response, NIST Interim Report (IR) 6416 October [4] M.Asaka, S.Okazawa, A.Taguchi, and S.Goto, "A Method of Tracing Intruders by Use of Mobile Agents," INET'99, June [5] Michael Conner, Chirag Patel, Mike Little, Genetic Algorithm/Artificial Life Evolution of Security Vulnerability Agents, Army Research Laboratory Federal Laboratory 3rd Annual Symposium on Advanced Telecommunications & Information Distribution Research Program (ATIRP), February [6] Barrett, Michael, W. Booth, M. Conner, D. Dumas, M. Gaughan, S, Jacobs, M. Little, Intelligent Agents System Requirements and Architecture, Report to ATIRP, p. 5, October [7] P. C. Chan and Victor K. Wei, Preemptive Distributed Intrusion Detection using Mobile Agents, Department of Information. [8] Pradeep Kannadiga and Mohammad Zulkernine, A Distributed Intrusion Detection System Using Mobile Agents, School of Computing Queen s University, Kingston Ontario, Canada K7L 3N, DIDMA:, 2005 IEEE. [9] G. Helmer et al., Lightweight, Agents for intrusion detection, The Journal of Systems and Software 67 (2003) [10] Geetha Ramachandran and Delbert Hart, A P2P Intrusion Detection System based on Mobile Agents, 2004 ACM /04/04. [11] Dastjerdi, Amir Vahid, Kamalrulnizam Abu Bakar, and Sayed Gholam Hassan Tabatabaei. Distributed intrusion detection in clouds using mobile agents. Advanced Engineering Computing and Applications in Sciences, ADVCOMP'09. Third International Conference on. IEEE, [12] Mell, P. &Grance, T., 2011, The NIST Definition of Cloud Computing, NIST Special Publication (Draft). Retrieved )