Comparative Study of Intrusion Detection Systems in Cloud Computing

Transcription

1 Comparative Study of Intrusion Detection Systems in Cloud Computing Naresh Kumar a, Shalini Sharma b, * a Computer Engineering department, U.I.E.T, Kurukshetra University Kurukshetra, India b Computer Engineering department, U.I.E.T, Kurukshetra University, Kurukshetra India Abstract Cloud Computing have the capability to avoid wastage of resources, reduction of cost, flexibility, ease of service and mobility. This has resulted in the widespread prevalence of this service. Cloud Environment is distributed in nature. Thus, they are easy targets of the intruders. Intrusion Detection System is an appropriate system for detection and prevention of intrusions. There are various IDS available for cloud depending upon the nature of attack. This paper focuses on the comparative study of type of IDS in Cloud. Keywords: Cloud Computing, Intrusion Detection System, HIDS, NIDS, DIDS. 1. Introduction Information & technology has made drastic shift toward Cloud Computing in past few years. The framework and design of Cloud provides lots of advantages in terms of high availability, ease of use, low cost and Quality of Service. According to National Institute of standards and Technology Cloud Computing is defined as: Cloud Computing is a model which allows user accessibility to a convenient, spontaneous network access to a shared stack of configurable computing resources (e.g., networks, storages, servers, services and application) that can be provisioned frequently and released with minimal management effort or service provider interaction. This cloud model endorses availability and is comprised of four deployment models, three service models, and five essential characteristics, [1]. The IT sector has revolutionized with the phenomenal success of Cloud Computing. However there are some security issues associated with cloud. International Data Corporation (IDC) [2] carried out two surveys in the year 2008 and 2009 and placed security as the topmost issue in the path of success of Cloud. According to Cloud Security Alliance (CSA) [3] too top threats to cloud are: (a) Abuse and nefarious use of cloud computing, (b) Insecure Interfaces and APIs, (c) Malicious Insiders, (d) Shared technology issues, (e) leakage or loss of data, (f) Account or Service hijacking, (g) Unknown risk profiles. Thus, a defense measure is required to protect Cloud from such attacks. Intrusion Detection System is one of the most reliable mechanisms for Security of cloud. 2. Security Issues in Cloud Cloud Computing has emerged as the most important part of the IT sector. But the latest concern of the Cloud is security. The need of security is at various levels of Cloud.i.e. Network level, host level and application level. The various security issues associated with various levels of Cloud are given as follows. The classification is based on discussion in [4] for Amazon EC2 and as given in [5] 2.1. Basic Security The prevalence of latest technologies like Web 2.0 has resulted in giving more importance to Security. The attacks observed over web are: SQL Injection Attacks Cross Site Scripting Attacks Man in the Middle Attack * Corresponding author. Tel: , s: naresh_duhan@rediffmail.com, shalini7151@gmail.com 740

2 2.2. Network level Security There are different types of networks in cloud like public, private, hybrid. Each type of network has some threats. The possible network level Security threats are: DNS Attacks Sniffer Attacks Issue of Reused IP Addresses BGP Prefix IP Address 2.3 Application level Security The security of hardware and software resources is included in the Application level Security. The main purpose of this Application level Security is to protect application from any kind of hazards. Security related issues at Application level are: Denial of Service Attack Cookie Poisoning Backdoor Attacks Distributed Denial of Service Attacks CAPTCHA Breaking 3. Cloud Computing & its Security Requirements As there are issues regarding security of the cloud there are its countermeasures too. The potential solutions to the issues related to cloud can be [6]: Application Programming Interfaces of the Cloud (API) must be standardized Keeping low overhead over communication and computation Encryption of data and shredding the key Provision of backup service to the user by Cloud Service providers Time to time updation and patching of operating system and other Cloud related services To perform integrity checks over the instance of service being used To clean up cookies from time to time Use of Intrusion Detection Systems. 4. Intrusion Detection System Intrusion Detection System is one of the efficient solution to issues hindering the successful running of cloud. An Intrusion Detection System monitors the network and system for any malicious activity and report to the administrator to take an appropriate action against it [5]. Some IDS automatically take action against the malicious activity by blocking it on its own and some take action as instructed by the user. The components of Intrusion Detection System are [7]: 4.1 Network Sensors Sensors are like an eye on IDS. It monitors and analyzes an activity over network. It can be placed on any side of network. 4.2 Alert Systems It is a system which creates an alert on detection of an unwanted activity. A circumstance that enables the alert system to send messages is called a trigger. 4.3 Command Console Response System It provides the graphical interface to the IDS. 4.4 Database for Attack Signatures and behaviour IDS do not have the capability to make decisions on their own regarding attack. It can identify the attack from the source of information which is Database. 5. Requirements of an Intrusion Detection System An IDS must meet certain requirements to fulfil the security of the cloud or any network. These requirements are discussed as follows [6]: 5.1. Identification and Authentication This approach involves verification and validation of the users to protect their profiles. This is achieved by using a username and password Authorization This concept is used to provide privileges to the designated users. It maintains referential integrity Confidentiality The confidential data must be kept secure from the unauthorized access by the Cloud Service Provider. Confidentiality is defined as the assurance that sensitive information is not disclosed to unauthorized persons, processes, or devices [8] Integrity Integrity is consistency and accuracy of data stored in the cloud. The data remains even after any modification or alteration Non-Repudiation Non-Repudiation can be attained in Cloud through various traditional technologies like token passing, 741

3 confirmation receipts services, timestamps, and digital signature Availability In rate limiting mechanism a threshold value is set for the packets entering the network. If the numbers of packets entering the network exceeds this threshold value then it is considered as an attack Intrusion Detection System By using intrusion detection systems at host and network level can prevent any kind of intrusion in the network. 6. Classification of IDS 6.3 Distributed IDS (DIDS) Distributed IDS [11] integrates both types of sensors. DIDS consists of large number of IDS scattered over the large network. These IDS are arranged in the network in such a way that they can communicate with each or are connected to the central server. Thus, it provides an advanced level of monitoring, analysis of incident and prompt attack data. A DIDS consists of three components: DIDS Director, LAN monitor and series of Host monitors [12]. The DIDS Director analyzes the data which it receives from LAN monitor and Host monitors. The analyzed data is reported to the main controller. The LAN monitors LAN and reports suspicious activities the DIDS Director. Similarly, the Host LAN monitors the host machine and reports suspicious activity or any kind of intrusion to DIDS Director. Facts [12] There are many different types of Intrusion Detection Systems to prevent attacks. An Intrusion Detection System can be classified as: Host-based Intrusion Detection System (HIDS), Network based Intrusion Detection System (NIDS), Distributed Intrusion Detection System (DIDS). The process of implementing DIDS is lengthy. It is very difficult to maintain liaison between large number monitors. The process of DIDS is hierarchal. 6.1 Host based IDS (HIDS) Host based Intrusion Detection Systems [9] have sensors which focuses only on single host for the detection of the intrusion. A HIDS monitors the incoming and outgoing packets from the host and alerts the user or administrator of suspicious activity if detected any. Facts The operation of this IDS depends on the information collected from the log. It is dependent on Operating system of the machine It can operate even in encrypted environment. 6.2 Network based IDS (NIDS) Network based IDS [10] have sensors which detect the intrusions over the network. NIDS are placed at a strategic point or points within the network to monitor incoming and outgoing traffic of all devices on the network. Facts NIDS is a dedicated hardware or software over network analyzing network traffic The operation depends on the information collected through various sensors. It consists of single purpose sensors. NIDS have a very less impact over the performance of network. It does not have any kind of dependency on Operating System. 7. Related Work There are many different Intrusion Detection Systems that have been suggested time to time. Some of these IDS are discussed as follows: Sebastian Roschke et.al [13] in 2009 proposed an extensible IDS Management architecture in the Cloud. It was proposed to deploy an IDS at each layer of the cloud, so that it could gather all the alerts from all the sensors within the cloud. There were network sensors and host sensors for each layer separately. Then, an IDS Management System was proposed. It consists of: two components: IDS Sensors and IDS Management Unit.IDS Sensors detects and reports suspicious behaviour and thus alerts are generated. These alerts are handled by Event Handler. The alerts generated are stored in the Event Database Storage. The Analysis component represents the gathered events and also analyzes those events. IDS Remote Controller configures and controls the sensors connected to it. The IDS machines can be started, stopped and can also be recovered by the IDS Management System. The limitations of this architecture include: standardization of output from various sensors, inflexibility in the communication between different sensors and management components, and complexity of the architecture LIN Ying et.al [14] in 2010 suggested a Host Based Intrusion Detection System. The detection methods used in it are pattern matching and Back Propagation (BP) Neural Network. The source of information from where required data is extracted is Log File. In Log File Analysis the steps followed are: collection of log file, Pre-decoding of log file, Decoding of log file, Analysis of Log file and Report Events. The technique used to train the Neural Network Set is Back Propagation algorithm. The final results said that 742

4 the efficiency and accuracy to detect intrusion can be improved by use of HIDS. R. Vanathi et.al [15] in 2012 compared three NIDS: SNORT; TCPDUMP; Network Flight Decoder in cloud environment. SNORT is a lightweight IDS. It has low cost thus having good commercial demand. SNORT uses NIDS mode which is very complex and have manageable configuration. This enables SNORT to analyse network traffic efficiently. The Network Flight Recorder (NFR) makes use of power scripts N-CODE to analyse and then record the network data. It is rated best by the third party. It does not interfere in the network activities. TCPDUMP is another IDS. It captures network packets by use of local interface in promiscuous mode [11]. It can extract particular kind of traffic over network on the basis of header information. It is a well known tool for network debugging. It operates in Sniffer mode. From the comparison between the IDS author finds that SNORT is best NIDS from technical, monetary and administrative point of view. Amir Vahid et.al [16] in 2010 proposed a robust and distributed Intrusion Detection System to detect intrusions in cloud environment. Every subnet of Virtual Machines of model named as Distributed Intrusion Detections using mobile agents (DIDMA) consisted of: IDS Control Centre, Agency, Application Specific Static Agent Detectors, and Specialized Investigative Mobile Agents. The Application Specific Static Agent Detectors are like monitor to Virtual Machine as it detects the events of intrusions detection. The events of intrusion are forwarded to IDS Control Centre. Specialized Investigate Mobile Agent collects evidences of attack. The evidences are collected from VM for auditing and analysis purpose. A Neighbourhood Approach is also used to share the information regarding intrusion over there cloud environment so that preventive measures could be taken. This DIDS results in lowering the network load. The limitation here is that IDS Control Centre cannot add more than six VMs. 8. Comparison of Intrusion Detection Systems The different types of IDS can be used in different ways and for different purposes. Different kinds of IDS have its own positives and negatives. They can be compared on the basis of certain parameters. The parameters taken here are: Analysis, Protection, Versatility, Affordability, Ease of Implementation, Training, and Bandwidth requirement. Analysis refers to the analytic technique used for analyzing attack. Protection describes the circumstances under which the IDS would work or not. Versatility here means ability to work in different situations. Ease of Implementation refers to the level of ease or difficulty with which implementation of IDS can be made. Training is the process of learning skills required to make IDS capable for detection of attacks. Bandwidth requirement describes the amount of bandwidth consumed by IDS in its implementation. The comparative study of different types of Intrusion Detection Systems is given below in the table. The analysis is done on the basis of [17], [18], [19] and [20]. 9. Proposed Idea Cloud Computing provides Infrastructure, hardware, software, and many other resources as a Service. Cloud Computing is based on Virtualization [21]. A cloud may consist of any number of host machines depending upon the requirement of the user. From the comparative study of three kind of IDS i.e. HIDS, NIDS and DIDS it is clear that HIDS can be installed over single host machine for protection from intruders. But when the volume of traffic and the number of host machines within the cloud increases the performance of HIDS lowers. In such a condition NIDS can be implemented within the cloud to save it from the any kind of suspicious activity. Now, the NIDS can keep take care of the network traffic but it cannot give attention to single host as in that case the single host machines become easy victims of intruders. Thus, the proposed idea is to use DIDS in the cloud which is combination of HIDS and NIDS. The DIDS consists of number of sensors installed all over the host machines as well over the crucial points of the network. All sensors are connected to the Central Server. There are some DIDS where sensors can also communicate with each other. The DIDs basically consists of three components: [16] 9.1. DIDS Director The DIDS Director receives the data from Host Monitors and LAN Monitors This data is then analyzed by it for attacks and report is created for the main collector of reports and events LAN Monitor The LAN monitor monitors the network traffic and the suspicious activities are reported to DIDS Director Host Machines It monitors the single host machine. The received data is analyzed and report is given to DIDS Director. 743

5 Table 1-Comparison between HIDS, NIDS and DIDS Types Of IDS HIDS NIDS DIDS Parameters Analysis Analyzes logs & alerts host machine only Analyzes a network traffic directly Interactive querying of data for analysis using aggregation Protection Protects even when turned off Do not protect when turned off Provides complete protection Versatility Highly Versatile Comparatively less Versatile Least Versatile Affordability Low Cost Average Cost High Cost Ease of Implementation Easy Easy Difficult Training Requires minimum training Requires certain training Requires intense training Bandwidth Requirement No requirement of bandwidth Utilizes LAN bandwidth NIDS components utilizes bandwidth Pros High success rate Real time detection of attacks No requirement of additional hardware Cons Works for single system only Network level threats are not resolved Real time detection Detects attacks remain undetected by HIDS High ownership cost Cannot detect encrypted attacks Works over extensively large network Can be implemented over any type of network Very High Cost Complex implementation 10. Conclusion The Cloud is emerging as the latest trend in the IT world. But there are many issues associated with it too. Security is the most alarming issue of the cloud these days. Various Solutions have been suggested to cope up with these security issues and Intrusion Detection System is one such solution. Intrusion Detection system is a system which monitors the network or single host for any malicious activity and alerts the administrator or the database controller to take necessary action. These IDS can be categorized as HIDS, NIDS, and DIDS. The comparative analysis shows that each type of system have its applicability in different situation. Thus, we can choose an IDS depending upon our need and keeping these parameters in mind. Reference [1] National Institute of Standards and Technology- Computer Security Division- [2] (accessed in Feb 2013) [3] Top Threats to Cloud Computing, Cloud Security Alliance, http;// alliance.org/csaguide.pdf,v1.0(2010) [4] Amazon Web Services: Overview of Security Processes, Whitepaper, March pp aper.pdfscience, [5] Rohit Bhadauria, Sugata Sanyal, Survey on Security Issues in Cloud Computing and Associated Mitigation Techniques. In International Journal of Computer Applications 47(18): pp 47-66, June [6] Pengfei You, Yuxing Peng, Weidong Liu, Shoufu Xue, Security Issues and Solutions in Cloud Computing, In 32 nd International Conference on Distributed Computing Systems Workshops, pp , IEEE, 2012 [7] Vera Marinova- Boncheva, A Short Survey of Intrusion Detection Systems White paper, PROBLEMS OF ENGINEERING CYBERNETICS AND ROBOTICS, 58, BULGARIAN ACADEMY OF SCIENCES, Sofia, 2007 [8] (accessed in April 2013) [9] Yassin, M.M.; Awan, A.A., A Host Based IDS Using System Calls. In Networking and Communication Conference,pp , IEEE, 2004 [10] Dong Seong Kim, Jong Sou Park, Network Based IDS Using System with Support Vector Machines In International Conference, ICOIN 2003, Cheju Island, Korea,pp , Feburary 12-13, [11] Eung Jun Cho, Chong Seon Hong, Deokjic Choi, Distributed IDS for Effiecnt Resource Management in wireless Sensor Networks, In 13 th Asia Pacific Conference on Network Operations and Management Symposium (APNOMS), pp. 1-5, IEEE, 2011 [12]Amirreza Zarrabi, Alireza Zarrabi, Internet Intrusion Detection System Service in a Cloud, In International Journal of Computer Science Issues, Vol 9, Issue 5, No. 2, September 2012 [13] Martuza Ahmed, Rima Pal, Md. Mojammel Hossain, Md. Abu Naser Bikas, Md. Khalad Hasan, A Comparative Study on Currently existing intrusion detection System, In International Association of 744

6 Computer Science and Information Technolgy- Spring Conference, pp , IEEE, 2009 [14] Sebastian Roshke, Feng Cheng, Christoph Meinel, Intrusion Detection in the Cloud. In Eighth IEEE International Conference on Dependable, Autonomic and Secure Computing, pp , IEEE, October 2009 [15] LIN Ying, ZHANG You, OU Yang Jia, The Design and Implementation of Host-based Intrusion Detection System, In Third International Symposium on Intelligent Information Technology and Security, pp , IEEE, 2010 [16] R. Vanathi, S. Gunasekarn, Comparison of Network Intruson Detection Systems in Cloud Computing Environment, In International Conference on Computer Communication and Informatics (ICCCI-2012), Jan 10-12, Coimbatore, India [17] Amir Vahid Datjerdi, Kamalrulnizam Abu Bakar, Sayed Gholam Hassan Tabatabaei, Distributed Intrusion Detection in Clouds Using Mobile Agents, In Third International Conference on Advanced Engineering Computing and Application in Sciences, pp , IEEE, 2009 [18] (accessed in April 2013) [19] [20] (accessed in april 2013) [21] n (accessed in Feb 2013) 745