Network Intrusion Detection in Virtual Network Systems Using NICE-A

Transcription

1 Network Intrusion Detection in Virtual Network Systems Using NICE-A V.Narmada Assistant Professor, Department of Computer Science, Malla Reddy Engineering College for Women, Maisammaguda, Hyderabad. G.Prabhakar Assistant Professor, Department of Computer Science, Malla Reddy Engineering College for Women, Maisammaguda, Hyderabad. Abstract:-Cloud security is one of most important issues that have attracted a lot of research and development effort in past few years. Particularly, attackers can explore vulnerabilities of a cloud system and compromise virtual machines to deploy further large-scale Distributed Denial-of-Service (DDoS). DDoS attacks usually involve early stage actions such as multi-step exploitation, low frequency vulnerability scanning, and compromising identified vulnerable virtual machines as zombies, and finally DDoS attacks through the compromised zombies. Within the cloud system, especially the Infrastructure-as-a-Service (IaaS) clouds, the detection of zombie exploration attacks is extremely difficult. This is because cloud users may install vulnerable applications on their virtual machines. To prevent vulnerable virtual machines from being compromised in the cloud, we propose a multi-phase distributed vulnerability detection, measurement, and countermeasure selection mechanism called NICE, which is built on attack graph based analytical models and reconfigurable virtual network-based countermeasures. The proposed framework leverages Open Flow network programming APIs to build a monitor and control plane over distributed programmable virtual switches in order to significantly improve attack detection and mitigate attack consequences. The system and security evaluations demonstrate the efficiency and effectiveness of the proposed solution. Keywords: -Network Security, Cloud Computing, Intrusion Detection, Attack Graph, Zombie Detection. INTRODUCTION In computer security, a Network Intrusion Detection System (NIDS) is an intrusion detection system that attempts to discover unauthorized access to a computer network by analyzing traffic on the network for signs of malicious activity. A recent CSA (Cloud Survey Alliance) survey reports that among all security issues exploitation and despicable use of cloud computing is considered as the main security threat. In traditional data centers, where system administrators have full control over the host machines, vulnerabilities can be detected and patched by the system administrator in a centralized manner. However, patching known security holes in cloud data centers, where cloud users usually have the privilege to control software installed on their managed VMs, may not work effectively and can violate the Service Level Agreement (SLA). Furthermore, cloud users can install vulnerable software on their VMs, which essentially contributes to loopholes in cloud security. The challenge is to establish an effective vulnerability/attack detection and response system for accurately identifying attacks and minimizing the impact of security breach to cloud users. In a cloud system where the infrastructure is shared by potentially millions of users, abuse and nefarious use of the shared infrastructure benefits attackers to exploit vulnerabilities of the cloud and use its resource to deploy attacks in more efficient ways. Such attacks are more effective in the cloud environment since cloud users usually share computing resources, e.g., being connected through the same switch, sharing with the same data storage and file systems, even with potential attackers. The similar setup for VMs in the cloud, e.g., virtualization techniques, VM OS, installed vulnerable software, networking, etc., attracts attackers to compromise multiple VMs. In this article, we propose NICE (Network Intrusion detection and Countermeasures Election in virtual network systems) to establish a defense-in-depth intrusion detection framework. For better attack detection, NICE incorporates attack graph analytical procedures into the intrusion detection processes. We must note that the design of NICE does not intend to improve any of the existing intrusion detection algorithms; indeed, NICE employs a reconfigurable virtual networking approach to detect and counter the attempts to compromise VMs, thus preventing zombie VMs. OBJECTIVE The main aim of this project is to prevent the vulnerable virtual machines from being compromised in the cloud server using multi-phase distributed vulnerability detection, measurement, and countermeasure selection mechanism called NICE. EXISTING SYSTEM Cloud users can install vulnerable software on their VMs, which essentially contributes to loopholes in cloud security. The challenge is to establish an effective vulnerability/attack detection and response system for accurately identifying 6

2 attacks and minimizing the impact of security breach to cloud users. In a cloud system where the infrastructure is shared by potentially millions of users, abuse and nefarious use of the shared infrastructure benefits attackers to exploit vulnerabilities of the cloud and use its resource to deploy attacks in more efficient ways. Such attacks are more effective in the cloud environment since cloud users usually share computing resources, e.g., being connected through the same switch, sharing with the same data storage and file systems, even with potential attackers. The similar setup for VMs in the cloud, e.g., virtualization techniques, VM OS, installed vulnerable software, networking, etc., attracts attackers to compromise multiple VMs. Disadvantages Of Existing System: 1. No detection and prevention framework in a virtual networking environment. 2. Not accuracy in the attack detection from attackers. Literature Survey 1) BotSniffer: detecting botnet command and control channels in network traffic AUTHORS: G. Gu, J. Zhang, and W. Lee Botnets are now recognized as one of the most serious security threats. In contrast to previous malware, botnets have the characteristic of a command and control (C&C) channel. Botnets also often use existing common protocols, e.g., IRC, HTTP, and in protocol-conforming manners. This makes the detection of botnet C&C a challenging problem. In this paper, we propose an approach that uses network-based anomaly detection to identify botnet C&C channels in a local area network without any prior knowl- edge of signatures or C&C server addresses. This detection approach can identify both the C&C servers and infected hosts in the network. Our approach is based on the observa- tion that, because of the pre-programmed activities related to C&C, bots within the same botnet will likely demonstrate spatial-temporal correlation and similarity. For example, they engage in coordinated communication, propagation, and attack and fraudulent activities. Our prototype system, BotSniffer, can capture this spatial-temporal correlation in network traffic and utilize statistical algorithms to detect botnets with theoretical bounds on the false positive and false negative rates. We evaluated Bot Sniffer using many real-world network traces. The results show that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate 2) Automated generation and analysis of attack graphs AUTHORS: O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M. Wing An integral part of modeling the global view of network security is constructing attack graphs. Manual attack graph construction is tedious, errorprone, and impractical for attack graphs larger than a hundred nodes. In this paper we present an automated technique for generating and analyzing attack graphs. We base our technique on symbolic model checking algorithms, letting us construct attack graphs automatically and efficiently. We also describe two analyses to help decide which attacks would be most cost-effective to guard against. We implemented our technique in a tool suite and tested it on a small network example, which includes models of a firewall and an intrusion detection system. 3) A hybrid model for correlating alerts of known and unknown attack scenarios and updating attack graphs AUTHORS: S. H. Ahmadinejad, S. Jalili, and M. Abadi Managing and analyzing a huge number of low-level alerts is very difficult and exhausting for network administrators. Alert correlation methods have been proposed to decrease the number of alerts and make them more intelligible. Proposed methods for alert correlation are different in terms of their performance, accuracy and adaptivity. We present a new hybrid model not only to correlate alerts as accurately and efficiently as possible but also to be able to boost the model in the course of time. The model presented in this paper consists of two parts: (1) an attack graph-based method to correlate alerts raised for known attacks and hypothesize missed alerts and (2) a similarity-based method to correlate alerts raised for unknown attacks which can not be correlated using the first part and also to update the attack graph. These two parts cooperate with each other such that if the first part could not correlate a new alert, the second part is applied. We propose two different methods for these two parts. In order to update the attack graph, we present a technique (using the similarity-based method in the second part of the model) which is actually the most salient feature of our model: capability of hypothesizing missed exploits and discovering defects in pre and post conditions of known exploits in attack graphs. We also propose an additional method named alerts bisimulation for compressing graphs of correlated alerts. 4) MulVAL: a logicbased network security analyzer AUTHORS: X. Ou, S. Govindavajhala, and A. W. Appel To determine the security impact software vulnerabilities have on a particular network, one must consider interactions among multiple network elements. For a vulnerability analysis tool to be useful in practice, two features are crucial. First, the 7

3 model used in the analysis must be able to automatically integrate formal vulnerability specifications from the bug-reporting community. Second, the analysis must be able to scale to networks with thousands of machines. We show how to achieve these two goals by presenting MulVAL, an end-to-end framework and reasoning system that conducts multihost, multistage vulnerability analysis on a network. MulVAL adopts Datalog as the modeling language for the elements in the analysis (bug specification, configuration description, reasoning rules, operating-system permission and privilege model, etc.). We easily leverage existing vulnerability-database and scanning tools by expressing their output in Datalog and feeding it to our MulVAL reasoning engine. Once the information is collected, the analysis can be performed in seconds for networks with thousands of machines. 5) Alert correlation survey: framework and techniques AUTHORS: R. Sadoddin and A. Ghorbani Managing raw alerts generated by various sensors are becoming of more significance to intrusion detection systems as more sensors with different capabilities are distributed spatially in the network. Alert Correlation addresses this issue by reducing, fusing and correlating raw alerts to provide a condensed, yet more meaningful view of the network from the intrusion standpoint. Techniques from a divers range of disciplines have been used by researchers for different aspects of correlation. This paper provides a survey of the state of the art in alert correlation techniques. Our main contribution is a two-fold classification of literature based on correlation framework and applied techniques. The previous works in each category have been described alongside with their strengths and weaknesses from our viewpoint. In recent studies have shown that users migrating to the cloud consider security as the most important factor. A recent Cloud Security Alliance (CSA) survey shows that among all security issues, abuse and nefarious use of cloud computing is considered as the top security threat, in which attackers can exploit vulnerabilities in clouds and utilize cloud system resources to deploy attacks. In traditional data centers, where system administrators have full control over the host machines, vulnerabilities can be detected and patched by the system administrator in a centralized manner. However, patching known security holes in cloud data centers, where cloud users usually have the privilege to control software installed on their managed VMs, may not work effectively and can violate the Service Level Agreement (SLA). Furthermore, cloud users can install vulnerable software on their VMs, which essentially contributes to loopholes in cloud security. The challenge is to establish an effective vulnerability/attack detection and response system for accurately identifying attacks and minimizing the impact of security breach to cloud users. In a cloud system where the infra-structure is shared by potentially millions of users, abuse and nefarious use of the shared infrastructure benefits attackers to exploit vulnerabilities of the cloud and use its resource to deploy attacks in more efficient ways. Such attacks are more effective in the cloud environment since cloud users usually share computing resources, e.g., being connected through the same switch, sharing with the same data storage and file systems, even with potential attackers. PROPOSED SYSTEM In this article, we propose NICE (Network Intrusion detection and Countermeasure selection in virtual network systems) to establish a defense-indepth intrusion detection framework. For better attack detection, NICE incorporates attack graph analytical procedures into the intrusion detection processes. We must note that the design of NICE does not intend to improve any of the existing intrusion detection algorithms; indeed, NICE employs a reconfigurable virtual networking approach to detect and counter the attempts to compromise VMs, thus preventing zombie VMs. Advantages Of Proposed System:- The contributions of NICE are presented as follows: We devise NICE, a new multi-phase distributed network intrusion detection and prevention framework in a virtual networking environment that captures and inspects suspicious cloud traffic without interrupting users applications and cloud services. NICE incorporates a software switching solution to quarantine and inspect suspicious VMs for further investigation and protection. Through programmable network approaches, NICE can improve the attack detection probability and improve the resiliency to VM exploitation attack without interrupting existing normal cloud services. NICE employs a novel attack graph approach for attack detection and prevention by correlating attack behavior and also suggests effective countermeasures. NICE optimizes the implementation on cloud servers to minimize resource consumption. Our study shows that NICE consumes less computational overhead compared to proxy-based network intrusion detection solutions. 8

4 SYSTEM ARCHITECTURE: phases: information gathering, attack graph construction, and potential exploit path analysis. With this information, attack paths can be modeled using SAG. The Attack Analyzer also handles alert correlation and analysis operations. MODULES DESCRIPTION Nice-A: The NICE-A is a Network-based Intrusion Detection System (NIDS) agent installed in each cloud server. It scans the traffic going through the bridges that control all the traffic among VMs and in/out from the physical cloud servers. It will sniff a mirroring port on each virtual bridge in the Open vswitch. Each bridge forms an isolated subnet in the virtual network and connects to all related VMs. The traffic generated from the VMs on the mirrored software bridge will be mirrored to a specific port on a specific bridge using SPAN, RSPAN, or ERSPAN methods. It s more efficient to scan the traffic in cloud server since all traffic in the cloud server needs go through it; however our design is independent to the installed VM. The false alarm rate could be reduced through our architecture design. VM Profiling: Virtual machines in the cloud can be profiled to get precise information about their state, services running, open ports, etc. One major factor that counts towards a VM profile is its connectivity with other VMs. Also required is the knowledge of services running on a VM so as to verify the authenticity of alerts pertaining to that VM. An attacker can use port scanning program to perform an intense examination of the network to look for open ports on any VM. So information about any open ports on a VM and the history of opened ports plays a significant role in determining how vulnerable the VM is. All these factors combined will form the VM profile. VM profiles are maintained in a database and contain comprehensive information about vulnerabilities, alert and traffic. Attack Analyzer: The major functions of NICE system are performed by attack analyzer, which includes procedures such as attack graph construction and update, alert correlation and countermeasure selection. The process of constructing and utilizing the Scenario Attack Graph (SAG) consists of three This component has two major functions: (1) constructs Alert Correlation Graph (ACG), (2) provides threat information and appropriate countermeasures to network controller for virtual network reconfiguration. NICE attack graph is constructed based on the following information: Cloud system information, Virtual network topology and configuration information, Vulnerability information. Network Controller: The network controller is a key component to support the programmable networking capability to realize the virtual network reconfiguration. In NICE, we integrated the control functions for both OVS and OFS into the network controller that allows the cloud system to set security/filtering rules in an integrated and comprehensive manner. The network controller is responsible for collecting network information of current Open Flow network and provides input to the attack analyzer to construct attack graphs. In NICE, the network control also consults with the attack analyzer for the flow access control by setting up the filtering rules on the corresponding OVS and OFS. Network controller is also responsible for applying the countermeasure from attack analyzer. Based on VM Security Index and severity of an alert, countermeasures are selected by NICE and executed by the network controller. CONCLUSION In this paper, we presented NICE, which is proposed to detect and mitigate collaborative attacks in the cloud virtual networking environment. NICE utilizes the attack graph model to conduct attack detection and prediction. The proposed solution investigates how to use the programmability of software switches based solutions to improve the detection accuracy and defeat victim exploitation phases of collaborative attacks. The system performance evaluation demonstrates the feasibility of NICE and shows that 9

5 the proposed solution can significantly reduce the risk of the cloud system from being exploited and abused by internal and external attackers. NICE only investigates the network IDS approach to counter zombie explorative attacks. In order to improve the detection accuracy, host-based IDS solutions are needed to be incorporated and to cover the whole spectrum of IDS in the cloud system. This should be investigated in the future work. Additionally, as indicated in the paper, we will investigate the scalability of the proposed NICE solution by investigating the decentralized network control and attack analysis model based on current study. FUTURE WORK Furthermore, cloud users can install vulnerable software on their VMs, which essentially contributes to loopholes in cloud security. The challenge is to establish an effective vulnerability/attack detection and response system for accurately identifying attacks and minimizing the impact of security breach to cloud users. In, M. Armbrust et al. addressed that protecting Business continuity and services availability from service outages is one of the top concerns in cloud computing systems [2]. In a cloud system where the infrastructure is shared by potentially millions of users, abuse and nefarious use of the shared infrastructure benefits attackers to exploit vulnerabilities of the cloud and use its resource to deploy attacks in more efficient ways. Such attacks are more effective in the cloud environment since cloud users usually share computing resources, e.g., being connected through the same switch, sharing with the same data storage and file systems, even with potential attackers. The similar setup for VMs in the cloud, e.g., virtualization techniques, VM OS, installed vulnerable software, networking, etc., attracts attackers to compromise multiple VMs. REFERENCES [1] Coud Sercurity Alliance, Top threats to cloud computing v1.0, v1.0.pdf, March [2] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, and M. Zaharia A view of cloud computing, ACM Commun., vol. 53, no. 4, pp , Apr [3] B. Joshi, A. Vijayan, and B. Joshi, Securing cloud computing environment against DDoS attacks, IEEE Int l Conf. Computer Communication and Informatics (ICCCI 12), Jan [4] H. Takabi, J. B. Joshi, and G. Ahn, Security and privacy challenges in cloud computing environments, IEEE Security & Privacy, vol. 8, no. 6, pp , Dec [5] Open vswitch project, May [6] Z. Duan, P. Chen, F. Sanchez, Y. Dong, M. Stephenson, and J. Barker, Detecting spam zombies by monitoring outgoing messages, IEEE Trans. Dependable and Secure Computing, vol. 9, no. 2, pp , Apr IEEE TRANSACTIONS ON DEPEDABLE AND SECURE COMPUTING [7] G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee, BotHunter: detecting malware infection through IDS-driven dialog correlation, Proc. of 16th USENIX Security Symp. (SS 07), pp. 12:1 12:16, Aug [8] G. Gu, J. Zhang, and W. Lee, BotSniffer: detecting botnet command and control channels in network traffic, Proc. of 15th Ann. Network and Distributed Sytem Security Symp. (NDSS 08), Feb [9] O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M. Wing, Automated generation and analysis of attack graphs, Proc. IEEE Symp. on Security and Privacy, 2002, pp [10] NuSMV: A new symbolic model checker, / nusmv. Aug [11] S. H. Ahmadinejad, S. Jalili, and M. Abadi, A hybrid model for correlating alerts of known and unknown attack scenarios and updating attack graphs, Computer Networks, vol. 55, no. 9, pp , Jun [12] X. Ou, S. Govindavajhala, and A. W. Appel, MulVAL: a logicbased network security analyzer, Proc. of 14th USENIX Security Symp., pp [13] R. Sadoddin and A. Ghorbani, Alert correlation survey: framework and techniques, Proc. ACM Int l Conf. on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services (PST 06), pp. 37:1 37: [14] L. Wang, A. Liu, and S. Jajodia, Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts, Computer Communications, vol. 29, no. 15, pp , Sep [15] S. Roschke, F. Cheng, and C. Meinel, A new alert correlation algorithm based on attack graph, Computational Intelligence in Security for Information Systems, LNCS, vol. 6694, pp Springer, [16] A. Roy, D. S. Kim, and K. Trivedi, Scalable optimal countermeasure selection using implicit enumeration on attack countermeasure trees, Proc. IEEE Int l Conf. on Dependable Systems Networks (DSN 12), Jun [17] N. Poolsappasit, R. Dewri, and I. Ray, Dynamic security risk management using bayesian attack graphs, IEEE Trans. Dependable and Secure Computing, vol. 9, no. 1, pp , Feb

6 [18] Open Networking Fundation, Software-defined networking: The new norm for networks, ONF White Paper, Apr [19] Openflow [20] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker, and J. Turner, OpenFlow: enabling innovation in campus networks, SIGCOMM Comput. Commun. Rev., vol. 38, no. 2, pp , Mar [21] E. Keller, J. Szefer, J. Rexford, and R. B. Lee, NoHype: virtualized cloud infrastructure without the virtualization, Proc. of the 37 th ACM ann. int l symp. on Computer architecture (ISCA 10), pp Jun [22] X. Ou, W. F. Boyer, and M. A. McQueen, A scalable approach to attack graph generation, Proc. of the 13th ACM conf. on Computer and communications security (CCS 06), pp [23] Mitre Corporation, Common vulnerabilities and exposures, CVE, [24] P. Mell, K. Scarfone, and S. Romanosky, Common vulnerability scoring system (CVSS), html, May [25] O. Database, Open source vulnerability database (OVSDB), [26] NIST, National vulnerability database, NVD, gov [27] N. Gude, T. Koponen, J. Pettit, B. Pfaff, M. Casado, N. McKeown, and S. Shenker, NOX: towards an operating system for networks, SIGCOMM Comput. Commun. Rev., vol. 38, no. 3, pp , Jul [28] X. Ou and A. Singhal, Quantitative Security Risk Assessment of Enterprise Networks. Springer, Nov [29] M. Frigault and L. Wang, Measuring network security using bayesian Network-Based attack graphs, Proc. IEEE 32nd ann. int l conf. on Computer Software and Applications (COMPSAC 08), pp Aug [30] K. Kwon, S. Ahn, and J. Chung, Network security management using ARP spoofing, Proc. Int l Conf. on Computational Science and Its Applications (ICCSA 04), LNCS, vol. 3043, pp , Springer, [31] Metasploit, [32] Armitage, [33] M. Tupper and A. Zincir-Heywood, VEA-bility security metric: A network security analysis tool, Proc. IEEE Third Int l Conf. on Availability, Reliability and Security (ARES 08), pp , Mar