Cloud Security - Characteristics, Advantages and Disadvantages




The Research and Design of Intelligent IPS Model Based on Dynamic Cloud Firewall Linkage

1 Tiejun Jia, 2 Xiaogang Wang
*1 College of Electronics & Information, Shanghai Dianji University, Shanghai 200240, China, jtj2000@163.com
2 College of Electronics & Information, Shanghai Dianji University, Shanghai 200240, China, wangxg@sdju.edu.cn
doi:10.4156/jdcta.vol5.issue3.30

Abstract

Cloud security is a new technology and a developing trend in the field of internet and network security. On the basis of summarizing the characteristics, superiority and core technologies of cloud security, this paper proposes a new method to design and realize an intelligent IPS model with dynamic cloud firewall linkage based on cloud security, and analyzes the model's structure and features. This model has important practical significance for the research and development of advanced network security technologies.

Keywords: Cloud Security, Cloud Firewall, Intrusion Prevention System (IPS), Model Design.

1. Introduction

Cloud computing is a supercomputing mode that uses the huge internet to provide a computational resource environment and services. It mainly assembles, coordinates and immediately processes all kinds of information resources stored in network-linked devices. The working principle of dynamic cloud security is to use distributed computing technologies to divide the computational processing program into many agents over the network, to use many servers to compose an enormous system, and to realize network resource sharing by way of cooperative search, computation, analysis and processing. This technology structure has become the newest application in the field of network security [1]. The firewall is really an access control system which inspects information from the outer network according to security policy, and thereby protects the inner one from outside illegal access and.
From software, hardware and ASIC to UTM, the firewall has always used a passive protection principle and cannot monitor the inner network's abnormal behavior [2,3]. The main characteristics of the fifth-generation cloud firewall include preventing botnets and Trojan horses, protecting the safety of host computers in the inner network, linking cloud detection with the Intrusion Prevention System, joining SSL VPN through cloud security, supporting netflow through cloud monitoring, and realizing the unification of NOC and SOC. On the basis of discussing the characteristics, structure, functions and key IPS technologies of cloud computing and the cloud firewall, this paper briefly analyzes the features, superiority and core technologies of cloud security, and proposes a new method of designing and realizing an intelligent IPS model with dynamic cloud firewall linkage based on cloud security.

2. The characteristics and core technologies of the cloud security

2.1. The characteristics and superiority of the cloud security

The three main characteristics of cloud computing are dynamically dividing computing resources, centering on the web, and supporting network payment services. Through web standards, it turns networks with complicated and differing technology structures into a cloud computing platform running different services and systems. By constructing a dynamic network security structure, the platform dynamically deploys and distributes computing resources, real-time monitoring, and security characteristic detection and protection, so as to attain highly effective use of network resources and of some new safety protection technologies for cloud security. These technologies mix together distributed and parallel processing, grid computing, abnormal behavior detection and so on; they can obtain new information about viruses and malicious programs, send it to the server side for automatic analysis and handling, and push optimized solutions back to the client side. The web is the center of realizing and implementing cloud security, and it gradually acquires the features of intelligence and awareness, which lets the new generation of network security protection structure really play its role.

The characteristics and superiority of the cloud security mainly include the following [4]:

(1) Providing the safeguards. There are several aspects of risk evaluation for data integrity, data recovery and privacy protection. The data is centrally stored in different data centers, which carry out unified management and maintenance, take charge of resource allocation and deployment and of safety control, and execute further safe and reliable real-time monitoring.

(2) Unique mechanism of anticipating control. It is the most special mechanism in the cloud computing platform. It can greatly improve the users' work environment and the settings of safe anticipating control, and it realizes real-time security prevention based on specific requirements.

(3) The cloud environment real-time monitoring. It indexes and monitors the logs recording dynamic information according to real requirements, supports extended log records using the system's special C2 pattern of audit tracking, and may monitor unusual access attempts to the database.

(4) Safety performance test. It regularly carries out SaaS safety performance and password strength tests for the cloud platform, to guarantee system security and the reliability of password strength in time.

(5) Updating traditional antivirus patterns.
The most distinctive feature of the cloud security structure is that it turns the previous virus-killing pattern into a network cooperative one, which greatly enhances the efficiency of virus sample extraction and software updates. Users neither need to install antivirus software in full and upgrade it frequently, nor have to give up massive internal memory and network bandwidth.

2.2. The core technologies of the cloud security

The network protection structure based on cloud security is a new generation of security infrastructure on the cloud client side, which blocks and filters new threats before they arrive, so as to achieve network security intelligence and active defense. The structure mainly makes use of the seven core technologies of cloud security: Web Reputation Service (WRS), E-mail Reputation Service (ERS), File Reputation Service (FRS), behavioral correlation analysis technologies, the automatic security information feedback mechanism, threat information collection, and virus characteristic blacklist technologies.

The core of the structure goes beyond the traditional methods of obstructing web threats. It constructs the security structure on the cloud client side on the basis of WRS, ERS and FRS, and stores most of the feature code files in cloud databases on the internet so that only a minimum quantity is kept on the terminals. With the help of the whole reputation databases, it may determine reputation parameters according to the factors of the website pages, the changes of historic locations, and the indications of suspicious activities found through malicious software features and behavioral analysis, and thus traces the reliability of the website pages. The structure reduces the consumption of bandwidth and also provides faster, timely, all-round protection [5].

3. The structural characteristics and functions of the cloud firewall

3.1. The characteristics of the cloud firewall

The firewall mainly uses network access security policies and the filtering choice of data packets as its basic principles. It supports adding or altering security policies and rules as required, applies filtering technology to allow and prohibit appointed services and data packets, and makes use of FTP and Telnet services to install and implement advanced identification measures. It offers friendly interfaces and easily programmed IP filtering, and can filter information according to the properties of data packets. It reduces the direct connection of SMTP services with external services and handles the whole website's e-mail centrally, allows the public to access the website while isolating information services from other internal services, supports log management and statistical analysis, and can link with an intrusion detection system (IDS). But the major defect of the firewall is its passive, static defense, which cannot monitor internal abnormal behavior, so that hackers may often bypass the firewall to and destroy internal network.

The cloud firewall is based on cloud security and dynamically distributed core technologies, which greatly improve on the above defect of the firewall. Its key idea is to turn protection into a dynamic, cooperative and actively intelligent access control and defensive system. Combining cloud security with a dynamically distributed intelligent firewall, it can be deployed in a mutually cooperative, dynamically interactive and unified way. The cloud firewall possesses the following characteristics [6]:

(1) SensorBase-based dynamic updating policies. The cloud database, SensorBase, deployed on the internet is the core of the cloud firewall. It can collect around the world malicious URLs, the websites inserted by Trojan horses and the features of detected s and viruses, and sends dynamic updates in a timely way to client-side users worldwide. This is the most distinctive characteristic of the cloud firewall.

(2) Building reputation-associated cooperation with IPS. The cloud firewall records a reputation value for the operating actions of users that threaten network security, and when the value decreases to a fixed threshold, the reputation link is automatically closed. Users with a good reputation who once in a while are ed by viruses or misoperation are only given a warning prompt.

(3) The virtual cloud side's mobile safety access. Presently, mobile network security access has aroused significant attention. Cloud security can safeguard mobile access through SSL VPN technology.

(4) Real time monitoring the netflow in the cloud.
One of the important means of cloud security and network protection is monitoring abnormal netflow. In the cloud firewall, with a technology such as the NetFlow V9 adopted by Cisco, not only is the netflow detected, but the network administrators also make use of it to manage the network.

3.2. The structure and functions of the cloud firewall

On the basis of the above analysis of the technical characteristics of cloud security and the cloud firewall, this paper designs a new dynamic intelligent cloud firewall model, as shown in Figure 1.

Figure 1. The dynamic intelligence cloud firewall structural model

The structural model and its functions mainly include the following:

(1) After external information is trained through the credible database in the data switcher, it can only enter the credible knowledge base to learn and to be compared with the feature rules repository or policies. The credible knowledge base may first be trained through the credible database, and then execute feature extraction and data mining to obtain knowledge or rules. These pass only through adaptive learning into the knowledge base and the feature rules repository, which go through continuous learning to update knowledge, rules and policies.

(2) The model links interactively with the defending agents, the expert system and the detecting and identifying agents, to realize integrated linkage and interactive cooperation, real-time defense, and detection and identification. If abnormal behaviors and data packets are detected, the monitor station can automatically carry out defensive filtering, prevention and warning, and then produce an audit record.

(3) If abnormal behaviors and data packets are not detected, the authorized users may be allowed to access the internal network and to exchange monitoring information in real time with the control workstation of the content detection, which includes dynamic real-time monitoring of internal abnormal behaviors and data packets.

(4) Only when the dynamic distributed intelligent cloud firewall further cooperates with the IPS can it better deliver system-level effects such as overall coordination, optimization and real-time interactive defense.

4. The design of the cloud security intelligent IPS

4.1. The main characteristics and key technologies of IPS

An Intrusion Prevention System (IPS) possesses functions such as active filtering, intelligent intrusion detection, prevention and access decision. It detects abnormal behavior and data packets, judges in real time whether to block access, and uses filters to intercept any operation attacking the system's weaknesses. It defends the network in real time in a multi-layer, deep-layer and active way to effectively protect the safety of network resources [5].
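
The reputation-associated cooperation from section 3.1, item (2), sketched as an added Python example; it is not code from the paper. The 0-100 score scale, the penalty table, both thresholds, the "filtered" middle state and all class and function names are assumptions, since the paper gives no concrete values or interfaces.

```python
from dataclasses import dataclass, field

# All constants below are assumptions for illustration; the paper gives no values.
INITIAL_SCORE = 100     # every user starts fully trusted
GOOD_REPUTATION = 80    # at or above this, an occasional event earns only a warning
CLOSE_THRESHOLD = 40    # at or below this, the firewall closes the user's link
PENALTY = {"policy_violation": 5, "malicious_url": 15, "trojan_callback": 35}


@dataclass
class CloudFirewall:
    """First layer: access control. Keeps the set of users whose link is closed."""
    closed: set = field(default_factory=set)

    def close_link(self, user):
        self.closed.add(user)

    def permits(self, user):
        return user not in self.closed


@dataclass
class ReputationIPS:
    """Second layer: scores detected events and tells the firewall when to block."""
    firewall: CloudFirewall
    scores: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # (user, event, score, action)

    def report(self, user, event):
        if event not in PENALTY:
            raise ValueError(f"unknown event type: {event!r}")
        before = self.scores.get(user, INITIAL_SCORE)
        if not self.firewall.permits(user):
            after, action = before, "dropped"        # link already closed
        else:
            after = max(0, before - PENALTY[event])
            if after <= CLOSE_THRESHOLD:
                self.firewall.close_link(user)       # linkage: IPS informs firewall
                action = "link_closed"
            elif before >= GOOD_REPUTATION:
                action = "warning"                   # good user, occasional event
            else:
                action = "filtered"                  # event blocked, link stays open
        self.scores[user] = after
        self.audit.append((user, event, after, action))
        return action


# Constructed sample events (user, detected event type), not real log data.
SAMPLE_EVENTS = [
    ("alice", "malicious_url"),
    ("alice", "policy_violation"),
    ("bob", "trojan_callback"),
    ("bob", "malicious_url"),
    ("bob", "malicious_url"),
    ("bob", "policy_violation"),
]


def replay(events):
    """Feed events through a fresh IPS/firewall pair and return the outcome."""
    firewall = CloudFirewall()
    ips = ReputationIPS(firewall)
    actions = [ips.report(user, event) for user, event in events]
    return actions, ips.scores, firewall.closed


if __name__ == "__main__":
    actions, scores, closed = replay(SAMPLE_EVENTS)
    for (user, event), action in zip(SAMPLE_EVENTS, actions):
        print(f"{user:6} {event:17} -> {action}")
    print("scores:", scores, "closed links:", sorted(closed))
```

The audit list kept by `ReputationIPS` plays the part of the auditing record the model produces after each defensive action.
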
The technologies of IPS have four major characteristics: using an embedded (inline) pattern to intercept abnormal behavior and data packets in real time, so as to realize real-time security protection; deeply analyzing the attack types and policies to reliably intercept malicious netflow; running efficiently on a high-quality intrusion feature repository; and making use of a special hardware acceleration system to handle suspicious data packets efficiently.

IPS has four key technologies. The first is active defense technology, which protects and strengthens the key host computers and service data overall, and properly limits users' rights. It can positively distinguish known attacks, refuse malicious access, and prevent unknown attacking behaviors. The second is linking technology with the firewall. The firewall carries out the access control defense of the first layer; the IPS carries out the intrusion detection defense of the second layer to filter malicious communication, and then informs the firewall to block it. The third is the comprehensive detection method. With a view to avoiding misoperation and the blocking of legal network events, which cause data loss, it uses various detection methods such as misuse detection and anomaly detection to judge known and unknown attacks exactly. The fourth is the hardware acceleration system, which uses special technology to deal with data packets efficiently, so as to achieve deep packet detection and blocking in complicated networks with a high rate of netflow [7].

4.2. The structure of the cloud security intelligent IPS

Cloud security is classified into two types. The first is the storing and sharing of a feature repository, or similar-feature repository, on the cloud side; the second is a new system that quickly collects, converges and responds to deal with malicious code, junk mail, phishing site URLs and so on [8,9].
Cloud security integrates users with intelligent technology platforms through the internet to form a safety network that monitors, searches for, kills and defends against Trojan horses and attacking instructions. This paper constructs a new type of intelligent IPS model based on dynamically distributed cloud firewall linkage, as shown in Figure 2.

Figure 2. The intelligent IPS model based on dynamically distributed cloud firewall linkage

The main functions of the intelligent IPS are as follows. When the internal network's users access external network resources, the intelligent IPS uses the feature detection and recognition mode of cloud security and, through its own collection, recognition, feature extraction, adaptive learning and so on, automatically analyzes and judges the safety of the resources accessed by the users. It uses the terminal browser to interact with the cloud firewall, where the expert system then performs deep analysis and identification to make the choice. It uses the resource information of users' behaviors, files, web pages and so on to perform reputation modeling, and then judges the level of the resources' reputation [10].

5. Acknowledgement

This research was partially supported by The Natural Science Foundation of China (60803130) and The Important Discipline of Shanghai Dianji University Fund (07XKJ01).

6. Conclusion

On the basis of analyzing the characteristics, superiority and core technologies of cloud computing, cloud security, the cloud firewall and IPS, this paper proposes a new method to design and realize an intelligent IPS model with dynamic cloud firewall linkage based on cloud security. The new generation of internet security protection system, based on the policies of cloud security and the technologies of intelligent active defense, can seamlessly integrate the intelligent defensive system with antivirus software; as a result, the occupation of the computer's resources is greatly decreased. The proposed model can find, intercept and deal with a large number of the latest abnormal attacks, such as computer viruses and malicious websites, in time, and then send the solutions to all user sides in a timely way, so that they may defend in advance against all kinds of new threats in the network.

7. References

[1] Lin Fan, Zeng Wenhua, Jiang Yi, Li Jianmin, Liang Qi, "A Group Tracing and Filtering Tree for REST DDos in Cloud", JDCTA, Vol. 4, No. 9, pp. 212-224, 2010.
[2] Jia Tiejun etc., Network Security Management and Practical Technologies, Beijing: Machine Press, CHN, 2010.
[3] Jia Tiejun etc., Network Security Technologies and Application, Beijing: Machine Press, CHN, 2009.
[4] Do-Yoon Ha, Chang-Yong Lee, Hyun-Cheol Jeong, Bong-Nam Noh, "Design and Implementation of SIP-aware DDoS Attack Detection System", AISS, Vol. 2, No. 4, pp. 25-32, 2010.
[5] Jia Tiejun, Wang Xiaogang, "The Construction and Realization of the Intelligent NIPS Based on the Cloud Security", 2009 IEEE International Conference on Information Science and Technology (ICISE 2009), pp. 158-161, Feb 22-24, 2009.
[6] Zi Shi, The cloud computing in china, "The Cloud Security Makes Internet Become Largest Software Killing Viruses", http://www.chinacloud.cn/show.aspx?id=5682&cid=29, 2011.01.22.
[7] Sohu IT, "Intelligentizing Cloud Firewall Realizes Active Safety Defense", http://it.sohu.com/20100111/n269505440.shtml, 2010.01.11.
[8] Shi Meijun, "The Intelligent Scheduling Center and Cloud Firewall Safeguard Network's Best Connectivity", http://www.cww.net.cn/zhuanfangjian/html/2010/11/25/201011251531370.htm.
[9] Zhang Weiming, Tang Jianfeng, The Cloud Computing Profoundly Changes the Future, Beijing: Science Press, CHN, 2009.
[10] Yi Yin, Kazuaki Hida, Yoshiaki Katayama, Naohisa Takahashi, "Implementation of Filter Reverse Search System based on Spatial Relationships of Filters", JCIT, Vol. 3, No. 2, pp. 6-12, 2008.