Distributed Intrusion Detection System using Mobile Agents in Cloud Computing Environment (DIDMACC)
Yasir Mehmood, 2011-NUST-MS-CCS-031
Thesis Supervisor: Dr. M. Awais Shibli
G.E.C. Members: Dr. Abdul Ghafoor Abbasi, Dr. Adnan Khalid Kiyani, Ms. Hirra Anwar
In-house Defense, October 03, 2014
School of Electrical Engineering & Computer Science, NUST Islamabad
Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad
Agenda
• Introduction
• Motivation
• Research Methodology
• Problem Statement
• Contributions
• Implementation
• Security Evaluation
• Future Directions
• Demonstration
• References
Intrusion Detection System in Cloud (diagram slide)
Intrusion Detection Systems in Cloud (diagram slide)
Deployment of IDS and Service Models
In a Cloud environment, an IDS may be deployed at any of the three service layers:
• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)
Challenges to Cloud based IDS (diagram slide)
Literature Review
Security Perspective:
• Conference & journal papers
• IDS in Cloud
• Challenges to CIDS
• Well-known open source IDS
• Detection techniques of IDS
Industrial Perspective:
• Standards
• Next generation IDS
• Best practices
• State-of-the-art tools and technologies: Cisco, MetaFlows, Palo Alto Networks, Juniper Networks, TippingPoint, Symantec
Research Methodology (diagram slide)
Research Methodology (cont.) (diagram slide)
Problem Statement
Large-scale, distributed intrusions, caused mainly by the open and distributed architecture of the Cloud, threaten both Cloud Service Providers (CSPs) and Cloud Service Consumers (CSCs). We aim to detect such intrusions by correlating intrusion alerts collected using mobile agents.
Contributions
Our contribution is twofold: a research perspective and an implementation perspective (detailed on the following slides).
Research Perspective
Research Paper 1: Yasir Mehmood, Umme Habiba, M. Awais Shibli, Rahat Masood, "Intrusion Detection System in Cloud Computing: Challenges and Opportunities", 2nd National Conference on Information Assurance (NCIA-2013), MCS, Rawalpindi, Pakistan, pp. 59-66, December 11-12, 2013.
Research Paper 2: Yasir Mehmood, Ayesha Kanwal, M. Awais Shibli, "Distributed Intrusion Detection System using Mobile Agents in Cloud Computing Environment", submitted to the 5th ACM Conference on Data and Application Security and Privacy (CODASPY-2015), San Antonio, TX, USA, March 2-4, 2015.
Research Findings: Analysis of existing CIDS (table slide)
Research Findings (cont.) (table slide)
Research Findings (cont.) (table slide)
Implementation Perspective
Implement a distributed intrusion detection system for the Cloud, based on Suricata, mobile agents and OSSIM, that can:
• Detect intrusions on local VMs.
• Enable the user to update Suricata rules files.
• Use mobile agents to carry intrusion alerts from the VMs to the management server.
• Detect distributed intrusions using the OSSIM correlation engine.
• Update rules files on VMs using mobile agents.
Selected IDS: Suricata (open source: yes; developer: OISF; type: IDS/IPS; a well-known open source IDS)
Development Toolkit (diagram slide)
Layered Architecture (diagram slide)
Infrastructure to be monitored, per VM (VM 1, VM 2): Applications; Suricata (signature DB); JADE agents and mobile agents (MA); VM on Hypervisor; Host OS; Hardware.
Management Server (MS): Intrusion Detection; JADE (MA generation); Alert Correlation Engine (OSSIM); IDS Signature Database; Alert Generation to the Sys Admin / Alert Console.
Legend: MA = Mobile Agent, VM = Virtual Machine.
Workflow of our System (diagram slide; actors: Users A, B and C; Cloud Service Provider (CSP); Management Server (MS) with JADE (MA generation), IDS Signature Database, Alert Correlation Engine (OSSIM) and Sys Admin / Alert Console; VM 1, VM 2, VM 3 carrying mobile agents)
1. Request for VM
2. VM [IDS + JADE]
3. RM_agent reports suspicious activity
4. EC_agent to gather alert info
5. EC_agent can move between VMs
6. EC_agent returns to MS after collecting alert information
7. Correlation and intrusion detection
8. Alert
9. MS sends signature of distributed & latest intrusion to other VMs
Components of our System (diagram slide)
Components of our System (cont.): Suricata rule management (screenshot slide)
Components of our System (cont.): Agents development module
• Local Agents
  • Intrusion detection agent
  • Resource monitoring agent
  • Port scanning agent
• Mobile Agents
  • Alert carrier mobile agent
  • Evidence collector mobile agent
  • Signature writer mobile agent
Components of our System (cont.): Alert Correlation Module
Correlation of alerts collected from VMs:
• Use Suricata as the source of alerts
• Forward the alerts to the OSSIM correlation engine
• Correlate the alerts to detect distributed intrusions
• Update the rules files of VMs using mobile agents
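The following is an added example, not code from the DIDMACC project, that walks through the management-server side of the workflow above (steps 3 to 9 and the Alert Correlation Module): Suricata alerts brought in from several VMs are grouped by signature, a distributed intrusion is flagged when the same signature fires on more than one VM within a time window, and a Suricata rule naming the attacking source is produced for distribution to the other VMs. The input records follow Suricata's EVE JSON alert layout (timestamp, event_type, src_ip, dest_ip, alert.signature_id, alert.signature); the "vm" field, the SIDs, the signature names and the addresses are constructed for the example, and the correlation logic is a plain time-window clustering rather than OSSIM's directive engine.

```python
"""Correlate Suricata alerts gathered from several VMs at the management server (MS).

Added illustration of the DIDMACC workflow; not the project's own code.  A
distributed intrusion is reported when one signature fires on at least
`min_vms` VMs within `window_minutes`, and a local-range Suricata rule is
generated for each attacking source so the MS can push it to the other VMs.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: EVE-style records, one JSON object per line, as the
# alert carrier agent would deliver them from three VMs.  "vm" is assumed to be
# added by the carrier agent (it is not a Suricata field); SIDs, signature
# names and addresses are made up.  The last record is a flow record that a
# correlator must ignore.
SAMPLE_EVE_LINES = """\
{"timestamp":"2014-10-01T10:00:05.000000+0000","event_type":"alert","vm":"VM1","src_ip":"203.0.113.7","dest_ip":"10.0.0.11","alert":{"signature_id":1000001,"signature":"EXAMPLE SSH brute force attempt"}}
{"timestamp":"2014-10-01T10:00:40.000000+0000","event_type":"alert","vm":"VM2","src_ip":"203.0.113.7","dest_ip":"10.0.0.12","alert":{"signature_id":1000001,"signature":"EXAMPLE SSH brute force attempt"}}
{"timestamp":"2014-10-01T10:01:10.000000+0000","event_type":"alert","vm":"VM3","src_ip":"203.0.113.7","dest_ip":"10.0.0.13","alert":{"signature_id":1000001,"signature":"EXAMPLE SSH brute force attempt"}}
{"timestamp":"2014-10-01T10:02:00.000000+0000","event_type":"alert","vm":"VM2","src_ip":"198.51.100.5","dest_ip":"10.0.0.12","alert":{"signature_id":1000002,"signature":"EXAMPLE web shell access"}}
{"timestamp":"2014-10-01T11:30:00.000000+0000","event_type":"alert","vm":"VM1","src_ip":"198.51.100.9","dest_ip":"10.0.0.11","alert":{"signature_id":1000001,"signature":"EXAMPLE SSH brute force attempt"}}
{"timestamp":"2014-10-01T10:00:50.000000+0000","event_type":"flow","vm":"VM1","src_ip":"10.0.0.11","dest_ip":"10.0.0.12"}
"""

EVE_TS = "%Y-%m-%dT%H:%M:%S.%f%z"  # Suricata EVE timestamp layout


def parse_alerts(eve_text):
    """Keep only alert records and return them ordered by time."""
    alerts = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow/http/dns records carry no signature to correlate
        alerts.append({
            "ts": datetime.strptime(rec["timestamp"], EVE_TS),
            "vm": rec["vm"],
            "src_ip": rec["src_ip"],
            "dest_ip": rec["dest_ip"],
            "sid": rec["alert"]["signature_id"],
            "signature": rec["alert"]["signature"],
        })
    return sorted(alerts, key=lambda a: a["ts"])


def _summarise(cluster, min_vms):
    """Turn a time-cluster of same-signature alerts into an incident, or None."""
    vms = sorted({a["vm"] for a in cluster})
    if len(vms) < min_vms:
        return None  # seen on too few VMs: a local alert, not a distributed one
    return {
        "sid": cluster[0]["sid"],
        "signature": cluster[0]["signature"],
        "vms": vms,
        "sources": sorted({a["src_ip"] for a in cluster}),
        "first_seen": cluster[0]["ts"],
        "last_seen": cluster[-1]["ts"],
        "alert_count": len(cluster),
    }


def correlate(alerts, window_minutes=5, min_vms=2):
    """Cluster same-signature alerts by time; report clusters spanning >= min_vms VMs."""
    window = timedelta(minutes=window_minutes)
    by_sid = defaultdict(list)
    for a in alerts:
        by_sid[a["sid"]].append(a)  # stays time-ordered: parse_alerts sorted them
    incidents = []
    for sid_alerts in by_sid.values():
        cluster = []
        for a in sid_alerts:
            if cluster and a["ts"] - cluster[0]["ts"] > window:
                inc = _summarise(cluster, min_vms)  # close the window
                if inc:
                    incidents.append(inc)
                cluster = []
            cluster.append(a)
        inc = _summarise(cluster, min_vms)
        if inc:
            incidents.append(inc)
    return sorted(incidents, key=lambda i: i["first_seen"])


def rules_for_incident(incident, base_sid):
    """Suricata rules the MS could push to the other VMs (workflow step 9):
    one alert rule per attacking source, numbered from a local-range SID."""
    msg = incident["signature"].replace('"', "").replace(";", "")  # keep rule syntax valid
    vm_list = ",".join(incident["vms"])
    rules = []
    for n, src in enumerate(incident["sources"]):
        rules.append(
            f'alert ip {src} any -> $HOME_NET any '
            f'(msg:"DIDMACC distributed: {msg} seen on {vm_list}"; '
            f'sid:{base_sid + n}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for inc in correlate(parse_alerts(SAMPLE_EVE_LINES)):
        print(f'{inc["signature"]} on {inc["vms"]} from {inc["sources"]} '
              f'({inc["alert_count"]} alerts)')
        for rule in rules_for_incident(inc, 1900001):
            print("  ", rule)
```

With the default five-minute window the three SSH alerts on VM1, VM2 and VM3 form one distributed incident, the lone web-shell alert on VM2 stays local, and the SSH alert an hour and a half later is outside the window; widening the window to two hours pulls that later alert (and its second source) into the incident, which is the kind of threshold and window choice the correlation engine's directives make for the operator.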
Security Evaluation with Pytbull (results slides)
Future Directions
• An anomaly based system can be combined with our system to make a hybrid CIDS for improved detection.
• Another possible research direction is to integrate a correlation module other than OSSIM and compare its results with those achieved through the OSSIM correlation engine.
Conclusion
• An Intrusion Detection System is very useful for detecting malicious activities before they damage Cloud resources.
• The impact of the IDS on the performance of Cloud resources should also be considered while developing a CIDS.
• The use of mobile agents to carry intrusion-specific data and code reduces network load.
• Global-level correlation helps in efficient detection of distributed intrusions.
Demo: Suricata alerts on the local VM (screenshot slide)
Demo: Suricata logs on OSSIM (screenshot slide)
Demo: Events after correlation by OSSIM (screenshot slide)
Special thanks to my supervisor and committee members.