A Hybrid Intrusion Detection System for Cloud Computing Environments

Uploaded by: lazurens
Posted on 13-Apr-2017


Introduction

Cloud Security Concerns

Q: Please rate your level of overall security concern related to adopting public cloud computing.
• 91% of organizations have security concerns.
• 4% are not sure.
• 5% are not at all concerned.

Source: CloudPassage survey report, 2016

Most Popular Cloud Services

Q: What types of business applications is your organization deploying in the cloud?
• 46% Web apps.
• 38% Collaboration and communication apps.
• 33% Productivity.
• 27% IT operations.
• 27% Custom business applications.

Source: CloudPassage survey report, 2016

Research Questions

Main question: How to protect the Cloud using Intrusion Detection Systems (IDS)?

Secondary questions:
• How is an IDS best transformed to suit the Cloud?
• How may we increase the detection quality?
• How is the model best deployed?

Aims and Objectives

Objective 1: Review the current literature on security issues related to the Cloud and the solutions proposed to fully protect it.
Objective 2: Identify key solutions and design the architecture.
Objective 3: Evaluate the experimental results.


Cloud Computing and Security

Background

• Cloud Computing
• Virtualization
• Vulnerabilities and attacks in Cloud Computing
• Intrusion Detection Systems
• Machine Learning


Virtualization

Virtualization: Virtual Machine Monitor (VMM)

Properties of the VMM:
1. Isolation
2. Interposition
3. Inspection

Virtualization: Approaches of Virtualization

Full Virtualization (figure):
• Ring 3: user apps; direct execution of user requests.
• Ring 1: guest OS; binary translation of OS requests.
• Ring 0: VMM (Virtual Machine Monitor).
• Host hardware.


Intrusion Detection Systems

Intrusion Detection System

• Intrusion Detection System vs Firewall
• What an IDS can and cannot do
• Detection methods

Machine Learning

• Supervised learning: Naive Bayes, Decision Tree
• Unsupervised learning


Literature Review

Literature Review: Classification of the Literature

How to study the literature?

Literature Review: How to study the literature?

• Where to detect? Network / Host / VM / Application
• What to detect? Network packets / Processes / VMM / Tasks
• How to detect? Signature / Anomaly

Literature Review: How to study the literature?

Perspective | Scope
Where | Layers of the Cloud
What | Audit source location
How | Detection method

Literature Review: Classification of the Literature

Layers of the Cloud: Host, Network, Application, Virtualization.

Literature Review: Application Layer

• AlQahtani et al. 2014: metrics to measure quality (vulnerability detection, average response time).
• Carmen et al. 2010: detection of SQL injection (SQLMap) in web traffic (XML + ModSecurity); "XML" gives a better characterization of normal traffic.
• Felix et al. 2011: heuristics to learn algorithms and keys (encryption).

Literature Review: Host Layer

• Firkhman et al. 2011; Chirag et al. 2013: host IDSs with signatures for known attacks; top-down and bottom-up approaches to placing the IDS on the host, the guests or the hypervisors.
• Saman Taghavi et al. 2011: cloud-specific design; log file correlation; hybrid solution combining several IDS methods (NIDS, HIDS, ...); detection of unknown attacks.

Literature Review: Comparative Summary

Ref | Deployment | Layers of interest | Detection approach
Vikas Mishra et al. 2016 | IaaS | Network | Signature-based
Sivakami Raja et al. 2016 | IaaS | Network | Anomaly-based
Khamkone Sengaphay et al. 2016 | IaaS | Network | Signature-based, Anomaly-based
Zahraa Al-Mousa et al. 2015 | IaaS | Network | Anomaly-based
Partha Ghosh et al. 2015 | IaaS | Network, Host | Anomaly-based
Ming-Yi Liao et al. 2015 | IaaS | Network, VM | Signature-based
Sangeetha et al. 2015 | SaaS | Application | Signature-based
Manthira et al. 2014 | IaaS, SaaS | Network, Host | Signature-based, Anomaly-based
Omar Al-Jarrah et al. 2014 | IaaS | Network | Anomaly-based
Felix Gröbert et al. 2011 | SaaS | Host | Heuristic-based, Signature-based
Nathaniel et al. 2011 | SaaS | Application | Anomaly-based
Malek Ben Salem et al. 2011 | IaaS | Host, VM | Anomaly-based
Cristina Abad et al. 2003 | IaaS | Network, VM | Signature-based, Anomaly-based

Literature Review: Main Detection Methods

Signature-based IDS
• Detects known attacks.
• Easy to implement.
• Requires frequent signature updates.
• Slow reaction to new attacks.

Literature Review: Main Detection Methods

Anomaly-based IDS
• Assumes that malicious network behaviour is noticeably different from regular behaviour.
• Able to detect unknown/new attacks.
• High false-alarm rates.
• Requires a system-training period.
• Greater implementation complexity.

Literature Review: Summary

• Deployment locations and detection methods.
• Partial detection on the Cloud.
• No detection model can protect the entire Cloud.
• Less distinction of attacks per layer.
• Less focus on the significant attributes.


Model Design

Model Design: Proposed Architecture

(Figure) Internet -> Lab Router -> Cloud Infrastructure. Inside the cloud infrastructure: a NIDS at the entry point, a VM-IDS on the hypervisor, and a Host-IDS plus a Web-IDS on each of Guest A, Guest B and Guest C.

Model design parameters:
• Placement of IDSs.
• Layered security design.
• Combining detection methods.
• Event correlation.

Model Design: Signature IDS Positions

(Figure) The hacker is positioned on the Internet, in front of the lab router. Three detection lines inside the cloud infrastructure:
• First detection line: NIDS.
• Second detection line: VM-IDS on the hypervisor.
• Third detection line: Web-IDS on each guest (Guest A, Guest B, Guest C).

Implementation preferences: ModSecurity, Snort, OSSEC; anomaly detection; Sguil/ELK.

Model Design: Different Zones of Detection

Detection level:
• ModSecurity (WIDS)
• Snort (NIDS)
• OSSEC (HIDS)
• OSSEC (VM-IDS)

Visualization level:
• Logs centralized: syslog
• Log correlation: Logstash
• Visualization module: Kibana, Snorby, Sguil

Anomaly detection (train, test, prediction): recommends rules to be added.

Model Design: From Signature Zone to Anomaly Zone

(Figure) Knowledge-based detection (ModSecurity) labels traffic as normal or attacks and feeds the training dataset (normal, attacks); machine-learning anomaly detection is trained on that dataset and tested; its detections are recommended to the administrator.


Evaluation

Evaluation: Collected Data

• Real traffic from the network.
• Web vulnerability scanner (w3af).
• Simulated attacks on the host.

Evaluation: Quantitative Analysis

Number of resources | Targeted layers | Datasets total size | Dataset/Tools | Number of sessions
70 | Network, Host, Web | More than 235 MB | Pcap files and w3af | 88

Number of resources | Targeted layers | Platform/Payloads | IDS | Total number of sessions
36 | Network | Exploit kit and malware captures: Angler Exploit Kit, Fiesta Exploit Kit, Neutrino Exploit Kit, Magnitude Exploit Kit, Nuclear Exploit Kit, RIG Exploit Kit, Upatre downloader, Malspam | Snort | 53

Evaluation: Quantitative Analysis

Number of resources | Targeted layers | Host/Guest | IDS | Total number of sessions
10 | Host | Lubuntu 15 | OSSEC | 10

Number of resources | Targeted layers | Platform/Payloads (w3af plugins) | IDS | Total number of sessions
24 | Web | blind_sqli, buffer_overflow, csrf, dav, eval, file_upload, format_string, frontpage, generic, global_redirect, htaccess_methods, ldapi, lfi, mx_injection, os_commanding, phishing_vector, preg_replace, ... | ModSecurity | 24

Evaluation: Quantitative Analysis

Distribution of attacks per layer; percentage of detection in the signature detection zone:

Result | Number of attacks | Percentage
True positives | 64 | 91.43%
False negatives | 6 | 8.57%

Evaluation: Qualitative Analysis

Evasion techniques examined: Obfuscation, Fragmentation, Encryption, Denial of Service.

Evaluation: Qualitative Analysis

Manual analysis using Wireshark of a 2014 capture:
1. Victim host "IntelCor_8" (Windows).
2. MAC address: 00:1b:21:ca:fe:d7; IP: 192.168.137.62.
3. "www.earsurgery.org" (216.9.81.189) redirects to "qwe.mvdunalterableairreport.net" (192.99.198.158).
4. The exploit kit (EK) at 192.99.198.158 delivers the exploit and a malware payload to "IntelCor_8".


Evaluation: Qualitative Analysis

Opening the malicious file in a hex editor: the payload is obfuscated by XOR-ing each character with a string key.
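The hex-editor step above identifies a payload obfuscated by XOR-ing each character with a string key. As an added example (not from the thesis, and not real malware), the Python below shows how an analyst recovers such a key and decodes the file when the first bytes of the plaintext are predictable, here the canonical MZ/PE DOS header that most Windows executables dropped by exploit kits begin with. The key s3cr3t, the sample blob and the function names are constructed for this example. One caveat: a key longer than the verifiable prefix (or a non-repeating keystream) cannot be recovered this way and needs key-length estimation and frequency analysis instead, which the example does not attempt.

```python
"""Repeating-key XOR de-obfuscation with key recovery from a known plaintext prefix."""
from itertools import cycle
from typing import Optional, Tuple

# Canonical first 16 bytes of a typical MZ/PE file (DOS header fields e_magic,
# e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc, e_ss).
PE_PREFIX = bytes.fromhex("4d5a90000300000004000000ffff0000")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; obfuscation and de-obfuscation are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ct: bytes, known_prefix: bytes, max_key_len: int = 16,
                min_verify: int = 4) -> Optional[bytes]:
    """Return the shortest repeating key consistent with ct[:n] XOR known_prefix[:n].

    Only keys shorter than the known prefix can be recovered, because every key
    byte has to be observed at least once. A candidate length k is accepted only
    if the first k keystream bytes reproduce all n known bytes, and k is capped
    at n - min_verify so that at least min_verify bytes actually verify it
    (k == n would trivially "match" any key).
    """
    n = min(len(known_prefix), len(ct))
    stream = bytes(c ^ p for c, p in zip(ct[:n], known_prefix[:n]))
    for k in range(1, min(max_key_len, n - min_verify) + 1):
        cand = stream[:k]
        if all(stream[i] == cand[i % k] for i in range(n)):
            return cand
    return None


def deobfuscate(blob: bytes, known_prefix: bytes = PE_PREFIX) -> Tuple[bytes, bytes]:
    """Recover the key and return (key, plaintext); raise if no short key fits."""
    key = recover_key(blob, known_prefix)
    if key is None:
        raise ValueError("no repeating key fits the known prefix; try key-length analysis")
    return key, xor_bytes(blob, key)


# Constructed sample: a fake dropper body (PE header, padding, DOS stub text)
# XORed with the made-up string key "s3cr3t". Not real malware.
SAMPLE_KEY = b"s3cr3t"
SAMPLE_PLAINTEXT = PE_PREFIX + b"\x00" * 4 + b"This program cannot be run in DOS mode.\r\n$"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, plaintext = deobfuscate(SAMPLE_BLOB)
    print("recovered key:", key)
    print("plaintext starts with:", plaintext[:2], "stub text:", plaintext[20:].split(b"\r\n")[0])
```

With a 16-byte known prefix the routine verifies each candidate against 16 bytes, so short coincidental keys are rejected; for a real sample the same check can be run with other predictable prefixes (%PDF-, PK\x03\x04, the Flash FWS/CWS magic) when the dropped file is not a PE.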

Evaluation: Qualitative Analysis

Snort (Emerging Threats rules) alerts raised on the capture:
• ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST (sid:2018442)
• ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses (sid:2018316)
• ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 (sid:2019224)
• ET CURRENT_EVENTS Angler EK Oct 22 2014 (sid:2019488)
• ET CURRENT_EVENTS Angler EK Flash Exploit URI Struct (sid:2019513)
• ET TROJAN Bedep SSL Cert (sid:2019645)

Detected by: ModSecurity (WEBIDS): NO | Snort (NETIDS): YES

Evaluation: Qualitative Analysis

Detected by: ModSecurity (WEBIDS): YES | Snort (NETIDS): NO

Evaluation: Qualitative Analysis

Passing traffic through the four detectors (NIDS, HIDS, WIDS, AD):
• Undetected attacks (evasion): obfuscation, fragmentation, encryption, denial of service.
• Detected attacks: obfuscation, application hijacking, file locations and integrity.

Evaluation: Qualitative Analysis

ModSecurity (OWASP CRS 2.2.9) error-log excerpt for the obfuscated SQL injection test against DVWA; the visible entries are the HTTP policy rules 960032 and 960034, the rest of the log is truncated:

... [Wed Jun 01 16:14:11.413715 2016] [:error] [pid 1561] [client 127.0.0.1] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "localhost"] [uri "/DVWA-master/login.php"] [unique_id "V077w38AAQEAAAYZ2K0AAAAA"]

[Wed Jun 01 16:14:11.494197 2016] [:error] [pid 1561] [client 127.0.0.1] ModSecurity: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "78"] [id "960034"] [rev "2"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"] [hostname "localhost"] [uri "/DVWA-master/login.php"] ...

Showing that the obfuscated SQL injection was detected by ModSecurity.

Note that the two rules shown fire on a plain GET over HTTP/1.1. In CRS 2.2.x that is the usual symptom of the setup file (modsecurity_crs_10_setup.conf), which initialises tx.allowed_methods and tx.allowed_http_versions, not being loaded; these two entries are therefore configuration noise and should be fixed before the alert volume is used as a detection metric.

Evaluation: Qualitative Analysis

OSSEC syscheck (file integrity) alert:

... ** Alert 1464865058.166: mail - ossec,syscheck,
2016 Jun 02 11:57:38 cidslayer-VirtualBox->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/alternatives/gnome-text-editor.1.gz'
Size changed from '32' to '30'
Old md5sum was: '2e8d9e791f0d21b5b32fe15b76b41749'
New md5sum is : 'f9c516214d25862e629c53a005ad8642'
Old sha1sum was: '97b7bfbfbe0465dc8f4c44f1ba375a4766bf6f39'
New sha1sum is : '31f025817c004ef13679ceb3ab82259a310d92d3' ...

OSSEC start-up log showing the monitored directories and the analysed log files:

2016/02/09 14:38:41 ossec-rootcheck: INFO: Started (pid: 1665).
2016/02/09 14:38:41 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2016/02/09 14:38:41 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2016/02/09 14:38:41 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2016/02/09 14:38:41 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2016/02/09 14:38:41 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2016/02/09 14:38:42 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'.
2016/02/09 14:38:42 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/syslog'.
2016/02/09 14:38:42 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/dpkg.log'.
2016/02/09 14:38:42 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache2/error.log'.
2016/02/09 14:38:42 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache2/access.log'.
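The model's visualization level centralizes the Snort, OSSEC and ModSecurity logs over syslog and correlates them with Logstash. The following added example (written for this page; it is not code from the thesis, from Logstash or from any of the three IDSs) shows the core of such event correlation in Python: parsers for the three alert formats (Snort alert_fast, OSSEC alert blocks and ModSecurity's Apache error-log entries, in the layouts shown above) normalize each alert to sensor, time, asset, rule and message, and a time-window correlator flags any asset reported by two or more sensors within the window. The asset inventory, IP addresses, hostnames, timestamps and unique_id are constructed; the Snort messages and sids are the ones listed on the earlier slide.

```python
"""Normalize Snort, OSSEC and ModSecurity alerts and correlate them per asset."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Hypothetical lab inventory: every identity a sensor reports (web-server vhost,
# OSSEC agent name, guest IP) maps to one asset name. Without such a table the
# three layers cannot be joined.
ASSETS = {"guest-a": "guest-a", "10.0.0.5": "guest-a",
          "guest-b": "guest-b", "10.0.0.6": "guest-b"}

# Snort alert_fast: MM/DD-HH:MM:SS.us  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {proto} src:port -> dst:port
SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$")
# ModSecurity in the Apache error log: fixed prefix, then [key "value"] pairs.
MODSEC_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[:error\] \[pid \d+\] \[client (?P<client>[^\]]+)\] ModSecurity: (?P<body>.*)$")
MODSEC_KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# OSSEC alert block: "** Alert ..." header, "YYYY Mon DD HH:MM:SS agent->location", "Rule: n (level l) -> 'msg'", details.
OSSEC_LOC_RE = re.compile(r"^(?P<ts>\d{4} \w{3} \d\d \d\d:\d\d:\d\d) (?P<agent>[^\s>]+)->(?P<loc>\S+)$")
OSSEC_RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<msg>.*)'$")


def parse_snort_fast(line: str, year: int) -> Optional[Dict]:
    """alert_fast timestamps carry no year, so the caller supplies it."""
    m = SNORT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f").replace(year=year)
    asset = ASSETS.get(m["dst"]) or ASSETS.get(m["src"]) or m["dst"]  # the guest may be either end
    return {"sensor": "NIDS", "ts": ts, "asset": asset, "rule": m["sid"], "msg": m["msg"], "severity": m["prio"]}


def parse_modsecurity(line: str) -> Optional[Dict]:
    m = MODSEC_RE.match(line)
    if not m:
        return None
    f = dict(MODSEC_KV_RE.findall(m["body"]))  # repeated keys such as "tag" keep the last value
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
    host = f.get("hostname", "")
    return {"sensor": "WIDS", "ts": ts, "asset": ASSETS.get(host, host), "rule": f.get("id"),
            "msg": f.get("msg"), "severity": f.get("severity"), "client": m["client"]}


def parse_ossec(block: str) -> Optional[Dict]:
    lines = [l.strip() for l in block.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("** Alert"):
        return None
    loc, rule = OSSEC_LOC_RE.match(lines[1]), OSSEC_RULE_RE.match(lines[2])
    if not (loc and rule):
        return None
    ts = datetime.strptime(loc["ts"], "%Y %b %d %H:%M:%S")
    agent = loc["agent"]
    return {"sensor": "HIDS", "ts": ts, "asset": ASSETS.get(agent, agent), "rule": rule["rule"],
            "msg": rule["msg"], "severity": rule["level"], "detail": " ".join(lines[3:])}


def correlate(alerts: List[Dict], window_s: int = 120) -> List[Dict]:
    """Per asset, group alerts into windows of window_s seconds measured from the
    first alert of each window, and report windows in which two or more sensors fired."""
    per_asset = defaultdict(list)
    for a in alerts:
        per_asset[a["asset"]].append(a)
    incidents = []
    for asset, items in per_asset.items():
        items.sort(key=lambda a: a["ts"])
        i = 0
        while i < len(items):
            j = i
            while j + 1 < len(items) and (items[j + 1]["ts"] - items[i]["ts"]).total_seconds() <= window_s:
                j += 1
            group = items[i:j + 1]
            sensors = sorted({a["sensor"] for a in group})
            if len(sensors) >= 2:
                incidents.append({"asset": asset, "sensors": sensors, "start": group[0]["ts"],
                                  "end": group[-1]["ts"], "alerts": group})
            i = j + 1
    return incidents


# Constructed sample alerts (Snort messages/sids from the slide; everything else made up).
SNORT_LINES = [
    "06/02-11:57:20.104523  [**] [1:2019224:3] ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.99.198.158:80 -> 10.0.0.5:49211",
    "06/02-12:30:00.000000  [**] [1:2018316:1] ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {UDP} 10.0.0.1:53 -> 10.0.0.6:51000",
]
MODSEC_LINES = [
    '[Thu Jun 02 11:58:02.413715 2016] [:error] [pid 1561] [client 203.0.113.7] ModSecurity: Warning. '
    'Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. '
    '[file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] '
    '[id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] '
    '[hostname "guest-a"] [uri "/DVWA-master/login.php"] [unique_id "V1AAAAEAAQEAAAYZ2K0AAAAA"]',
]
OSSEC_BLOCKS = ["""** Alert 1464868750.166: mail - ossec,syscheck,
2016 Jun 02 11:59:10 guest-a->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/alternatives/gnome-text-editor.1.gz'"""]


def collect_alerts(year: int = 2016) -> List[Dict]:
    parsed = [parse_snort_fast(l, year) for l in SNORT_LINES]
    parsed += [parse_modsecurity(l) for l in MODSEC_LINES]
    parsed += [parse_ossec(b) for b in OSSEC_BLOCKS]
    return [a for a in parsed if a]


if __name__ == "__main__":
    for inc in correlate(collect_alerts()):
        print(inc["asset"], inc["sensors"], inc["start"], "->", inc["end"])
```

On the sample data guest-a is hit by the NIDS (Angler EK), the WIDS (DVWA login request) and the HIDS (integrity change) within 110 seconds and becomes one multi-layer incident, while the single Snort alert for guest-b stays an isolated alert. The window length is the tuning knob: too short and the layers never meet, too long and unrelated alerts on a busy guest are merged.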

Evaluation: Qualitative Analysis

Difference | NIDS | HIDS | WIDS
Need | To protect and monitor the network | To protect and monitor the host | To protect and monitor the web
Design | Network based | Host based | Web based
Source | Network flow and packets | System log files, programs and processes | Web log files and web protocols

Evaluation: Anomaly Detection Zone

(Same figure as Model Design: From Signature Zone to Anomaly Zone.)

Evaluation: Anomaly Detection Steps

Data collection -> Preprocessing -> Training -> Test

Evaluation: Data Collection & Preprocessing

Dataset: "CSIC 2010 HTTP Dataset" from the CSIC Information Security Institute (Spanish National Research Council), 2010, in CSV format for Weka analysis.
• Normal requests: 36,000
• Anomalous requests: 25,000
• Attack types: SQL injection, buffer overflow, information gathering, files disclosure, CRLF injection, XSS, server side include, parameter tampering and so on.

Evaluation: Cleaning Data - Removing Noisy Attributes

Evaluation: Cleaning Data - Step 01, Step 02 and Step 03

Ranked attributes (score | attribute index | attribute):

Non-significant attributes (score 0):
0 | 6 | pragma
0 | 4 | protocol
0 | 5 | userAgent
0 | 7 | cacheControl
0 | 13 | connection
0 | 11 | acceptLanguage
0 | 10 | acceptCharset
0 | 8 | accept
0 | 9 | acceptEncoding

Significant attributes:
0.99649 | 16 | cookie
0.42637 | 17 | payload
0.29471 | 1 | index
0.12669 | 3 | url
0.10206 | 14 | contentLength
0.01273 | 2 | method
0.00892 | 12 | host
0.00492 | 15 | contentType

Set of significant attributes = {cookie, payload, index, url, contentLength, method, host, contentType}
Set of noisy attributes = {pragma, protocol, userAgent, cacheControl, connection, acceptLanguage, acceptCharset, accept, acceptEncoding}

Step 03: repeat Step 01 and Step 02 -> set of significant attributes = {payload}

Evaluation: Cleaning Data - Step 04 and Step 05

Step 04: nominal values replaced by numeric codes: GET -> 1, POST -> 2, PUT -> 3, localhost:8080 -> 5, ...

Step 05: resulting table (payload | label), e.g. 4 | anom ... 20 | norm
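Steps 01 to 05 above are an attribute ranking by information gain against the class, removal of the zero-score attributes, and nominal-to-numeric coding, run in Weka. The following added example (mine, not the thesis's Weka workflow or the CSIC dataset) implements the same steps in plain Python over a constructed eight-request table that reuses the CSIC column names, so the effect of each step can be inspected directly; the requests, their labels and the helper names are made up. One caveat worth keeping in mind when reading the ranking above: an attribute such as index (the row number) or cookie (a session identifier) can score near the maximum simply because normal and anomalous requests were recorded in separate sessions, which is a dataset artefact rather than attack evidence; the 0.99649 score for cookie is the pattern to be suspicious of, and re-ranking without such attributes, as Step 03 does, is the right response. The constructed table below reproduces the effect with its index column.

```python
"""Information-gain ranking, noisy-attribute removal and nominal-to-numeric coding."""
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed eight-request table using a subset of the CSIC 2010 column names;
# the values and labels are made up for illustration, not taken from the dataset.
COLUMNS = ["index", "method", "protocol", "userAgent", "host", "contentType", "payload", "label"]
FORM = "application/x-www-form-urlencoded"
RAW = [
    ("1", "GET",  "HTTP/1.1", "Mozilla/5.0", "localhost:8080", "",   "id=1",                         "norm"),
    ("2", "GET",  "HTTP/1.1", "Mozilla/5.0", "localhost:8080", "",   "id=2",                         "norm"),
    ("3", "GET",  "HTTP/1.1", "Mozilla/5.0", "localhost:8080", "",   "modo=registro",                "norm"),
    ("4", "POST", "HTTP/1.1", "Mozilla/5.0", "localhost:8080", FORM, "id=1",                         "norm"),
    ("5", "GET",  "HTTP/1.1", "Mozilla/5.0", "localhost:8080", "",   "id=1' OR '1'='1",              "anom"),
    ("6", "POST", "HTTP/1.1", "Mozilla/5.0", "localhost:8080", FORM, "id=<script>alert(1)</script>", "anom"),
    ("7", "POST", "HTTP/1.1", "Mozilla/5.0", "localhost:8080", FORM, "id=1' OR '1'='1",              "anom"),
    ("8", "POST", "HTTP/1.1", "Mozilla/5.0", "localhost:8080", FORM, "../../etc/passwd",             "anom"),
]
ROWS = [dict(zip(COLUMNS, r)) for r in RAW]
TARGET = "label"


def entropy(labels: List[str]) -> float:
    """Shannon entropy, in bits, of the class distribution."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def info_gain(rows: List[Dict], attr: str, target: str = TARGET) -> float:
    """IG(attr) = H(class) - sum_v P(attr = v) * H(class | attr = v)."""
    base = entropy([r[target] for r in rows])
    groups = defaultdict(list)
    for r in rows:
        groups[r[attr]].append(r[target])
    conditional = sum(len(g) / len(rows) * entropy(g) for g in groups.values())
    return base - conditional


def rank_attributes(rows: List[Dict], target: str = TARGET) -> List[Tuple[float, str]]:
    """Step 01: rank every non-class attribute by information gain, highest first."""
    attrs = [a for a in rows[0] if a != target]
    return sorted(((info_gain(rows, a, target), a) for a in attrs), reverse=True)


def split_significant(ranking: List[Tuple[float, str]], threshold: float = 0.0) -> Tuple[List[str], List[str]]:
    """Step 02: attributes scoring above the threshold are kept, the rest are noisy."""
    significant = [a for g, a in ranking if g > threshold]
    noisy = [a for g, a in ranking if g <= threshold]
    return significant, noisy


METHOD_CODES = {"GET": 1, "POST": 2, "PUT": 3}  # fixed codes, as on the slide


def encode(rows: List[Dict], attrs: List[str], target: str = TARGET):
    """Steps 04 and 05: replace nominal values by integer codes (1-based, in first-seen
    order, except the fixed method codes) and return the reduced table, label last."""
    codes = {a: (dict(METHOD_CODES) if a == "method" else {}) for a in attrs}
    table = []
    for r in rows:
        vec = []
        for a in attrs:
            codes[a].setdefault(r[a], len(codes[a]) + 1)
            vec.append(codes[a][r[a]])
        vec.append(r[target])
        table.append(vec)
    return table, codes


if __name__ == "__main__":
    ranking = rank_attributes(ROWS)
    for gain, attr in ranking:
        print(f"{gain:.5f} {attr}")
    keep, drop = split_significant(ranking)
    print("significant:", keep, "noisy:", drop)
    numeric, _ = encode(ROWS, keep)
    print(numeric[0], numeric[-1])
```

On this table protocol, userAgent and host are constant and score exactly 0 (they are the noisy set), method and contentType carry a little information, payload separates the classes perfectly, and so does index, for the artefact reason given above: a row number that happens to be ordered by class looks like the best attribute to any ranker, and would make a trained model useless on new requests.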

Evaluation: Training and Testing

Learning configuration (training split) | Classifier | Detection % | Model creation (sec) | Cleaning data
70% | C4.5 | 62.0097% | 25.8 | Before
70% | Naive Bayes | 61.9709% | 0.12 | Before
70% | C4.5 | 62.1334% | 14.56 | After
70% | Naive Bayes | 50.3377% | 0.22 | After

Cleaning leaves C4.5 essentially unchanged in accuracy while cutting its model-creation time from 25.8 to 14.56 seconds; Naive Bayes, however, drops to 50.34%, which is below the roughly 59% that always predicting the majority class would score on this 36,000/25,000 split.

Evaluation: ROC Before and After Cleaning

Evaluation: Administration

Conclusion: Meeting the Objectives

Gap in the literature | Proposed solution
Partial detection on the Cloud | Full detection in the Cloud
Less distinction of attacks per layer | Deploy IDSs specifically to protect strategic layers
Less focus on the significant attributes | Clean the dataset by removing insignificant and less significant attributes

Future Research Perspectives

• Prototype optimization: better performance and accuracy.
• Additional protection: the use of honeypots with more intelligent techniques for analysis and detection.


Thank You..