a hybrid intrusion detection system for cloud computing environments
TRANSCRIPT
Introduction
Cloud Security Concerns
Q: Please rate your level of overall security concern related to adopting public cloud computing.
• 91% of organizations have security concerns.
• 4% not sure.
• 5% not at all concerned.
Source: Cloud Passage survey report 2016
Most Popular Cloud Services
Q: What types of business applications is your organization deploying in the cloud?
• 46% Web apps.
• 38% Collaboration and communication apps.
• 33% Productivity.
• 27% IT operations.
• 27% Custom business applications.
Source: Cloud Passage survey report 2016
Research Question
Main question: How to protect the Cloud using Intrusion Detection Systems (IDS)?
Secondary questions:
• How is an IDS best transformed to suit the Cloud?
• How may we increase the detection quality?
• How is the model best deployed?
Aims and Objectives
Objective 1: Review the current literature about security issues related to the Cloud and proposed solutions to fully protect it.
Objective 2: Identify key solutions and design the architecture.
Objective 3: Evaluate experimental results.
Cloud Computing and Security
Background
• Cloud Computing
• Virtualization
• Vulnerabilities and attacks in Cloud Computing
• Intrusion Detection Systems
• Machine Learning
Virtualization
Virtualization: Virtual Machine Monitor (VMM)
1. Isolation
2. Interposition
3. Inspection
Virtualization: Approaches of Virtualization
Full Virtualization (figure: privilege rings, least to most privileged):
• Ring-3: User Apps, direct execution of user requests
• Ring-2: (empty in the figure)
• Ring-1: Guest OS, binary translation of OS requests
• Ring-0: VMM (Virtual Machine Monitor)
• Host Hardware
Intrusion Detection Systems
Intrusion Detection System
• Intrusion Detection System vs Firewall
• What an IDS can and can't do
• Detection methods
Machine Learning
• Supervised learning: Naive Bayes, Decision Tree
• Unsupervised learning
Literature Review
Literature Review: Classification of the Literature
How to study the literature?
Literature Review: How to study the literature?
• Where to detect? Network / Host / VM / Application
• What to detect? Network packets / Processes / VMM / Tasks
• How to detect? Signature / Anomaly
Literature Review: How to study the literature?
Scope of the literature, by perspective:
• Where: layers of the Cloud
• What: audit source location
• How: detection method
Literature Review: Classification of the Literature
Layers of the Cloud: Host, Network, Application, Virtualization
Literature Review: Application Layer
• AlQahtani et al. 2014: metrics to measure quality: vulnerability detection and average response time.
• Carmen et al. 2010: SQL injection (SQLMap) against web traffic (XML + ModSecurity); detection metrics; "XML" gives a better characterization of normal traffic.
• Felix et al. 2011: heuristics to learn algorithms and keys; encryption.
Literature Review: Host Layer
• Firkhman et al. 2011 and Chirag et al. 2013: host IDSs with signatures for known attacks; top-down and bottom-up approaches to place the IDS on hosts, guests or hypervisors.
• SamanTaghavi et al. 2011: cloud-specific design; log file correlation; hybrid solution combining several IDS methods (NIDS, HIDS, ...); unknown attacks.
Literature Review: Comparative Summary
Ref | Deployment | Layers of interest | Detection approach
Vikas Mishra et al. 2016 | IaaS | Network | Signature-based
Sivakami Raja et al. 2016 | IaaS | Network | Anomaly-based
Khamkone Sengaphay et al. 2016 | IaaS | Network | Signature-based, Anomaly-based
Zahraa Al-Mousa et al. 2015 | IaaS | Network | Anomaly-based
Partha Ghosh et al. 2015 | IaaS | Network, Host | Anomaly-based
Ming-Yi Liao et al. 2015 | IaaS | Network, VM | Signature-based
Sangeetha et al. 2015 | SaaS | Application | Signature-based
Manthira et al. 2014 | IaaS, SaaS | Network, Host | Signature-based, Anomaly-based
Omar Al-Jarrah et al. 2014 | IaaS | Network | Anomaly-based
Felix Gröbert et al. 2011 | SaaS | Host | Heuristic-based, Signature-based
Nathaniel et al. 2011 | SaaS | Application | Anomaly-based
Malek Ben Salem et al. 2011 | IaaS | Host, VM | Anomaly-based
Cristina Abad et al. 2003 | IaaS | Network, VM | Signature-based, Anomaly-based
Literature Review: Main Detection Methods
Signature-based IDS
• Known attacks.
• Easy to implement.
• Frequent updates.
• Slow reaction to new attacks.
Literature Review: Main Detection Methods
Anomaly-based IDS
• Malicious network behaviour is noticeably different from regular behaviour.
• Able to detect unknown/new attacks.
• High alarm rates.
• Requires a system-training period.
• Greater implementation complexity.
Literature Review: Summary
• Deployment locations and detection methods.
• Partial detection on the Cloud.
• No detection model can protect the entire Cloud.
• Less distinction of attacks per layer.
• Less focus on the significant attributes.
Model Design
Model Design: Proposed Architecture
(Figure: Internet -> Lab Router -> Cloud Infrastructure. A NIDS sits at the network entry, a VM-IDS at the hypervisor, and each of Guest A, Guest B and Guest C runs a Host-IDS and a Web-IDS.)
Model design parameters:
• Placement of IDSs.
• Layered security design.
• Combining detection methods.
• Event correlation.
Model Design: Signature IDSs Positions
(Figure: the hacker position is on the Internet side of the Lab Router. First detection line: NIDS at the network entry of the Cloud Infrastructure. Second detection line: VM-IDS at the hypervisor. Third detection line: Web-IDS on Guest A, Guest B and Guest C.)
Implementation preferences: ModSecurity, Snort, OSSEC; anomaly detection; Sguil/ELK.
Model Design: Different Zones of Detection
Detection level: ModSecurity (WIDS), Snort (NIDS), OSSEC (HIDS), OSSEC (VMIDS), with the hacker outside.
Visualization level:
• Logs centralized: Syslog
• Log correlation: Logstash
• Visualization module: Kibana, Snorby, Sguil
Anomaly detection (train, test, prediction): recommended for rule adding.
Model Design: From Signature Zone to Anomaly Zone
(Figure: knowledge-based detection with ModSecurity produces events reviewed by the administrator, who builds a training dataset labelled Normal and Attacks. Machine-learning anomaly detection is trained on that dataset and tested; the attacks it flags are recommended to the admin.)
Evaluation
Evaluation: Collected Data for Evaluation
• Real traffic from the network.
• Web vulnerability scanner (W3af) implemented by OWASP.
• Simulated attacks on the host.
Evaluation: Quantitative Analysis
Number of resources | Targeted layers | Datasets total size | Dataset/Tools | Number of sessions
70 | Network, Host, Web | More than 235 MB | Pcap files and W3af | 88

Number of resources | Targeted layers | Platform/Payloads | IDS | Total number of sessions
36 | Network | Exploit kits (Angler, Fiesta, Neutrino, Magnitude, Nuclear, RIG), Upatre downloader, Malspam | Snort | 53
Evaluation: Quantitative Analysis
Number of resources | Targeted layers | Host/Guest | IDS | Total number of sessions
10 | Host | LUbuntu 15 | OSSEC | 10

Number of resources | Targeted layers | Platform/Payloads | IDS | Total number of sessions
24 | Web | W3af payloads: blind_sqli, buffer_overflow, csrf, dav, eval, file_upload, format_string, frontpage, generic, global_redirect, htaccess_methods, ldapi, lfi, mx_injection, os_commanding, phishing_vector, preg_replace, ... | ModSecurity | 24
Evaluation: Quantitative Analysis
Distribution of attacks per layer (figure).
Detection in the signature detection zone:
TP/FN | Number of attacks | Percentage
True Positives | 64 | 91.43%
False Negatives | 6 | 8.57%
Evaluation: Qualitative Analysis
Evasion techniques examined: Obfuscation, Fragmentation, Encryption, Denial of Service.
Evaluation: Qualitative Analysis
Manual analysis using Wireshark, on a 2014 capture:
1. "IntelCor_8" (Windows), MAC address 00:1b:21:ca:fe:d7
2. IP: 192.168.137.62
3. "www.earsurgery.org" (216.9.81.189) --> "qwe.mvdunalterableairreport.net" (192.99.198.158)
4. Exploit kit (EK) and malware payload delivered to "IntelCor_8".
Evaluation: Qualitative Analysis
Opening the malicious file in a hex editor: char XOR with a string.
Evaluation: Qualitative Analysis
Snort alerts raised on the capture:
• ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST (sid:2018442)
• ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses (sid:2018316)
• ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 (sid:2019224)
• ET CURRENT_EVENTS Angler EK Oct 22 2014 (sid:2019488)
• ET CURRENT_EVENTS Angler EK Flash Exploit URI Struct (sid:2019513)
• ET TROJAN Bedep SSL Cert (sid:2019645)
Detected by ModSecurity (WEBIDS): NO. Detected by Snort (NETIDS): YES.
Evaluation: Qualitative Analysis
Detected by ModSecurity (WEBIDS): YES. Detected by Snort (NETIDS): NO.
Evaluation: Qualitative Analysis
(Figure: passing traffic through NIDS, HIDS, WIDS and AD.)
Undetected attacks (evasion): Obfuscation, Fragmentation, Encryption, Denial of Service.
Detected attacks: Obfuscation, Application Hijacking, File locations and Integrity.
Evaluation: Qualitative Analysis
. . . [Wed Jun 01 16:14:11.413715 2016] [:error] [pid 1561] [client 127.0.0.1] ModSecurity: Warning. Match of «within %{tx.allowed_methods}» against «REQUEST_METHOD» required. [file «/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf»] [line «31»] [id «960032»] [rev «2»] [msg «Method is not allowed by policy»] [data «GET»] [severity «CRITICAL»] [ver «OWASP_CRS/2.2.9»] [maturity «9»] [accuracy «9»] [tag «OWASP_CRS/POLICY/METHOD_NOT_ALLOWED»] [tag «WASCTC/WASC-15»] [tag «OWASP_TOP_10/A6»] [tag «OWASP_AppSensor/RE1»] [tag «PCI/12.1»] [hostname «localhost»] [uri «/DVWA-master/login.php»] [unique_id «V077w38AAQEAAAYZ2K0AAAAA»]
[Wed Jun 01 16:14:11.494197 2016] [:error] [pid 1561] [client 127.0.0.1] ModSecurity: Warning. Match of «within %{tx.allowed_http_versions}» against «REQUEST_PROTOCOL» required. [file «/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf»] [line «78»] [id «960034»] [rev «2»] [msg «HTTP protocol version is not allowed by policy»] [data «HTTP/1.1»] [severity «CRITICAL»] [ver «OWASP_CRS/2.2.9»] [maturity «9»] [accuracy «9»] [tag «OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED»] [tag «WASCTC/WASC-21»] [tag «OWASP_TOP_10/A6»] [tag «PCI/6.5.10»] [hostname «localhost»] [uri «/DVWA-master/login.php»]...
Showing that obfuscated SQL injection was detected by ModSecurity.
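As an added example (not the authors' tooling), the Python below parses ModSecurity warnings in the format above into structured events and groups every rule that fired on the same request, which is the kind of correlation the Logstash stage of the model performs. The two sample lines are constructed from the ones on this slide; the regexes accept both the straight quotes real logs use and the guillemets of the slide rendering.

```python
import re
from collections import OrderedDict

# Two warnings constructed from the ModSecurity/Apache error.log lines shown on the
# slide (OWASP CRS 2.2.9 firing on a DVWA login request); fields are [key "value"] pairs.
SAMPLE_LOG = """[Wed Jun 01 16:14:11.413715 2016] [:error] [pid 1561] [client 127.0.0.1] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "localhost"] [uri "/DVWA-master/login.php"] [unique_id "V077w38AAQEAAAYZ2K0AAAAA"]
[Wed Jun 01 16:14:11.494197 2016] [:error] [pid 1561] [client 127.0.0.1] ModSecurity: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "78"] [id "960034"] [rev "2"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"] [hostname "localhost"] [uri "/DVWA-master/login.php"]"""

HEADER_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[:error\] \[pid (?P<pid>\d+)\] '
    r'\[client (?P<client>[^\]]+)\] ModSecurity: (?P<action>\w+)\.')
# Accepts the straight quotes real logs use and the guillemets of the slide rendering.
FIELD_RE = re.compile(r'\[(\w+) ["«]([^"»]*)["»]\]')

def parse_modsec_line(line):
    """Turn one ModSecurity error-log line into a dict, or None if it is not one."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "pid": int(m["pid"]), "client": m["client"],
             "action": m["action"], "tags": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":                  # 'tag' repeats; keep every value
            event["tags"].append(value)
        else:
            event.setdefault(key, value)  # first occurrence of other keys wins
    return event

def correlate_by_request(lines):
    """Group warnings by (client, uri, second) so every rule that fired on one
    request is reported together, the way the model's Logstash stage correlates."""
    groups = OrderedDict()
    for line in lines:
        ev = parse_modsec_line(line)
        if ev is None or "uri" not in ev:
            continue
        second = ev["ts"].split(".")[0]   # "Wed Jun 01 16:14:11" (microseconds dropped)
        key = (ev["client"], ev["uri"], second)
        g = groups.setdefault(key, {"rule_ids": [], "msgs": [], "severities": set()})
        g["rule_ids"].append(ev.get("id"))
        g["msgs"].append(ev.get("msg"))
        g["severities"].add(ev.get("severity"))
    return groups

if __name__ == "__main__":
    for (client, uri, second), g in correlate_by_request(SAMPLE_LOG.splitlines()).items():
        print(f"{second} {client} {uri}: rules {g['rule_ids']} {sorted(g['severities'])}")
```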
Evaluation: Qualitative Analysis
...** Alert 1464865058.166: mail - ossec,syscheck, 2016 Jun 02 11:57:38 cidslayer-VirtualBox->syscheck Rule: 550 (level 7) -> ‘Integrity checksum changed.’ Integrity checksum changed for: ‘/etc/alternatives/gnome-text-editor.1.gz’ Size changed from ‘32’ to ‘30’ Old md5sum was: ‘2e8d9e791f0d21b5b32fe15b76b41749’ New md5sum is : ‘f9c516214d25862e629c53a005ad8642’ Old sha1sum was: ‘97b7bfbfbe0465dc8f4c44f1ba375a4766bf6f39’ New sha1sum is : ‘31f025817c004ef13679ceb3ab82259a310d92d3’...
2016/02/09 14:38:41 ossec-rootcheck: INFO: Started (pid: 1665). 2016/02/09 14:38:41 ossec-syscheckd: INFO: Monitoring directory: ‘/etc’. 2016/02/09 14:38:41 ossec-syscheckd: INFO: Monitoring directory: ‘/usr/bin’. 2016/02/09 14:38:41 ossec-syscheckd: INFO: Monitoring directory: ‘/usr/sbin’. 2016/02/09 14:38:41 ossec-syscheckd: INFO: Monitoring directory: ‘/bin’. 2016/02/09 14:38:41 ossec-syscheckd: INFO: Monitoring directory: ‘/sbin’. 2016/02/09 14:38:42 ossec-logcollector(1950): INFO: Analyzing file: ‘/var/log/auth.log’. 2016/02/09 14:38:42 ossec-logcollector(1950): INFO: Analyzing file: ‘/var/log/syslog’. 2016/02/09 14:38:42 ossec-logcollector(1950): INFO: Analyzing file: ‘/var/log/dpkg.log’. 2016/02/09 14:38:42 ossec-logcollector(1950): INFO: Analyzing file: ‘/var/log/apache2/error.log’. 2016/02/09 14:38:42 ossec-logcollector(1950): INFO: Analyzing file: ‘/var/log/apache2/access.log’.
Evaluation: Qualitative Analysis
Difference | NIDS | HIDS | WIDS
Need | To protect and monitor the Network | To protect and monitor the Host | To protect and monitor the Web
Design | Network based | Host based | Web based
Source | Network flow and packets | System log files, programs and processes | Web log files and web protocols
Evaluation: Anomaly Detection Zone
(The signature-zone-to-anomaly-zone flow figure from the Model Design section is repeated here.)
Evaluation: Anomaly Detection Steps
Data Collection -> Preprocessing -> Training -> Test
Evaluation: Data Collection & Preprocessing
CSIC Information Security Institute (Spanish National Research Council): "CSIC 2010 HTTP Dataset" in CSV format (for Weka analysis), 2010.
• Normal requests: 36,000
• Anomalous requests: 25,000
Attack types: SQL injection, buffer overflow, information gathering, files disclosure, CRLF injection, XSS, server side include, parameter tampering and so on.
Evaluation: Cleaning Data - Removing Noisy Attributes
Evaluation: Cleaning Data - Step 01, Step 02 and Step 03
Ranked attributes (score, attribute index, attribute name):
Significant attributes:
0.99649 16 cookie
0.42637 17 payload
0.29471 1 index
0.12669 3 url
0.10206 14 contentLength
0.01273 2 method
0.00892 12 host
0.00492 15 contentType
Non-significant attributes:
0 6 pragma
0 4 protocol
0 5 userAgent
0 7 cacheControl
0 13 connection
0 11 acceptLanguage
0 10 acceptCharset
0 8 accept
0 9 acceptEncoding
Set of significant attributes = {cookie, payload, index, url, contentLength, method, host, contentType}
Set of noisy attributes = {pragma, protocol, userAgent, cacheControl, connection, acceptLanguage, acceptCharset, accept, acceptEncoding}
Repeat Step 01 and Step 02: set of significant attributes = {payload}
Evaluation: Cleaning Data - Step 04 and Step 05
Nominal values replaced by integers: GET replaced by 1, POST replaced by 2, PUT replaced by 3, localhost:8080 replaced by 5, ...
Resulting table (excerpt):
payload | label
4 | anom
... | ...
20 | norm
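An added example, not from the thesis: the cleaning steps above (rank attributes, drop the ones that score zero, re-rank with a stricter cut, then replace nominal values by integers) implemented in Python over a small constructed table of HTTP requests, assuming the slides' ranking came from an information-gain evaluator in Weka. It generalises the steps to any nominal attributes and reproduces, on the toy data, why a constant header such as userAgent ranks as noise while payload ranks first.

```python
import math
from collections import Counter, defaultdict

# Constructed mini-dataset shaped like the CSIC 2010 rows the page cleans
# (assumption: the real set has 17 attributes and 61,000 rows; 4 attributes and
# 8 rows are enough to show why 'userAgent' ranks as noise and 'payload' on top).
ATTRS = ["method", "userAgent", "url", "payload"]
ROWS = [  # (method, userAgent, url, payload, label)
    ("GET",  "Mozilla/5.0", "/tienda1/index.jsp", "",                        "norm"),
    ("POST", "Mozilla/5.0", "/tienda1/login.jsp", "user=alice&pw=secret",    "norm"),
    ("GET",  "Mozilla/5.0", "/tienda1/index.jsp", "id=12",                   "norm"),
    ("POST", "Mozilla/5.0", "/tienda1/login.jsp", "user=bob&pw=hunter2",     "norm"),
    ("GET",  "Mozilla/5.0", "/tienda1/index.jsp", "id=1' OR '1'='1",         "anom"),
    ("POST", "Mozilla/5.0", "/tienda1/login.jsp", "user=<script>x</script>", "anom"),
    ("PUT",  "Mozilla/5.0", "/tienda1/index.jsp", "",                        "anom"),
    ("GET",  "Mozilla/5.0", "/tienda1/index.jsp", "id=../../etc/passwd",     "anom"),
]

def entropy(labels):
    """Shannon entropy in bits of a list of class labels."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())

def info_gain(rows, attr_index, label_index=-1):
    """Information gain of one nominal attribute with respect to the class label
    (assumed to be the score behind the slides' 'Ranked attributes' list)."""
    groups = defaultdict(list)
    for row in rows:
        groups[row[attr_index]].append(row[label_index])
    cond = sum(len(g) / len(rows) * entropy(g) for g in groups.values())
    return entropy([row[label_index] for row in rows]) - cond

def rank_attributes(rows, attrs):
    """[(attribute, gain), ...] sorted best-first, like the ranked list on the slide."""
    scored = [(a, info_gain(rows, i)) for i, a in enumerate(attrs)]
    return sorted(scored, key=lambda t: t[1], reverse=True)

def split_attributes(rows, attrs, threshold=0.0):
    """Steps 01-03: attributes whose gain is at or below the threshold are noisy.
    A higher threshold (e.g. 0.4) is the second pass that keeps only payload."""
    ranked = rank_attributes(rows, attrs)
    return ([a for a, g in ranked if g > threshold],
            [a for a, g in ranked if g <= threshold])

def encode_nominal(values):
    """Step 04: replace nominal values by integers in order of first appearance
    (GET -> 1, POST -> 2, PUT -> 3, as on the slide)."""
    codes = {}
    for v in values:
        codes.setdefault(v, len(codes) + 1)
    return [codes[v] for v in values], codes
```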
Evaluation: Training and Testing
Learning configuration | Classifier | Detection % | Model creation (sec) | Cleaning data
70% | C4.5 | 62.0097% | 25.8 seconds | Before
70% | Naive Bayes | 61.9709% | 0.12 seconds | Before
70% | C4.5 | 62.1334% | 14.56 seconds | After
70% | Naive Bayes | 50.3377% | 0.22 seconds | After
Evaluation: ROC Before and After Cleaning (figure)
Evaluation: Administration
Conclusion: Meeting the Objectives
Gap in the literature | Proposed solution
Partial detection on the Cloud | Full detection in the Cloud
Less distinction of attacks per layer | Deploy IDSs specifically to protect strategic layers
Less focus on the significant attributes | Cleaning the dataset by removing insignificant and less significant attributes
Future Research Perspectives
• Prototype optimization: better performance and accuracy.
• Additional protection: the use of honeypots with more intelligent techniques for analysis and detection.
Thank You..