How To Protect Cloud Computing Using IDS
University of Vermont
Cloud computing is a new trend in the data center industry. Many companies are shifting their applications to
this new infrastructure. Cloud computing is composed of virtualization and utility computing. It
provides infrastructure, platform and software as a service that customers can use on an
on-demand basis. Cloud computing customers pay only for the services they use, so the cost of
new infrastructure can be reduced; they do not need to invest in new machines for infrastructure.
There are several types of cloud computing, such as public cloud, private cloud and hybrid cloud.
In a public cloud, service providers offer infrastructure as a service. Examples of providers
running this service are Amazon EC2 and Microsoft Azure. They offer infrastructure as utility
computing. In public cloud,
Cloud computing is built up from virtualization technology. The idea of virtualization can
Virtualization technology has some
As cloud computing uses the internet as the backbone communication to connect the cloud service
provider and its customers, some security and privacy issues arise. There can be
security attacks just like in traditional infrastructure, such as ARP poisoning, man-in-the-middle
attacks, port scanning, IP spoofing, denial of service, etc. In order to protect against this type of attack, which
Intrusion Detection System for Cloud Computing 3
can harm cloud services, many cloud providers put some security measures in place to fortify their
cloud infrastructure and
Cloud providers provide a firewall service, so their customers' infrastructure can be protected. Many
service providers di
A firewall solution is the first line of defense, but this is not enough when we talk about public
and shared infrastructure. So there needs to be a second line of defense to provide more protection in
cloud computing. An integration of an Intrusion Detection System (IDS) in cloud computing can be
used as that second line of defense. An IDS can detect network attacks and malicious activity that tries to
compromise the system. Compared to traditional IDS deployment, some
modifications are needed to deploy an IDS in cloud computing to provide maximum protection.
Introduction
Background information about cloud computing
Cloud computing is becoming one of the next industry buzzwords. Cloud computing builds upon
advances in research in virtualization, distributed computing, grid computing and utility computing.
It tries to satisfy user needs by providing infrastructure, platform and software as a service (IaaS,
PaaS, SaaS). In addition, it offers on-demand services, reduced total cost of services and economy
of scale. The key to the solution is an integrated framework that allows reliable, scalable (ability
to scale a solution to achieve economy of scale) and reconfigurable aggregation, sharing, and
allocation of software (SaaS), computational, storage and networking resources on-demand.
Cloud computing is a new term for a long-held dream of computing as a utility, which has recently
emerged as a commercial reality [1]. Foster et al. define cloud computing as: a large-scale
distributed computing paradigm that is driven by economies of scale, in which a pool of
abstracted, virtualized, dynamically-scalable, managed computing power, storage, platforms, and
services are delivered on demand to external customers over the internet.
Cloud Computing refers to both the applications delivered as services over the Internet and the
hardware and systems software in the datacenters that provide those services. The services
themselves have long been referred to as Software as a Service (SaaS). The datacenter hardware
and software is what we will call a Cloud. When a Cloud is made available in a pay-as-you-go
manner to the public, we call it a Public Cloud; the service being sold is Utility Computing. Current
examples of public Utility Computing include Amazon EC2 which is an infrastructure as a service
provider (IaaS). We use the term Private Cloud to refer to internal datacenters of a business.
As Cloud services are delivered through the Internet, security and privacy of Cloud resources and
offered services are the biggest concerns. At the network layer, the Cloud suffers from traditional attacks
such as IP spoofing, Address Resolution Protocol (ARP) spoofing, Routing Information Protocol
(RIP) attacks, DNS poisoning, man-in-the-middle attacks, port scanning, insider attacks, Denial of
Service (DoS), Distributed Denial of Service (DDoS), etc. These attacks affect the confidentiality,
integrity and availability of Cloud resources and offered services. To address such issues, major
Cloud providers (like Amazon EC2, Windows Azure, Rackspace, Eucalyptus, OpenNebula, etc.)
use firewalls. A firewall protects the front access points of the system and is treated as the first line
of defense. A detailed discussion of different firewalls is given in [2]. As a firewall sniffs
network packets only at the boundary of a network, insider attacks cannot be detected by it. A few
DoS or DDoS attacks are too complex to detect using a traditional firewall. Therefore, using only a
traditional firewall to block all intrusions is not an efficient solution.
Another solution is to integrate an intrusion detection system (IDS) into Cloud computing. The IDS
performs the role of an alert system and adds the next preventive layer of security by detecting
network attacks that penetrate the system. The efficiency of an IDS depends on parameters like the
detection technique used (signature based or anomaly based), its positioning within the network (front end
or back end), and its configuration (centralized or distributed).
In classical enterprise settings, an IDS is normally deployed on dedicated hardware at the edge of
the defended networking infrastructure, or run on individual hosts on the network, in order to
protect the respective network or host from external attacks. Today small and medium companies are
increasingly realizing that simply by tapping into the Cloud they can gain fast access to the best
business applications, without training new personnel or licensing new software. IDS is not an
exception to this trend, and the interest in embedding IDS in a Cloud environment is undeniable.
Background information
- Introduction of cloud computing
- Security risk in CC
- Security measurement for CC
- How to protect CC using IDS
o Introduce IDS for CC
Solution Introduction
Brief IDS for CC
- Mention the goal of problem-solution review in general
IDS Component
Monitoring Component
- Logs & Audit Collector
- VMM
- Host-based IDS
- Network-based IDS
Detection & Analysis
- Behavior-based database
- Knowledge-based database
Alarm System
- Alert Parser
- Alert Summarizer
IDS Criteria
- Data Source & Monitoring Component
- Detection Method
- Detection Analysis
- Alert System
Solution IDS for Cloud Computing
- Distributed Host-based IDS vs Network-based IDS
- VMM – Virtual Machine Monitor
Discussion
- Proposed collaboration IDS for Cloud Computing
Summary
Kholidy
CIDS: Framework
Logs & audit collector: it acts as a sensor for both CIDS and HIDS detectors and collects
logs, audit data, and sequence of user actions and commands.
Type II Virtual Machine Monitor (VMM): CIDS uses type II VMM [19] implemented as
a process of an underlying operating system of the host machine. Some VMMs are useful
in system security, among them: Isolation, Inspection, and Interposition [19]. VMM
stores in the audit system the data collected by the logs & audit collector component and
forwards them to both CIDS and HIDS correlator components.
The audit system: this component implements three main functions. First of all, it
monitors message exchanges among nodes and extracts from them the behavior of the
cloud user. Then, it monitors the middleware logging system in the node itself. CIDS can
collect all audit data and middleware events such as user’s login or logout from the cloud
system or tasks submissions. The third function collects and stores events and logs from
the VM system. A log entry is created for each node action with the action's type (e.g.
error, alert, or warning), the event that generated it, and the message.
CIDS correlator and detector: it correlates user behaviors, e.g. sequence of commands or
actions collected from several sources, and analyzes them through our new heuristic
semi-global alignment approach (HSGAA). We will briefly explain later the HSGAA
approach in CIDS.
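The correlator's task of checking whether a collected command sequence contains known intrusion behaviour can be illustrated with an ordinary semi-global alignment. This is an added example, not the CIDS code or its HSGAA heuristic; the attack profile, the two audit sequences and the scoring parameters are all constructed.

```python
# Constructed attack profile (a short command sequence a knowledge base might hold
# for a known intrusion) and two constructed audit sequences from the log collector.
PROFILE = ["login", "id", "uname", "find", "chmod"]
AUDIT_SUSPICIOUS = ["login", "ls", "cd", "id", "uname", "vi", "find", "chmod", "exit"]
AUDIT_BENIGN = ["login", "ls", "cd", "vi", "make", "exit"]


def semi_global_score(audit_seq, profile, match=2, mismatch=-1, gap=-1):
    """Semi-global alignment: the whole profile must be aligned, but leading and
    trailing gaps in audit_seq are free, so the profile may sit anywhere inside the
    (usually much longer) audit sequence. Returns (best_score, end_index), where
    end_index is the 1-based audit position at which the best alignment ends."""
    n, m = len(audit_seq), len(profile)
    # prev[j] holds dp[i-1][j]: best score aligning profile[:j] against audit_seq[:i-1].
    # Row 0 charges a gap for every unmatched profile element; column 0 is free (0).
    prev = [j * gap for j in range(m + 1)]
    best, best_end = float("-inf"), 0
    for i in range(1, n + 1):
        cur = [0] * (m + 1)
        for j in range(1, m + 1):
            s = match if audit_seq[i - 1] == profile[j - 1] else mismatch
            cur[j] = max(prev[j - 1] + s,   # align the two elements
                         prev[j] + gap,     # skip an audit element
                         cur[j - 1] + gap)  # skip a profile element
        if cur[m] > best:                   # free trailing gaps: best over all rows
            best, best_end = cur[m], i
        prev = cur
    return best, best_end


def correlate(audit_seq, profile, threshold=0.6, match=2):
    """Normalise the alignment score by the perfect-match score and report whether
    the profile is considered present in the audit sequence (threshold is assumed)."""
    score, end = semi_global_score(audit_seq, profile, match=match)
    similarity = score / (match * len(profile))
    return {"score": score, "end_index": end, "similarity": round(similarity, 2),
            "alert": similarity >= threshold}


if __name__ == "__main__":
    for name, seq in (("suspicious", AUDIT_SUSPICIOUS), ("benign", AUDIT_BENIGN)):
        print(name, correlate(seq, PROFILE))
```

The suspicious sequence scores 7 of a possible 10 (three interleaved benign commands cost one gap each), while the benign one never reaches the threshold.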
Chirag
Bayesian Classifier and Snort based
2) NIDS on the back end (processing server): positioning the NIDS module on the processing server helps
to detect intrusions in the internal network of the Cloud. It will also detect intrusions coming from
the external network. A large number of packets passing through the server will result in packet dropping,
and the NIDS may be overloaded.
3) NIDS on each VM: it helps the user to detect intrusions on his/her VM. Such a configuration
requires multiple instances of NIDS, which makes management of the NIDS complex since VMs are
dynamically migrated, provisioned or de-provisioned.
Knowledge base stores rules (related to known attacks) that are used by Snort, whereas the
behavior base stores network events (normal events and intrusions) that are used by Bayesian
classifier. Our NIDS module uses two types of detection techniques to achieve high level
security in Cloud.
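As an added example (not the NIDS module described above, nor Snort), the following combines a signature knowledge base with a naive Bayesian behaviour base over constructed connection records; the rules, training events and feature names are assumptions made for the example.

```python
from collections import Counter, defaultdict
import math

# Knowledge base: a simplified Snort-style signature, constructed for this example:
# (protocol, destination port, payload substring, alert message).
KNOWLEDGE_BASE = [("tcp", 80, "../../", "web directory traversal attempt")]

def signature_match(event):
    """Message of the first rule whose fields all match the event, else None."""
    for proto, port, needle, msg in KNOWLEDGE_BASE:
        if (event["proto"], event["dst_port"]) == (proto, port) and needle in event["payload"]:
            return msg
    return None

class BehaviourBase:
    """Naive Bayes over discrete connection features; the training events
    (normal connections and intrusions) play the role of the behaviour base."""
    FEATURES = ("proto", "dst_port", "flag")
    def __init__(self):
        self.class_count = Counter()
        self.feature_count = defaultdict(Counter)  # (label, feature) -> value counts
    def train(self, event, label):
        self.class_count[label] += 1
        for f in self.FEATURES:
            self.feature_count[(label, f)][event[f]] += 1
    def classify(self, event):
        total, scores = sum(self.class_count.values()), {}
        for label, n in self.class_count.items():
            logp = math.log(n / total)
            for f in self.FEATURES:
                # Laplace smoothing: an unseen feature value must not zero the probability.
                vocab = set().union(*(self.feature_count[(l, f)] for l in self.class_count))
                logp += math.log((self.feature_count[(label, f)][event[f]] + 1) / (n + len(vocab)))
            scores[label] = logp
        return max(scores, key=scores.get)

def build_behaviour_base():
    """Constructed training data: completed web/ssh sessions vs. half-open probes."""
    b = BehaviourBase()
    for port in (80, 443, 22, 80, 443):
        b.train({"proto": "tcp", "dst_port": port, "flag": "SF"}, "normal")
    for port in (21, 23, 25, 135, 445):
        b.train({"proto": "tcp", "dst_port": port, "flag": "S0"}, "intrusion")
    return b

def detect(event, behaviour):
    """Knowledge base (signatures) first, then the Bayesian behaviour base."""
    msg = signature_match(event)
    if msg:
        return ("signature", msg)
    label = behaviour.classify(event)
    return ("anomaly", "behaviour base classified the event as an intrusion") if label == "intrusion" else ("normal", None)
```

A half-open probe to a port never seen in training is still flagged, because the smoothed flag feature alone tips the classifier towards the intrusion class.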
1) IDS Agency: Mobile Agents need an environment to become alive which is called
Agency. An agency is responsible for hosting and executing Agents in parallel and
provides them with environment so that they can access services, communicate with each
other, and migrate to other agencies. An agency also controls the execution of Agents and
protects the underlying VMs from unauthorized access by malicious Agents. In addition,
since virtualization creates a level of isolation, the physical machine resources can be
protected by executing Agents on VE. The problem of protecting hosts from malicious
Mobile Agents has been in place for a long time. However, as proved in [18], the
problem could be tackled by virtualization technology.
2) Application Specific Static Agent Detectors: Static Agent Detectors (SAD) act like
VM monitors, generating ID events whenever traces of an attack are detected, and these
events are sent in the form of structured messages to IDS Control Center [8]. SAD is
capable of monitoring the VM for different classes of attacks. The SAD is responsible for
parsing the log files, checking for intrusion related data pattern in log files, separating
data related to the attack from the rest of the data, and formatting the data as required by
the investigative MA. The architecture of our IDS allows applying components of other
projects as an intrusion detection sensor.
uses List of Compromised Agency (LCA) to identify its itinerary for visiting Hosts.
a) Databases: there should be a database of all intrusion patterns which can be used by
Alerting Console to raise the alarm if patterns matched with the detected suspicious
activities.
b) Alerting Console: this component compares the spotted suspicious activity with
intrusions’ database and raises the alarm if they are matched.
c) Agent generator: generate task specific Agent for detecting intrusions (SAD and IMA)
even new ones by using knowledge that is generated by data mining inference engine or
obtained from previous experiences.
d) Mobile Agent dispatcher: it dispatches investigative Mobile Agents to the VMs based
on the ID of event or suspicious activity received from their SADs. In addition, it
determines list of compromised Agencies (LCA) for IMAs.
e) Data mining inference engine: uses machine learning to deduce knowledge for detecting
new intrusions from the system databases, which contain detected intrusions, system logs
and incoming information from SADs. In this component we used the Java Agents for
Meta-Learning (JAM) project [20] at Columbia University, NY, which applies meta-learning to
distributed data mining.
Intrusion Detection Service Agent: the agent is a lightweight, single-purpose piece of equipment
- dedicated hardware or software - integrated inside the user network to collect the necessary
information. Depending on the location of the agent, the CIDSS can protect a segment
of the network or the whole network. Agents are grouped based on rule-sets and
thresholds or network traffic to improve service efficiency and protection flexibility.
Cloud Computer Service Component: the CCSC collects messages from agents. It
formats all messages and sends them to the IDSC according to the grouping constraints
defined for messages. A secure connection path should be established by the CCSC to
absorb the information gathered by agents; otherwise the system behavior could be
tainted by external intrusion.
• Collector:
• Analysis Engine:
• Publisher:
• IDS Controller:
Integrating Signature Apriori based Network Intrusion Detection System (NIDS) in Cloud
Computing