International Journal of Research In Science & Engineering Volume: 1 Special Issue: 2 e-ISSN: 2394-8299 p-ISSN: 2394-8280

Multiphase Distributed Network Intrusion Detection and Prevention Framework in Virtual Networking System

Archana A. P (1), Balaji K (2)
(1) Post graduate student, Dept of CSE, SVCE, [email protected]
(2) Assistant Professor, Dept of CSE, SVCE, [email protected]

ABSTRACT

Cloud security is one of the most important issues that has attracted a great deal of research and development effort in recent years. DDoS attacks usually involve early-stage activities such as multistep exploitation, low-frequency vulnerability scanning, and compromising identified vulnerable virtual machines as zombies, followed by launching the DDoS attack through the compromised zombies. Within the cloud infrastructure, especially Infrastructure-as-a-Service (IaaS) clouds, detecting zombie exploration attacks is extremely difficult, because cloud users may install vulnerable applications on their virtual machines. To prevent vulnerable virtual machines from being compromised in the cloud, we propose a multiphase distributed vulnerability detection, measurement and countermeasure selection mechanism called MDNID, which is built on attack-graph-based analysis and countermeasure selection. The proposed framework uses OpenFlow network programming APIs to build a monitor and control plane over the programmable virtual switches of the cloud servers, which significantly improves attack detection and mitigates attack consequences. The system and security evaluations demonstrate the efficiency and effectiveness of the proposed solution.

Key Words: Network security, cloud computing, intrusion detection, attack graph, zombie detection

1. INTRODUCTION

Recent studies have shown that users migrating to the cloud consider security the most important factor.
A recent Cloud Security Alliance (CSA) survey shows that among all security issues, abuse and nefarious use of cloud computing is considered the top security threat, in which attackers exploit vulnerabilities in the cloud and use cloud infrastructure resources to deploy attacks. In traditional data centers, where system administrators have full control over the host machines, vulnerabilities can be detected and patched by the administrator in a centralized manner. However, patching known security holes in cloud data centers, where cloud users usually have the privilege to control the software installed on their managed VMs, may not work effectively and can violate the Service Level Agreement (SLA). Moreover, cloud users can install vulnerable software on their VMs, which essentially contributes to the loopholes in cloud security. The challenge is to establish an effective vulnerability/attack detection and response system that accurately identifies attacks and minimizes the impact of a security breach on cloud users.

Armbrust et al. note that ensuring "business continuity and services availability" against service outages is one of the top concerns in cloud computing systems. In a cloud system, where the infrastructure is shared by potentially a large number of users, abuse and nefarious use of the shared infrastructure lets attackers exploit vulnerabilities of the cloud and use its resources to deploy attacks more efficiently. Such attacks are more effective in the cloud environment because cloud users often share computing resources, e.g., being connected through the same switch, or sharing the same data storage and file systems, even with potential attackers. The similar setup of VMs in the cloud, e.g., virtualization techniques, VM OS, installed vulnerable software, networking, etc., attracts attackers to compromise multiple VMs.
In this paper, we propose Multiphase Distributed Network Intrusion Detection and countermeasure selection in virtual network systems (MDNID) to establish a defense-in-depth intrusion detection framework. For better attack detection, MDNID incorporates attack graph analytical procedures into the intrusion detection processes. We must note that the design of MDNID does not intend to improve any of the existing intrusion detection algorithms; instead, MDNID employs a reconfigurable virtual networking approach to detect and counter attempts to compromise VMs, thus preventing zombie VMs.

In general, MDNID includes two main phases: 1) deploy a lightweight, mirroring-based network intrusion detection agent (NICE-A) on each cloud server to capture and analyze cloud traffic. A NICE-A periodically scans the virtual system vulnerabilities within a cloud server to establish Scenario Attack Graphs (SAGs), and based on the severity of the identified vulnerabilities toward the collaborative attack goals, MDNID decides whether or not to put a VM in network inspection state. 2) Once a VM enters inspection state, Deep Packet Inspection (DPI) is applied, and/or virtual network reconfigurations can be deployed to the inspected VM to make the potential attack behaviors prominent.

IJRISE | www.ijrise.org | [email protected] | [49-52]

MDNID significantly advances the current network IDS/IPS solutions by employing a programmable virtual networking approach that allows the system to construct a mirroring-based traffic capturing framework, which minimizes the interference with users' traffic compared with traditional bump-in-the-wire (i.e., proxy-based) IDS/IPS. The programmable virtual networking architecture of MDNID enables the cloud to establish inspection and quarantine modes for suspicious VMs according to their current vulnerability state in the current SAG.
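The phase-1 decision described above (a SAG built from scan results, alerts correlated to exploit nodes, and a VM moved into inspection or quarantine according to its vulnerability state) can be made concrete with the following Python model. It is an added example and not code from the paper or the MDNID implementation; the scoring rule (exploit probability = CVSS base score / 10, path probability = product along the path), the two thresholds, the VM names and the vulnerability labels are all assumptions and constructed sample data, not real identifiers.

```python
"""Attack-graph-driven inspection decision for the NICE-A / attack analyzer phase.

Added example, not the paper's code.  Assumptions (not from the paper): an
exploit's success probability is its CVSS base score / 10, a path's probability
is the product along the path, and the two thresholds below.  VM names and
vulnerability labels are constructed sample data, not real CVEs."""
from dataclasses import dataclass
from typing import Dict, List, Set

INSPECT_THRESHOLD = 0.5     # assumed: put the VM in network inspection state
QUARANTINE_THRESHOLD = 0.9  # assumed: isolate the VM


@dataclass(frozen=True)
class Exploit:
    vm: str
    vuln: str     # descriptive label; "zombie" marks the attacker's goal on a VM
    cvss: float   # CVSS base score, 0..10


class ScenarioAttackGraph:
    """Nodes are (VM, vulnerability) exploits; an edge X -> Y means exploiting X
    gives the attacker the access needed to attempt Y."""

    def __init__(self) -> None:
        self.nodes: Dict[str, Exploit] = {}
        self.edges: Dict[str, List[str]] = {}
        self.vms: Set[str] = set()
        self.exploited: Set[str] = set()   # nodes confirmed by correlated alerts

    def register_vm(self, vm: str) -> None:
        self.vms.add(vm)

    def add(self, ex: Exploit) -> str:
        nid = f"{ex.vm}:{ex.vuln}"
        self.nodes[nid] = ex
        self.edges.setdefault(nid, [])
        self.vms.add(ex.vm)
        return nid

    def link(self, src: str, dst: str) -> None:
        self.edges[src].append(dst)

    def prob(self, nid: str) -> float:
        # An exploit already confirmed by an alert is treated as certain.
        return 1.0 if nid in self.exploited else self.nodes[nid].cvss / 10.0

    def path_probs(self, entry: str) -> Dict[str, float]:
        """Highest-probability attack path from the entry exploit to each node."""
        best = {entry: self.prob(entry)}
        stack = [entry]
        while stack:
            cur = stack.pop()
            for nxt in self.edges[cur]:
                p = best[cur] * self.prob(nxt)
                if p > best.get(nxt, 0.0):
                    best[nxt] = p
                    stack.append(nxt)
        return best

    def vm_state(self, vm: str) -> str:
        """The four VM states used by the attack analyzer."""
        vulns = [n for n in self.nodes if n.startswith(vm + ":") and not n.endswith(":zombie")]
        if f"{vm}:zombie" in self.exploited:
            return "Zombie"
        if any(n in self.exploited for n in vulns):
            return "Exploited"
        return "Vulnerable" if vulns else "Stable"

    def decide(self, entry: str) -> Dict[str, str]:
        """Countermeasure per VM from the probability that it becomes a zombie."""
        probs = self.path_probs(entry)
        actions = {}
        for vm in sorted(self.vms):
            p = probs.get(f"{vm}:zombie", 0.0)
            if p >= QUARANTINE_THRESHOLD:
                actions[vm] = "quarantine"
            elif p >= INSPECT_THRESHOLD:
                actions[vm] = "inspect"
            else:
                actions[vm] = "none"
        return actions

    def on_alert(self, vm: str, vuln: str, entry: str) -> Dict[str, str]:
        """Alert correlation: an IDS alert matching an exploit node marks it
        exploited; an alert with no matching node leaves the graph unchanged."""
        nid = f"{vm}:{vuln}"
        if nid in self.nodes:
            self.exploited.add(nid)
        return self.decide(entry)


def build_sample_graph():
    """Constructed scenario: an externally reachable web VM, a database VM
    reachable only from it, and an application VM with no known flaws."""
    sag = ScenarioAttackGraph()
    entry = sag.add(Exploit("web01", "web-app-rce", 6.0))
    privesc = sag.add(Exploit("web01", "local-privesc", 5.0))
    web_zombie = sag.add(Exploit("web01", "zombie", 10.0))
    db_auth = sag.add(Exploit("db01", "weak-db-auth", 7.0))
    db_zombie = sag.add(Exploit("db01", "zombie", 10.0))
    sag.register_vm("app01")
    sag.link(entry, privesc)
    sag.link(privesc, web_zombie)
    sag.link(entry, db_auth)
    sag.link(db_auth, db_zombie)
    return sag, entry


if __name__ == "__main__":
    sag, entry = build_sample_graph()
    print("baseline:", sag.decide(entry))
    print("after rce alert:", sag.on_alert("web01", "web-app-rce", entry))
    print("after privesc alert:", sag.on_alert("web01", "local-privesc", entry))
    print({vm: sag.vm_state(vm) for vm in sorted(sag.vms)})
```

With these numbers no VM is touched at baseline (the web VM's zombie path scores 0.3, the database VM's 0.42). A correlated alert for the web RCE raises both to 0.5 and 0.7, so both VMs enter inspection state without their traffic being interrupted; a second alert for the local privilege escalation pushes the web VM to 1.0 and it is quarantined. Note that the decision is driven by the SAG and the alerts, not by any change to the IDS engine itself, which is the point the paper makes about NICE-A.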
Based on the collective behavior of VMs in the SAG, MDNID can choose suitable actions, for instance DPI or traffic filtering on the suspicious VM, in its early attack stage. The contributions of MDNID are as follows:

We devise MDNID, a new multiphase distributed network intrusion detection and prevention framework in a virtual networking environment that captures and inspects suspicious cloud traffic without interrupting users' applications and cloud services.

MDNID incorporates a software switching solution to quarantine and inspect suspicious VMs for further investigation and protection. Through programmable network approaches, MDNID can improve the resilience to VM exploitation attacks without interrupting existing normal cloud services.

MDNID employs a novel attack graph approach for attack detection and prevention by correlating attack behavior, and also suggests effective countermeasures.

MDNID optimizes the implementation on cloud servers to minimize resource consumption. Our study shows that MDNID consumes less computational overhead compared with proxy-based network intrusion detection solutions.

2. LITERATURE SURVEY

In this section, we present literature from several research areas closely related to MDNID, including zombie detection and prevention, attack graph construction and security analysis, and software-defined networks for attack countermeasures.

The area of detecting malicious behavior has been well explored. The work by Duan et al. focuses on the detection of compromised machines that have been recruited to serve as spam zombies. Their approach, SPOT, is based on sequentially scanning outgoing messages while employing a statistical method, the Sequential Probability Ratio Test (SPRT), to quickly determine whether a host has been compromised.
BotHunter detects compromised machines based on the fact that a thorough malware infection process has a number of well-defined stages that allow correlating the intrusion alarms triggered by inbound traffic with the resulting outgoing communication patterns. BotSniffer exploits the uniform spatial-temporal behavior characteristics of compromised machines to detect zombies by grouping flows according to server connections and searching for similar behavior in the flows.

Many attack-graph-based alert correlation techniques have been proposed recently. Wang et al. devised an in-memory structure, called a queue graph (QG), to trace alerts matching each exploit in the attack graph. However, the implicit correlations in this design make it difficult to use the correlated alerts in the graph for analysis of similar attack scenarios. Roschke et al. proposed a modified attack-graph-based correlation algorithm that creates explicit correlations only by matching alerts to specific exploitation nodes in the attack graph with multiple mapping functions, and devised an alert dependencies graph (DG) to group related alerts with multiple correlation criteria. Each path in the DG represents a subset of alerts that might be part of an attack scenario. However, their algorithm involves all-pairs shortest path searching and sorting in the DG, which consumes considerable computing power.

After identifying the possible attack scenarios, applying countermeasures is the next important task. Several solutions have been proposed to select optimal countermeasures based on the likelihood of the attack path and cost-benefit analysis. Roy et al. proposed an attack countermeasure tree (ACT) to consider attacks and countermeasures together in an attack tree structure. They devised several objective functions based on greedy and branch-and-bound techniques to minimize the number of countermeasures, reduce investment cost, and maximize the benefit from implementing a certain countermeasure set.
In their design, each countermeasure optimization problem could be solved with and without probability assignments to the model. However, their solution focuses on a static attack scenario and a predefined countermeasure for each attack. Poolsappasit et al. proposed a Bayesian attack graph (BAG) to address the dynamic security risk management problem and applied a genetic algorithm to solve the countermeasure optimization problem.

Our solution utilizes a new network control approach called Software-Defined Networking (SDN), in which networking functions can be programmed through software switches and the OpenFlow protocol; it plays a major role in this research. Flow-based switches, such as Open vSwitch (OVS) and OpenFlow Switch (OFS), support fine-grained, flow-level control of packet switching. With the help of the central controller, all OpenFlow-based switches can be monitored and configured. We take advantage of flow-based switching (OVS) and the network controller to apply the selected network countermeasures in our solution.

3. SYSTEM ANALYSIS

3.1 Existing System

Cloud users can install vulnerable software on their VMs, which essentially contributes to loopholes in cloud security. The challenge is to build an effective vulnerability/attack detection and response system that accurately identifies attacks and minimizes the impact of a security breach on cloud users. In a cloud system where the infrastructure is shared by a potentially large number of users, abuse and nefarious use of the shared infrastructure lets attackers exploit vulnerabilities of the cloud and use its resources to deploy attacks more efficiently.
Such attacks are more effective in the cloud environment since cloud users normally share computing resources, e.g., being connected through the same switch, or sharing the same data storage and file system, even with potential attackers. The similar setup of VMs in the cloud, e.g., virtualization techniques, VM OS, installed vulnerable software, networking, etc., attracts attackers to compromise multiple VMs.

3.2 Proposed System

In this article, we propose MDNID (Multiphase Distributed Network Intrusion Detection and Countermeasure selection in virtual network systems) to establish a defense-in-depth intrusion detection framework. For better attack detection, MDNID incorporates attack graph analytical techniques into the intrusion detection processes. We must note that the design of MDNID does not intend to improve any of the existing intrusion detection algorithms; instead, MDNID employs a reconfigurable virtual networking approach to detect and counter attempts to compromise VMs, thus preventing zombie VMs.

4. SYSTEM DESIGN AND IMPLEMENTATION

4.1 Design

Fig-4.1: System Model

The figure above shows the system model, which consists of the following:

Data Owner: Users who have data to be stored in the cloud and rely on the cloud for data computation; they comprise both individual consumers and organizations.

Cloud Service Provider (CSP): A CSP, who has significant resources and expertise in building and managing distributed cloud storage servers on different virtual machines, owns and operates a live cloud computing system.

Virtual Machine for Cloud Data Storage: In cloud data storage, a user stores his data through a CSP into a set of cloud servers, which run concurrently; the user interacts with the cloud servers via the CSP to access or retrieve his data. At times, the user may need to perform block-level operations on his data.
Users should be equipped with security means so that they can obtain continuous correctness assurance of their stored data even without the existence of local copies. The cloud consists of different virtual machines on which the owner's data is allocated and shared, and each VM is in one of the following states with respect to attackers:

Stable: There does not exist any known vulnerability on the VM.
Vulnerable: One or more vulnerabilities are present on the VM but remain unexploited.
Exploited: At least one vulnerability has been exploited and the VM is compromised.
Zombie: The VM is under the control of the attacker.

Attack Analyzer: The major functions of the MDNID system are performed by the attack analyzer, which includes procedures such as attack graph construction and update, alert correlation, and countermeasure selection.

End User: The remote user is the person who accesses the policies set by the cloud administrator. A user is valid if he accesses the policies set by the cloud administrator; otherwise he is recognized as a fraudulent user in the cloud network. If the policies assigned to the user are valid, then the user can access all the resources in the cloud network.

4.2 Implementation

The implementation figure shows the MDNID framework within one cloud server cluster. The major components in this framework are the distributed and lightweight NICE-A on each physical cloud server, a network controller, a VM profiling server, and an attack analyzer. The latter three components are located in a centralized control center connected to software switches on each cloud server (i.e., virtual switches built on one or multiple Linux software bridges).
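The following Python model shows how the network controller of section 4.2 can turn the attack analyzer's per-VM decision (none, inspect, quarantine) into OpenFlow flow rules on the server's software switch, and why the mirroring design does not interrupt the user's traffic the way a bump-in-the-wire proxy would. It is an added example, not code from the paper or from Open vSwitch; the port numbers, IP addresses, rule priorities and drop-on-table-miss policy are assumptions, while the rendered command lines follow real ovs-ofctl add-flow syntax.

```python
"""Countermeasure deployment through OpenFlow-style flow rules, modelled on the
MDNID network controller and the software switch on each cloud server.

Added example, not the paper's code.  Port numbers, addresses, rule priorities
and the drop-on-table-miss policy are assumptions; the as_ofctl() output uses
real ovs-ofctl match/action syntax for a bridge named br0."""
from dataclasses import dataclass
from typing import Dict, List

UPLINK_PORT = 1   # assumed: switch port toward the rest of the cloud network
IDS_PORT = 99     # assumed: switch port of the NICE-A mirror interface


@dataclass
class FlowRule:
    priority: int
    match: Dict[str, object]   # match fields named as in ovs-ofctl (in_port, nw_dst)
    actions: List[str]         # e.g. ["output:1", "output:99"] or ["drop"]
    tag: str                   # which countermeasure installed the rule


@dataclass
class VMPort:
    name: str
    port: int
    ip: str


class FlowTable:
    """Minimal model of one OpenFlow table: highest-priority matching rule wins."""

    def __init__(self) -> None:
        self.rules: List[FlowRule] = []

    def add(self, rule: FlowRule) -> None:
        self.rules.append(rule)
        self.rules.sort(key=lambda r: -r.priority)

    def delete_tag(self, tag: str) -> None:
        self.rules = [r for r in self.rules if r.tag != tag]

    def lookup(self, pkt: Dict[str, object]) -> List[str]:
        for r in self.rules:
            if all(pkt.get(k) == v for k, v in r.match.items()):
                return r.actions
        return ["drop"]   # assumed table-miss policy

    def as_ofctl(self, bridge: str = "br0") -> List[str]:
        """Render the table as ovs-ofctl add-flow commands for a real OVS bridge."""
        cmds = []
        for r in self.rules:
            fields = [f"priority={r.priority}"]
            if any(k.startswith("nw_") for k in r.match):
                fields.append("ip")   # ovs-ofctl requires the ip prefix before nw_* fields
            fields += [f"{k}={v}" for k, v in r.match.items()]
            fields.append("actions=" + ",".join(r.actions))
            cmds.append(f'ovs-ofctl add-flow {bridge} "{",".join(fields)}"')
        return cmds


class NetworkController:
    PRIO_BASE, PRIO_INSPECT, PRIO_QUARANTINE = 10, 100, 200

    def __init__(self, table: FlowTable, vms: List[VMPort]) -> None:
        self.table = table
        self.vms = {v.name: v for v in vms}
        for v in vms:   # baseline forwarding: VM port <-> uplink
            table.add(FlowRule(self.PRIO_BASE, {"in_port": v.port}, [f"output:{UPLINK_PORT}"], "base"))
            table.add(FlowRule(self.PRIO_BASE, {"nw_dst": v.ip}, [f"output:{v.port}"], "base"))

    def inspect(self, name: str) -> None:
        """Inspection state: copy both directions to NICE-A while forwarding stays
        unchanged (mirroring, unlike a bump-in-the-wire proxy sitting in the path)."""
        v, tag = self.vms[name], f"inspect:{name}"
        self.table.add(FlowRule(self.PRIO_INSPECT, {"in_port": v.port},
                                [f"output:{UPLINK_PORT}", f"output:{IDS_PORT}"], tag))
        self.table.add(FlowRule(self.PRIO_INSPECT, {"nw_dst": v.ip},
                                [f"output:{v.port}", f"output:{IDS_PORT}"], tag))

    def quarantine(self, name: str) -> None:
        """Quarantine: outbound traffic reaches only NICE-A (kept for forensics),
        inbound traffic is dropped."""
        v, tag = self.vms[name], f"quarantine:{name}"
        self.table.add(FlowRule(self.PRIO_QUARANTINE, {"in_port": v.port}, [f"output:{IDS_PORT}"], tag))
        self.table.add(FlowRule(self.PRIO_QUARANTINE, {"nw_dst": v.ip}, ["drop"], tag))

    def release(self, name: str) -> None:
        for tag in (f"inspect:{name}", f"quarantine:{name}"):
            self.table.delete_tag(tag)

    def apply(self, decisions: Dict[str, str]) -> None:
        """decisions: VM name -> 'none' | 'inspect' | 'quarantine' from the attack
        analyzer.  Re-applying replaces the VM's previous countermeasure rules."""
        for name, action in decisions.items():
            self.release(name)
            if action == "inspect":
                self.inspect(name)
            elif action == "quarantine":
                self.quarantine(name)


if __name__ == "__main__":
    table = FlowTable()
    ctl = NetworkController(table, [VMPort("web01", 3, "10.0.0.3"), VMPort("db01", 4, "10.0.0.4")])
    ctl.apply({"web01": "inspect"})
    print("\n".join(table.as_ofctl()))
```

Because the inspection rules keep the original output action and only add a second output to the IDS port, the inspected VM's packets are delivered exactly as before; only the quarantine rules change what the VM can reach. Priorities matter: the countermeasure rules must outrank the baseline rules, and the controller removes a VM's earlier rules before installing new ones so that a stale inspect rule cannot shadow a later quarantine.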
NICE-A is a software agent implemented in each cloud server and connected to the control center through a dedicated and isolated secure channel, which is separated from the normal data packets using OpenFlow tunneling or VLAN approaches. The network controller is responsible for deploying attack countermeasures based on decisions made by the attack analyzer. In the following description, our terminology is based on the Xen virtualization technology. NICE-A is a network intrusion detection engine that can be installed in either Dom0 or DomU of a Xen cloud server to capture and filter malicious traffic. Intrusion detection alerts are sent to the control center when suspicious or anomalous traffic is detected. After receiving an alert, the attack analyzer evaluates the severity of the alert based on the attack graph, decides what countermeasure strategies to take, and then initiates them through the network controller. An attack graph is established according to the vulnerability information derived from both offline and real-time vulnerability scans. Offline scanning can be done by running penetration tests, and online real-time vulnerability scanning can be triggered by the network controller (e.g., when new ports are opened and identified by OFSs) or when new alerts are generated by the NICE-A.

5. CONCLUSION AND FUTURE ENHANCEMENT

In this paper, we introduced MDNID, which is proposed to detect and mitigate collaborative attacks in the cloud virtual networking environment. MDNID utilizes the attack graph model to conduct attack detection and prediction. The proposed solution investigates how to use the programmability of software-switch-based solutions to improve the detection accuracy and defeat the victim exploitation phases of collaborative attacks.
The system performance evaluation demonstrates the feasibility of MDNID and shows that the proposed solution can significantly reduce the risk of the cloud system being exploited and abused by internal and external attackers. MDNID only investigates the network IDS approach to counter zombie explorative attacks. To improve the detection accuracy, host-based IDS solutions need to be incorporated to cover the whole spectrum of IDS in the cloud system. This should be investigated in future work. Moreover, we will investigate the scalability of the proposed MDNID solution by researching a decentralized network control and attack analysis model based on the current study.

REFERENCES

[1] Cloud Security Alliance, "Top Threats to Cloud Computing v1.0," https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf, Mar. 2010.
[2] M. Armbrust, A. Fox, R. Griffith, A.D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, "A View of Cloud Computing," Comm. ACM, vol. 53, no. 4, pp. 50-58, Apr. 2010.
[3] B. Joshi, A. Vijayan, and B. Joshi, "Securing Cloud Computing Environment Against DDoS Attacks," Proc. IEEE Int'l Conf. Computer Comm. and Informatics (ICCCI '12), Jan. 2012.
[4] H. Takabi, J.B. Joshi, and G. Ahn, "Security and Privacy Challenges in Cloud Computing Environments," IEEE Security and Privacy, vol. 8, no. 6, pp. 24-31, Dec. 2010.
[5] "Open vSwitch Project," http://openvswitch.org, May 2012.
[6] Z. Duan, P. Chen, F. Sanchez, Y. Dong, M. Stephenson, and J. Barker, "Detecting Spam Zombies by Monitoring Outgoing Messages," IEEE Trans. Dependable and Secure Computing, vol. 9, no. 2, pp. 198-210, Apr. 2012.
[7] G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee, "BotHunter: Detecting Malware Infection through IDS-driven Dialog Correlation," Proc. 16th USENIX Security Symp. (SS '07), pp. 12:1-12:16, Aug. 2007.
[8] G. Gu, J. Zhang, and W. Lee, "BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic," Proc. 15th Ann. Network and Distributed System Security Symp. (NDSS '08), Feb. 2008.