1. technology and computing

International Journal of Research In Science & Engineering
Volume: 1 Special Issue: 2
e-ISSN: 2394-8299
p-ISSN: 2394-8280
Multiphase Distributed Network Intrusion Detection and Prevention Framework in
Virtual Networking System
Archana A. P1, Balaji K2
Post graduate student, Dept of CSE, SVCE, [email protected]
2
Assistant Professor, Dept of CSE,SVCE, [email protected]
1
ABSTRACT
Cloud security is a standout amongst the most essential issues that has pulled in a ton of innovative work
exertion in recent years. DDoS attacks normally include early stage activities, for example, multistep exploitation,
low-frequency vulnerability checking, and trading off recognized vulnerability virtual machines as zombies, lastly
DDoS attacks through the bargained zombies. Inside the cloud framework, particularly the Infrastructure-as-aService(IaaS) clouds, the identification of zombie exploration attacks is greatly troublesome. This is on the grounds
that cloud clients may introduce helpless applications on their virtual machines. To keep powerless virtual machines
from being compromised in the cloud, we propose a Multiphase distributed vulnerability detection, measurement and
countermeasure selection mechanism called MDNID, which is based on attack graph based countermeasures. The
proposed structure influences OpenFlow system programming APIs to construct a monitor and control plane over
distributed programmable virtual machines to altogether enhance attack identification and relieve attack outcomes.
The framework and security assessments exhibit the productivity and adequacy of the proposed arrangement.
Key Words : Network security, cloud computing, intrusion detection, attack graph, zombie detection
1.
INTRODUCTION
Recent studies have demonstrated that clients moving to th e cloud consider security as the most vital element. A
recent Cloud Security Alliance (CSA) survey demonstrates that among all security issues abuse and loathsome utilization
of distributed computing is considered as the top security risk, in which attacke rs can exploit vulnerabilities in cloud and
use cloud framework resources to deploy attacks. In traditional data centers, where system administrator have full control
over the host machines, vulnerabilities can be recognized and fixed by the system adminis trator in a centralized manner.
However, fixing known security gaps in cloud data centers, where cloud clients typically have the benefit to control
software installed on their managed VMs, may not work effectively and can violate the Service Level Agreeme nt(SLA).
Moreover, cloud clients can install vulnerable software on their VMs, which basically contributes to the loopholes in cloud
security. The challenge is to secure a viable vulnerability/attack discovery and response system for precisely recognizing
attacks and minimizing the effect of security breach to cloud users.
Armbrust et al. addressed that ensuring "business coherence and administrations accessibility" from service outages
is one of the top concerns in distributed computing systems. In a cloud system, where the infrastructure is imparted by
conceivably a great many clients, abuse and nefarious utilization of the shared infrastructure benefits attackers to endeavor
vulnerabilities of the cloud and utilize its resources to send attacks in more productive ways. Such attacks are more viable
in the cloud environment because cloud clients more often share computing resources, e.g., being associated through the
same switch, offering to the same information storage and file systems, even with potential attackers. The comparable
setup for VMs in the cloud, e.g., virtualization techniques, VM OS, installed vulnerable software, networking etc, draws in
attackers to compromise various VMs.
In this paper, we propose multiphase Distributed Network Intrusion Detection and countermeasure selection in virtual
system (MDNID) to build a defense-in-depth intrusion detection framework. For better attack recognition, MDNID joins
attack graph analytical procedures into the Intrusion recognition processes. We must note t hat the configuration of
MDNID does not plan to enhance any of the current intrusion detection algorithms. Indeed, MDNID utilizes a
reconfigurable virtual networking approach to detect and counter the attempts to compromise VMs, thus preventing
zombie VMs.
In general, MDNID incorporates two primary stages 1) deploy a lightweight mirroring based network intrusion
detection agent (NICE-A) on each cloud server to catch and investigate cloud activity. A NICE-A periodically checks the
virtual framework vulnerabilities inside a cloud server to make Scenario Attack Graph (SAGs), and based on the
seriousness of identified vulnerability toward the collaborative attack objectives, MDNID will choose whether or not to put
a VM in network inspection state. 2) once a VM enters inspection state, Deep Packet Inspection (DPI) is connected, and/or
virtual network reconfigurations can be deployed to the inspecting VM to make the potential attack behaviors prominent.
IJRISE| www.ijrise.org|[email protected][49-52]
International Journal of Research In Science & Engineering
Volume: 1 Special Issue: 2
e-ISSN: 2394-8299
p-ISSN: 2394-8280
MDNID fundamentally progresses the current system IDS/IPS arrangements by utilizing programmable
virtual networking approach that permits the system to develop a mirroring based traffic capturing framework to minimize
the interference on clients activity compared with traditional bump -in-the-wire (i.e., proxy based) IDS/IPS. The
programmable virtual networking architecture of MDNID empowers the cloud to make inspection and quarantine modes for
suspicious VMs as per their current vulnerability state in the current SAG. Based on collective behavior of VMs in the
SAG, MDNID can choose suitable activities, for instance, DPI or traffic filtering on the suspicious VM in its early attack
stage. The contributions of MDNID are presented as follows:
 We devise MDNID, a new multiphase distributed network intrusion detection and prevention framework in virtual
networking environment that catches and assesses suspicious cloud traffic with intruding on client’s applications
and cloud services.
 MDNID consolidates a software switching solution to isolate and inspect suspicious VMs for further examination
and security. Through programmable network approaches, MDNID can enhance the strength to VM exploitation
attack without interrupting existing normal cloud services.
 MDNID utilizes a novel attack graph approach for attack identificatio n and prevention by correlating attack
behavior and also recommends powerful countermeasures.
 MDNID upgrades the implementation on cloud servers to minimize resource consumption. Our study
demonstrates that MDNID devours less computational overhead contra sted with proxy based network intrusion
detection solutions.
2. LITERATURE SURVEY
In this segment, we display writings of a few profoundly related exploration regions to MDNID, including: Zombie
detection and prevention, attack graph construction and security analysis, and software defined networks for attack
countermeasures.
The area of detecting malicious behavior has been well explored. The work by Duan et al. focuses on the detection of
compromised machines that have been recruited to serve as spam zombies. Their approach, SPOT, is based on sequentially
scanning outgoing messages while employing a statistical method Sequential Probability Ratio Test (SPRT), to quickly
determine whether a host has been compromised. BotHunter detects compromised machines bas ed on the fact that a
thorough malware infection process has a number of well-defined stages that allow correlating the intrusion alarms
triggered by inbound traffic with resulting outgoing communication patterns. BotSniffer exploits uniform spatial-temporal
behavior characteristics of compromised machines to detect zombies by grouping flows according to server connections
and searching for similar behavior in the flow. Many attack graph-based alert correlation techniques have been proposed
recently. Wang et al. devised an in memory structure, called queue graph (QG), to trace alerts matching each exploit in the
attack graph. However, the implicit correlations in this design make it difficult to use the correlated alerts in the graph f or
analysis of similar attack scenarios. Roschke et al. proposed a modified attack-graph-based correlation algorithm to create
explicit correlations only by matching alerts to specific exploitation nodes in the attack graph with multiple mapping
functions, and devised an alert dependencies graph (DG) to group related alerts with multiple correlation criteria. Each path
in DG represents a subset of alerts that might be part of an attack scenario. However, their algorithm involved all pairs
shortest path searching and sorting in DG, which consumes considerable computing power. After knowing the possible
attack scenarios, applying countermeasure is the next important task. Several solutions have been proposed to select
optimal countermeasures based on the likelihood of the attack pat h and cost benefit analysis. Roy et al. proposed an attack
countermeasure tree (ACT) to consider attacks and countermeasures together in an attack tree structure. They devised
several objective functions based on greedy and branch and bound techniques to minimize the number of countermeasure,
reduce investment cost, and maximize the benefit from implementing a certain countermeasure set. In their design, each
countermeasure optimization problem could be solved with and without probability assignments to the model. However,
their solution focuses on a static attack scenario and predefined countermeasure for each attack. Poolsappasit et al.
proposed a Bayesian attack graph (BAG) to address dynamic security risk management problem and applied a genetic
algorithm to solve countermeasure optimization problem.
Our solution utilizes a new network control approach called SDN, where networking functions can be programmed
through software switch and OpenFlow protocol, plays a major role in this research. Flowbased switches, such as OVS and
OpenFlow Switch (OFS), support fine-grained and flow-level control for packet switching. With the help of the central
controller, all OpenFlow-based switches can be monitored and configured. We take advantage of flow-based switching
(OVS) and network controller to apply the selected network countermeasures in our solution.
3. SYSTEM ANALYSIS
3.1 Existing System
Cloud clients can introduce vulnerable software on their VMs, which basically adds to loopholes in cloud
security. The challenge is to build a successful vulnerability/attack identification and response system for precisely
IJRISE| www.ijrise.org|[email protected][49-52]
International Journal of Research In Science & Engineering
Volume: 1 Special Issue: 2
e-ISSN: 2394-8299
p-ISSN: 2394-8280
identifying attacks and minimizing the effect of security breach to cloud clients. In a cloud system where the
infrastructure is shared by possibly a large number of users, abuse and nefarious use of of the shared infrastructure
benefits attackers to exploit vulnerabilities of the cloud and use its resource to deploy attacks in more efficient ways . Such
attacks are more powerful in the cloud environment since cloud clients normally impart computing resources, e.g., being
associated through the same switch, imparting to the same data storage and file system, even with potential attackers. The
similar setup for VMs in the cloud, e.g., virtualization procedures, VM OS, introduced powerless programming, organizing,
and so on., pulls in aggressors to trade off different VMs.
3.2 Proposed System
In this article, we propose MDNID (Multiphase Distributed Network Intrusion identification and Countermeasure
determination in virtual system frameworks) to establish a defense-in-depth intrusion detection framework. For better attack
identification, MDNID incorporates attack graph diagnostic techniques into the intrusion detection processes. We must
note that the outline of MDNID does not mean to enhance any of the current intrusion detection algorithms to be sure,
MDNID utilizes a reconfigurable virtual systems administration way to deal with recognize and counter the endeavors to
trade off VMs, hence preventing zombie VMs.
4. SYSTEM DESIGN AND IMPLEMENTATION
4.1 Design
Fig-4.1: System Model
The above figure shows system model and it consists of the following:
Data Owner
Users, who have information to be put away in the cloud and depend on the cloud for information calculation,
comprise of both individual consumers and organizations.
Cloud Service Provider (CSP)
A CSP, who has huge resources and expertise in building and overseeing conveyed distributed cloud storage
servers on distinctive virtual machines, possesses and works live Cloud Computing system.
Virtual Machine for Cloud data storage
Cloud data storage, a client stores his information through a CSP into a set of cloud servers, which are running in a
simultaneous, the client communicates with the cloud serv ers by means of CSP to get to or recover his information. At
times, the client may need to perform block level operations on his information. Clients ought to be furnished with security
means so they can make continuous correctness assurance of their put away information even without the presence of
local copies. The cloud comprises of different Virtual machines on which the owner information will be allocated and shared
and the cloud will listen the distinctive sorts of attackers called
 Stable: There does not exist any known weakness on the VM.
 Vulnerable: Presence of one or more vulnerabilities on a VM, which stays unexploited.
 Exploited: At slightest one weakness has been exploited and the VM is compromised.
 Zombie: VM is under control of attacker.

Attack Analyzer
The significant elements of MDNID framework are performed by attack analyzer, which incorporates strategies,
such as, attack graph construction and upgrade, alert correlation, and countermeasure selection.
IJRISE| www.ijrise.org|[email protected][49-52]
International Journal of Research In Science & Engineering
Volume: 1 Special Issue: 2
e-ISSN: 2394-8299
p-ISSN: 2394-8280
End User
The Remote client is the person who is accessing the policies set by the cloud administrator. Client is substantial
if he get to the strategies set by the cloud chief or else he will be recognizing as a fraud user in the cloud networking. If
client's strategies are legitimate which doled out for him, then the client can get to all the benefits in the cloud networking.
4.2 Implementation
It shows the MDNID framework within one cloud server cluster. Major components in this framework are
distributed and light-weighted NICE-A on each physical cloud server, a network controller, a VM profiling server, and an
attack analyzer. The latter three components are located in a centralized control center connected to software switches on
each cloud server (i.e., virtual switches built on one or multiple Linux software bridges). NICE-A is a software agent
implemented in each cloud server connected to the control center through a dedicated and isolated secure channel, which
is separated from the normal data packets using OpenFlow tunneling or VLAN approaches. The network controller is
responsible for deploying attack countermeasures based on decisions made by the attack analyzer.
In the following description, our terminologies are based on the XEN virtualization technology. NICE-A is a network
intrusion detection engine that can be installed in either Dom0 or DomU of a XEN cloud server to capture and filter
malicious traffic. Intrusion detection alerts are sent to control center when suspicious or anomalous traffic is detected.
After receiving an alert, attack analyzer evaluates the severity of the alert based on the attack graph, decides what
countermeasure strategies to take, and then initiates it through the network controller. An attack graph is established
according to the vulnerability information derived from both offline and real-time vulnerability scans. Offline scanning can
be done by running penetration tests and online real-time vulnerability scanning can be triggered by the network controller
(e.g., when new ports are opened and identified by OFSs) or when new alerts are generated by the NICE-A.
5. CONCLUSION AND FUTURE ENHANCEMENT
In this paper, we introduced MDNID, which is proposed to distinguish and mitigate collaborative attacks in the
cloud virtual networking environment. MDNID uses the attack diagram model to lead attack detection and prediction. The
proposed arrangement examines how to utilize the programmability of software switch based solution for enhancing the
detection accuracy and defeat victim exploitation phases of collaborative attacks. The system performance evaluation
exhibits the practicality of MDNID and demonstrates that the proposed solution can essentially reduce the risk of the
cloud framework from being misused and abused by internal and external attackers. MDNID only investigates the network
IDS way to deal with counter zombie explorative attacks. To enhance the detection accuracy, host -based IDS arrangements
are expected to be incorporated and to cover the entire range of IDS in the cloud system. This oug ht to be explored in the
future work. Moreover, as demonstrated in the paper, we will explore the adaptability of the proposed MDNID arrangement
by researching the decentralized network control and attack analysis model based on current study.
REFERENCES
[1] Cloud
Security
Alliance,
“Top
Threats
to
Cloud
Computing
v1.0,”
https://cloudsecurityalliance.org/topthreats/csathreats. v1.0.pdf, Mar. 2010.
[2] M. Armbrust, A. Fox, R. Griffith, A.D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, and M.
Zaharia, “A View of Cloud Computing,” ACM Comm., vol. 53, no. 4, pp. 50-58, Apr. 2010.
[3] B. Joshi, A. Vijayan, and B. Joshi, “Securing Cloud Computing Environment Against DDoS Attacks,” Proc. IEEE Int’l
Conf. Computer Comm. and Informatics (ICCCI ’12), Jan. 2012.
[4] H. Takabi, J.B. Joshi, and G. Ahn, “Security and Privacy Challenges in Cloud Computing Environments,” IEEE Security
and Privacy, vol. 8, no. 6, pp. 24-31, Dec. 2010.
[5] “Open vSwitch Project,” http://openvswitch.org, May 2012.
[6] Z. Duan, P. Chen, F. Sanchez, Y. Dong, M. Stephenson, and J. Barker, “Detecting Spam Zombies by Monitoring
Outgoing Messages,” IEEE Trans. Dependable and Secure Computing, vol. 9, no. 2, pp. 198-210, Apr. 2012.
[7] G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee, “BotHunter: Detecting Malware Infection
through IDS-driven Dialog Correlation,” Proc. 16th USENIX Security Symp. (SS ’07), pp. 12:1-12:16, Aug. 2007.
[8] G. Gu, J. Zhang, and W. Lee, “BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic,” Proc.
15th Ann. Network and Distributed Sytem Security Symp. (NDSS ’08), Feb. 2008.
IJRISE| www.ijrise.org|[email protected][49-52]