8/2/2019 2011_10_ef5b36db

1/16

Intrusion Detection for Gridand Cloud Computing

Author Kleber Vieira, Alexandre Schulter, Carlos Becker Westphall,and Carla Merkle Westphall

Federal University of Santa Catarina, Brazil

Content Type Journals

Appears IT Professional

Date July/August 2010

Speaker Jyue-Li Lu

8/2/2019 2011_10_ef5b36db

2/16

Introduction

Providing security in a distributed system requires morethan user authentication with passwords or digitalcertificates and confidentiality in data transmission. TheGrid and Cloud Computing Intrusion Detection System

integrates knowledge and behavior analysis to detectintrusions.

Because of their distributed nature, grid and cloud

computing environments are easy targets for intruderslooking for possible vulnerabilities to exploit.

To combat attackers, intrusion-detection systems canoffer additional security measures.

8/2/2019 2011_10_ef5b36db

3/16

Introduction

IDS (intrusion-detection systems) must monitor eachnode and, when an attack occurs, alert other nodes inthe environment.

This kind of communication requires compatibilitybetweenheterogeneous hosts, various communicationmechanisms, and permission control over systemmaintenance and updatestypical features in grid and

cloud environments.

Cloud middleware usually provides these features, so wepropose an IDS service offered at the middleware layer.

8/2/2019 2011_10_ef5b36db

4/16

Introduction

An attack against a cloud computing system can besilent, because cloud-specific attacks dont necessarilyleave traces in a nodes operating system.

In this way, traditional IDSs cant appropriately identify

suspicious activities in a grid and cloud environment.

We propose the Grid and Cloud Computing IntrusionDetection System (GCCIDS), which has an audit systemdesigned to cover attacks.

8/2/2019 2011_10_ef5b36db

5/16

Figure 1

The architecture of gridand cloud computingintrusion detection. Eachnode identifies local eventsthat could representsecurity violations and

sends an alert to the othernodes.

8/2/2019 2011_10_ef5b36db

6/16

Out Proposed Service

Figure 1 depicts the sharing of information between theIDS service and the other elements participating in thearchitecture: the node, service, event auditor, andstorage service.

Node : resources, which are accessed homogeneously through themiddleware.

Service : provides its functionality in the environment through themiddleware, which facilitates communication.

Event Auditor : is the key piece in the system. It capturesdata fromvarious sources, such as the log system, service, and node messages.

Storage Service : holds the data that the IDS service must analyze. Itsimportant for all nodes to have access to the same data.

8/2/2019 2011_10_ef5b36db

7/16

IDS Service

The IDS service increases a clouds security level by

applying two methods of intrusion detection.

The behavior-based method dictates how to comparerecent user actions to the usual behavior.

The knowledge-based method detects known trailsleft

by attacks or certain sequences of actions from a userwho might represent an attack.

8/2/2019 2011_10_ef5b36db

8/16

IDS Service - Analyzer

The analyzer uses a profile history database todetermine the distance between a typical user behaviorand the suspect behavior and communicates this to theIDS service.

With these responses, the IDS calculates the probabilitythat the action represents an attack and alerts the othernodes if the probability is sufficiently high.

8/2/2019 2011_10_ef5b36db

9/16

Behavior Analysis

Numerous methods exist for behavior-based intrusiondetection, such as data mining, artificial neural networks,and artificial immunological systems.

We use a feed-forward artificial neural network, becausethis type of network can quickly process information, hasself-learning capabilities, and can tolerate small behaviordeviations. These features help overcome some IDS

limitations.

8/2/2019 2011_10_ef5b36db

10/16

Behavior Analysis

Using this method, we need to recognize expectedbehavior (legitimate use) or a severe behaviordeviation.

For a given intrusion sample set, the network learns to

identify the intrusions using its retropropagationalgorithm.

However, we focus on identifying user behavioral

patterns and deviations from such patterns.

With this strategy, we can cover a wider range ofunknown attacks.

8/2/2019 2011_10_ef5b36db

11/16

Knowledge Analysis

Knowledge-based intrusion detection is the most oftenapplied technique in the field because it results in a lowfalse-alarm rate and high positive rates, although it cantdetect unknown attackpatterns.

Using an expert system, we can describe a maliciousbehavior with a rule. One advantage of using this kind ofintrusion detection is that we can add new rules withoutmodifying existing ones.

In contrast, behavior-based analysis is performed onlearned behavior that cant be modified without losing theprevious learning.

8/2/2019 2011_10_ef5b36db

12/16

Increasing Attack Coverage

The two intrusion detection techniques are distinct.

The knowledge-based intrusion detection ischaracterized by a high hit rate of known attacks, but its

deficient in detecting new attacks. We thereforecomplemented it with the behavior based technique.

The volume of data in a cloud computing environment

can be high, so administrators dont observe each usersactionsthey observe only alerts from the IDS.

8/2/2019 2011_10_ef5b36db

13/16

Results

We developed a prototype to evaluate the proposedarchitecture using Grid-M, a middleware of our researchgroup developed at the Federal University of SantaCatarina.

We prepared three types of simulation data to test. First, we created data representing legitimate action by executing a set

of known services simulating a regular behavior.

Then, we created data representing behavior anomalies.

Finally, we created data representing policy violation.

8/2/2019 2011_10_ef5b36db

14/16

Evaluating the Event Auditor

The event auditor captures all requests received by anode and the corresponding responses, which isfundamental for behavior analysis.

In the experiments with the behavior-based IDS, weconsidered using audit data from both a log and acommunication system.

Unfortunately, data from a log system has a limited set ofvalues with little variation.

8/2/2019 2011_10_ef5b36db

15/16

Evaluating the Event Auditor

This made it difficult to find attack patterns, so we optedto explore communication elements to evaluate thistechnique.

We evaluated the behavior-based technique usingartificial intelligence enabled by a feedforward neuralnetwork.

In the simulation environment, we monitored fiveintruders and five legitimate users.

8/2/2019 2011_10_ef5b36db

16/16

Evaluating the Event Auditor

We initiated the neural-network training with a data set representing10 days of usage simulation.

Using this data resulted in a high number of false negatives and ahigh level of uncertainty.

Increasing the sample period for the learning phase improved theresults.