NICE: Network Intrusion Detection and Countermeasure Selection in Virtual Network Systems

Cloud security is one of the most important issues that has attracted a great deal of research and development effort in the past few years. In particular, attackers can exploit vulnerabilities of a cloud system and compromise virtual machines in order to mount further large-scale Distributed Denial-of-Service (DDoS) attacks. Such attacks usually involve early-stage actions: multistep exploitation, low-frequency vulnerability scanning, and the compromise of identified vulnerable virtual machines as zombies, followed finally by DDoS attacks launched through the compromised zombies. Within a cloud system, especially an Infrastructure-as-a-Service (IaaS) cloud, detecting this zombie exploration activity is extremely difficult, because cloud users may install vulnerable applications on their own virtual machines. To prevent vulnerable virtual machines from being compromised in the cloud, we propose a multiphase distributed vulnerability detection, measurement, and countermeasure selection mechanism called NICE, which is built on attack graph-based analytical models and reconfigurable virtual network-based countermeasures. The proposed framework leverages OpenFlow network programming APIs to build a monitoring and control plane over distributed programmable virtual switches, significantly improving attack detection and mitigating the consequences of attacks. System and security evaluations demonstrate the efficiency and effectiveness of the proposed solution.
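The abstract above describes the two ingredients of NICE, an attack-graph model that scores how likely an attacker is to reach an asset and a countermeasure selection step whose output is pushed to programmable virtual switches. The following Python block is an added illustrative example, not code from the NICE paper or its authors: it builds a small attack graph over three virtual machines, propagates compromise probability along exploit edges with a noisy-OR model, and ranks candidate countermeasures by risk reduction per unit cost. The graph, the per-exploit success probabilities, the costs, the asset value, the IP addresses and the shape of the OpenFlow-style match/action rules are all assumed for the sake of the example.

```python
# Added illustrative example (not the NICE paper's own code): a toy attack
# graph with noisy-OR propagation and cost-aware countermeasure selection.
# Every number, address and rule layout below is assumed, not taken from the paper.

# Attack graph as node -> [(predecessor condition, exploit success probability)].
# Constructed sample: the attacker reaches a web app on VM1 from the outside,
# escalates locally, pivots to VM2 over an internal service, and finally to the
# database on VM3, which is the asset we want to protect.
GRAPH = {
    "attacker": [],
    "vm1_user": [("attacker", 0.8)],                      # public web vulnerability
    "vm1_root": [("vm1_user", 0.6)],                      # local privilege escalation
    "vm2_user": [("vm1_root", 0.7), ("attacker", 0.1)],   # internal service, weak direct path
    "vm3_db":   [("vm2_user", 0.5), ("vm1_root", 0.2)],   # target asset
}
TARGET = "vm3_db"
ASSET_VALUE = 100.0   # assumed loss if the database is compromised

# Candidate countermeasures: name, deployment cost, the factor applied to the
# success probability of specific exploit edges (0.0 = path blocked), and, for
# network countermeasures, an assumed OpenFlow-style rule the controller would
# push to the virtual switch. An empty action list stands for "drop".
COUNTERMEASURES = [
    ("block_vm1_to_vm2", 3.0, {("vm1_root", "vm2_user"): 0.0},
     {"match": {"nw_src": "10.0.0.1", "nw_dst": "10.0.0.2"}, "actions": []}),
    ("block_vm1_to_vm3", 3.0, {("vm1_root", "vm3_db"): 0.0},
     {"match": {"nw_src": "10.0.0.1", "nw_dst": "10.0.0.3"}, "actions": []}),
    ("rate_limit_external_to_vm1", 1.0, {("attacker", "vm1_user"): 0.5},
     {"match": {"nw_dst": "10.0.0.1", "tp_dst": 80}, "actions": ["enqueue:rate_limited"]}),
    ("patch_vm1_webapp", 8.0, {("attacker", "vm1_user"): 0.05}, None),
    ("quarantine_vm1", 10.0,
     {("attacker", "vm1_user"): 0.0, ("vm1_root", "vm2_user"): 0.0,
      ("vm1_root", "vm3_db"): 0.0},
     {"match": {"nw_src": "10.0.0.1"}, "actions": []}),
]


def topo_order(graph):
    """Depth-first post-order, so every predecessor is listed before its node."""
    order, seen = [], set()

    def visit(node):
        if node in seen:
            return
        seen.add(node)
        for pred, _ in graph[node]:
            visit(pred)
        order.append(node)

    for node in graph:
        visit(node)
    return order


def compromise_probabilities(graph, root="attacker"):
    """Noisy-OR: P(node) = 1 - prod over incoming edges of (1 - P(pred) * p_edge)."""
    prob = {}
    for node in topo_order(graph):
        if node == root:
            prob[node] = 1.0          # the attacker's starting condition always holds
            continue
        p_fail = 1.0
        for pred, p_edge in graph[node]:
            p_fail *= 1.0 - prob[pred] * p_edge
        prob[node] = 1.0 - p_fail
    return prob


def apply_countermeasure(graph, effects):
    """Return a copy of the graph with the affected exploit edges scaled."""
    return {
        node: [(pred, p * effects.get((pred, node), 1.0)) for pred, p in preds]
        for node, preds in graph.items()
    }


def rank_countermeasures(graph, target, candidates, asset_value):
    """Rank candidates by return on investment: risk reduction on target / cost."""
    baseline = compromise_probabilities(graph)[target]
    ranked = []
    for name, cost, effects, flow_rule in candidates:
        residual = compromise_probabilities(apply_countermeasure(graph, effects))[target]
        benefit = (baseline - residual) * asset_value
        ranked.append({"name": name, "cost": cost, "residual": residual,
                       "benefit": benefit, "roi": benefit / cost, "flow_rule": flow_rule})
    ranked.sort(key=lambda c: c["roi"], reverse=True)
    return ranked


if __name__ == "__main__":
    print(f"baseline P({TARGET}) = {compromise_probabilities(GRAPH)[TARGET]:.4f}")
    ranked = rank_countermeasures(GRAPH, TARGET, COUNTERMEASURES, ASSET_VALUE)
    for c in ranked:
        print(f"{c['name']:<28} cost={c['cost']:>5.1f} "
              f"residual={c['residual']:.4f} roi={c['roi']:.2f}")
    if ranked[0]["flow_rule"] is not None:
        print("push to virtual switch:", ranked[0]["flow_rule"])
```

Two points the numbers make visible: a cheap countermeasure on the first hop (throttling external traffic to VM1) outranks a full quarantine even though the quarantine removes more risk in absolute terms, and the ranking only makes sense if the selected rule is actually installable as a flow entry on the switch in front of the affected VM, which is what ties the selection step back to the OpenFlow control plane the abstract describes.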
