CIDS: Adapting Legacy Intrusion Detection Systems to the Cloud with Hybrid Sampling

Many attacks originate from inside, and security problems within cloud-computing platforms are becoming more and more severe. Although many Intrusion Detection Systems (IDSs) help monitor and protect the inbound and outbound traffic of data centers, it is still challenging to deploy an IDS inside a cloud-computing platform because of the extremely high internal bandwidth and the lack of a single ingress point at which to deploy it. This paper presents two ideas that allow a traditional IDS to be adapted to the cloud environment: software-defined-networking (SDN) based packet collection and a hybrid sampling algorithm that significantly reduces the workload on the IDS. We integrate our data collector into the Open vSwitch of every physical server, making packet capture highly efficient. Our hybrid sampling algorithm combines both flow statistics and IDS feedback to intelligently choose which packets to sample. The sampling rate is determined by the current workload in the cloud, which minimizes the impact on normal workloads. We evaluate our prototype CIDS on a 125-server production OpenStack cloud using real-world attack traces, and demonstrate the effectiveness of our approach.
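The abstract names three inputs to the hybrid sampler (per-flow statistics, IDS feedback, and current workload) but not the formulas. The following is an added illustrative sampler, not the CIDS code; the rate formulas, thresholds (`base_rate`, `head`, `head_boost`) and the packet trace are assumptions made here to show how those three signals can be combined.

```python
import math
import random
from collections import defaultdict

class HybridSampler:
    """Per-packet decision: forward to the IDS or not (illustrative model).
    Flow stats: first `head` packets of a flow are sampled aggressively, long
    unflagged flows decay. IDS feedback: alerted flows get the highest rate.
    Workload: every rate is scaled by (1 - load), so the sampler backs off when
    the cloud is busy. All constants are assumed, not taken from the paper."""

    def __init__(self, base_rate=0.1, max_rate=1.0, head=8, head_boost=4.0, seed=0):
        self.base_rate, self.max_rate = base_rate, max_rate
        self.head, self.head_boost = head, head_boost
        self.flow_pkts = defaultdict(int)  # packets seen per flow key
        self.suspicious = set()            # flow keys flagged by IDS feedback
        self.rng = random.Random(seed)

    def ids_feedback(self, flow, alerted):
        """Called by the IDS to raise (or clear) the priority of a flow."""
        (self.suspicious.add if alerted else self.suspicious.discard)(flow)

    def sample_rate(self, flow, load):
        """Probability of sampling the next packet of `flow`; load in [0, 1]."""
        load = min(max(load, 0.0), 1.0)
        if flow in self.suspicious:                 # IDS asked for this flow
            return self.max_rate * (1.0 - load)
        budget = self.base_rate * (1.0 - load)      # workload-scaled base rate
        n = self.flow_pkts[flow]
        if n < self.head:                           # young flow: look closely
            return min(self.max_rate, budget * self.head_boost)
        return budget / (1.0 + math.log1p(n - self.head))  # long, quiet flow

    def observe(self, flow, load):
        """Account for one packet of `flow`; True means send it to the IDS."""
        rate = self.sample_rate(flow, load)
        self.flow_pkts[flow] += 1
        return self.rng.random() < rate

def flow_key(pkt):
    """5-tuple key from a constructed packet dict."""
    return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])

def run_trace(sampler, packets, load):
    """Feed a trace through the sampler; return the number of packets forwarded."""
    return sum(1 for p in packets if sampler.observe(flow_key(p), load))

if __name__ == "__main__":
    # Constructed trace: one long bulk transfer and one short flow the IDS alerted on.
    bulk = [{"src": "10.0.0.5", "dst": "10.0.0.9", "sport": 40000, "dport": 443, "proto": 6}] * 1000
    alerted = [{"src": "10.0.0.7", "dst": "10.0.0.9", "sport": 51000, "dport": 22, "proto": 6}] * 20
    s = HybridSampler()
    s.ids_feedback(flow_key(alerted[0]), alerted=True)
    print(run_trace(s, bulk, load=0.3), run_trace(s, alerted, load=0.3))
```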
