Self-similarity Based Lightweight Intrusion Detection Method for Cloud Computing

Information security is the key success factor for providing safe cloud computing services. Despite their usefulness and cost-effectiveness, public cloud computing services are hard to accept because of many security concerns, such as data leakage, unauthorized access from outside the system and abnormal activities from inside the system. To detect these abnormal activities, intrusion detection systems (IDSs) require a learning process that can degrade system performance. However, providing a high-performance computing environment to subscribers is very important, so a lightweight anomaly detection method is highly desirable. In this paper, we propose a lightweight IDS based on self-similarity measures to resolve these problems. Normally, a regular and periodic self-similarity can be observed in a cloud system's internal activities, such as system calls and process status. When an anomalous attack happens, on the other hand, outliers occur and the system's self-similarity can no longer be maintained. Monitoring a system's self-similarity can therefore be used to detect the system's anomalies. We developed a new measure based on cosine similarity and found the optimal time interval for estimating the self-similarity of a given system. As a result, we can detect abnormal activities using only a few resources.
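The following Python example is added here to illustrate the idea of windowed self-similarity monitoring; it is not the paper's code and uses plain cosine similarity, since the abstract does not define the paper's own measure. The event names, the 10-second interval, the 0.9 threshold and the trace are constructed assumptions.

```python
import math
from collections import Counter

def cosine_similarity(a, b):
    """Cosine of the angle between two sparse count vectors (dicts)."""
    dot = sum(v * b.get(k, 0) for k, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    # Assumption: an empty (idle) window counts as fully dissimilar.
    return dot / (na * nb) if na and nb else 0.0

def window_profiles(events, interval):
    """Bucket (timestamp, event_name) pairs into fixed-length windows."""
    t0 = min(ts for ts, _ in events)
    n = int((max(ts for ts, _ in events) - t0) // interval) + 1
    profiles = [Counter() for _ in range(n)]
    for ts, name in events:
        profiles[int((ts - t0) // interval)][name] += 1
    return [(t0 + i * interval, p) for i, p in enumerate(profiles)]

def detect(events, interval, threshold):
    """Return (window_start, similarity) for windows that break self-similarity."""
    baseline, alerts = Counter(), []
    for start, profile in window_profiles(events, interval):
        if baseline:
            sim = cosine_similarity(baseline, profile)
            if sim < threshold:
                alerts.append((start, sim))
                continue  # keep anomalous windows out of the baseline
        baseline.update(profile)
    return alerts

def constructed_trace():
    """Constructed sample: five 10 s windows of periodic system calls,
    with a burst of process and network activity in the fourth window."""
    normal = ["read"] * 5 + ["write"] * 3 + ["open", "close"]
    burst = ["fork"] * 20 + ["execve"] * 20 + ["connect"] * 15
    events = []
    for w in range(5):
        names = normal + (burst if w == 3 else [])
        step = 10 / len(names)
        events += [(w * 10 + i * step, n) for i, n in enumerate(names)]
    return events

if __name__ == "__main__":
    for start, sim in detect(constructed_trace(), interval=10, threshold=0.9):
        print(f"window starting at t={start:.0f}s: similarity {sim:.3f}")
```

Only one counter per window and one running baseline are kept, which is what makes this kind of check cheap compared with a trained model; the interval and threshold would need tuning per system.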
