Verification for security monitoring SLAs in IaaS clouds: The example of a network IDS

In an IaaS cloud the physical infrastructure, including its security monitoring, is controlled by the service provider. Clients hosting their information system there are encouraged to trust the provider's claims (e.g. infrastructure availability) by the assurance given by Service Level Agreements (SLAs). We aim to extend SLAs to include security monitoring terms. In this paper we describe the challenges in reaching this goal, we propose a three-step incremental strategy, and we apply the first step of this strategy to the case of network IDS (NIDS) monitoring probes. In this case study we select a relevant metric to describe the performance of an NIDS, that is, a metric that can appear in an SLA and can be measured to verify that the SLA is respected. In particular we propose an in situ verification method for such a metric on a production NIDS and evaluate the proposed method both experimentally and analytically.
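The abstract does not say which NIDS performance metric is chosen or how it is verified. The following added example (not code from the paper or its authors) illustrates what a measurable SLA term for an NIDS could look like: it assumes the metric is the detection rate over a set of events with known ground truth, assumes the SLA states a minimum rate, and uses a Wilson score interval so that a small sample cannot "pass" on a lucky point estimate. The observation set, the 0.8 threshold and the interval choice are all constructed assumptions.

```python
"""Illustrative SLA check for an NIDS detection-rate metric.

Added example, not code from the paper. The paper does not name its metric
on this page; this block ASSUMES the metric is the detection rate on a set of
events with known ground truth, and that the SLA states a minimum rate that
must hold with a given confidence. All sample data below is constructed.
"""
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Observation:
    """One event seen by the probe, with the verifier's ground truth."""
    event_id: str
    malicious: bool   # ground truth known to the verifier
    alerted: bool     # whether the NIDS raised an alert for it


def sample_observations():
    """Constructed sample: 20 malicious events (18 detected), 80 benign (2 alerted)."""
    obs = []
    obs += [Observation(f"m{i}", True, True) for i in range(18)]
    obs += [Observation(f"m{i}", True, False) for i in range(18, 20)]
    obs += [Observation(f"b{i}", False, True) for i in range(2)]
    obs += [Observation(f"b{i}", False, False) for i in range(2, 80)]
    return obs


def detection_rate(obs):
    """Return (rate, hits, n) over the malicious events only."""
    positives = [o for o in obs if o.malicious]
    if not positives:
        raise ValueError("no malicious events: detection rate undefined")
    hits = sum(1 for o in positives if o.alerted)
    return hits / len(positives), hits, len(positives)


def false_positive_rate(obs):
    """Fraction of benign events that nevertheless produced an alert."""
    negatives = [o for o in obs if not o.malicious]
    if not negatives:
        raise ValueError("no benign events: false positive rate undefined")
    return sum(1 for o in negatives if o.alerted) / len(negatives)


def wilson_lower_bound(hits, n, z=1.96):
    """Lower end of the Wilson score interval for a binomial proportion.

    z=1.96 corresponds to a two-sided 95% interval. Using the lower bound
    rather than the point estimate is an assumption about how a cautious
    SLA verifier would treat a small sample.
    """
    if n <= 0:
        raise ValueError("n must be positive")
    p = hits / n
    denom = 1 + z * z / n
    centre = p + z * z / (2 * n)
    margin = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return (centre - margin) / denom


def sla_detection_rate_met(obs, minimum_rate, z=1.96):
    """True only if the SLA minimum is met with confidence, not just on average."""
    _, hits, n = detection_rate(obs)
    return wilson_lower_bound(hits, n, z) >= minimum_rate


if __name__ == "__main__":
    data = sample_observations()
    rate, hits, n = detection_rate(data)
    print(f"point estimate: {rate:.3f} ({hits}/{n})")
    print(f"95% lower bound: {wilson_lower_bound(hits, n):.3f}")
    print(f"false positive rate: {false_positive_rate(data):.3f}")
    print("SLA (min 0.8) met:", sla_detection_rate_met(data, 0.8))
```

With the constructed sample the point estimate is 0.90, but only 20 malicious events were observed, so the 95% lower bound is roughly 0.70 and an SLA demanding 0.8 is not confirmed. This is the kind of distinction a verification method has to make explicit: the SLA term needs to say not only the metric and its threshold, but also the evidence required to conclude that the threshold holds.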
