Automated Evaluation of Network Intrusion Detection Systems in IaaS Clouds

This paper describes an approach for the automated security evaluation of operational Network Intrusion Detection Systems (NIDS) deployed in Infrastructure as a Service (IaaS) cloud computing environments. Our objective is to provide automated, experimental methods that execute attack campaigns and analyze the NIDS reactions, in order to assess how well the NIDS protects clients' virtual infrastructures and to reveal weaknesses in its placement and configuration. To do so, we designed a three-phase approach. The first phase clones the target client's infrastructure so that all subsequent audit operations run on the clone rather than on production systems. The second phase analyzes the network access controls of the cloned infrastructure to determine which network paths are actually reachable. The third phase, presented in this paper, uses evaluation traffic that we modeled and generated to execute attack campaigns following an optimized scheduling algorithm; the resulting NIDS alerts are then analyzed and evaluation metrics are computed from them. Our approach is supported by a prototype and by experiments carried out on a VMware-based cloud platform.
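The last step above, matching the NIDS alerts against the attack campaign and deriving metrics, is sketched below as an added example; it is not the paper's prototype or its metric definitions. It assumes a simple model: an attack is a flow (source, destination, destination port) active over a time window, an alert is attributed to an attack when it carries the same flow and falls inside that window (with a small slack for clock drift), and attacks whose flow the access-control analysis found blocked are excluded from the campaign because they never reach the sensor. The field names, the two-second slack and the sample data are all constructed for the illustration.

```python
"""Added example (not the paper's prototype): score NIDS alerts against the
attack campaign that was actually launched and report detection metrics.

Assumed model: an attack is a flow (src, dst, dport) active over [start, end];
an alert counts for an attack when it carries the same flow and its timestamp
falls within that window plus a small slack for clock drift."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str, int]  # (source IP, destination IP, destination port)


@dataclass(frozen=True)
class Attack:
    attack_id: str
    src: str
    dst: str
    dport: int
    start: float  # seconds since campaign start
    end: float

    @property
    def flow(self) -> Flow:
        return (self.src, self.dst, self.dport)


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    dport: int
    ts: float
    signature: str

    @property
    def flow(self) -> Flow:
        return (self.src, self.dst, self.dport)


def evaluate(attacks: Iterable[Attack], alerts: Iterable[Alert],
             allowed_flows: Set[Flow], slack: float = 2.0) -> Dict[str, object]:
    """Compute detection metrics for one campaign.

    Attacks whose flow is blocked by the access-control analysis are excluded
    from the campaign: they never reach the sensor, so they say nothing about
    the NIDS and would only depress the detection rate.
    """
    attacks = list(attacks)
    alerts = list(alerts)
    campaign = [a for a in attacks if a.flow in allowed_flows]

    detected: Set[str] = set()
    matched_alerts = 0
    for al in alerts:
        hits = [a.attack_id for a in campaign
                if a.flow == al.flow and a.start - slack <= al.ts <= a.end + slack]
        if hits:
            matched_alerts += 1          # alert explained by at least one attack
            detected.update(hits)
    tp = len(detected)                   # attacks that raised at least one alert
    fn = len(campaign) - tp              # attacks that raised none
    fp = len(alerts) - matched_alerts    # alerts not explained by any attack
    return {
        "campaign_size": len(campaign),
        "skipped_unreachable": len(attacks) - len(campaign),
        "tp": tp,
        "fn": fn,
        "fp": fp,
        "detection_rate": tp / len(campaign) if campaign else 0.0,
        "alert_precision": matched_alerts / len(alerts) if alerts else 0.0,
        "missed": sorted(a.attack_id for a in campaign if a.attack_id not in detected),
    }


# Constructed sample data (not taken from the paper's experiments).
ALLOWED_FLOWS: Set[Flow] = {
    ("10.0.1.5", "10.0.2.10", 80),
    ("10.0.1.5", "10.0.2.11", 22),
    ("10.0.1.6", "10.0.2.10", 443),
    # ("10.0.1.6", "10.0.2.12", 3306) is filtered by the client's access controls
}
ATTACKS: List[Attack] = [
    Attack("A1", "10.0.1.5", "10.0.2.10", 80, 100.0, 105.0),
    Attack("A2", "10.0.1.5", "10.0.2.11", 22, 200.0, 210.0),
    Attack("A3", "10.0.1.6", "10.0.2.10", 443, 300.0, 302.0),
    Attack("A4", "10.0.1.6", "10.0.2.12", 3306, 400.0, 405.0),  # unreachable
]
ALERTS: List[Alert] = [
    Alert("10.0.1.5", "10.0.2.10", 80, 101.2, "web attack"),
    Alert("10.0.1.5", "10.0.2.10", 80, 103.9, "web attack"),
    Alert("10.0.1.6", "10.0.2.10", 443, 301.0, "tls anomaly"),
    Alert("10.0.9.9", "10.0.2.10", 80, 150.0, "port scan"),  # no attack behind it
]

if __name__ == "__main__":
    for key, value in evaluate(ATTACKS, ALERTS, ALLOWED_FLOWS).items():
        print(f"{key}: {value}")
```

With the sample data, three of the four attacks are reachable, two of them raise alerts (A2 on port 22 is missed), and one of the four alerts is not explained by any launched attack, so the detection rate is 2/3 and the alert precision 0.75. Keeping unreachable attacks out of the denominator is the point of running the access-control analysis before the campaign: a missed attack that the network would never have delivered is a placement finding, not a detection failure.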
