Cloud computing-based forensic analysis for collaborative network security management system

Internet security problems remain a major challenge, with many security concerns such as Internet worms, spam, and phishing attacks. Botnets, well-organized distributed network attacks, consist of a large number of bots that generate huge volumes of spam or launch Distributed Denial of Service (DDoS) attacks on victim hosts. Newly emerging botnet attacks degrade the state of Internet security further. To address these problems, a practical collaborative network security management system is proposed with an effective collaborative Unified Threat Management (UTM) and traffic probers. A distributed security overlay network with a centralized security center leverages a peer-to-peer communication protocol used in the UTMs' collaborative module and connects them virtually to exchange network events and security rules. Security functions of the UTM are retrofitted to share security rules. In this paper, we propose a design and implementation of a cloud-based security center for network security forensic analysis. We propose using cloud storage to keep collected traffic data and then processing it on cloud computing platforms to find malicious attacks. As a practical example, phishing attack forensic analysis is presented and the required computing and storage resources are evaluated based on real trace data. The cloud-based security center can instruct each collaborative UTM and prober to collect events and raw traffic, send them back for deep analysis, and generate new security rules. These new security rules are enforced by the collaborative UTMs, and the feedback events of such rules are returned to the security center. Through this type of closed-loop control, the collaborative network security management system can identify and address new distributed attacks more quickly and effectively.
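The closed loop described above, as an added example that is not the paper's own code: a map/reduce style retrospective phishing analysis over traffic records that UTMs and probers have uploaded to cloud storage, which emits per-UTM security rules for the hosts that contacted a phishing site before it was blacklisted. The record format, the blacklist feed, and the rule dictionary format are assumptions made for this example.

```python
# Added example (not the paper's own code): retrospective phishing forensics
# over traffic that collaborative UTMs/probers have uploaded to cloud storage.
# Assumed record format: "<utm-id> <epoch> <src-ip> <url>"; the blacklist feed
# and rule dict format are also assumptions made for this example.
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of stored traffic events from two UTM sites.
STORED_TRAFFIC = """\
utm-A 1000 10.0.1.5 http://bank-login.example/verify?id=7
utm-A 1010 10.0.1.9 http://intranet.example/home
utm-B 1020 10.0.2.3 http://bank-login.example/verify?id=9
utm-B 1050 10.0.2.3 http://news.example/today
utm-A 1090 10.0.1.5 http://bank-login.example/verify?id=7
"""
# Constructed blacklist update: host -> epoch at which it was listed.
BLACKLIST_UPDATE = {"bank-login.example": 1100}

def map_phase(line, blacklist):
    """Map step: emit (phishing host, (utm, src_ip, ts)) for each access that
    predates the listing, i.e. a victim a real-time filter could not stop."""
    utm, ts, src, url = line.split()
    host = urlsplit(url).hostname
    listed_at = blacklist.get(host)
    if listed_at is not None and int(ts) < listed_at:
        yield host, (utm, src, int(ts))

def reduce_phase(pairs):
    """Reduce step: group affected client IPs by phishing host and by UTM."""
    victims = defaultdict(lambda: defaultdict(set))
    for host, (utm, src, _ts) in pairs:
        victims[host][utm].add(src)
    return victims

def generate_rules(victims):
    """Per-UTM rules for the closed loop: block the host and flag the clients
    that already contacted it so the UTM can report follow-up events."""
    rules = [{"utm": utm, "action": "block", "host": host,
              "flag_clients": sorted(srcs)}
             for host, per_utm in victims.items()
             for utm, srcs in per_utm.items()]
    return sorted(rules, key=lambda r: (r["utm"], r["host"]))

def run_forensics(traffic=STORED_TRAFFIC, blacklist=BLACKLIST_UPDATE):
    pairs = [p for line in traffic.splitlines() for p in map_phase(line, blacklist)]
    return generate_rules(reduce_phase(pairs))
```

In a real deployment the map and reduce functions would run as Hadoop-style jobs over the stored traffic, and the returned rules would be pushed to each UTM through the collaborative module.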
