Academia.eduAcademia.edu

Figure from:A survey of intrusion detection techniques in Cloud

See full PDFdownloadDownload figure
Fig. 2. Architecture of NeGPAIM (Botha et al., 2002). As shown in Fig. 2 (Botha et al., 2002), NeGPAIM is based on hybrid technique combining two low level components including fuzzy logic for misuse detection and neural networks for anomaly detection, and one high level component which is a central engine analyzing outcome of two low level components. It is an effective model, which does not require dynamic updates of rules. Gong. et al. (2005) used seven 1 features (Duration, Protocol, Source_port, Destination_port, Source_IP, Destination_IP, Attack_- name) of captured packet. They used support confidence based

Figure 2 Architecture of NeGPAIM (Botha et al., 2002). As shown in Fig. 2 (Botha et al., 2002), NeGPAIM is based on hybrid technique combining two low level components including fuzzy logic for misuse detection and neural networks for anomaly detection, and one high level component which is a central engine analyzing outcome of two low level components. It is an effective model, which does not require dynamic updates of rules. Gong. et al. (2005) used seven 1 features (Duration, Protocol, Source_port, Destination_port, Source_IP, Destination_IP, Attack_- name) of captured packet. They used support confidence based

Related Figures (21)

Contents 1084-8045/$-see front matter © 2012 Elsevier Ltd. All rights reserved. http://dx.doi.org/10.1016/j.jnca.2012.05.003 Keywords: Cloud computing Firewalls Intrusion detection system Intrusion prevention system
Contents 1084-8045/$-see front matter © 2012 Elsevier Ltd. All rights reserved. http://dx.doi.org/10.1016/j.jnca.2012.05.003 Keywords: Cloud computing Firewalls Intrusion detection system Intrusion prevention system
Fig. 1. Basic firewall installation (2011, http://teleco-network.blogspot.com/). Firewall (in Cloud) could be the common solution to prevent some of the attacks listed above. To prevent attacks on VM/ Hypervisor, anomaly based intrusion detection techniques can be
Fig. 1. Basic firewall installation (2011, http://teleco-network.blogspot.com/). Firewall (in Cloud) could be the common solution to prevent some of the attacks listed above. To prevent attacks on VM/ Hypervisor, anomaly based intrusion detection techniques can be
Summary of firewalls. Table 1
Summary of firewalls. Table 1
Summary of IDS/IPS techniques. Table 2
Summary of IDS/IPS techniques. Table 2
Fig. 3. Host based intrusion detection system (HIDS) (2011, http://maltainfosec org/archives/26-The-concept-of-Intrusion-Detection-Systems.html).
Fig. 3. Host based intrusion detection system (HIDS) (2011, http://maltainfosec org/archives/26-The-concept-of-Intrusion-Detection-Systems.html).
Fig. 4. IDS architecture for Grid/Cloud environment (Vieira et al., 2010).
Fig. 4. IDS architecture for Grid/Cloud environment (Vieira et al., 2010).
Fig. 5. Multilevel IDS architecture (Lee et al., 2011).
Fig. 5. Multilevel IDS architecture (Lee et al., 2011).
Fig. 6. Network based intrusion detection system (2011, http://maltainfosec.org archives/26-The-concept-of-Intrusion-Detection-Systems.html). Hamad and Hoby (2012) proposed a method for providing intrusion Detection as a Service in Cloud, which delivers Snort for Cloud clients in a service-based manner. Fig. 8 shows subscription and IDS operation request of Cloud intrusion detection service (CIDS). User request related to his subscription details is for- warded to the database layer, whereas the IDS operation requests are forwarded to the system layer. The system layer and the database layer can communicate with each other to translate preferences (that exist in the database layer) into runtime- configurations that are used at the system layer. The limitation
Fig. 6. Network based intrusion detection system (2011, http://maltainfosec.org archives/26-The-concept-of-Intrusion-Detection-Systems.html). Hamad and Hoby (2012) proposed a method for providing intrusion Detection as a Service in Cloud, which delivers Snort for Cloud clients in a service-based manner. Fig. 8 shows subscription and IDS operation request of Cloud intrusion detection service (CIDS). User request related to his subscription details is for- warded to the database layer, whereas the IDS operation requests are forwarded to the system layer. The system layer and the database layer can communicate with each other to translate preferences (that exist in the database layer) into runtime- configurations that are used at the system layer. The limitation
Fig. 7. Architecture of VM integrated IDS management (Roschkeet al., 2009). In cooperative agent based approach (Lo et al., 2008), indivi- dual NIDS module is deployed in each Cloud region as shown in Fig. 10 (Lo et al., 2008). If any Cloud region detects intrusions, it alerts other region. Each ID sends alert to each other, to judge severity of this alert. If new attack is detected, the new blocking rule is added to block list. So, this type of detection and preven- tion helps to resist attacks in Cloud.
Fig. 7. Architecture of VM integrated IDS management (Roschkeet al., 2009). In cooperative agent based approach (Lo et al., 2008), indivi- dual NIDS module is deployed in each Cloud region as shown in Fig. 10 (Lo et al., 2008). If any Cloud region detects intrusions, it alerts other region. Each ID sends alert to each other, to judge severity of this alert. If new attack is detected, the new blocking rule is added to block list. So, this type of detection and preven- tion helps to resist attacks in Cloud.
Fig. 8. Intrusion detection as a service in Cloud (Hamad and Hoby, 2012).
Fig. 8. Intrusion detection as a service in Cloud (Hamad and Hoby, 2012).
Fig. 10. Block diagram of cooperative agent based approach (Lo et al., 2008) Fig. 9. Distributed intrusion detection system (DIDS).
Fig. 10. Block diagram of cooperative agent based approach (Lo et al., 2008) Fig. 9. Distributed intrusion detection system (DIDS).
[PS should be configured accurately for expected results; other- wise it stops flow of packets resulting in network unavailability For intrusion prevention, mostly firewall with IDS is used which contains signature specifying network traffic rules. Based on the preconfigured rules, IPS decides whether network traffic should be passed or blocked. In response to detected attack, IPS can stor the attack itself, can change the attack contents or change security environment.
[PS should be configured accurately for expected results; other- wise it stops flow of packets resulting in network unavailability For intrusion prevention, mostly firewall with IDS is used which contains signature specifying network traffic rules. Based on the preconfigured rules, IPS decides whether network traffic should be passed or blocked. In response to detected attack, IPS can stor the attack itself, can change the attack contents or change security environment.
Fig. 12. Network based intrusion prevention system (2011, http://www.javvin.com/networksecurity/IPS.html]). Fig. 11. VMI-based IDS architecture (Garfinkel and Rosenblum, 2003).
Fig. 12. Network based intrusion prevention system (2011, http://www.javvin.com/networksecurity/IPS.html]). Fig. 11. VMI-based IDS architecture (Garfinkel and Rosenblum, 2003).
Fig. 13. The architecture of Xen based firewall and its extension (Fagui et al., 2009).
Fig. 13. The architecture of Xen based firewall and its extension (Fagui et al., 2009).
Fig. 14. Architecture of dynamic intelligence Cloud firewall (Jia and Wang, 2011).
Fig. 14. Architecture of dynamic intelligence Cloud firewall (Jia and Wang, 2011).
Fig. 15. Positioning IDPS in network (Scarfone and Mell, 2007).
Fig. 15. Positioning IDPS in network (Scarfone and Mell, 2007).
Summary of IDS/IPS types. Table 3 Jia and Wang (2011) designed an IPS model based on dynamically distributed Cloud firewall linkage. Authors intro- duced the structure and function of Cloud firewall. As shown in Fig. 14, external information is trained using data switcher through credible database. Then this information is learned HOOK function to identify the rules irrespective of the rules matching the data. The skb buffer saves the data of the packet, such as source IP address, destination port number, which is captured when it goes through the HOOK. However, Unknown attacks cannot be prevented by this approach.
Summary of IDS/IPS types. Table 3 Jia and Wang (2011) designed an IPS model based on dynamically distributed Cloud firewall linkage. Authors intro- duced the structure and function of Cloud firewall. As shown in Fig. 14, external information is trained using data switcher through credible database. Then this information is learned HOOK function to identify the rules irrespective of the rules matching the data. The skb buffer saves the data of the packet, such as source IP address, destination port number, which is captured when it goes through the HOOK. However, Unknown attacks cannot be prevented by this approach.
Fig. 16. Placement of IDS on VMs and hypervisor/host system.
Fig. 16. Placement of IDS on VMs and hypervisor/host system.
Summary of existing IDS approaches in Cloud Table 4 2007). Proper configuration and management of IDS and IPS combination can improve security. NIST (Scarfone and Mell, 2007) explained how intrusion detection and prevention can be used together to strengthen security, and also discussed different ways to design, configure, and manage IDPS. using knowledge base and compared with predefined rules or policies. Rules or policies are generated by using data mining techniques. The defending agents, expert system, and the detecting and identifying agents are used for real time defense, detection of intrusions and identification. If the intrusions are detected, the monitor station calls defending filter, prevention and generates alerts, then give auditing record. The monitoring work station is used to monitor internal intrusions. An intelli- gent IPS module based on dynamically distributed Cloud fire- wall linkage is used for real time interactive defense and better optimization of Cloud firewall. When user of internal network accesses external network resources, IPS uses feature detection and recognition mode of Cloud security for analyzing and deciding safety of resources which are accessed by users. It uses expert system used in Cloud firewall. In this approach user’s behaviors, files, web pages etc are used for calculating resources’ reputation and detecting intrusions. Experimental results of this approach are not evaluated.
Summary of existing IDS approaches in Cloud Table 4 2007). Proper configuration and management of IDS and IPS combination can improve security. NIST (Scarfone and Mell, 2007) explained how intrusion detection and prevention can be used together to strengthen security, and also discussed different ways to design, configure, and manage IDPS. using knowledge base and compared with predefined rules or policies. Rules or policies are generated by using data mining techniques. The defending agents, expert system, and the detecting and identifying agents are used for real time defense, detection of intrusions and identification. If the intrusions are detected, the monitor station calls defending filter, prevention and generates alerts, then give auditing record. The monitoring work station is used to monitor internal intrusions. An intelli- gent IPS module based on dynamically distributed Cloud fire- wall linkage is used for real time interactive defense and better optimization of Cloud firewall. When user of internal network accesses external network resources, IPS uses feature detection and recognition mode of Cloud security for analyzing and deciding safety of resources which are accessed by users. It uses expert system used in Cloud firewall. In this approach user’s behaviors, files, web pages etc are used for calculating resources’ reputation and detecting intrusions. Experimental results of this approach are not evaluated.