Network Intrusion Detection and Countermeasure Selection in Virtual

Jun 02, 2018

sonika7
Transcript
  • 8/10/2019 Network Intrusion Detection and Countermeasure Selection in Virtual

    Presented By:

    Heena Mathur

    Network Intrusion Detection And Countermeasure Selection In Virtual Network System

    1/14/15 1

    Contents

    Introduction
    What is Intrusion
    What is Network Intrusion Detection System
    Objective
    Existing System
    Disadvantage of Existing System
    Proposed System
    Advantage of Proposed System
    System Architecture
    Algorithm Used
    Modules
    Module Description
    Conclusion

    Introduction

    THREAT TO NETWORK SECURITY

    A significant security problem for networked systems is hostile, or at least unwanted, trespass by users or software.

    User trespass can take the form of unauthorized logon to a machine or, in the case of an authorized user, acquisition of privileges or performance of actions beyond those that have been authorized.

    Software trespass can take the form of a virus, worm, or Trojan horse.

    What is an Intrusion?

    Definition: An intrusion can be defined as a subversion of security to gain access to a system. This intrusion can use multiple attack methods and can span long periods of time.

    These unauthorized accesses to computer or network systems are often designed to study the system's weaknesses for future attacks.

    Other forms of intrusions are aimed at limiting access or even preventing access to computer systems or networks.

    Types of Intruders

    In an early study of intrusion, Anderson identified three classes of intruders:

    Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.

    Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.

    Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit actions.

    Methods of Intrusions

    The methods used by intruders can often contain any one or even combinations of the following intrusion types:

    Distributed Denial of Service
    Trojan Horse
    Viruses and Worms
    Spoofing
    Network/Port Scans
    Buffer Overflow

    Intrusion Detection System

    [Diagram: components labelled Knowledge Base, Response Model, Event Provider, Other Machine, Alert Data, Analysis Engine]

    Network Intrusion Detection System

    Definition: In computer security, a Network Intrusion Detection System (NIDS) is an intrusion detection system that attempts to discover unauthorized access to a computer network by analyzing traffic on the network for signs of malicious activity.

    In a cloud computing environment, attackers can determine the vulnerabilities in the cloud systems and compromise the virtual machines to launch a large-scale Distributed Denial-of-Service (DDoS) attack. To keep these machines from being compromised, we propose a multi-phase solution, NICE (Network Intrusion Detection and Countermeasure Selection in Virtual Network Systems).

    Objective: The main aim of this project is to prevent the vulnerable virtual machines from being compromised in the cloud server, using a multi-phase distributed vulnerability detection, measurement, and countermeasure selection mechanism called NICE.

    Existing System

    Cloud users can install vulnerable software on their VMs, which essentially contributes to loopholes in cloud security. The challenge is to establish an effective vulnerability/attack detection and response system for accurately identifying attacks and minimizing the impact of a security breach on cloud users. In a cloud system where the infrastructure is shared by potentially millions of users, abuse and nefarious use of the shared infrastructure lets attackers exploit vulnerabilities of the cloud and use its resources to deploy attacks in more efficient ways.

    Such attacks are more effective in the cloud environment since cloud users usually share computing resources, e.g., being connected through the same switch and sharing the same data storage and file systems, even with potential attackers. The similar setup for VMs in the cloud, e.g., virtualization techniques, VM OS, installed vulnerable software, networking, etc., attracts attackers to compromise multiple VMs.

    Disadvantage of Existing System

    1. No detection and prevention framework in a virtual networking environment.

    2. Lack of accuracy in detecting attacks.

    Proposed System

    We propose NICE (Network Intrusion detection and Countermeasure selection in virtual network systems) to establish a defense-in-depth intrusion detection framework. For better attack detection, NICE incorporates attack graph analytical procedures into the intrusion detection processes. We must note that the design of NICE does not intend to improve any of the existing intrusion detection algorithms; indeed, NICE employs a reconfigurable virtual networking approach to detect and counter the attempts to compromise VMs, thus preventing zombie VMs.

    Advantage of Proposed System

    We devise NICE, a new multi-phase distributed network intrusion detection and prevention framework in a virtual networking environment that captures and inspects suspicious cloud traffic without interrupting users' applications and cloud services.

    NICE incorporates a software switching solution to quarantine and inspect suspicious VMs for further investigation and protection.

    Through programmable network approaches, NICE can improve the attack detection probability and improve the resiliency to VM exploitation attacks without interrupting existing normal cloud services.

    NICE employs a novel attack graph approach for attack detection and prevention by correlating attack behavior and also suggests effective countermeasures.

    NICE optimizes the implementation on cloud servers to minimize resource consumption. Our study shows that NICE consumes less computational overhead compared to proxy-based network intrusion detection solutions.

    System Architecture

    Algorithm Used

    Alert Correlation Algorithm

    Countermeasure Selection Algorithm

    Modules

    1. Nice-A
    2. VM Profiling
    3. Attack Analyzer
    4. Network Controller

    Module Description

    Nice-A:

    The NICE-A is a Network-based Intrusion Detection System (NIDS) agent installed in each cloud server. It scans the traffic going through the bridges that control all the traffic among VMs and in/out from the physical cloud servers. It will sniff a mirroring port on each virtual bridge in the Open vSwitch. Each bridge forms an isolated subnet in the virtual network and connects to all related VMs. The traffic generated from the VMs on the mirrored software bridge will be mirrored to a specific port on a specific bridge using SPAN, RSPAN, or ERSPAN methods. It is more efficient to scan the traffic in the cloud server since all traffic in the cloud server needs to go through it; however, our design is independent of the installed VM. The false alarm rate could be reduced through our architecture design.

    VM Profiling

    Virtual machines in the cloud can be profiled to get precise information about their state, services running, open ports, etc. One major factor that counts towards a VM profile is its connectivity with other VMs. Also required is the knowledge of services running on a VM so as to verify the authenticity of alerts pertaining to that VM. An attacker can use a port scanning program to perform an intense examination of the network to look for open ports on any VM. So information about any open ports on a VM and the history of opened ports plays a significant role in determining how vulnerable the VM is. All these factors combined will form the VM profile. VM profiles are maintained in a database and contain comprehensive information about vulnerabilities, alerts, and traffic.
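A minimal sketch of how such a profile can be used to verify alerts, added here as an illustration and not taken from the presentation or from NICE itself. The field layout, the four verdict names, the ordering rule in `triage`, and all VM names, ports and finding IDs are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class VMProfile:
    # Fields follow the factors named above; the layout itself is an assumption.
    name: str
    services: dict                      # open port -> service currently running
    port_history: set                   # ports seen open at any time in the past
    neighbours: set                     # VMs this VM has connectivity with
    vulnerabilities: set = field(default_factory=set)  # scanner finding IDs
    alerts: list = field(default_factory=list)         # (signature, verdict) log

RANK = {"confirmed": 0, "relevant": 1, "historic": 2, "unverified": 3}

def verify_alert(profile, alert):
    """Check an IDS alert against the destination VM's profile."""
    port = alert["dst_port"]
    if port in profile.services:
        # The targeted service really runs; a matching finding confirms the alert.
        known = alert.get("vuln_id") in profile.vulnerabilities
        verdict = "confirmed" if known else "relevant"
    elif port in profile.port_history:
        verdict = "historic"      # port was open earlier, closed now
    else:
        verdict = "unverified"    # nothing ever listened there: likely false alarm
    profile.alerts.append((alert["signature"], verdict))
    return verdict

def triage(profiles, alerts):
    """Order alerts by verdict, then by how connected the target VM is."""
    rows = []
    for a in alerts:
        p = profiles[a["dst_vm"]]
        rows.append((RANK[verify_alert(p, a)], -len(p.neighbours), a["signature"]))
    return [sig for _, _, sig in sorted(rows)]

# Constructed sample data (VM names, ports and finding IDs are placeholders).
PROFILES = {
    "web": VMProfile("web", {80: "httpd", 22: "sshd"}, {80, 22, 8080},
                     {"db", "mail", "admin"}, {"FINDING-A"}),
    "db": VMProfile("db", {3306: "mysqld"}, {3306}, {"web"}, {"FINDING-B"}),
}
ALERTS = [
    {"dst_vm": "db", "dst_port": 3306, "signature": "sql-probe", "vuln_id": "FINDING-B"},
    {"dst_vm": "web", "dst_port": 445, "signature": "smb-probe"},
    {"dst_vm": "web", "dst_port": 80, "signature": "http-exploit", "vuln_id": "FINDING-A"},
    {"dst_vm": "web", "dst_port": 8080, "signature": "proxy-probe"},
]

if __name__ == "__main__":
    print(triage(PROFILES, ALERTS))
```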

    Attack Analyzer:

    The major functions of the NICE system are performed by the attack analyzer, which includes procedures such as attack graph construction and update, alert correlation, and countermeasure selection. The process of constructing and utilizing the Scenario Attack Graph (SAG) consists of three phases: information gathering, attack graph construction, and potential exploit path analysis. With this information, attack paths can be modeled using SAG. The Attack Analyzer also handles alert correlation and analysis operations. This component has two major functions:

    (1) Constructs the Alert Correlation Graph (ACG),

    (2) Provides threat information and appropriate countermeasures to the network controller for virtual network reconfiguration.

    The NICE attack graph is constructed based on the following information: cloud system information, virtual network topology and configuration information, and vulnerability information.
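The three phases described above (information gathering, graph construction, exploit path analysis), shown on a deliberately simplified reachability model. This is an added example, not the SAG algorithm or any code from NICE; the three input tables, the function names and every VM, service and finding ID are constructed assumptions.

```python
# Phase 1, information gathering: constructed stand-ins for the three sources.
SERVICES = {("web", 80): "httpd", ("mail", 25): "smtpd",      # cloud system information
            ("db", 3306): "mysqld", ("admin", 22): "sshd"}
FLOWS = {("internet", "web", 80), ("internet", "mail", 25),   # topology/configuration:
         ("web", "db", 3306), ("mail", "db", 3306),           # (src, dst, port) allowed
         ("web", "admin", 22), ("db", "admin", 22)}
VULNS = {"httpd": "FINDING-A", "smtpd": "FINDING-C",          # vulnerability information
         "mysqld": "FINDING-B"}                               # (placeholder finding IDs)

def build_attack_graph(services, flows, vulns):
    """Phase 2: edge src -> dst exists when src may reach a vulnerable service."""
    graph = {}
    for src, dst, port in sorted(flows):
        finding = vulns.get(services.get((dst, port)))
        if finding:
            graph.setdefault(src, []).append((dst, port, finding))
    return graph

def exploit_paths(graph, source, target, seen=()):
    """Phase 3: enumerate loop-free chains of vulnerable hops to the target."""
    if source == target:
        return [[]]
    seen = seen + (source,)
    paths = []
    for dst, port, finding in graph.get(source, []):
        if dst not in seen:
            for rest in exploit_paths(graph, dst, target, seen):
                paths.append([(source, dst, port, finding)] + rest)
    return paths

def common_targets(paths):
    """Vulnerable services present on every path: fixing one cuts them all."""
    sets = [{hop[1:] for hop in p} for p in paths]
    return set.intersection(*sets) if sets else set()

if __name__ == "__main__":
    g = build_attack_graph(SERVICES, FLOWS, VULNS)
    found = exploit_paths(g, "internet", "db")
    for p in found:
        print(" -> ".join(f"{dst}:{port} ({f})" for _, dst, port, f in p))
    print("countermeasure candidates:", common_targets(found))
```

The services returned by `common_targets` are the ones a controller would patch or filter first, since every modeled path to the target depends on them.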

    Network Controller:

    The network controller is a key component to support the programmable networking capability to realize the virtual network reconfiguration. In NICE, we integrated the control functions for both OVS and OFS into the network controller, which allows the cloud system to set security/filtering rules in an integrated and comprehensive manner. The network controller is responsible for collecting network information of the current OpenFlow network and provides input to the attack analyzer to construct attack graphs.

    In NICE, the network controller also consults with the attack analyzer for the flow access control by setting up the filtering rules on the corresponding OVS and OFS. The network controller is also responsible for applying the countermeasure from the attack analyzer. Based on the VM Security Index and the severity of an alert, countermeasures are selected by NICE and executed by the network controller.

    System Configuration

    Hardware Configuration-

    Processor - Pentium IV

    Speed - 1.1 GHz

    RAM - 256 MB (min