Intrusion Detection for Grid and Cloud Computing
Kleber Vieira, Alexandre Schulter, Carlos Becker Westphall, and Carla Merkle Westphall, Federal University of Santa Catarina, Brazil
Because of their distributed nature, grid and cloud computing environments are easy targets for intruders looking for possible vulnerabilities to exploit. By impersonating legitimate users, the intruders can use a service's abundant resources maliciously.

To combat attackers, intrusion-detection systems (IDSs) can offer additional security measures for these environments by investigating configurations, logs, network traffic, and user actions to identify typical attack behavior [1]. However, an IDS must be distributed to work in a grid and cloud computing environment. It must monitor each node and, when an attack occurs, alert other nodes in the environment. This kind of communication requires compatibility between heterogeneous hosts, various communication mechanisms, and permission control over system maintenance and updates; these are typical features in grid and cloud environments [2]. Cloud middleware usually provides these features, so we propose an IDS service offered at the middleware layer (as opposed to the infrastructure or software layers).

An attack against a cloud computing system can be silent for a network-based IDS deployed in its environment, because node communication is usually encrypted. Attacks can also be invisible to host-based IDSs, because cloud-specific attacks don't necessarily leave traces in a node's operating system, where the host-based IDS resides. In this way, traditional IDSs can't appropriately identify suspicious activities in a grid and cloud environment [3] (see the Related Work in Intrusion Detection sidebar).

Here, we take a careful look at the cloud case in particular. We propose the Grid and Cloud Computing Intrusion Detection System (GCCIDS), which has an audit system designed to cover attacks that network- and host-based systems can't detect. GCCIDS integrates knowledge and behavior analysis to detect specific intrusions.
38 IT Pro July/August 2010 Published by the IEEE Computer Society 1520-9202/10/$26.00 2010 IEEE
Related Work in Intrusion Detection
Figure 1. The architecture of grid and cloud computing intrusion detection. Each node identifies local events that could represent security violations and sends an alert to the other nodes. (Components shown in the figure: a grid node hosting a service, the IDS service with its event auditor, analyzer, alert system, storage service, knowledge base, and behavior base, a communication service that synchronizes with the other nodes, and a database.)

communication mechanisms to send alerts to the other nodes. The middleware synchronizes the known-attacks and user-behavior databases.

The storage service holds the data that the IDS service must analyze. It's important for all nodes to have access to the same data, so the middleware must transparently create a virtualization of the homogeneous environment.

IDS Service
The IDS service increases a cloud's security level by applying two methods of intrusion detection. The behavior-based method dictates how to compare recent user actions to the usual behavior. The knowledge-based method detects

might represent an attack. The audited data is sent to the IDS service core, which analyzes the behavior using artificial intelligence to detect deviations. The analyzer uses a profile history database to determine the distance between a typical user behavior and the suspect behavior and communicates this to the IDS service.

The rules analyzer receives audit packages and determines whether a rule in the database is being broken. It returns the result to the IDS service core. With these responses, the IDS calculates the probability that the action represents an attack and alerts the other nodes if the probability is sufficiently high.

Event Auditor
To detect an intrusion, we need audit data describing the environment's state and the messages being exchanged. The event auditor can monitor the data that the analyzers are accessing. The first component monitors message exchange between nodes. Although audit information about the communication between nodes is being captured, no network data is taken into account, only node information.

The second component monitors the middleware logging system. For each action occurring in a node, a log entry is created containing the action's type (such as error, alert, or warning), the event that generated it, and the message. With this kind of data, it's possible to identify an ongoing intrusion.

Behavior Analysis
Numerous methods exist for behavior-based intrusion detection, such as data mining, artificial neural networks, and artificial immunological systems. We use a feed-forward artificial neural network, because, in contrast to traditional methods, this type of network can quickly process information, has self-learning
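The IDS service core described above, written out as an added example that is not code from the article or the GCCIDS prototype. It assumes, in place of anything the paper specifies, a set of four audited per-day features, a mean absolute z-score against the profile history as the behavior analyzer's distance (the paper uses a feed-forward neural network for that step), a noisy-OR fusion of the two analyzers' responses with a rule-broken confidence of 0.8, an alert threshold of 0.5, and a pluggable transport for alerting peer nodes; all of those values are constructed here.

```python
"""IDS service core: fuse the behavior analyzer's distance to the profile
history with the rules analyzer's verdict into an attack probability and,
above a threshold, alert the other nodes. Added example; assumptions are
marked in comments and none of the constants come from the paper."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable, Dict, List, Optional, Tuple

FEATURES = ("logins", "service_requests", "storage_ops", "failed_auth")  # assumed audit features
MAX_DISTANCE = 3.0      # assumed: a mean |z| of three standard deviations maps to p_behavior = 1.0
RULE_CONFIDENCE = 0.8   # assumed probability of attack when a knowledge-base rule is broken
ALERT_THRESHOLD = 0.5   # assumed: alert peers once P(attack) reaches this value


class ProfileHistory:
    """Profile history database: one feature vector per user per audited day."""

    def __init__(self) -> None:
        self._days: Dict[str, List[Dict[str, float]]] = {}

    def record(self, user: str, day_vector: Dict[str, float]) -> None:
        self._days.setdefault(user, []).append(day_vector)

    def distance(self, user: str, observed: Dict[str, float]) -> float:
        """Mean absolute z-score of the observed vector against the user's history
        (stand-in for the paper's neural network). A user with fewer than two
        recorded days has no baseline; refuse rather than report 'normal'."""
        days = self._days.get(user, [])
        if len(days) < 2:
            raise ValueError(f"no behavior profile for user {user!r}")
        scores = []
        for feat in FEATURES:
            column = [d[feat] for d in days]
            mu, sigma = mean(column), pstdev(column)
            deviation = abs(observed[feat] - mu)
            # a feature that never varied in the history: any change counts in raw units
            scores.append(deviation / sigma if sigma > 0 else deviation)
        return mean(scores)


@dataclass(frozen=True)
class Verdict:
    node: str
    user: str
    probability: float
    alert: bool


class IdsCore:
    """Combines both analyzers' responses and propagates alerts to peer nodes."""

    def __init__(self, profiles: ProfileHistory, peers: List[str],
                 transport: Optional[Callable[[str, Verdict], None]] = None) -> None:
        self.profiles = profiles
        self.peers = peers
        self.outbox: List[Tuple[str, Verdict]] = []  # (peer, verdict) pairs handed to the transport
        self.transport = transport or (lambda peer, v: self.outbox.append((peer, v)))

    def analyze(self, node: str, user: str, observed: Dict[str, float],
                rule_broken: bool) -> Verdict:
        p_behavior = min(1.0, self.profiles.distance(user, observed) / MAX_DISTANCE)
        p_rule = RULE_CONFIDENCE if rule_broken else 0.0
        # noisy-OR: either analyzer alone can raise the probability; both together raise it further
        probability = 1.0 - (1.0 - p_rule) * (1.0 - p_behavior)
        verdict = Verdict(node, user, round(probability, 4), probability >= ALERT_THRESHOLD)
        if verdict.alert:
            for peer in self.peers:
                if peer != node:
                    self.transport(peer, verdict)
        return verdict


def demo() -> Tuple[IdsCore, Tuple[Verdict, Verdict, Verdict]]:
    """Three constructed audit packages for one user against a constructed three-day profile."""
    profiles = ProfileHistory()
    for logins, req, stor, fails in ((5, 20, 3, 0), (6, 22, 4, 0), (7, 18, 3, 1)):
        profiles.record("alice", dict(zip(FEATURES, (logins, req, stor, fails))))
    core = IdsCore(profiles, peers=["node-a", "node-b", "node-c"])
    usual = dict(zip(FEATURES, (6, 20, 4, 0)))
    unusual = dict(zip(FEATURES, (40, 500, 60, 12)))
    verdicts = (core.analyze("node-a", "alice", usual, rule_broken=False),
                core.analyze("node-a", "alice", usual, rule_broken=True),
                core.analyze("node-a", "alice", unusual, rule_broken=False))
    return core, verdicts


if __name__ == "__main__":
    core, verdicts = demo()
    for v in verdicts:
        print(v)
    print("alerts sent to peers:", [(peer, v.user) for peer, v in core.outbox])
```

Run stand-alone, demo shows the three cases the section discusses: a usual day (low probability, no alert), a usual day on which a rule is broken (the rule alone pushes the probability past the threshold), and a clearly anomalous day (behavior alone saturates the probability). The outbox records what the node would send to node-b and node-c; a missing baseline for a user raises instead of being scored as normal, which matters when intruders impersonate accounts that have little history.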
Figure 2. The behavior score results. The algorithm had the lowest number of false positives for input periods with 28–30 days. (The plot shows the number of false positives and false negatives, 0 to 6, against the number of training examples, 10 to 30, with one series for false positives and one for false negatives.)

of false negatives and a high level of uncertainty. Increasing the sample period for the learning phase improved the results.

Evaluating the Behavior-Based System
To measure IDS efficiency [1], we considered accuracy in terms of the system's ability to detect attacks and avoid false alarms. A system is imperfect if it accuses a legitimate action of being malicious. So, we measured accuracy using the number of false positives (legitimate actions marked as attacks) and false negatives (the absence of an alert when an attack has occurred).

The performance test we designed also evaluated the analysis technique's cost. We performed a load test where the program analyzed 1 to 100,000 actions. The simulation involving 100,000 actions is hypothetical. It surpasses the usual data volume and served as a base for understanding system behavior in an overloading condition. An action took approximately 0.000271 seconds to be processed with our setup.

The training time for an input of 30 days of sample behavior took 1.993 seconds. However, the training was sporadic; we had to plan updates to the behavior profile database according to a routine in the execution environment (since a user's behavior tends to change with time). This helped us identify a convenient period of days for determining the profile of a legitimate user. Artificial neural networks aren't deterministic, so the number of false positives and false negatives didn't represent a linear decreasing progression.

Figure 2 shows the results. The neural network tended to avoid identifying legitimate actions as attacks; there were always more false negatives than false positives when using the same quantity of input data.

No false alarms occurred when we started the training with 16 days of simulation, although the uncertainty level was still high, with several outputs near zero. With input periods of 28, 29, and 30 days, the algorithm showed a low number of false positives, but after several repetitions, the quantity of false positives varied, again representing the nondeterministic nature of neural networks.

Evaluating the Knowledge-Based System
In contrast to the behavior-based system, we used audit data from both a log system and the communication system to evaluate the knowledge-based system. We created a series of rules to illustrate security policies that the IDS should monitor.

We collected audit data referring to a route-discovery service, service discovery, and service request and response. The series of policies we created tested the system's performance, although our scope didn't include discovering new kinds of attacks or creating an attack database. Our goal was to evaluate our solution's functionality and the prototype's performance.

The rule below characterizes an attack in any message related to the storage service. The functions of the rule are as follows:

1. At start-up, the rules stored in an XML file are loaded into a data structure.
2. The auditor starts to capture data from the log and communication systems.
3. The data is preprocessed to create a data structure dividing log data from communication data to provide easy access to each element.
4. The corresponding policy for the audit package is verified.
5. An alert is generated if an attack or violation occurred.

We performed a load test for this algorithm simulating the analysis of 10 to 1,000,000 rules for an action. We verified the textual or
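The five-step rule check listed above, worked through in Python as an added example that is not code from the article or its prototype. The article does not show its rule format, so the XML layout (one rule with a source, a severity, and one or more match conditions), the audit record fields, and the sample records are all constructed here; the storage-service rule mirrors the sentence "characterizes an attack in any message related to the storage service" and is a test policy, not a real attack signature. count_errors applies the false-positive and false-negative definitions from the evaluation section.

```python
"""Knowledge-based rule check: load rules from XML, capture audit data,
split it into log and communication parts, verify the policy for the audit
package, and generate alerts. Added example; the rule schema, field names
and records are constructed and do not come from the paper."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Step 1 input: the rules "stored in an XML file" (constructed, inlined for a stand-alone run).
RULES_XML = """<rules>
  <rule id="storage-message" source="communication" severity="high">
    <match field="service" value="storage"/>
  </rule>
  <rule id="auth-error" source="log" severity="medium">
    <match field="type" value="error"/>
    <match field="event" value="authentication"/>
  </rule>
</rules>"""

Entry = Dict[str, str]


@dataclass(frozen=True)
class Rule:
    rule_id: str
    source: str                               # "log" or "communication": which part of the package it covers
    severity: str
    conditions: Tuple[Tuple[str, str], ...]   # every (field, value) pair must hold for a match


@dataclass
class AuditPackage:
    log: List[Entry] = field(default_factory=list)
    communication: List[Entry] = field(default_factory=list)


@dataclass(frozen=True)
class Alert:
    rule_id: str
    severity: str
    node: str
    message: str


def load_rules(xml_text: str) -> List[Rule]:
    """Step 1: at start-up, parse the rules into an in-memory structure.
    Malformed rules are rejected here instead of silently never matching."""
    rules = []
    for node in ET.fromstring(xml_text).findall("rule"):
        rule_id, source = node.get("id"), node.get("source")
        if source not in ("log", "communication"):
            raise ValueError(f"rule {rule_id!r}: source must be 'log' or 'communication'")
        conditions = tuple((m.get("field"), m.get("value")) for m in node.findall("match"))
        if not conditions or any(f is None or v is None for f, v in conditions):
            raise ValueError(f"rule {rule_id!r}: needs at least one complete <match>")
        rules.append(Rule(rule_id, source, node.get("severity", "low"), conditions))
    return rules


def capture_audit_data() -> List[Entry]:
    """Step 2: stand-in for the event auditor. Returns constructed records;
    the "kind" field says which system (log or communication) produced each."""
    return [
        {"kind": "log", "node": "n1", "type": "warning", "event": "scheduler", "message": "queue 80% full"},
        {"kind": "comm", "node": "n1", "service": "discovery", "peer": "n2", "message": "lookup compute"},
        {"kind": "comm", "node": "n1", "service": "storage", "peer": "n3", "message": "put /data/x"},
        {"kind": "log", "node": "n1", "type": "error", "event": "authentication", "message": "bad credential"},
        {"kind": "log", "node": "n1", "type": "error", "event": "disk", "message": "io failure"},
    ]


def preprocess(records: List[Entry]) -> AuditPackage:
    """Step 3: divide log data from communication data for direct access."""
    package = AuditPackage()
    for record in records:
        entry = {k: v for k, v in record.items() if k != "kind"}
        if record.get("kind") == "log":
            package.log.append(entry)
        elif record.get("kind") == "comm":
            package.communication.append(entry)
        else:
            raise ValueError(f"audit record of unknown kind: {record!r}")
    return package


def verify(package: AuditPackage, rules: List[Rule]) -> List[Alert]:
    """Steps 4 and 5: check each rule against the part of the package it covers
    and emit one alert per matching entry. A field absent from an entry never matches."""
    alerts = []
    for rule in rules:
        entries = package.log if rule.source == "log" else package.communication
        for entry in entries:
            if all(entry.get(f) == v for f, v in rule.conditions):
                alerts.append(Alert(rule.rule_id, rule.severity,
                                    entry.get("node", "?"), entry.get("message", "")))
    return alerts


def run_check(xml_text: str = RULES_XML) -> List[Alert]:
    return verify(preprocess(capture_audit_data()), load_rules(xml_text))


def count_errors(alerts: List[Alert], expected: Set[Tuple[str, str]]) -> Tuple[int, int]:
    """Accuracy as the evaluation defines it: false positives are alerts for
    (rule, message) pairs that were not violations; false negatives are
    violations that produced no alert."""
    fired = {(a.rule_id, a.message) for a in alerts}
    return len(fired - expected), len(expected - fired)


if __name__ == "__main__":
    for alert in run_check():
        print(alert)
```

On the constructed records two alerts fire: the storage-service message and the authentication error. The disk error does not fire the log rule because all of a rule's match conditions must hold, and the discovery message does not fire the storage rule; feeding the alerts and a set of expected violations to count_errors gives the false-positive and false-negative counts used in the evaluation.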
In testing our prototype, we learned that it has a low processing cost while still providing a satisfactory performance for real-time implementation. Sending data to other nodes for processing didn't seem necessary [7]. The individual analysis performed in each node reduces the complexity and the volume of data in comparison to previous solutions, where the audit data is concentrated in single points.

In the future, we'll implement our IDS, helping to improve green (energy-efficient), white (using wireless networks), and cognitive (using cognitive networks) cloud computing environments. We also intend to research and improve cloud computing security.

References
1. H. Debar, M. Dacier, and A. Wespi, "Towards a Taxonomy of Intrusion Detection Systems," Int'l J. Computer and Telecommunications Networking, vol. 31, no. 9, 1999, pp. 805–822.
2. I. Foster et al., "A Security Architecture for Computational Grids," Proc. 5th ACM Conf. Computer and Communications Security, ACM Press, 1998, pp. 83–92.
3. S. Axelsson, Research in Intrusion-Detection Systems: A Survey, tech. report TR-98-17, Dept. Computer Eng., Chalmers Univ. of Technology, 1999.
4. A. Schulter et al., "Intrusion Detection for Computational Grids," Proc. 2nd Int'l Conf. New Technologies, Mobility, and Security, IEEE Press, 2008, pp. 1–5.
5. H. Franke et al., "Grid-M: Middleware to Integrate Mobile Devices, Sensors and Grid Computing," Proc. 3rd Int'l Conf. Wireless and Mobile Comm. (ICWMC 07), IEEE CS Press, 2007, p. 19.
6. N.B. Idris and B. Shanmugam, "Artificial Intelligence Techniques Applied to Intrusion Detection," Proc. 2005 IEEE India Conf. (Indicon) 2005 Conf., IEEE Press, 2005, pp. 52–55.

interests include information systems, software engineering, distributed systems, and security. Vieira received his MSc in computer science from the Federal University of Santa Catarina. Contact him at kleber@inf.ufsc.br.

Alexandre Schulter is an IT analyst for a Brazilian government company. Previously, he was a researcher and software developer at several laboratories in the Technological Centre at the Federal University of Santa Catarina, Brazil. His research interests include information systems, component-based systems, software engineering, distributed systems, and security. Schulter received his MSc in computer science from the Federal University of Santa Catarina. Contact him at schulter@inf.ufsc.br.

Carlos Becker Westphall is a full professor in the Department of Informatics and Statistics at the Federal University of Santa Catarina, Brazil, where he is the leader of the Networks and Management Laboratory. His research interests include network management, security, and grid and cloud computing. Westphall received his DSc in computer science from the Paul Sabatier University, France. Contact him at westphal@inf.ufsc.br.

Carla Merkle Westphall is a professor in the Department of Informatics and Statistics at the Federal University of Santa Catarina, Brazil. Her research interests include distributed security, identity management, and grid and cloud security. Westphall received her PhD in electrical engineering from the Federal University of Santa Catarina. Contact her at carlamw@inf.ufsc.br.