MULTI-LEVEL INTRUSION DETECTION AND LOG MANAGEMENT SYSTEM IN CLOUD COMPUTING
ABSTRACT
Cloud Computing is a new type of service which provides large-scale computing resources to each customer. Cloud Computing systems can easily be threatened by various cyber-attacks, because most Cloud Computing systems provide services to many people who are not proven to be trustworthy. Therefore, a Cloud Computing system needs to contain Intrusion Detection Systems (IDSs) to protect each Virtual Machine (VM) against threats. In this case there is a trade-off between the security level of the IDS and system performance: if the IDS provides a stronger security service using more rules or patterns, it needs more computing resources in proportion to the strength of the security, so the amount of resources that can be allocated to customers decreases. Another problem in Cloud Computing is that the huge volume of logs makes it hard for system administrators to analyse them. In this project, we propose a method that enables a Cloud Computing system to achieve both effective use of system resources and a strong security service, without a trade-off between them.
1.0 INTRODUCTION
As Green IT has become an issue, many companies have started to look for ways to decrease IT cost and overcome the economic recession. Cloud Computing is a new computing paradigm in which people only pay for the use of services, without the cost of purchasing physical hardware. For this reason, Cloud Computing has developed rapidly along with the trend of IT services. It is efficient and economical for consumers to use as many computing resources as they need, or to use the services they want, from a Cloud Computing provider. In particular, Cloud Computing has recently received more attention than other computing services because of its capacity to provide an unlimited amount of resources. Moreover, consumers can use the services wherever Internet access is possible, so Cloud Computing is excellent in terms of accessibility. Cloud Computing systems hold a lot of resources and private information, and are therefore attractive targets for attackers. In particular, system administrators can themselves become attackers. Therefore, Cloud Computing providers must protect their systems against both insiders and outsiders. IDSs are one of the most popular devices for protecting Cloud Computing systems from various types of attack. Because an IDS observes the traffic from each VM and generates alert logs, it can manage the Cloud Computing system globally. Another important problem is log management. Cloud Computing systems are used by many people and therefore generate a huge amount of logs, so system administrators must decide which logs should be analysed first.
Cloud Computing is a fused-type computing paradigm which includes Virtualization, Grid Computing, Utility Computing, Server Based Computing (SBC), and Network Computing, rather than an entirely new type of computing technique. Cloud computing has evolved through a number of implementations. Moving data into the cloud provides great convenience to users. Cloud computing is a collection of resources that enables resource sharing in terms of scalable infrastructures, middleware and application development platforms, and value-added business applications. The characteristics of cloud computing include: virtual, scalable, efficient, and flexible. In cloud computing, three kinds of services are provided: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). In SaaS, systems offer complete online applications that can be directly executed by their users; in IaaS, providers allow their customers to have access to entire virtual machines; and in PaaS, providers offer the development and deployment tools, languages and APIs used to build, deploy and run applications in the cloud.
A cloud is subject to several accidental and intentional security threats, including threats to the integrity, confidentiality and availability of its resources, data and infrastructure. Also, when a cloud with large computing power and storage capacity is misused by an ill-intentioned party for malicious purposes, the cloud itself becomes a threat against society. Intentional threats are imposed by insiders and external intruders. Insiders are legitimate cloud users who abuse their privileges by using the cloud for unintended purposes, and we consider this intrusive behaviour to be something that must be detected. An intrusion consists of an attack exploiting a security flaw and a consequent breach, which is the resulting violation of the explicit or implicit security policy of the system. Although an intrusion connotes a successful attack, IDSs also try to identify attacks that do not lead to compromises; attacks and intrusions are commonly considered synonyms in the intrusion detection context. The underlying network infrastructure of a cloud, being an important component of the computing environment, can be the object of an attack. Grid and cloud applications running on compromised hosts are also a security concern. We consider attacks against any network or host participating in a cloud as attacks against the cloud itself, since they may directly or indirectly affect its security. Cloud systems are susceptible to all typical network and computer security attacks, plus specific means of attack arising from their new protocols and services.
IDSs are software or hardware systems that automate the process of monitoring the events occurring in a computer system or network and analysing them for signs of security problems. IDSs are one of the most widely used security technologies. An IDS alerts the system administrators and generates a log about the attack when it detects the signature of an incident according to the host or network security policy. An IDS can be installed on a host or in a network according to its purpose. Thus, the aim of the IDS is to alert or notify the system that some malicious activity has taken place and to try to eliminate it.
According to the method of collecting intrusion data, all intrusion detection systems can be classified into two types: host-based and network-based IDSs. Host-based intrusion detection systems (HIDSs) analyse audit data collected by an operating system about the actions performed by users and applications, while network-based intrusion detection systems (NIDSs) analyse data collected from network packets.
IDSs analyse one or more events obtained from the collected data. According to the analysis technique, IDSs are classified into two different kinds: misuse detection and anomaly detection. Misuse detection systems use signature patterns of existing, well-known attacks on the system to match and identify known intrusions. Misuse detection techniques, in general, are not effective against the latest attacks, for which no matching rules or patterns exist yet. Anomaly detection systems identify activities that deviate significantly from the established normal behaviour as anomalies. These anomalies are most likely regarded as intrusions. Anomaly detection techniques can be effective against unknown or the latest attacks. However, anomaly detection systems tend to generate more false alarms than misuse detection systems, because an anomaly may be a new normal behaviour or an ordinary activity. When an IDS detects an intrusion attempt, it should report to the system administrator.
There are three ways to report the detection results: notification, manual response, and automatic response. In a notification response system, the IDS only generates reports and alerts. In a manual response system, the IDS additionally provides the capability for the system administrator to initiate a manual response. In an automatic response system, the IDS immediately responds to an intrusion through an automatic response mechanism.
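To make the distinction between misuse detection, anomaly detection and the three reporting modes concrete, here is an added Python example; it is not code from this project or from any paper it draws on. The two signature rules, the request-rate baseline (mean plus two standard deviations of requests per user), the log line format and all sample events are assumptions constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev

# Misuse detection works from signature patterns of well-known attacks.
# This is a toy rule set assumed for the example, not a real IDS signature database.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
}

# Constructed log format for the example: one line per request seen by a host IDS.
EVENT_RE = re.compile(
    r"user=(?P<user>\S+) src=(?P<src>\S+) req=(?P<req>.+?) status=(?P<status>\d+)$"
)


@dataclass
class Alert:
    kind: str    # "misuse" (signature matched) or "anomaly" (deviation from baseline)
    user: str
    detail: str


def parse(line):
    m = EVENT_RE.search(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groupdict()


def misuse_detect(events):
    """Match each request against the signature set; only already-known patterns fire."""
    alerts = []
    for e in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(e["req"]):
                alerts.append(Alert("misuse", e["user"], name))
    return alerts


def build_baseline(training_events):
    """Established normal behaviour: mean and std-dev of requests per user in a clean window."""
    values = list(Counter(e["user"] for e in training_events).values())
    return mean(values), pstdev(values)


def anomaly_detect(events, baseline, k=2.0):
    """Flag users whose request count in the window exceeds mean + k * std-dev of the baseline."""
    mu, sigma = baseline
    threshold = mu + k * sigma
    alerts = []
    for user, n in Counter(e["user"] for e in events).items():
        if n > threshold:
            alerts.append(Alert("anomaly", user, f"{n} requests > threshold {threshold:.1f}"))
    return alerts


# The three reporting modes described in the text; the actions are illustrative strings.
RESPONSE_MODES = {
    "notification": lambda a: "report only",
    "manual": lambda a: "report; await administrator's manual response",
    "automatic": lambda a: f"report; automatic response applied to user {a.user}",
}


def respond(alert, mode):
    return RESPONSE_MODES[mode](alert)


def run_ids(training_lines, monitor_lines, mode="notification"):
    """Run both detectors over a monitoring window and apply the chosen reporting mode."""
    training = [parse(line) for line in training_lines]
    monitor = [parse(line) for line in monitor_lines]
    alerts = misuse_detect(monitor) + anomaly_detect(monitor, build_baseline(training))
    return [(a.kind, a.user, a.detail, respond(a, mode)) for a in alerts]


def _ev(user, src, req, status=200):
    return f"2024-01-01T10:00:00 user={user} src={src} req={req} status={status}"


# Constructed sample data: a clean training window and a monitoring window.
TRAINING_LINES = (
    [_ev("alice", "10.0.0.5", "GET /index.html")] * 4
    + [_ev("bob", "10.0.0.9", "GET /login")] * 4
    + [_ev("carol", "10.0.0.3", "GET /docs")] * 3
    + [_ev("dave", "10.0.0.4", "GET /api/items")] * 5
)
MONITOR_LINES = (
    [_ev("alice", "10.0.0.5", "GET /index.html")] * 2
    + [
        _ev("mallory", "10.0.0.7", "GET /../../etc/passwd", 404),
        _ev("mallory", "10.0.0.7", "GET /item?id=1' OR '1'='1", 500),
    ]
    # eve fetches many reports in one window: anomalous, but possibly a legitimate bulk download
    + [_ev("eve", "10.0.0.8", f"GET /report/{i}.pdf") for i in range(8)]
)

if __name__ == "__main__":
    for row in run_ids(TRAINING_LINES, MONITOR_LINES, mode="manual"):
        print(row)
```

Running the block shows the behaviour the text describes: the two signature hits on mallory's requests are caught by misuse detection regardless of how often she connects, while eve's burst of requests is caught only by the anomaly detector, and could just as well be a new normal behaviour (a bulk download) as an attack, which is the false-alarm risk of anomaly detection.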
1.1 PROBLEM STATEMENT
The fully distributed and open structure of cloud computing and its services makes it an even more attractive target for potential intruders. It involves multi-mesh distributed and service-oriented paradigms, multi-tenancy, multi-domain and multi-user autonomous administrative infrastructures, which are more vulnerable and prone to security risks. The cloud computing service architecture combines three inter-dependent layers of infrastructure, platform and application; each layer may suffer from certain vulnerabilities introduced by programming or configuration errors of the user or the service provider. A cloud computing system can be exposed to several threats, including threats to the integrity, confidentiality and availability of its resources, data and virtualized infrastructure, which can be used as a launching pad for new attacks. The problem becomes even more critical when a cloud with massive computing power and storage capacity is abused by an insider intruder as an ill-intentioned party, which makes cloud computing a threat against itself.
1.2 SIGNIFICANCE OF THE STUDY
The significance of this study includes the following:
1. It helps in reducing the economic cost of running a particular application.
2. It provides effective resource management.
3. It helps organizations focus on their core business, in the sense that you only concentrate on what means most to you. Since your applications run over the Internet, you do not have to worry about technical problems and other inconveniences associated with physical, unified storage solution spaces.
4. It increases performance and support, since all your software and applications are updated automatically.
5. It provides security and compliance.
6. It provides anytime, anywhere access to information.
1.3 Objective of the study
1. To increase the resource availability of the Cloud Computing system.
2. To handle potential threats by deploying a Multi-level IDS and managing user logs per group according to anomaly level.
3. To develop an address book application that will be launched as a cloud application.
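As an added illustration of the second objective and of the trade-off described in the abstract, the following Python example (not the project's own code) sketches how a multi-level IDS could assign each user an anomaly level, run a rule tier whose size grows with that level, and group logs so that the highest-level group is analysed first. The rule tiers, the alert-count thresholds that define the levels, the one-resource-unit-per-rule cost model and the sample data are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Assumed rule tiers for the example (not from the paper): each higher level activates more
# signatures, so detection strength and resource cost both grow with the level.
RULE_TIERS = {
    1: ["path-traversal"],
    2: ["path-traversal", "sql-tautology"],
    3: ["path-traversal", "sql-tautology", "command-injection", "scanner-user-agent"],
}


def anomaly_level(prior_alert_count):
    """Assumed mapping from a user's IDS alert history to an anomaly level (1 = low, 3 = high)."""
    if prior_alert_count >= 3:
        return 3
    if prior_alert_count >= 1:
        return 2
    return 1


def assign_levels(alert_history):
    """alert_history maps each user to the number of IDS alerts attributed to them so far."""
    return {user: anomaly_level(n) for user, n in alert_history.items()}


def multilevel_cost(levels):
    """Resource units (assumed: one per active rule) when each user's VM runs its level's tier."""
    return sum(len(RULE_TIERS[level]) for level in levels.values())


def uniform_cost(levels, level=3):
    """Cost of the naive alternative: every VM runs the strongest tier regardless of user."""
    return len(levels) * len(RULE_TIERS[level])


def rules_for(user, levels):
    """Rules to load for a user's VM; unknown users start at the lowest level."""
    return RULE_TIERS[levels.get(user, 1)]


USER_RE = re.compile(r"user=(\S+)")


def group_logs(log_lines, levels):
    """Group log lines by the anomaly level of the user that produced them, highest level
    first, so administrators know which group of logs to analyse before the rest."""
    groups = defaultdict(list)
    for line in log_lines:
        m = USER_RE.search(line)
        user = m.group(1) if m else "unknown"
        groups[levels.get(user, 1)].append(line)
    return [(level, groups[level]) for level in sorted(groups, reverse=True)]


# Constructed sample data: per-user alert counts and a batch of VM logs.
ALERT_HISTORY = {"alice": 0, "bob": 0, "carol": 2, "mallory": 5}
SAMPLE_LOGS = [
    "t=1 user=alice action=read file=contacts.db",
    "t=2 user=mallory action=read file=all_contacts.csv",
    "t=3 user=carol action=write file=contacts.db",
    "t=4 user=bob action=read file=contacts.db",
    "t=5 user=mallory action=delete file=audit.log",
]

if __name__ == "__main__":
    levels = assign_levels(ALERT_HISTORY)
    print("levels:", levels)
    print("multi-level cost:", multilevel_cost(levels), "uniform cost:", uniform_cost(levels))
    for level, lines in group_logs(SAMPLE_LOGS, levels):
        print(f"level {level}: {len(lines)} log(s)")
```

With the sample data, running the full rule tier on every VM costs 16 units, while the multi-level assignment costs 8, because only the one user with a high anomaly level pays for the strongest tier; the grouped output puts that user's two log lines in the first group to be analysed. In a real deployment the level would be recomputed as new alerts arrive, so a user who starts at level 1 and begins to trigger rules moves up and gets the stronger rule set.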
1.4 Limitation of the study
The problems encountered during the course of carrying out this research work include:
1. Funding: There were limited funds to take care of the research properly, especially when test-running the application.
2. Research material: Lack of access to research materials on the topic in the school library, and even in public libraries, was also a major constraint in the course of this project.
SCOPE OF THE STUDY
Multi-level intrusion detection and log management in cloud computing is a broad topic that determines how applications are developed and installed on a server; an intrusion detection system, which acts like an antivirus, is also installed to fight against cyber-attacks. For the purpose of this research work, the researcher shall be limited to developing an address book application which will be installed on a server, so that the strength of multi-level intrusion detection and log management in cloud computing can be tested.