Chirag N. Modi and Prof. Dhiren R. Patel NIT Surat, India Ph. D Colloquium, CSI-2011 Signature Apriori based Network.


1 Chirag N. Modi and Prof. Dhiren R. Patel
NIT Surat, India
cnmodi.956@gmail.com, dhiren29p@gmail.com
Ph. D Colloquium, CSI-2011
Signature Apriori based Network Intrusion Detection System in Cloud

2 Outline
- Introduction
- Problem Statement
- Proposed Work
  - Goals of Proposed Work
  - Proposed Framework
  - Design of NIDS Module
  - Signature Generation
- Theoretical Analysis
- Summary
- References
C. N. Modi, Ph. D Colloquium, CSI-2011 8/28/2015 2

3 Introduction
- Cloud Computing: providing convenient, on-demand network access to a shared pool of configurable computing resources via the Internet [1].
- Services: SaaS, PaaS, IaaS.
- Cloud: integration of many technologies. Each has some bugs or vulnerabilities [2][3].
- Exploitation of existing vulnerabilities affects the confidentiality, availability and integrity of Cloud resources as well as services.
- Most intrusion activities are attempted over the network.
- Well-known intrusions: insider attacks, flooding attacks, DoS/DDoS attacks [4][5], User to Root (U2R) attacks, scans, VM level attacks etc.

4 Introduction
- For protecting the Cloud from such attacks, using only a traditional firewall is not an efficient solution [6].
- Another solution is to incorporate an efficient network based intrusion detection system (NIDS) module in Cloud computing.
- It should have the following properties: Completeness, Scalability and Compatibility.

5 Problem Statement
To incorporate an efficient NIDS module in Cloud, in such a way that it can detect intrusions from the external as well as the internal network of Cloud.
Challenges to NIDS in Cloud:
- Detection of known as well as unknown network attacks on each layer (front end, back end or VM) of Cloud
- Low computational cost
- High detection rate
- Low false positive and false negative alarm rate
- Scalability
- Compatibility

6 Goals of Proposed Work
- Detection of known attacks as well as variations of known attacks at the front end and back end of Cloud.
- Variation of known attack, examples [7][8]:
  - Content: "|2F646566 1756C74 2E696461 3F4E4E4E|" (Code Red-I)
  - Content: "|2F646566 1756C74 2E696461 3F585858|" (Code Red-II)
  - Same pattern: 2F646566 1756C74 2E696461.
  - Content: "/iisadmpwd/aexp2.htr". (WEB-IIS access)
  - Content: "scripts/iisadmin/default.htm". (WEB-IIS/scripts/iisadmin/default.htm access)
  - Same pattern: /iisadm.
- Lower computational cost than other anomaly techniques
- Low false positive alarm rate
- Scalability

7 Proposed Framework
Three possibilities for positioning NIDS in cloud:
- On cloud front point:
- On each server:
- On each VM:
Each has some advantages and drawbacks.
Figure 1: Positioning NIDS in Cloud.

8 Design of NIDS Module
- Network: external network, internal network.
- Snort [9]: Used to capture packets. Detects intrusions based on configured rules.
- Known signature DB: Contains known attack patterns or part of them.
- Signature Apriori [8]: For Snort, generates new signatures from captured packets and part of known signatures.
Figure 2: Design of our NIDS module.

9 Working of NIDS Module in Cloud
Figure 3: Working of NIDS module. (Flowchart labels: Network, Capture Packets, Snort, Any match found?, Allow or deny packet, Known Signature DB, Known Signature, Signature Apriori, New Signatures, Update Snort Rules.)

10 Working of NIDS Module
- Packets passing through the network are captured.
- Captured packets are monitored by Snort and matched against the configured rules. If any match is found, the packet is allowed or denied based on the configured rules.
- Captured packets are also given as an input to the signature apriori algorithm [8].
- The signature apriori algorithm takes two inputs: (1) packet captures from the network; (2) part of known signatures.
- It generates new possible attack signatures which are derivatives of known attacks.
- Generated signatures are added as rules to the Snort configuration file for detecting derivative attacks in future.
- So, Snort can detect some partially unknown attacks.

11 Signature Generation
Part of Known Sig.: "C D E" & 0.7 threshold

Table 1: Captured Packets.
ID  Packet Contents
1   A B C D E F G Q
2   M N A B C D F G
3   M A B C E F G P Q
4   N A B C D E F G Q
5   J B C D E F G
6   P Q I
Frequent content set: {A, B, C, D, E, F, G}

Table 2: First iteration.
C D E A
C D E B
C D E C
C D E D
C D E E
C D E F
C D E G
Frequent content set: {C D E F}

Table 3: Second iteration.
C D E F A
C D E F B
C D E F C
C D E F D
C D E F E
C D E F F
C D E F G
Frequent content set: {C D E F G}

Table 4: Third iteration.
C D E F G A
C D E F G B
C D E F G C
C D E F G D
C D E F G E
C D E F G F
C D E F G G
Frequent content: {}

Table 5: Fourth iteration.
A C D E F G
B C D E F G
C C D E F G
D C D E F G
E C D E F G
F C D E F G
G C D E F G
Frequent content set: {B C D E F G}

Table 6: Fifth iteration.
A B C D E F G
B B C D E F G
C B C D E F G
D B C D E F G
E B C D E F G
F B C D E F G
G B C D E F G
Signature: {A B C D E F G}

12 Signature Generation
The possible attack signatures are as follows:
- C D E F
- C D E F G
- B C D E F G
- A B C D E F G
Using a longer string as a signature for Snort gives greater detection accuracy than a shorter string [8]. So, "A B C D E F G" can be used as a new derivative signature.
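The iteration in Tables 1-6 can be sketched in Python as follows. This is an added example, not the authors' code or the algorithm of [8] in full: it grows the known part "C D E" to the right and then to the left over the Table 1 packets, using the slide's frequent content set {A..G} as the extension alphabet. Assumptions: support is measured as the fraction of packets containing the known part that also contain the candidate (the slides do not define it), the threshold is set to 0.6 so that the run reproduces the four signatures listed on slide 12 (at 0.7 under this definition growth stops at "B C D E F G"), and the Snort rule header and sid are placeholders.

```python
# Added example: growing a seed signature as in Tables 1-6 (not the authors' code).
PACKETS = [p.split() for p in (          # Table 1, tokens stand for payload bytes
    "A B C D E F G Q", "M N A B C D F G", "M A B C E F G P Q",
    "N A B C D E F G Q", "J B C D E F G", "P Q I")]
ALPHABET = list("ABCDEFG")               # the slide's frequent content set
SEED = ["C", "D", "E"]                   # part of a known signature


def contains(packet, pattern):
    """True if pattern occurs as a contiguous run of tokens in packet."""
    n = len(pattern)
    return any(packet[i:i + n] == pattern for i in range(len(packet) - n + 1))


def support(packets, pattern):
    """Fraction of the given packets containing pattern (assumed definition)."""
    return sum(contains(p, pattern) for p in packets) / len(packets)


def grow_signature(packets, seed, alphabet, min_support):
    """Extend seed to the right, then to the left, while support holds."""
    base = [p for p in packets if contains(p, seed)]    # packets with the known part
    if not base:
        return list(seed), []
    sig, trail = list(seed), []
    for build in (lambda s, x: s + [x], lambda s, x: [x] + s):
        while True:
            scored = [(support(base, build(sig, x)), build(sig, x)) for x in alphabet]
            best_support, best = max(scored, key=lambda t: t[0])
            if best_support < min_support:
                break                                    # frequent content set is empty
            sig = best
            trail.append(" ".join(sig))
    return sig, trail


def to_snort_rule(signature, sid):
    """Render a signature as a local Snort content rule (header and sid are placeholders)."""
    content = "".join(signature)
    return (f'alert tcp any any -> any any (msg:"Derived signature {content}"; '
            f'content:"{content}"; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    sig, trail = grow_signature(PACKETS, SEED, ALPHABET, min_support=0.6)
    print(trail)
    print(to_snort_rule(sig, 1000001))
```

The trail records every intermediate signature, so a shorter one can still be chosen as the rule content if the longest proves too specific for the traffic being monitored.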

13 Theoretical Analysis
- Detection of known attacks as well as variations of attacks: Since a combination of Snort and the signature apriori algorithm is used, the proposed framework can detect known attacks as well as variations of known attacks. It can also detect intrusions passing through the external network as well as the internal network.
- False positive rate: We used longer signatures for Snort rules, which reduces the false positive rate, since the probability of a shorter signature appearing in normal traffic is high.
- Computational cost: It has lower computational cost than other anomaly techniques, since once rules are generated there is no need to generate those rules again. Multiple instances of the IDS are not required. The cost can be reduced further by reducing the number of database scans.

14 Theoretical Analysis
- Scalability: New rules can be easily added into Snort without modifying existing rules.

15 Summary
- There are various intrusions in Cloud, which affect the confidentiality, availability and integrity of cloud resources.
- Integrating only a firewall in Cloud is not an efficient solution for preventing such attacks.
- We proposed a framework incorporating NIDS into Cloud.
- Our proposed framework can be used to detect network attacks (known attacks as well as variations of known attacks) at the front end and back end of Cloud.
- It has a very low false positive alarm rate with reasonable computational cost, since a signature based technique is used.
- However, it cannot detect fully unknown attacks.

16 References
1. P. Mell and T. Grance, "The NIST definition of cloud computing (draft)," NIST, [Online]. Available: http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf (2011).
2. "Top threats to cloud computing," [Online]. Available: http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf (2010).
3. "National Vulnerability Database," NIST, [Online]. Available: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3733
4. C. Brooks, "Amazon EC2 Attack Prompts Customer Support Changes," Tech Target, [Online]. Available: http://searchcloudcomputing.techtarget.com/news/article/0,289142,sid201_gci1371090,00.html (2009).
5. M. Slaviero, "Black Hat presentation demo vids: Amazon," [Online]. Available: http://www.sensepost.com/blog/3797.html (2009).
6. S. Beg, U. Naru1, M. Ashraf, and S. Mohsin, "Feasibility of Intrusion Detection System with High Performance Computing: A Survey," International Journal for Advances in Computer Science, vol. 1, no. 1, 2010.

17 References
7. H. Han, X. L. Lu, L. Y. Ren, "Using Data Mining To Discover Signatures In Network-Based Intrusion Detection," Proceedings of the First International Conference on Machine Learning and Cybernetics, Beijing, vol. 1, 2002.
8. H. Zhengbing, L. Zhitang, W. Jumgi, "A Novel Intrusion Detection System (NIDS) Based on Signature Search of DataMining," WKDD First International Workshop on Knowledge Discovery and Data Mining, 2008, pp. 10-16.
9. Snort home page, Website, [Online]. Available: https://www.snort.org/ (2011).

18 Thank You

