Wednesday, June 5, 2019
Intrusion Detection System Using Node-Predictive Attack
Intrusion Detection System Using Node-Predictive Attack Graph Model for Cloud
Ambikavathi C, Dr. S. K. Srivatsa

Abstract: The role of an Intrusion Detection System (IDS) in the security world is considered a key requirement for any computing model. This traditional methodology can add its own contribution of security to the distributed cloud environment. The purpose of this paper is to clarify the steps that need to be taken in order to efficiently implement an IDS in the cloud environment. The proposed system uses a node predictive attack graph to correlate newly occurring attacks with known attacks. The prediction steps are later used to monitor the environment and control the attacks.

Keywords: Attack Graph, Cloud Computing, IDS

I. INTRODUCTION

A. What is cloud computing?
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction [1]. This cloud model is composed of three service models, four deployment models and five essential characteristics. The three service models are Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). The four deployment models are private cloud, public cloud, hybrid cloud and community cloud. The five essential characteristics of cloud are on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service.

B. What is IDS?
Intrusion detection systems are software or hardware systems that automate the process of monitoring the events occurring in a computer system or network, analyzing them for malicious activities or policy violations and producing reports to a management station. IDSs are host-based, network-based and distributed IDSs. A host based IDS (HIDS) monitors specific host machines, a network-based IDS (NIDS) identifies intrusions at key network points and a distributed IDS (DIDS) operates both on hosts as well as on the network [7]. An IDS can be a valuable addition to the security arsenal. An IDS performs the following functionalities:
- Monitoring and analyzing both user and system activities.
- Analyzing system configurations and vulnerabilities.
- Assessing system and file integrity.
- Ability to recognize patterns typical of attacks.
- Analysis of abnormal activity patterns.
- Tracking user policy violations.
The extensive use of virtualization in implementing cloud infrastructure brings unparalleled security concerns for customers or tenants of a public cloud service. Virtualization alters the relationship between the OS and the underlying hardware. This introduces an additional layer, virtualization, that itself must be properly configured, managed and secured. Specific concerns include the potential to compromise the virtualization software, or hypervisor. So virtual machine security is essential in the cloud environment.

C. Attack Graph
Attack graphs are used to determine how vulnerable systems are and to determine what security measures to deploy to defend them. In the predictive attack graph, a node represents a host and an edge represents a vulnerability. The predictive attack graph representation accurately forecasts the effect of removing vulnerabilities by removing edges from the attack graph. The predictive attack graph is the full attack graph with redundant paths removed. A path is considered redundant if it contains the same vulnerability-host pair in two or more places along the same attack path. In the node predictive attack graph, a node can be a host or a group of hosts, and an edge can be a vulnerability or a group of vulnerabilities. The node predictive attack graph is a simplified version of the predictive attack graph. The node predictive attack graph's purpose is to mitigate the effects of firewall explosion. Firewall explosion causes redundancy in the predictive graph. Thus, the node predictive attack graph mitigates this issue by merging nodes of the attack graph. Two nodes are merged if the attacker can compromise the two hosts from all hosts the attacker has already compromised [16].

The rest of the paper is organised as follows. Section II discusses the related work. The proposed system is described briefly in Section III. Section IV presents the implementation of EIDS, and Section V concludes, with references at the end.

II. RELATED WORK

In this section, we present research related to our proposed work: intrusion detection in cloud and attack graph models.

A. Anomaly based IDS
Anomaly or behaviour based detection [7] refers to techniques that define and characterize normal or acceptable behaviors of the system (e.g., CPU usage, job execution time, system calls). Behaviors that deviate from the expected normal behavior are considered intrusions. Generation of a high number of false alarms is the major drawback of this type, which leads to low detection efficiency. But it is able to detect new attack patterns. Here, input parameter selection and analysis of encrypted data are tedious processes. It attains low throughput at high cost. Metrics and a framework to evaluate this IDS and compare it with alternate IDS techniques are needed. Also, it is poor at defending itself from attacks. To avoid false alarms in anomaly based systems, the system must be trained to create the appropriate user profiles. It requires extensive training to characterize normal behavior patterns.

B. Signature based IDS
Signature or misuse based detection refers to techniques that characterize known methods to penetrate a system. These penetrations are characterized as a pattern or a signature that the IDS looks for. The pattern/signature might be a static string or a set sequence of actions [9]. It can only detect known attacks. Frequent updating of the database is needed for signatures of new attacks. The advantages of this IDS are that it generates a smaller number of false alarms, a single signature can detect a group of attacks, and it does not require extensive training.

C. Fuzzy based IDS
Fuzzy logic can be used to deal with the inexact description of intrusions. It provides some flexibility to the uncertain problem of intrusion detection. Fuzzy logic techniques [5] are used for classification. The classification algorithm is applied to the collected audit data and learns to classify new audit data as normal or abnormal. It allows greater complexity for the IDS while it provides some flexibility to the uncertain problem of IDS. Most fuzzy IDSs require human intervention to determine the fuzzy sets and the set of fuzzy rules.

D. Artificial Neural Network based IDS
The goal of using ANNs for intrusion detection [5] is to be able to generalize from incomplete data and to be able to classify data as being normal or intrusive. It is best because of its self-learning capabilities and quick processing, and it can find small behaviour deviations. But its downside is that it requires more training samples and is time consuming.

E. Data Mining based IDS
Some intrusion attacks are formed based on known attacks or variants of known attacks. To detect such signatures or attacks, the signature apriori algorithm can be used, which finds frequent subsets (containing some features of the original attack) of a given attack set. In cloud, association rules can be used to generate new signatures. Using newly generated signatures, variations of known attacks can be detected in real time [5].

F. Profile based IDS
In the VM profile based IDS [12], a profile is created for each virtual machine in the cloud that describes the network behavior of each cloud user. The behavior gathered is then used for detection of network attacks on the cloud. It detects the attacks early with robustness and minimum complexity.

G. Entropy based IDS
Entropy is, in general, used for measuring the data's degree of impurity using a threshold value. The entropy based anomaly detection system [14] is mainly proposed to block DDoS attacks. This is done in two steps. First, users are allowed to pass through a router at the network site, which checks for legitimate users using a detection algorithm. Second, they pass again through a router at the cloud site. In this methodology a confirmation algorithm is incorporated to detect the intruder by checking a threshold value.

H. Multithreaded IDS
The multithreading technique improves IDS performance within the cloud computing environment to handle a large number of data packet flows. The proposed multi-threaded NIDS [8], [4] is based on three modules named the capture module, analysis module and reporting module. The first one is responsible for capturing data packets and sending them to the analysis part, which analyzes them efficiently through matching against a pre-defined set of rules and distinguishes the bad packets to generate alerts. Finally, the reporting module can read alerts and immediately prepare an alert report. The authors conducted simulation experiments to show the effectiveness of their proposed method and compared it with a single thread, which showed high performance in terms of processing and execution time. However, the problem of detecting new types of attacks still needs much work to be done.

I. Integrated model IDS
It uses the combination of two or more of the above techniques. It is advantageous since each technique has some advantages and drawbacks. The Grid and Cloud Computing Intrusion Detection System (GCCIDS) [10] proposed the integration of knowledge and behavior analysis to detect specific intrusions. However, the proposed prototype cannot discover new types of attacks or create an attack database, which must be considered when implementing an IDS. A new co-ordinated intrusion detection approach, called FC-ANN [13], is proposed based on ANN and fuzzy clustering. Through the fuzzy clustering technique, the heterogeneous training set is divided into several homogeneous subsets. Thus the complexity of each sub training set is reduced and consequently the detection performance is increased.

J. Graph based IDS
A graph is constructed in which nodes represent the state of an attack and edges represent the correlations between attacks. Queue graph, dependency graph and attack graph are the existing works done on IDS. To prevent vulnerable virtual machines from being compromised in the cloud, a multiphase distributed vulnerability detection, measurement, and countermeasure selection mechanism called NICE [2] is proposed, which is built on attack graph-based analytical models and reconfigurable virtual network-based countermeasures.

III. PROPOSED WORK

In this section, we describe how to construct and utilize the node predictive attack graph model to handle vulnerabilities in the cloud environment. Every attack has some set of predefined steps to accomplish it. An attack can only be accomplished when all its pre-conditions are met [11]. So, by careful monitoring, the attack can be prevented. An attack graph is an abstraction that represents the ways an attacker can violate a security policy by leveraging interdependencies among discovered vulnerabilities. An attack graph can be generated from network configuration details and known vulnerabilities within the network. An attack path is a sequence of steps that starts from an attacker's initial state and ends at the attacker's goal state (security policy violation) in an attack graph. Every virtual machine has its own logfile for recording the actions of that virtual machine. This logfile, along with the knowledge base, provides the information for constructing the attack graph.

Fig. 1. Proposed Architecture (components: Attack Analyzer, Attack Graph Generator, Attack Graph, Knowledge Base, Alert System)

IV. IMPLEMENTATION

EIDS is implemented using OpenNebula [15] and OSSIM (Open Source Security Information Management) [3], which comprises traffic analyzers and vulnerability scanners. OSSIM is embedded as a virtual machine in the cloud environment. The role of this virtual machine is to monitor all other virtual machines running in the environment. OSSIM provides a Security Information and Event Management (SIEM) solution. It is a one-stop solution and integrates the open source tools NTOP, MRTG, Snort, OpenVAS and Nmap. OSSIM is a cost effective solution in the area of monitoring network health and the security of networks/hosts compared to other proprietary products [6].

A. Attack Analyzer
The Attack Analyzer is built on top of the traffic analyzer of OSSIM. It uses each virtual machine's logfile to analyze and extract attack trace steps. Whenever an attack occurs, it is added to the attack graph as a node along with its state, and the correlation function is invoked.

B. Correlation function
The correlation function correlates this new attack with known attacks and gives the prediction steps for this attack. These prediction steps for each attack are used to monitor further attacks in the future.

C. Attack Graph Generator
Each node in the graph defines an attack, and the edge between two nodes represents the correlation between those two attacks.

V. CONCLUSION

Defending a distributed environment is difficult. Always, prevention is better than cure. Prediction of intrusions in advance enhances the security of the cloud environment. Hence the predictive attack graph model is chosen for providing security to the distributed cloud environment. At any point the known attacks are correlated with each other to predict new attacks.

REFERENCES

[1] NIST (National Institute of Standards and Technology), http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
[2] Chun-Jen Chung, Pankaj Khatkar, Tianyi Xing, Jeongkeun Lee, Dijiang Huang, "NICE: Network Intrusion Detection and Countermeasure Selection in Virtual Network Systems", IEEE Transactions on Dependable and Secure Computing, Vol. 10, No. 4, pp. 198-211, July/August 2013.
[3] OSSIM, https://www.alienvault.com/
[4] Ms. Parag K. Shelke, Ms. Sneha Sontakke, Dr. A. D. Gawande, "Intrusion Detection System for Cloud Computing", International Journal of Scientific & Technology Research, Volume 1, Issue 4, May 2012.
[5] Modi, C., Patel, D., Patel, H., Borisaniya, B., Patel, A., Rajarajan, M., "A survey of intrusion detection techniques in Cloud", Journal of Network and Computer Applications.
[6] OSSIM, http://www.opensourceforu.com/2014/02/top-10-open-source-security-tools/
[7] Amirreza Zarrabi, Alireza Zarrabi, "Internet Intrusion Detection System Service in a Cloud", IJCSI International Journal of Computer Science Issues, Vol. 9, Issue 5, No. 2, September 2012.
[8] I. Gul and M. Hussain, "Distributed Cloud Intrusion Detection Model", International Journal of Advanced Science and Technology, Vol. 34, pp. 71-82, 2011.
[9] R. Bhadauria, R. Chaki, N. Chaki, and S. Sanyal, "A Survey on Security Issues in Cloud Computing", available at http://arxiv.org/abs/1109.5388
[10] K. Vieira, A. Schulter, C. B. Westphall, and C. M. Westphall, "Intrusion Detection for Grid and Cloud Computing", IT Professional, Volume 12, Issue 4, pp. 38-43, 2010.
[11] X. Ou and A. Singhal, "Quantitative Security Risk Assessment of Enterprise Networks", SpringerBriefs in Computer Science, DOI 10.1007/978-1-4614-1860-3_2, 2012.
[12] Sanchika Gupta, Padam Kumar and Ajith Abraham, "A Profile Based Network Intrusion Detection and Prevention System for Securing Cloud Environment", International Journal of Distributed Sensor Networks, February 2013.
[13] Swati Ramteke, Rajesh Dongare, Komal Ramteke, "Intrusion Detection System for Cloud Network Using FC-ANN Algorithm", International Journal of Advanced Research in Computer and Communication Engineering, Vol. 2, Issue 4, April 2013.
[14] A. S. Syed Navaz, V. Sangeetha, C. Prabhadevi, "Entropy based Anomaly Detection System to Prevent DDoS Attacks in Cloud", International Journal of Computer Applications (0975-8887), Volume 62, No. 15, January 2013.
[15] OpenNebula, http://opennebula.org
[16] Nwokedi C. Idika, "Characterizing and Aggregating Attack Graph-based Security Metrics", CERIAS Tech Report, 2010.
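The following is an added worked example, not code from the paper, illustrating the attack graph notions of Sections I.C and III: enumerating attack paths over a host/vulnerability graph, dropping paths that repeat a vulnerability-host pair (the predictive attack graph), and merging hosts that the attacker can reach from every already-compromised host (the node predictive attack graph). The network, host names and vulnerability ids are constructed for the illustration.

```python
# Constructed sample network (illustration only): an edge (src, vuln, dst)
# means an attacker holding src can exploit vuln on dst. web1 and web2 sit
# behind the same firewall rule, the "firewall explosion" case of Section I.C.
EDGES = [
    ("attacker", "v1", "web1"), ("attacker", "v1", "web2"),
    ("web1", "v1", "web2"), ("web2", "v1", "web1"),
    ("web1", "v2", "db"), ("web2", "v2", "db"),
    ("db", "v3", "admin"),
]

def reachable(edges, src):
    """(vuln, host) pairs the attacker can compromise next from src."""
    return [(vuln, dst) for s, vuln, dst in edges if s == src]

def full_paths(edges, start, goal, max_len):
    """Full attack graph: every attack path of at most max_len steps,
    including ones that exploit the same vulnerability-host pair twice."""
    paths = []
    def walk(host, steps):
        if host == goal:
            paths.append(steps)
        elif len(steps) < max_len:
            for vuln, dst in reachable(edges, host):
                walk(dst, steps + [(vuln, dst)])
    walk(start, [])
    return paths

def is_redundant(path):
    """Redundant path: the same vulnerability-host pair occurs two or more times."""
    return len(set(path)) < len(path)

def predictive_paths(edges, start, goal, max_len):
    """Predictive attack graph: the full graph with redundant paths removed."""
    return [p for p in full_paths(edges, start, goal, max_len) if not is_redundant(p)]

def node_predictive_layers(edges, start):
    """Node predictive attack graph, built one compromise step at a time.
    Frontier hosts reachable from *every* already-compromised host are merged
    into a single node (a tuple of hosts); the rest stay as single-host nodes."""
    compromised, layers = {start}, [[(start,)]]
    targets = lambda c: {dst for _, dst in reachable(edges, c)}
    while True:
        frontier = set().union(*(targets(c) for c in compromised)) - compromised
        if not frontier:
            return layers
        merged = tuple(sorted(h for h in frontier
                              if all(h in targets(c) for c in compromised)))
        singles = [(h,) for h in sorted(frontier - set(merged))]
        layers.append(([merged] if merged else []) + singles)
        compromised |= frontier

if __name__ == "__main__":
    print(len(full_paths(EDGES, "attacker", "admin", 5)), "full paths")
    print(len(predictive_paths(EDGES, "attacker", "admin", 5)), "predictive paths")
    print(node_predictive_layers(EDGES, "attacker"))
```

Removing the edge for v2 from EDGES and re-running shows the forecasting property of the predictive graph: no path to admin survives.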