network intrusion detection and countermeasure selection in virtual
TRANSCRIPT
-
8/10/2019 Network Intrusion Detection and Countermeasure Selection in Virtual
1/28
Presented By:
Heena Mathur
Network Intrusion Detection And
Countermeasure Selection In Virtual
Network System
1/14/15 1
-
Contents
Introduction
What is Intrusion
What is Network Intrusion Detection System
Objective
Existing System
Disadvantage of Existing System
Proposed System
Advantage of Proposed System
System Architecture
Algorithm Used
Modules
Module Description
Conclusion
-
Introduction: THREAT TO NETWORK SECURITY
A significant security problem for networked systems is hostile, or at least unwanted, trespass by users or software.
User trespass can take the form of unauthorized logon to a machine or, in the case of an authorized user, acquisition of privileges or performance of actions beyond those that have been authorized.
Software trespass can take the form of a virus, worm, or Trojan horse.
-
What is an Intrusion?
Definition: An intrusion can be defined as a subversion of security to gain access to a system. This intrusion can use multiple attack methods and can span long periods of time.
These unauthorized accesses to computer or network systems are often designed to study the system's weaknesses for future attacks.
Other forms of intrusions are aimed at limiting access or even preventing access to computer systems or networks.
-
Types of Intruders
In an early study of intrusion, Anderson identified three classes of intruders:
Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit actions.
-
Methods of Intrusions
The methods used by intruders can often contain any one or even combinations of the following intrusion types:
Distributed Denial of Service
Trojan Horse
Viruses and Worms
Spoofing
Network/Port Scans
Buffer Overflow
-
Intrusion Detection System
(Diagram; components shown: Knowledge Base, Response Model, Event Provider, Other Machine, Alert Data, Analysis Engine.)
-
Network Intrusion Detection System
Definition: In computer security, a Network Intrusion Detection System (NIDS) is an intrusion detection system that attempts to discover unauthorized access to a computer network by analyzing traffic on the network for signs of malicious activity.
In a cloud computing environment, attackers can determine the vulnerabilities in the cloud systems and compromise the virtual machines to launch a large-scale Distributed Denial-of-Service (DDoS) attack. To prevent these machines from being compromised, we propose a multi-phase solution, NICE (Network Intrusion Detection and Countermeasure sElection in Virtual Network Systems).
-
Objective: The main aim of this project is to prevent the vulnerable virtual machines from being compromised in the cloud server, using a multi-phase distributed vulnerability detection, measurement, and countermeasure selection mechanism called NICE.
-
Existing System
Cloud users can install vulnerable software on their VMs, which essentially contributes to loopholes in cloud security. The challenge is to establish an effective vulnerability/attack detection and response system for accurately identifying attacks and minimizing the impact of security breaches to cloud users. In a cloud system where the infrastructure is shared by potentially millions of users, abuse and nefarious use of the shared infrastructure allows attackers to exploit vulnerabilities of the cloud and use its resources to deploy attacks in more efficient ways.
-
Such attacks are more effective in the cloud environment since cloud users usually share computing resources, e.g., being connected through the same switch, sharing the same data storage and file systems, even with potential attackers. The similar setup for VMs in the cloud, e.g., virtualization techniques, VM OS, installed vulnerable software, networking, etc., attracts attackers to compromise multiple VMs.
-
Disadvantage of Existing System
1. No detection and prevention framework in a virtual networking environment.
2. Low accuracy in detecting attacks from attackers.
-
Proposed System
We propose NICE (Network Intrusion detection and Countermeasure sElection in virtual network systems) to establish a defense-in-depth intrusion detection framework. For better attack detection, NICE incorporates attack graph analytical procedures into the intrusion detection processes. We must note that the design of NICE does not intend to improve any of the existing intrusion detection algorithms; indeed, NICE employs a reconfigurable virtual networking approach to detect and counter the attempts to compromise VMs, thus preventing zombie VMs.
-
Advantage of Proposed System
We devise NICE, a new multi-phase distributed network intrusion detection and prevention framework in a virtual networking environment that captures and inspects suspicious cloud traffic without interrupting users' applications and cloud services.
NICE incorporates a software switching solution to quarantine and inspect suspicious VMs for further investigation and protection.
Through programmable network approaches, NICE can improve the attack detection probability and improve the resiliency to VM exploitation attacks without interrupting existing normal cloud services.
-
NICE employs a novel attack graph approach for attack detection and prevention by correlating attack behavior and also suggests effective countermeasures.
NICE optimizes the implementation on cloud servers to minimize resource consumption. Our study shows that NICE incurs less computational overhead compared to proxy-based network intrusion detection solutions.
-
System Architecture
-
Algorithm Used
Alert Correlation Algorithm
Countermeasure Selection Algorithm
-
Modules
1. NICE-A
2. VM Profiling
3. Attack Analyzer
4. Network Controller
-
Module Description
NICE-A:
The NICE-A is a Network-based Intrusion Detection System (NIDS) agent installed in each cloud server. It scans the traffic going through the bridges that control all the traffic among VMs and in/out from the physical cloud servers. It sniffs a mirroring port on each virtual bridge in the Open vSwitch. Each bridge forms an isolated subnet in the virtual network and connects to all related VMs. The traffic generated from the VMs on the mirrored software bridge is mirrored to a specific port on a specific bridge using SPAN, RSPAN, or ERSPAN methods. It is more efficient to scan the traffic in the cloud server, since all traffic in the cloud server needs to go through it; however, our design is independent of the installed VMs. The false alarm rate could be reduced through our architecture design.
-
VM Profiling:
Virtual machines in the cloud can be profiled to get precise information about their state, services running, open ports, etc. One major factor that counts towards a VM profile is its connectivity with other VMs. Also required is knowledge of the services running on a VM, so as to verify the authenticity of alerts pertaining to that VM. An attacker can use a port scanning program to perform an intense examination of the network to look for open ports on any VM. So information about any open ports on a VM and the history of opened ports plays a significant role in determining how vulnerable the VM is. All these factors combined form the VM profile. VM profiles are maintained in a database and contain comprehensive information about vulnerabilities, alerts, and traffic.
-
Attack Analyzer:
The major functions of the NICE system are performed by the attack analyzer, which includes procedures such as attack graph construction and update, alert correlation, and countermeasure selection. The process of constructing and utilizing the Scenario Attack Graph (SAG) consists of three phases: information gathering, attack graph construction, and potential exploit path analysis. With this information, attack paths can be modeled using the SAG.
The Attack Analyzer also handles alert correlation and analysis operations. This component has two major functions:
-
(1) Constructs the Alert Correlation Graph (ACG).
(2) Provides threat information and appropriate countermeasures to the network controller for virtual network reconfiguration.
The NICE attack graph is constructed based on the following information: cloud system information, virtual network topology and configuration information, and vulnerability information.
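The three SAG phases and the alert correlation described on these two slides, as an added example that is not the NICE project's code: it builds a small attack graph from constructed topology and vulnerability data, enumerates potential exploit paths, and chains NICE-A alerts into a correlated sequence while discarding alerts that match no graph edge. All VM names, vulnerability labels and function names are assumptions.

```python
# Added example, not the NICE project's code: a minimal Scenario Attack Graph
# (SAG) from constructed topology and vulnerability data, exploit-path
# analysis, and alert correlation into an ACG-style chain. Names are made up.

# Virtual network topology: which VMs each node can reach directly.
TOPOLOGY = {"internet": ["web"], "web": ["app", "db"], "app": ["db"], "db": []}
# Vulnerability information per VM (labels are constructed, not CVE ids).
VULNS = {"web": ["web-rce"], "app": ["app-priv-esc"], "db": ["db-weak-auth"]}

def build_sag(topology, vulns):
    """Attack graph construction: edge (src, dst, vuln) exists when src can
    reach dst and dst exposes vuln."""
    return [(src, dst, v)
            for src, reachable in topology.items()
            for dst in reachable
            for v in vulns.get(dst, [])]

def exploit_paths(sag, start, target):
    """Potential exploit path analysis: all simple paths from start to target,
    each as a list of (vm, vuln) hops."""
    paths = []
    def walk(node, path, seen):
        if node == target:
            paths.append(path)
            return
        for src, dst, v in sag:
            if src == node and dst not in seen:
                walk(dst, path + [(dst, v)], seen | {dst})
    walk(start, [], {start})
    return paths

def correlate_alerts(sag, alerts):
    """Alert correlation: keep alerts (src, dst, vuln) that match a SAG edge
    (the rest are treated as false alarms), then link alerts in time order
    when one starts where the previous one landed. Returns the longest chain."""
    valid = [a for a in alerts if a in sag]
    best = []  # best[i]: longest chain ending at valid[i]
    for i, a in enumerate(valid):
        chain = [a]
        for j in range(i):
            if valid[j][1] == a[0] and len(best[j]) + 1 > len(chain):
                chain = best[j] + [a]
        best.append(chain)
    return max(best, key=len) if best else []

# Constructed alert stream from NICE-A; the second alert is a false alarm
# because nothing reaches db directly from the internet in TOPOLOGY.
ALERTS = [("internet", "web", "web-rce"), ("internet", "db", "db-weak-auth"),
          ("web", "app", "app-priv-esc"), ("app", "db", "db-weak-auth")]
```

Running `correlate_alerts(build_sag(TOPOLOGY, VULNS), ALERTS)` yields the three-step chain internet, web, app, db; the unreachable internet-to-db alert is dropped.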
-
Network Controller:
The network controller is a key component to support the programmable networking capability to realize the virtual network reconfiguration. In NICE, we integrated the control functions for both OVS and OFS into the network controller, which allows the cloud system to set security/filtering rules in an integrated and comprehensive manner. The network controller is responsible for collecting network information of the current OpenFlow network and provides input to the attack analyzer to construct attack graphs.
In NICE, the network controller also consults with the attack analyzer for the flow access control by setting up the filtering rules on the corresponding OVS and OFS. The network controller is also responsible for applying the countermeasure from the attack analyzer. Based on the VM Security Index and the severity of an alert, countermeasures are selected by NICE and executed by the network controller.
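Countermeasure selection as this slide describes it, as an added example rather than NICE's own algorithm: a VM profile yields a security index, the index is combined with the alert severity to pick a countermeasure, and the choice is turned into filtering rules for the controller to push to the switches. The index formula, thresholds, countermeasure table and rule format are all assumptions.

```python
# Added example, not the NICE project's code. The security-index formula, the
# thresholds, the countermeasure table and the rule format are assumptions.

# Constructed VM profiles (see VM Profiling): open ports, known vulnerability
# count and number of directly connected VMs.
VM_PROFILES = {
    "web": {"open_ports": [22, 80, 443], "vulns": 2, "neighbors": 3},
    "db": {"open_ports": [3306], "vulns": 0, "neighbors": 1},
}

# Candidate countermeasures from least to most intrusive, with the assumed
# minimum risk score at which each becomes justified.
COUNTERMEASURES = [
    ("block_port", 0.3),           # drop flows to the alerted port only
    ("traffic_redirection", 0.5),  # steer the VM's traffic through inspection
    ("quarantine", 0.8),           # isolate the VM on its own software bridge
]

def security_index(profile):
    """Assumed VM Security Index in [0, 1]: more exposure, higher index."""
    raw = (0.1 * len(profile["open_ports"]) + 0.2 * profile["vulns"]
           + 0.1 * profile["neighbors"])
    return min(1.0, raw)

def select_countermeasure(profile, severity):
    """Risk is the mean of the VM Security Index and the alert severity (both
    0..1, assumed). Return the most intrusive countermeasure whose threshold
    the risk reaches, or None when the alert only merits logging."""
    risk = 0.5 * (security_index(profile) + severity)
    chosen = None
    for name, threshold in COUNTERMEASURES:
        if risk >= threshold:
            chosen = name
    return chosen

def flow_rules(vm, port, countermeasure):
    """Translate the decision into filtering rules the controller would push
    to the OVS/OFS (constructed match/action dicts, not real OpenFlow syntax)."""
    if countermeasure == "block_port":
        return [{"match": {"dst": vm, "tp_dst": port}, "actions": ["drop"]}]
    if countermeasure == "traffic_redirection":
        return [{"match": {"dst": vm}, "actions": ["output:inspection_port"]}]
    if countermeasure == "quarantine":
        return [{"match": {"src": vm}, "actions": ["drop"]},
                {"match": {"dst": vm}, "actions": ["drop"]}]
    return []

def respond(vm, port, severity):
    cm = select_countermeasure(VM_PROFILES[vm], severity)
    return cm, flow_rules(vm, port, cm)
```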
-
System Configuration
Hardware Configuration:
Processor - Pentium IV
Speed - 1.1 GHz
RAM - 256 MB (min