SlideShare a Scribd company logo

Cloud-based IDS architectures : APPLYING THE IDS APPROACHES INTO THE CLOUD ENVIRONMENT

Hassan EL ALLOUSSI
Hassan EL ALLOUSSI

This document discusses intrusion detection systems (IDS) in cloud computing environments. It begins by defining cloud computing and describing its essential characteristics and deployment and service models. It then addresses security concerns in cloud computing, including threats from both insiders and outsiders. Next, it provides an overview of traditional IDS approaches, including host-based, network-based, and virtual machine-based systems. The document proposes several architectures for implementing IDS in clouds, including distributing sensors across cloud nodes, using a third-party monitoring service, integrating detection engines into cloud services, and taking a virtual machine-based approach. It concludes that the best approach combines behavioral and signature-based detection methods and can be implemented either by cloud providers or tenants

Related slideshows

Information risk management
Information risk managementInformation risk management
Information risk management
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in Depth
 
FortiWeb
FortiWebFortiWeb
FortiWeb
 
1 of 33
CLOUD-BASED IDS ARCHITECTURES APPLYING THE IDS APPROACHES INTO THE CLOUD ENVIRONMENT @halloussi Par M. EL ALLOUSSI
Summary 1. 2. 3. 4. 5. Cloud Computing : Definition and Trends Security in the Cloud Computing : Barriers to adoption? Intrusion Detection Systems Application of IDS in Cloud Environment Conclusion
Definition of Cloud Computing (NIST) “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. “
5 Essential Cloud Characteristics 1. 2. 3. On-demand self-service Broad network access Resource pooling (Location independence) 4. 5. Rapid elasticity Measured service
3 Cloud Service Models 1. Cloud Software as a Service (SaaS)  2. Cloud Platform as a Service (PaaS)  3. Use provider’s applications over a network Deploy customer-created applications to a cloud Cloud Infrastructure as a Service (IaaS)  Rent processing, storage, network capacity, and other fundamental computing resources
4 Cloud Deployment Models Private cloud Enterprise owned or leased Community cloud Shared infrastructure for specific community Public cloud Sold to the public, mega-scale infrastructure Hybrid cloud Composition of two or more clouds
All of this TOGETHER: The Cloud Hybrid Clouds Deployment Models Service Models Community Cloud Private Cloud Software as a Service (SaaS) Public Cloud Platform as a Service (PaaS) Infrastructure as a Service (IaaS) On Demand Self-Service Essential Characteristics Rapid Elasticity Resource Pooling Measured Service Massive Scale Common Characteristics Broad Network Access Resilient Computing Homogeneity Geographic Distribution Virtualization Service Orientation Low Cost Software Advanced Security
And security? Are there Cloud security issues?
Security: Barrier to Adoption?
Companies are still afraid to use clouds
12 What is Different about Cloud?
13 What is Different about Cloud? SERVICE OWNER SaaS PaaS IaaS Data Joint Tenant Tenant Application Joint Joint Tenant Compute Provider Joint Tenant Storage Provider Provider Joint Network Provider Provider Joint Physical Provider Provider Provider
Traditional systems security vs Cloud Computing Security Securing a house Biggest user concerns Securing perimeter Checking for intruders Securing a motel Biggest user concern Securing room against (the bad guy in next room | hotel
15
Cloud “Threats” (CSA) 1. 2. 3. 4. 5. 6. 7. Abuse & Nefarious Use of Cloud Computing Insecure Interfaces & APIs Malicious Insiders Shared Technology Issues Data Loss or Leakage Account or Service Hijacking Unknown Risk Profile 16
17 Cloud Risks (ENISA) 1. 2. 3. 4. 5. 6. 7. 8. Loss of governance Lock-in Isolation failure Compliance risks Management interface compromise Data protection Insecure or incomplete data deletion Malicious insider
Who is the attacker? Insider? • Malicious employees at client • Malicious employees at Cloud provider (or Cloud provider itself) Outsider? •Intruders •Network attackers
Intrusion Detection Systems?
IDS OVERVIEW   Intrusion Detection System (IDS) : a system that monitors network for suspicious activity and alerts the administrator of the system or network. 3 Approaches :  Network Intrusion Detection Systems (NIDS)  Host Intrusion Detection Systems (HIDS)  Virtual Machine Intrusion Detection Systems (VM-IDS)  2 techniques :  Statistical anomaly based (Behavioral)  Signature based (Scenario)
Architecture of an IDS Normal internal user Internal Intruder Sensor Classification Package Actions Analyser Clustering Normal External user External user Sensor Data Mining    The sensor : collects information on the evolution of the state of the system and provides a sequence of events that reflect this evolution. The analyzer : determines which part, fitting to a pattern of events provided by the sensor, is characteristic of a malicious activity. The manager : collects the received alerts from the sensor and presents them to the operator for further actions.
The IDS Matrix diagram TRUE FALSE POSITIVE True-Positive (Rule matched and attack present) False-Positive (Rule matched and no attack present) NEGATIVE True-Negative (No rule matched and no attack present) False-Negative (No rule matched and attack present)
Behavioral approach +++ The ability to detect new attacks. Types of monitoring systems Host Based IDS Analysis types Network Based IDS Scenario approach Phase 1 : Training Behavior approach Phase 2 : détection Real Activities Compared Model of normal behavior (Trafic, System performance, memory performance…) --- Many false positives because attacks can be new normal activities. Normal behavior Undeflected Defleclected Possible attack
Scenario approach +++ Techniques are easy and quick to implement. Types of monitoring systems Host Based IDS Analysis types Network Based IDS Scenario approach Behavior approach Ex: if (src_ip = dst_ip) then “land a ack” Real Activities Signatures (rules, patterns) known attacks --- Problem of reliability remains valid for false alarms Normal Not matched Matched attack
Intrusion Detection Systems in the Cloud, is it possible?
Architecture 1 : Distributed the IDS on the nodes of grid +++ Apply the two methods of intrusion detection (Scenario Based & Behavioral Based) --- The prototype is expensive in terms of resource consumption, --- It cannot discover new types of attacks and creating an attack database which must be considered during implementing IDS
Architecture 2 : Distributed Cloud Intrusion Detection Model +++ high performance in terms of processing and execution time. CSP Infrastructure Cloud User Organization Network Cloud Cloud IDS Intrusion Alarm Alert reports --- it is difficult to discover new types of attacks and create a new scenario while it still needs many works to be done to improve the concept. Advisory Reports Third party IDS monitoring & Advisory Service
Architecture 2 : Distributed Cloud Intrusion Detection Model Input Packets ICMP IP UDP Multi-Threaded Queue Thread 0 - n TCP Rule Set Matching False Reject True IDS Rule Set Intrusion alarm/ Log Cloud User CSP
Architecture 3 : Cloud Intrusion Detection System Service Collector Event Publisher IDS Controller Detection Engine Intrusion Detection System Component Cloud Computer Service Component +++ Quick and fast analyse and detection Cloud Computer Service Component Secure Connection (VPN) Agent Agent Group Agent Agent Group User Internal Network --- detecting many falsepositive
Architecture 4 : Cloud-based intrusion detection service framework (CBIDS) Cloud IDS Cloud Intrusion Detection Component Analysis Engine Service Console Detection Engine / Signature Database User database Cloud Service Component Cloud Service Component VPN Users Cloud User Data Collector User Network --- detecting many falsepositive
Architecture 5 : VM-integrated IDS Management +++ Can be implemented on the three levels --- The use of centralized collector can be a target of Denial of Service.
Architecture 5 : VM-integrated IDS Management
Conclusions Many IDS solutions have emerged for Cloud environment  It could be implemented either by the provider or the tenant  Combining Behavior and Scenario approaches is the best way to get rid of intrusion. 
Questions? THANK YOU @halloussi fr.slideshare.net/alloussi

More Related Content

Cloud-based IDS architectures : APPLYING THE IDS APPROACHES INTO THE CLOUD ENVIRONMENT

  • 1. CLOUD-BASED IDS ARCHITECTURES APPLYING THE IDS APPROACHES INTO THE CLOUD ENVIRONMENT @halloussi Par M. EL ALLOUSSI
  • 2. Summary 1. 2. 3. 4. 5. Cloud Computing : Definition and Trends Security in the Cloud Computing : Barriers to adoption? Intrusion Detection Systems Application of IDS in Cloud Environment Conclusion
  • 3. Definition of Cloud Computing (NIST) “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. “
  • 4. 5 Essential Cloud Characteristics 1. 2. 3. On-demand self-service Broad network access Resource pooling (Location independence) 4. 5. Rapid elasticity Measured service
  • 5. 3 Cloud Service Models 1. Cloud Software as a Service (SaaS)  2. Cloud Platform as a Service (PaaS)  3. Use provider’s applications over a network Deploy customer-created applications to a cloud Cloud Infrastructure as a Service (IaaS)  Rent processing, storage, network capacity, and other fundamental computing resources
  • 6. 4 Cloud Deployment Models Private cloud Enterprise owned or leased Community cloud Shared infrastructure for specific community Public cloud Sold to the public, mega-scale infrastructure Hybrid cloud Composition of two or more clouds
  • 7. All of this TOGETHER: The Cloud Hybrid Clouds Deployment Models Service Models Community Cloud Private Cloud Software as a Service (SaaS) Public Cloud Platform as a Service (PaaS) Infrastructure as a Service (IaaS) On Demand Self-Service Essential Characteristics Rapid Elasticity Resource Pooling Measured Service Massive Scale Common Characteristics Broad Network Access Resilient Computing Homogeneity Geographic Distribution Virtualization Service Orientation Low Cost Software Advanced Security
  • 8. And security? Are there Cloud security issues?
  • 10. Companies are still afraid to use clouds
  • 11. 12 What is Different about Cloud?
  • 12. 13 What is Different about Cloud? SERVICE OWNER SaaS PaaS IaaS Data Joint Tenant Tenant Application Joint Joint Tenant Compute Provider Joint Tenant Storage Provider Provider Joint Network Provider Provider Joint Physical Provider Provider Provider
  • 13. Traditional systems security vs Cloud Computing Security Securing a house Biggest user concerns Securing perimeter Checking for intruders Securing a motel Biggest user concern Securing room against (the bad guy in next room | hotel
  • 14. 15
  • 15. Cloud “Threats” (CSA) 1. 2. 3. 4. 5. 6. 7. Abuse & Nefarious Use of Cloud Computing Insecure Interfaces & APIs Malicious Insiders Shared Technology Issues Data Loss or Leakage Account or Service Hijacking Unknown Risk Profile 16
  • 16. 17 Cloud Risks (ENISA) 1. 2. 3. 4. 5. 6. 7. 8. Loss of governance Lock-in Isolation failure Compliance risks Management interface compromise Data protection Insecure or incomplete data deletion Malicious insider
  • 17. Who is the attacker? Insider? • Malicious employees at client • Malicious employees at Cloud provider (or Cloud provider itself) Outsider? •Intruders •Network attackers
  • 19. IDS OVERVIEW   Intrusion Detection System (IDS) : a system that monitors network for suspicious activity and alerts the administrator of the system or network. 3 Approaches :  Network Intrusion Detection Systems (NIDS)  Host Intrusion Detection Systems (HIDS)  Virtual Machine Intrusion Detection Systems (VM-IDS)  2 techniques :  Statistical anomaly based (Behavioral)  Signature based (Scenario)
  • 20. Architecture of an IDS Normal internal user Internal Intruder Sensor Classification Package Actions Analyser Clustering Normal External user External user Sensor Data Mining    The sensor : collects information on the evolution of the state of the system and provides a sequence of events that reflect this evolution. The analyzer : determines which part, fitting to a pattern of events provided by the sensor, is characteristic of a malicious activity. The manager : collects the received alerts from the sensor and presents them to the operator for further actions.
  • 21. The IDS Matrix diagram TRUE FALSE POSITIVE True-Positive (Rule matched and attack present) False-Positive (Rule matched and no attack present) NEGATIVE True-Negative (No rule matched and no attack present) False-Negative (No rule matched and attack present)
  • 22. Behavioral approach +++ The ability to detect new attacks. Types of monitoring systems Host Based IDS Analysis types Network Based IDS Scenario approach Phase 1 : Training Behavior approach Phase 2 : détection Real Activities Compared Model of normal behavior (Trafic, System performance, memory performance…) --- Many false positives because attacks can be new normal activities. Normal behavior Undeflected Defleclected Possible attack
  • 23. Scenario approach +++ Techniques are easy and quick to implement. Types of monitoring systems Host Based IDS Analysis types Network Based IDS Scenario approach Behavior approach Ex: if (src_ip = dst_ip) then “land a ack” Real Activities Signatures (rules, patterns) known attacks --- Problem of reliability remains valid for false alarms Normal Not matched Matched attack
  • 24. Intrusion Detection Systems in the Cloud, is it possible?
  • 25. Architecture 1 : Distributed the IDS on the nodes of grid +++ Apply the two methods of intrusion detection (Scenario Based & Behavioral Based) --- The prototype is expensive in terms of resource consumption, --- It cannot discover new types of attacks and creating an attack database which must be considered during implementing IDS
  • 26. Architecture 2 : Distributed Cloud Intrusion Detection Model +++ high performance in terms of processing and execution time. CSP Infrastructure Cloud User Organization Network Cloud Cloud IDS Intrusion Alarm Alert reports --- it is difficult to discover new types of attacks and create a new scenario while it still needs many works to be done to improve the concept. Advisory Reports Third party IDS monitoring & Advisory Service
  • 27. Architecture 2 : Distributed Cloud Intrusion Detection Model Input Packets ICMP IP UDP Multi-Threaded Queue Thread 0 - n TCP Rule Set Matching False Reject True IDS Rule Set Intrusion alarm/ Log Cloud User CSP
  • 28. Architecture 3 : Cloud Intrusion Detection System Service Collector Event Publisher IDS Controller Detection Engine Intrusion Detection System Component Cloud Computer Service Component +++ Quick and fast analyse and detection Cloud Computer Service Component Secure Connection (VPN) Agent Agent Group Agent Agent Group User Internal Network --- detecting many falsepositive
  • 29. Architecture 4 : Cloud-based intrusion detection service framework (CBIDS) Cloud IDS Cloud Intrusion Detection Component Analysis Engine Service Console Detection Engine / Signature Database User database Cloud Service Component Cloud Service Component VPN Users Cloud User Data Collector User Network --- detecting many falsepositive
  • 30. Architecture 5 : VM-integrated IDS Management +++ Can be implemented on the three levels --- The use of centralized collector can be a target of Denial of Service.
  • 31. Architecture 5 : VM-integrated IDS Management
  • 32. Conclusions Many IDS solutions have emerged for Cloud environment  It could be implemented either by the provider or the tenant  Combining Behavior and Scenario approaches is the best way to get rid of intrusion. 

Editor's Notes

  1. This is an oversimplification of the cloud security issues but it is definitely correct on a high level: there is only so much you can do to improve security if you use a software as a service provider (SaaS), who is hell bent on not being supportive of your security requirements
  2. Source: CSA standard slideThis is where the mysteries of PCI in the cloud start to come to life : Especially note those yellow boxes with the word JOINT (which, sadly, often means finger pointing and glaring security holes)Also, note that for cloud security (and for cloud Payment security as well as PCI ) you will have to trust the provider in regards to physical security.
  3. It is funny that this view of the world and of the cloud also has a hidden implication : if you neighbor is hacked in a traditional environment , you have a perfectly good grounds for saying “I don’t care.” But in case of shared infrastructure – cloud! – Being able to say that because more and more rare – or more and more risky.
  4. https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdfThe purpose of this document, “Top Threats to Cloud Computing”, is to provide needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies. In essence, this threat research document should be seen as a companion to “Security Guidance for Critical Areas in Cloud Computing”. As the first deliverable in the CSA’s Cloud Threat Initiative, the “Top Threats” document will be updated regularly to reflect expert consensus on the probable threats which customers should be concerned about. There has been much debate about what is “in scope” for this research. We expect this debate to continue and for future versions of “Top Threats to Cloud Computing” to reflect the consensus emerging from those debates. While many issues, such as provider financial stability, create significant risks to customers, we have tried to focus on issues we feel are either unique to or greatly amplified by the key characteristics of Cloud Computing and its shared, on-demand nature. We identify the following threats in our initial document: Abuse and Nefarious Use of Cloud Computing Insecure Application Programming Interfaces Malicious Insiders Shared Technology Vulnerabilities Data Loss/Leakage Account, Service & Traffic Hijacking Unknown Risk ProfileThe threats are not listed in any order of severity. Our advisory committee did evaluate the threats and each committee member provided a subjective ranking of the threats. The exercise helped validate that our threat listing reflected the critical threat concerns of the industry, however the cumulative ranking did not create a compelling case for a published ordered ranking, and it is our feeling that greater industry participation is required to take this step. The only threat receiving a consistently lower ranking was Unknown Risk Profile, however the commentary indicated that this is an important issue that is simply more difficult to articulate, so we decided to retain this threat and seek to further clarify it in future editions of the report
  5. LOSS OF GOVERNANCE: in using cloud infrastructures, the client necessarily cedes control to the Cloud LOCK-IN: there is currently little on offer in the way of tools, procedures or standard data formats ISOLATION FAILURE: multi-tenancy and shared resources are defining characteristics of cloud computingCOMPLIANCE RISKS: investment in achieving certification (e.g., industry standard or regulatory MANAGEMENT INTERFACE COMPROMISE: customer management interfaces of a public cloud providerDATA PROTECTION: cloud computing poses several data protection risks for cloud customers and providers. INSECURE OR INCOMPLETE DATA DELETION: when a request to delete a cloud resource is made, as with most MALICIOUS INSIDER: while usually less likely, the damage which may be caused by malicious insiders is