Intrusion Detection System for Cloud Computing 1
Intrusion Detection System Implementation for Cloud Computing
Dani Wafaul Falah
University of Vermont
Intrusion Detection System for Cloud Computing
Cloud computing is a new trend in the data center industry. Many companies are shifting their applications to this new infrastructure. Cloud computing is composed of virtualization and utility computing. It provides infrastructure as a service, platform as a service, and software as a service, which the customer can use on an on-demand basis. Cloud computing customers only pay for the services that they use, so the cost of new infrastructure can be reduced. They do not need to invest in new machines for infrastructure. Furthermore, cloud computing customers only need an internet connection to reach their application in the cloud infrastructure, or a secure connection to access confidential data.
Since cloud computing uses the internet as the backbone communication between the cloud service provider and its customers, some security and privacy issues arise. These issues are discussed by Brodkin in Gartner: Seven cloud-computing security risks (Brodkin, 2008). The risks mentioned there cover data segregation and user access in cloud computing; they concern how a cloud service provider can assure that access to sensitive data is granted only to privileged users. Other risks cover regulation and security compliance: cloud service providers have to comply with certain security regulatory requirements. For example, there are threats and security issues that can be used to attack the cloud infrastructure. These threats are similar to those in traditional infrastructures, such as ARP poisoning, man-in-the-middle attacks, port scanning, IP spoofing, and denial of service. In order to protect against this type of attack, many cloud providers put security measures in place to fortify their cloud infrastructure. They also provide additional firewall and security services that can be integrated into the customer's infrastructure.
In network and security architecture, the firewall is the first line of defense. This is not enough when we talk about public and shared infrastructure, so a solution is needed to strengthen protection in cloud computing. The integration of an Intrusion Detection System (IDS) in cloud computing can be used as a second line of defense to add protection. An IDS can detect network attacks and malicious activity that try to compromise the system. Compared to a traditional IDS deployment, some modification is needed to deploy an IDS in cloud computing so that it can provide maximum protection for the cloud infrastructure. A common IDS implementation has several components: an IDS monitoring component, an IDS detection & analysis module, and an IDS control center & alarm module.
The IDS monitoring component captures packets, which are then analyzed using several detection methods; this includes how the IDS monitoring component collects traffic packets from the network. In a virtualization environment, physical devices cannot be accessed directly, because the customer only gets the virtual machine and a simple network wiring. However, many cloud providers and cloud technologies provide tools for customization. These tools can be used by the cloud customer to modify the network design. An additional modification is needed to successfully integrate an IDS in virtualization. This modification is one of the possible solutions to implement the IDS monitoring component in the virtualization environment.
There are two common implementations of the IDS monitoring component that can be placed in virtualization: Host-based IDS (HIDS) and Network-based IDS (NIDS). A HIDS can be deployed in a virtual machine or a host machine and monitors intrusions dedicated to that particular machine. A HIDS has several methods: it can use a packet capture engine to collect the host's network traffic, or special software to collect the virtual machine's log or audit trail. This deployment type does not need modification to the standard network, but it needs to be deployed on every virtual machine. Some modification is needed to deploy a NIDS, because this type of deployment needs the IDS monitoring component to capture traffic flowing from one network to another.
The captured packet is analyzed for intrusions by the IDS detection & analysis module. This module performs detection methods such as signature-based detection, anomaly-based detection and hybrid detection (a combination of signature-based and anomaly-based detection). Signature-based detection uses predefined rules to evaluate every packet captured by the monitoring component. If a rule matches the evaluated packet, a message is sent to the control center or alarm module to report the intrusion. Anomaly-based detection evaluates packets differently: it runs a heuristic algorithm to calculate the deviation of every captured packet. The deviation predicts whether the packet is classified as normal behavior or as an attack. Using this method, anomaly-based detection can learn new and unknown attack patterns. This feature can be combined with signature-based detection to achieve a higher detection rate and faster detection. This combination is called the hybrid detection method. It combines signature-based detection for known attack patterns and anomaly-based detection for unknown attack patterns. To complete the IDS implementation, after an intrusion is detected by the IDS detection module, the control center & alarm module raises a message to notify the security administrator. This control center also decides whether a captured packet marked as an intrusion should be denied or allowed.
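The three detection methods and the control center decision just described, as an added example that is not code from the paper: a small Python module with signature-based, anomaly-based and hybrid detection run over constructed sample packets, feeding its verdicts to a control center that records the alert and decides deny/allow. The rules, the packet-size z-score heuristic used as the anomaly deviation, the threshold and the addresses are assumptions made for this example.

```python
"""Added example (not code from the paper): a small hybrid IDS detection &
analysis module wired to a control center, run over constructed sample
packets. Signature rules, the size-based anomaly heuristic and the
addresses are assumptions made for this example."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    dport: int
    size: int               # bytes on the wire
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    """Predefined signature: every field that is not None must match."""
    name: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    content: Optional[bytes] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport)
                and (self.content is None or self.content in pkt.payload))


class SignatureDetector:
    """Signature-based detection: report every rule that matches the packet."""
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def inspect(self, pkt: Packet) -> List[str]:
        return [r.name for r in self.rules if r.matches(pkt)]


class AnomalyDetector:
    """Anomaly-based detection: learn mean/stdev of packet size per protocol from
    traffic assumed normal; the deviation of a new packet is its z-score."""
    def __init__(self, threshold: float = 3.0):
        self.threshold = threshold
        self.baseline: Dict[str, Tuple[float, float]] = {}

    def train(self, packets: List[Packet]) -> None:
        sizes: Dict[str, List[int]] = {}
        for p in packets:
            sizes.setdefault(p.proto, []).append(p.size)
        for proto, s in sizes.items():
            self.baseline[proto] = (mean(s), pstdev(s) or 1.0)

    def deviation(self, pkt: Packet) -> float:
        if pkt.proto not in self.baseline:
            return float("inf")          # protocol never seen in the baseline
        mu, sigma = self.baseline[pkt.proto]
        return abs(pkt.size - mu) / sigma


class HybridDetector:
    """Hybrid detection: signatures for known attacks first, anomaly score for the rest."""
    def __init__(self, sig: SignatureDetector, ano: AnomalyDetector):
        self.sig, self.ano = sig, ano

    def inspect(self, pkt: Packet) -> Tuple[str, object]:
        names = self.sig.inspect(pkt)
        if names:
            return ("known", names)
        dev = self.ano.deviation(pkt)
        if dev > self.ano.threshold:
            return ("unknown", round(dev, 2))
        return ("normal", round(dev, 2))


class ControlCenter:
    """Alarm module: record an alert for the administrator and decide deny/allow."""
    def __init__(self):
        self.alerts: List[str] = []

    def handle(self, pkt: Packet, verdict: Tuple[str, object]) -> str:
        kind, detail = verdict
        if kind == "normal":
            return "allow"
        self.alerts.append(f"{kind} intrusion {detail}: {pkt.src} -> {pkt.dst}:{pkt.dport}")
        return "deny"


# Constructed sample data with hypothetical addresses (not captured traffic).
BASELINE = ([Packet("10.0.0.6", "10.0.0.10", "tcp", 443, s) for s in (480, 500, 520, 510, 490)]
            + [Packet("10.0.0.6", "10.0.0.10", "udp", 53, s) for s in (80, 90, 100, 110, 120)])
RULES = [Rule("telnet-to-server", proto="tcp", dport=23),
         Rule("path-traversal-probe", proto="tcp", dport=80, content=b"../")]
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.10", "tcp", 23, 60),                            # matches rule 1
    Packet("10.0.0.5", "10.0.0.10", "tcp", 80, 300, b"GET /../../etc/passwd"),  # matches rule 2
    Packet("10.0.0.6", "10.0.0.10", "tcp", 443, 505),                          # inside the baseline
    Packet("10.0.0.7", "10.0.0.10", "udp", 53, 4000),                          # far outside it
]


def build_ids() -> HybridDetector:
    ano = AnomalyDetector(threshold=3.0)
    ano.train(BASELINE)
    return HybridDetector(SignatureDetector(RULES), ano)


def run(ids: HybridDetector, cc: ControlCenter, packets: List[Packet]) -> List[str]:
    """Feed each packet through detection and return the control center's decisions."""
    return [cc.handle(p, ids.inspect(p)) for p in packets]


if __name__ == "__main__":
    cc = ControlCenter()
    print(run(build_ids(), cc, SAMPLE_PACKETS))   # ['deny', 'deny', 'allow', 'deny']
    print("\n".join(cc.alerts))
```

The order of the two checks is the point of the hybrid method: a packet that matches a predefined rule is reported as a known attack without consulting the anomaly score, and only the remaining packets are scored against the baseline, which is what lets the combination catch both the known telnet/traversal patterns and the oversized UDP packet no rule describes.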
Some research has been conducted to integrate IDS in cloud computing. Each piece of research has focused on a different IDS component to form a solution that integrates IDS in cloud computing. According to Zarrabi (Zarrabi & Zarrabi, 2012), they used the Host-based IDS (HIDS) concept for the monitoring component and introduced collaborative HIDS in a distributed configuration. This distributed configuration uses a mobile agent placed on a certain virtual machine as a collector, with a central service as the decision module. This mobile agent acts as the IDS monitoring component and is deployed to meet a certain purpose. Kholidy (Kholidy & Baiardi, 2012) proposed a different concept of Host-based IDS. This concept uses special software to collect the log and audit trail from the virtual machine instead of capturing traffic from the network. This software is implemented as a process in the underlying operating system of the host machine or server. Some virtualization technologies include this software as part of the standard Virtual Machine Monitor (VMM).
Another research effort by Modi (C. N. Modi, Patel, Patel, & Muttukrishnan, 2012; Chirag N. Modi, Patel, Patel, & Rajarajan, 2012) focused on the detection and analysis module. They chose a combination of Host-based IDS and Network-based IDS for the IDS monitoring component, capturing packets from the network stream. The captured packets are analyzed using a combination of signature-based detection and anomaly-based detection. In their two pieces of research, they proposed two different designs for the detection & analysis module, especially for the algorithm used in anomaly detection. In the first (Chirag N. Modi et al., 2012), they run the signature-based detection module and the anomaly-based detection module in parallel. They use the Apriori algorithm as the heuristic algorithm for anomaly detection, which can detect unknown intrusions. When an unknown intrusion is detected, a new rule is created for the signature-based detection database. In their next research (C. N. Modi et al., 2012), they use a Bayesian classifier as the heuristic algorithm for the anomaly detection method. Although its flow differs from the previous research, the Bayesian classifier takes as input the packets from the signature detection module that do not match any predefined rule. It processes the captured packets and classifies them into several classes. The classified packets are then analyzed and their deviation is calculated. Finally, this deviation predicts the intrusion.
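The two flows the paper attributes to Modi et al., as an added example that is neither the paper's nor Modi et al.'s code: packets that match no signature are passed to a naive Bayes classifier, the deviation 1 - P(normal) predicts the intrusion, and a detected unknown intrusion is fed back into the signature database as a new rule (the Signature-Apriori idea of the first design, implemented here with the classifier of the second instead of Apriori). The classes, the discretised features, the hand-labelled training packets and the threshold are assumptions of this example.

```python
"""Added example, not code from the paper or from Modi et al.: the detection &
analysis flow the paper attributes to Modi et al., written from scratch over
constructed packet records. Classes, features, training data and threshold
are assumptions of this example."""
import math
from collections import Counter, defaultdict
from typing import Dict, Iterable, Tuple

Features = Tuple[str, str, str, str]


def features(pkt: dict) -> Features:
    """Discretise a packet record into the categorical features the classifier uses."""
    return (pkt["proto"],
            "well-known" if pkt["dport"] < 1024 else "high",
            pkt["flags"],                               # "established", "syn" or "none"
            "small" if pkt["size"] < 100 else "large")


class NaiveBayes:
    """Categorical naive Bayes classifier with Laplace smoothing."""
    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha
        self.class_counts: Counter = Counter()
        self.feature_counts = defaultdict(Counter)     # (class, idx) -> Counter of values
        self.values = defaultdict(set)                 # idx -> values seen in training

    def train(self, labelled: Iterable[Tuple[dict, str]]) -> None:
        for pkt, label in labelled:
            self.class_counts[label] += 1
            for i, v in enumerate(features(pkt)):
                self.feature_counts[(label, i)][v] += 1
                self.values[i].add(v)

    def posterior(self, pkt: dict) -> Dict[str, float]:
        """P(class | features), computed in log space and normalised."""
        fv, total, logp = features(pkt), sum(self.class_counts.values()), {}
        for c, n in self.class_counts.items():
            lp = math.log(n / total)
            for i, v in enumerate(fv):
                k = self.alpha * len(self.values[i])
                lp += math.log((self.feature_counts[(c, i)][v] + self.alpha) / (n + k))
            logp[c] = lp
        m = max(logp.values())
        z = sum(math.exp(v - m) for v in logp.values())
        return {c: math.exp(v - m) / z for c, v in logp.items()}


class Detector:
    """Signature database checked first; misses go to the classifier, whose
    deviation 1 - P(normal) predicts the intrusion; detected unknown intrusions
    become new signatures."""
    def __init__(self, clf: NaiveBayes, threshold: float = 0.8):
        self.clf, self.threshold = clf, threshold
        self.signatures: set = set()                   # feature tuples of known intrusions

    def inspect(self, pkt: dict) -> Tuple[str, float]:
        fv = features(pkt)
        if fv in self.signatures:
            return ("signature", 1.0)
        deviation = 1.0 - self.clf.posterior(pkt).get("normal", 0.0)
        if deviation >= self.threshold:
            self.signatures.add(fv)                    # new rule for the signature database
            return ("anomaly", round(deviation, 3))
        return ("normal", round(deviation, 3))


def make_pkt(proto: str, dport: int, flags: str, size: int) -> dict:
    return {"proto": proto, "dport": dport, "flags": flags, "size": size}


# Constructed, hand-labelled training traffic (an assumption of this example).
TRAINING = (
    [(make_pkt("tcp", p, "established", s), "normal")
     for p, s in ((80, 500), (443, 900), (80, 1400), (443, 700))]
    + [(make_pkt("tcp", 8080, "established", 600), "normal")] * 2
    + [(make_pkt("udp", 53, "none", 70), "normal")] * 2
    + [(make_pkt("tcp", p, "syn", 60), "probe") for p in (22, 23, 445, 139, 8080, 3389)]
    + [(make_pkt("udp", 5000, "none", 1400), "flood")] * 3
)


def build_detector() -> Detector:
    clf = NaiveBayes()
    clf.train(TRAINING)
    return Detector(clf)


if __name__ == "__main__":
    det = build_detector()
    for p in (make_pkt("tcp", 22, "syn", 60), make_pkt("tcp", 22, "syn", 60),
              make_pkt("tcp", 443, "established", 900)):
        print(det.inspect(p))      # anomaly, then signature, then normal
```

Feeding the same SYN-only packet twice shows the feedback loop: the first copy reaches the classifier and is reported as an anomaly, and its feature tuple is then stored as a signature, so the second copy is caught by the cheaper signature check without any classification. Laplace smoothing keeps a feature value never seen for some class from driving that class's probability to zero.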
The methods above can be used to design a solution for IDS in cloud computing. From Kholidy's method (Kholidy & Baiardi, 2012), a Host-based IDS and the virtual machine monitor can be used for the IDS monitoring component. This Host-based IDS collects the virtual machine log and audit trail. For network monitoring, the Network-based IDS from Modi's design concept can be used to capture packets. It can be deployed at the network level as a second IDS monitoring component. For the detection & analysis module, Signature-Apriori from Modi's research (Chirag N. Modi et al., 2012) can also be used to detect both known and unknown attack patterns. This method uses a hybrid detection module and shares the same rules database. To complete the IDS deployment, a general IDS control center & alarm module can be used to send notifications to the security administrator.
The design above has several key factors for the cloud customer. The first is the virtual machine monitor used for the Host-based IDS; it uses a standard application from the virtualization technology. Another key factor is the Network-based IDS module used for network capture, which can be integrated into firewall services to save resources. Finally, both the detection & analysis module and the control center & alarm module can be placed in the same dedicated virtual machine. This IDS integration can save the customer's resources in their cloud infrastructure and avoid major modification of the standard network design.
References:
Brodkin, J. (2008, July 2). Gartner: Seven cloud-computing security risks. Retrieved December 2, 2016, from http://www.infoworld.com/article/2652198/security/gartner--seven-cloud-computing-security-risks.html
Kholidy, H. A., & Baiardi, F. (2012). CIDS: A Framework for Intrusion Detection in Cloud Systems. In 2012 Ninth International Conference on Information Technology - New Generations (pp. 379–385). https://doi.org/10.1109/ITNG.2012.94
Modi, C. N., Patel, D. R., Patel, A., & Muttukrishnan, R. (2012). Bayesian Classifier and Snort based network intrusion detection system in cloud computing. In 2012 Third International Conference on Computing Communication Networking Technologies (ICCCNT) (pp. 1–7). https://doi.org/10.1109/ICCCNT.2012.6396086
Modi, C. N., Patel, D. R., Patel, A., & Rajarajan, M. (2012). Integrating Signature Apriori based Network Intrusion Detection System (NIDS) in Cloud Computing. Procedia Technology, 6, 905–912. https://doi.org/10.1016/j.protcy.2012.10.110
Zarrabi, A., & Zarrabi, A. (2012). Internet Intrusion Detection System Service in a Cloud.