Junchi Xing,Haifeng Zhou,Jinfan Shen,Kai Zhu,Yansong Wang,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/ICT.2018.8464855

2018-01-01

Abstract:Distributed Denial-of-Service (DDoS) attack has been a "nightmare" for cloud. A countermeasure is to establish an Intrusion Detection and Prevention System (IDPS) for cloud. Nevertheless, current IDPSes fail to achieve the detection and prevention in a flexible and lightweight way. In this paper, we propose a novel scheme of IDPS for overcoming the above problem, termed as Auto-scaling IDPS (AsIDPS). AsIDPS is based on Software-Defined Networking (SDN) and Docker container technologies. It first detects abnormal traffic based on the flow statistics collected in SDN switches in real-time. By the SDN controller, the abnormal traffic will be directed to the created Docker containers with Snort running on them for further detection and clean-up. Particularly, the Docker containers can be automatically scaled out or scaled down on demand. The Snort will also deliver an alert to the SDN controller if it detects attack traffic so as to perform a countermeasure if necessary. Benefitting from the flexible network management offered by SDN and the lightweight Docker container, AsIDPS is able to build a flexible and lightweight defense against DDoS attack in cloud. Based on our prototype implementation, we validate the effectiveness of AsIDPS in defending DDoS attack, and also verify its flexibility and lightweight.

Da-Wen Huang,Fengji Luo,Jichao Bi,Mingyang Sun

DOI: https://doi.org/10.1109/tifs.2022.3191491

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Deploying Intrusion Detection Systems (IDSs) is an essential way to enhance the security of Multi-hop Clustered Wireless Sensor Networks (MCWSNs). The conventional IDS deployment architectural designs show limitations in ensuring the security of MCWSNs due to the limited monitoring range of the nodes. This paper proposes an efficient IDS deployment architecture for MCWSNs. The architecture is a hybrid design, in which the cluster heads and the sink collaboratively act as IDS agents to monitor the entire network and perform intrusion detection. Based on the new architecture, this paper proposes a resource allocation model to optimally allocate resources among the IDS agents so that the network’s security metric can be maximized. A comprehensive analytical framework is proposed to analyze the optimality of the model’s solution, and an efficient computational approach is developed to obtain the optimal resource allocation strategy. Extensive numerical simulation and comparison studies are conducted to validate the proposed method.

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

Feilong Tang,Lu Li,Leonard Barolli,Can Tang

DOI: https://doi.org/10.1109/AINA.2017.125

2017-01-01

Abstract:Software defined networking (SDN) provides flexible management for datacenter networks with the flow-level control. Such the fine-grained management, however, consumes large amount of bandwidth between data and control planes, which results in the bottleneck in the scalability of SDN-based datacenters. "The elephant and mouse phenomenon" suggests that there are only very few elephant flows that carry the majority of bytes in datacenters so that it can improve management efficiency to detect and reroute elephant flows while leaving mice flows in data plane leveraging wildcard flow table in OpenFlow. Unfortunately, existing mechanisms for elephant flow detection suffer from high bandwidth consumption and long detection time. In this paper, we propose an efficient sampling and classification approach (ESCA) with the two-phase elephant flow detection. In the first phase, ESCA improves sampling efficiency by estimating the arrival interval of elephant flows and filtering out redundant samples using a filtering flow table. In the second phase, ESCA classifies samples with a new supervised classification algorithm based on correlation among data flows. The mathematical analysis proofs our ESCA outperforms related schemes. Extensive experiment results on real public datacenter traces further demonstrate that our ESCA can provide accurate detection with less sampled packets and shorter detection time.

Zeng Zhao,Yangzhao Yang,Naijie Gu

DOI: https://doi.org/10.1109/icecc.2012.351

2012-01-01

Abstract:With the rapid development of cloud computing, cloud security issues are becoming more and more serious, which is the bottleneck of cloud computing. According to the characteristics of cloud computing architecture, an intrusion detection mechanism based on sampling and feedback for cloud computing (IDMSFC) is devised to make the IDS (intrusion detection system) for cloud more dynamic and intelligent. Principles of sampling are used to reduce the overhead of detection, and a feedback algorithm based on attack graphs is employed to ensure the accuracy of detection.

Zayed alhaddad, Mostafa Hanoune, Abdelaziz Mamouni

DOI: https://doi.org/10.17762/ijcnis.v8i3.1950

2022-04-17

International Journal of Communication Networks and Information Security (IJCNIS)

Abstract:In recent years, Cloud computing has emerged as a new paradigm for delivering highly scalable and on-demand shared pool IT resources such as networks, servers, storage, applications and services through internet. It enables IT managers to provision services to users faster and in a cost-effective way. As a result, this technology is used by an increasing number of end users. On the other hand, existing security deficiencies and vulnerabilities of underlying technologies can leave an open door for intruders. Indeed, one of the major security issues in Cloud is to protect against distributed attacks and other malicious activities on the network that can affect confidentiality, availability and integrity of Cloud resources. In order to solve these problems, we propose a Collaborative Network Intrusion Detection System (C-NIDS) to detect network attacks in Cloud by monitoring network traffic, while offering high accuracy by addressing newer challenges, namely, intrusion detection in virtual network, monitoring high traffic, scalability and resistance capability. In our NIDS framework, we use Snort as a signature based detection to detect known attacks, while for detecting network anomaly, we use Support Vector Machine (SVM). Moreover, in this framework, the NIDS sensors deployed in Cloud operate in collaborative way to oppose the coordinated attacks against cloud infrastructure and knowledge base remains up-to-date.

K. Sundaramoorthy,K E Purushothaman,Jeba Sonia J,N Kanthimathi

DOI: https://doi.org/10.1016/j.cose.2024.104081

IF: 5.105

2024-09-01

Computers & Security

Abstract:The evolution of cloud computing has revolutionized how users access services, simplifying the development and deployment of applications across various industries. With its pervasive adoption, robust security measures become imperative. Integrating Intrusion Detection Systems (IDSs) into cloud computing and Wireless Sensor Networks (WSNs) addresses these challenges. IDSs serve as attentive protectors, monitoring network traffic and responding to breaches promptly, enhancing security across industries reliant on cloud services. Similarly, IDS integration in WSNs ensures the security of mission-critical operations, despite resource constraints and dynamic topologies, facilitated by cloud computing. This research proposes a hybrid IDS approach, leveraging the NSL-KDD dataset and methodologies like Intrusion Support Scalar Impact Rate (ISSIR), Optimized Support Vector Machine (OSVM), Extended Long-Short-Term Memory (ELSTM), and Multilayer Perceptron Neural Network (MLPNN), enhancing intrusion detection efficacy. ISSIR aids in feature selection, OSVM mitigates localization errors, ELSTM enables precise anomaly detection, and MLPNN provides robust defense mechanisms. Each method is integrated into a collaborative framework to address specific challenges in detecting intrusions with higher accuracy and reduced false positives. The interplay between these methodologies strengthens the overall intrusion detection framework, addressing the dynamic nature of cybersecurity threats. Results demonstrate the superior performance of MLPNN across various metrics, showcasing its effectiveness in accurately predicting outcomes compared to other models. The proposed MLPNN hybrid system achieves an accuracy of 99.9%, surpassing state-of-the-art methods. This study underscores the significance of advancing IDSs in cloud computing and WSNs, offering insights into enhancing security and mitigating vulnerabilities in an interconnected digital landscape.

computer science, information systems

Hassen Mohammed Alsafi,Wafaa Mustafa Abduallah,Al-Sakib Khan Pathan

DOI: https://doi.org/10.48550/arXiv.1203.3323

2012-03-15

Abstract:Today, many organizations are moving their computing services towards the Cloud. This makes their computer processing available much more conveniently to users. However, it also brings new security threats and challenges about safety and reliability. In fact, Cloud Computing is an attractive and cost-saving service for buyers as it provides accessibility and reliability options for users and scalable sales for providers. In spite of being attractive, Cloud feature poses various new security threats and challenges when it comes to deploying Intrusion Detection System (IDS) in Cloud environments. Most Intrusion Detection Systems (IDSs) are designed to handle specific types of attacks. It is evident that no single technique can guarantee protection against future attacks. Hence, there is a need for an integrated scheme which can provide robust protection against a complete spectrum of threats. On the other hand, there is great need for technology that enables the network and its hosts to defend themselves with some level of intelligence in order to accurately identify and block malicious traffic and activities. In this case, it is called Intrusion prevention system (IPS). Therefore, in this paper, we emphasize on recent implementations of IDS on Cloud Computing environments in terms of security and privacy. We propose an effective and efficient model termed as the Integrated Intrusion Detection and Prevention System (IDPS) which combines both IDS and IPS in a single mechanism. Our mechanism also integrates two techniques namely, Anomaly Detection (AD) and Signature Detection (SD) that can work in cooperation to detect various numbers of attacks and stop them through the capability of IPS.

Networking and Internet Architecture,Cryptography and Security

Weicheng Qiu,Yinghua Ma,Xiuzhen Chen,Haiyang Yu,Lixing Chen

DOI: https://doi.org/10.1016/j.cose.2022.102709

IF: 5.105

2022-01-01

Computers & Security

Abstract:Cyber-attacks are becoming increasingly sophisticated, posing greater challenges in accurately detecting intrusions. Failure to prevent intrusions could degrade the credibility of security services. Intrusion Detection System (IDS) is one of the most effective paradigms to identify attack behaviors. This paper proposes a novel hybrid intrusion detection system called DST-IDS. The proposed method employs both packet-based and flow-based intrusion detection techniques and combines them with Dempster-Shafer Theory (DST). DST-IDS has an ensemble-like framework. It takes both traffic flows and their first N packets as inputs; flow-based IDS aims to predict traffic flows and packet-based IDS detects attacks in the corresponding packets; DST is then applied to fuse predictions of flow-based IDS and packet-based IDS to a final detection result. We also design a novel data collection/processing tool in DST-IDS to reduce the data volume required to perform intrusion detection and enable early detection. In addition, DST-IDS is designed to work with heterogeneous data distribution where the distribution of the training dataset can differ from the data distribution during implementation. This property drastically improves the practicality of DST-IDS. We run experiments on public datasets and real networks to evaluate the proposed method. The experimental results show that DST-IDS outperforms state-of-the-art benchmarks in terms of intrusion detection accuracy and detection speed. Particularly, DST-IDS provides real-time detection in real networks and handles well heterogeneous data distribution.

Peyman Khordadpour,Saeed Ahmadi

DOI: https://doi.org/10.48550/arXiv.2305.16389

2023-05-26

Abstract:In recent times, I've encountered a principle known as cloud computing, a model that simplifies user access to data and computing power on a demand basis. The main objective of cloud computing is to accommodate users' growing needs by decreasing dependence on human resources, minimizing expenses, and enhancing the speed of data access. Nevertheless, preserving security and privacy in cloud computing systems pose notable challenges. This issue arises because these systems have a distributed structure, which is susceptible to unsanctioned access - a fundamental problem. In the context of cloud computing, the provision of services on demand makes them targets for common assaults like Denial of Service (DoS) attacks, which include Economic Denial of Sustainability (EDoS) and Distributed Denial of Service (DDoS). These onslaughts can be classified into three categories: bandwidth consumption attacks, specific application attacks, and connection layer attacks. Most of the studies conducted in this arena have concentrated on a singular type of attack, with the concurrent detection of multiple DoS attacks often overlooked. This article proposes a suitable method to identify four types of assaults: HTTP, Database, TCP SYN, and DNS Flood. The aim is to present a universal algorithm that performs effectively in detecting all four attacks instead of using separate algorithms for each one. In this technique, seventeen server parameters like memory usage, CPU usage, and input/output counts are extracted and monitored for changes, identifying the failure point using the CUSUM algorithm to calculate the likelihood of each attack. Subsequently, a fuzzy neural network is employed to determine the occurrence of an attack. When compared to the Snort software, the proposed method's results show a significant improvement in the average detection rate, jumping from 57% to 95%.

Cryptography and Security

Xiaoyu Ma,Xiao Fu,Bin Luo,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1109/globecom38437.2019.9013771

2019-01-01

Abstract:Security is critical to cloud services, this paper introduces a design of firewall, which based on IDS's feedback t change rules in order to detect attack flexible. It combines firewall and Intrusion Detection Systems(IDS) by using Intrusion Detection Systems, which detects ICMP, TCP, UDP attacks. Usually, a cloud service is a service built on a virtual machine. The virtual device is virtualized to achieve the purpose of multiplexing. Therefore, if you want to implement cloud security detection, you can listen to the physical device's network card. There are two types of Intrusion Detection System, one is host-based intrusion detection system(HIDS) and another is network intrusion detection system(NIDS). What's more, in order to highlight the importance of the firewall, the IDS monitoring data is analyzed and added to the firewall's defense strategy automatically. Finally, we measure the effectiveness of the system by False Negative(FN) and False Positive(FP), and verify that feedback plays a crucial role in improving the effectiveness of the system, improving the efficiency of the entire system filtering attacks.

Mhamad Bakro,Rakesh Ranjan Kumar,Mohammad Husain,Zubair Ashraf,Arshad Ali,Syed Irfan Yaqoob,Mohammad Nadeem Ahmed,Nikhat Parveen

DOI: https://doi.org/10.1109/access.2024.3353055

IF: 3.9

2024-01-01

IEEE Access

Abstract:The adoption of cloud computing has become increasingly widespread across various domains. However, the inherent security vulnerabilities of cloud computing pose significant risks to its overall safety. Consequently, intrusion detection systems (IDS) play a pivotal role in identifying malicious activities within a cloud system. The considerable volume of network traffic data may contain redundant and irrelevant features that can impact the classification performance of the classifier. In addition, the complexity and time consumption increase while processing such a substantial volume of data in the cloud intrusion detection process. To enhance the performance of the IDS, this study proposes a hybrid feature selection approach, combining two bio-inspired algorithms, namely the grasshopper optimization algorithm (GOA) and the genetic algorithm (GA). The combination of these two algorithms ensures a more efficient search for optimal solutions. A random forest (RF) classifier is trained using those optimal features. Moreover, the proposal addresses the challenge of imbalanced data by employing a hybrid approach: over-sampling the minority classes using an adaptive synthetic (ADASYN) algorithm, while implementing random under-sampling (RUS) for the majority class as needed. This integrated strategy significantly influences each category, enhancing the true positive rate (TPR) while minimizing the false positive rate (FPR), thus improving the overall system performance. The proposed approach was evaluated using three datasets: UNSW-NB15, CIC-DDoS2019, and CIC Bell DNS EXF 2021. The recorded accuracies for these datasets were 98%, 99%, and 92%, respectively. The hybrid feature selection-based IDS demonstrated superior performance in multi-class classification, along with exemplary results for individual classes within the datasets. The proposed strategy exhibited a marked superiority with the random forest classifier, especially when compared to other classifiers including SVM, LR, FLN, LSTM, AlexNet, DNN, DBN, DT, and XGBoost. Moreover, this performance remained consistent and commendable even when benchmarked against contemporary state-of-the-art methodologies across multiple evaluation metrics.

computer science, information systems,telecommunications,engineering, electrical & electronic

Frederico Araujo,Gbadebo Ayoade,Khaled Al-Naami,Yang Gao,Kevin W. Hamlen,Latifur Khan

DOI: https://doi.org/10.1016/j.jisa.2021.102880

IF: 4.96

2021-09-01

Journal of Information Security and Applications

Abstract:<p>Most conventional cyber defenses strive to reject detected attacks as quickly and decisively as possible; however, this instinctive approach has the disadvantage of depriving intrusion detection systems (IDSes) of learning experiences and threat data that might otherwise be gleaned from deeper interactions with adversaries. For IDS technology to improve, a next-generation cyber defense is proposed in which cyber attacks are unconventionally reimagined as free sources of live IDS training data. Rather than aborting attacks against legitimate services, adversarial interactions are selectively prolonged to maximize the defender's harvest of useful threat intelligence. Enhancing web services with deceptive attack-responses in this way is shown to be a powerful and practical strategy for improved detection, addressing several perennial challenges for machine learning-based IDS in the literature, including scarcity of training data, the high labeling burden for (semi-)supervised learning, encryption opacity, and concept differences between honeypot attacks and those against genuine services. By reconceptualizing software security patches as feature extraction engines, the approach conscripts attackers as free penetration testers, and coordinates multiple levels of the software stack to achieve fast, automatic, and accurate labeling of live web streams.</p><p>Prototype implementations are showcased for two feature set models to extract security-relevant network- and system-level features from cloud services hosting enterprise-grade web applications. The evaluation demonstrates that the extracted data can be fed back into a network-level IDS for exceptionally accurate, yet lightweight attack detection.</p>

computer science, information systems

Ming Liu,Zhi Xue,Xiangjian He,Jinjun Chen

DOI: https://doi.org/10.48550/arxiv.2109.11821

2021-01-01

Abstract: Following the current big data trend, the scale of real-time system call traces generated by Linux applications in a contemporary data center may increase excessively. Due to the deficiency of scalability, it is challenging for traditional host-based intrusion detection systems deployed on every single host to collect, maintain, and manipulate those large-scale accumulated system call traces. It is inflexible to build data mining models on one physical host that has static computing capability and limited storage capacity. To address this issue, we propose SCADS, a corresponding solution using Apache Spark in the Google cloud environment. A set of Spark algorithms are developed to achieve the computational scalability. The experiment results demonstrate that the efficiency of intrusion detection can be enhanced, which indicates that the proposed method can apply to the design of next-generation host-based intrusion detection systems with system calls.

Navya Iyengar

DOI: https://doi.org/10.48550/arXiv.2007.11654

2020-07-22

Networking and Internet Architecture

Abstract:Cloud-based and network-based technology has witnessed an exponential rise in development. Adaptation of these latest technologies has opened flood gates for data breaches, an increase in sophistication of cyber threats, and, a multitude of new attack vectors. Numerous tools and solutions are currently available for detection of these threats. Network-based Intrusion Detection Systems is one of the most effective tools implemented to maintain confidentiality, integrity, and, availability of networks. While there are several open source tools in the offing, this paper evaluates two open-source NIDS Snort and Suricata, along with strategic placement of multi sensor IDS in a WAN environment, in combination with NIDS, for in time threat detection and protection of systems.

Guangfeng Guo,Junxing Zhang,Zhanfei Ma

DOI: https://doi.org/10.2298/csis200206049g

2021-01-01

Computer Science and Information Systems

Abstract:As traditional networks, the software-defined campus network also suffers from intrusion attacks. Current solutions for intrusion prevention cannot meet the requirements of the campus network. Existing methods of attack traceback are either limited to specific protocols or incur high overhead. To protect the data center (DC) of the campus network from internal and external attacks, we propose an Intrusion Prevention System (IPS) based on the coordinated control between the detection engine, the attack traceback agent, and the software-defined control plane. Our solution includes a novel algorithm to infer the best switch port for defending different attacks of varied scales based on the inverse HSA (Header Space Analysis) and the global view of the software-defined controller. The proposed scheme can effectively and timely block the malicious traffic not only protecting victim hosts from attacks but also preventing the whole network from suffering unwanted transmission burden. The proposed IPS is deployed on the bypass of the DC switch and collects network traffic by port mirroring. Compared with the traditional serial deployment, the new design helps defend the DC internal attacks, reduce the probability of network congestion, and avoid the single point of failure. The experimental results show that the overhead of our IPS is very low, which enables it to meet the real-time requirements. The average defense time is between 10 and 14 ms for the data center internal attacks of different scales. For external attacks, the maximum defense time is about 76 ms for a large-scale network with 100 switches.

computer science, information systems, software engineering

Zhichun Li,Yan Chen,Aaron Beach

DOI: https://doi.org/10.1145/1162666.1162669

2006-01-01

Abstract:Traffic anomalies and distributed attacks are commonplace in today's networks. Single point detection is often insufficient to determine the causes, patterns and prevalence of such events. Most existing distributed intrusion detection systems (DIDS) rely on centralized fusion, or distributed fusion with unscalable communication mechanisms. In this paper, we propose to build a DIDS based on the emerging decentralized location and routing infrastructure: distributed hash table (DHT). We embed the intrusion symptoms into the DHT dimensions so that alarms related to the same intrusion (thus with similar symptoms) will be routed to the same sensor fusion center (SFC) while evenly distributing unrelated alarms to different SFCs. This is achieved through careful routing key design based on: 1) analysis of essential characteristics of four common types of intrusions: DoS attacks, port scanning, virus/worm infection and botnets; and 2) distribution and stability analysis of the popular port numbers and those of the popular source IP subnets in scans. We further propose several schemes to distribute the alarms more evenly across the SFCs, and improve the resiliency against the failures or attacks. Evaluation based on one month of DShield firewall logs (600 million scan records) collected from over 2200 worldwide providers show that the resulting system, termed Cyber Disease DHT (CDDHT), can effectively fuse related alarms while distributing unrelated ones evenly among the SFCs. It significantly outperforms the traditional hierarchical approach when facing large amounts of diverse intrusion alerts.

Ming Liu,Zhi Xue,Xiangjian He

DOI: https://doi.org/10.1109/trustcom50675.2020.00026

2020-01-01

Abstract:The host-based intrusion detection system (HIDS) is an essential research domain of cybersecurity. HIDS examines log data of hosts to identify intrusive behaviors. The detection efficiency is a significant factor of HIDS. Traditionally, HIDS is often installed with a standalone mode. Training detection engines with a large amount of data on a single physical computer with limited computing resources may be time-consuming. Therefore, this paper offers a unified HIDS framework based on Spark and deployed in the Google cloud. The framework includes a unified machine learning pipeline to implement scalable and efficient HIDS.

Emre Erturk,Mayank Kumar

DOI: https://doi.org/10.48550/arXiv.1802.02359

2018-02-07

Abstract:First, this case study explores an Intrusion Detection System package called Snort (provided by Cisco Systems) in a cloud environment. Snort is an open source and highly scalable signature-based intrusion detection system. Here, Snort is deployed on Ubuntu Server 16.0.4 running on a virtual machine within a Microsoft Azure cloud system. This paper provides details on installing Snort on the virtual machine and configuring it for intrusion detection. The architecture here is based on a VM integrated IDS on Azure and demonstrates how a VM instance in the cloud can be secured through an IDS. Firewalls may be considered the first line of defense but they fail to secure systems from inside attacks. Next, two other areas (where Snort is less widely used) are briefly explored, namely library systems and mobile devices. Finally, this paper makes further recommendations on how a cloud network can be secured by distributed placement of the IDS and on each VM instances.

Cryptography and Security