This chapter concludes the thesis by summarizing the motivation, the methodology and the performance of the proposed mechanism, and then outlines work that could be studied in the future.
5.1. Conclusion
With the advent of cloud computing, a number of issues have been discussed, and security is an important one among them. This thesis concentrates on intrusion detection: it studies how to deploy intrusion detection systems (IDSs) in the cloud and how to make them cooperate with each other to provide a more secure solution.
A two-phase collaborative mechanism is proposed to enhance security in the cloud. The first phase constructs the trust management model. This model is designed to establish trust relationships between the IDSs and is built in three steps: sending test messages, encouraging replies, and considering the transitivity of trust. With these steps, an IDS can evaluate trust values for the others, and each IDS is encouraged to provide benign feedback when communicating. The second phase is collaboration. The trust values between systems, derived in the first phase, are used to strengthen the quality of collaboration. There are two ways to collaborate: alert correlation and symptom sharing. With alert correlation, an IDS can derive a more precise ranking of suspicious symptoms; with symptom sharing, an IDS can detect attacks it has not encountered before. Both increase the performance of the IDSs by making them share information with each other.
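The following toy simulation is an added illustration of the two phases described above; it is not code from the thesis. The concrete formulas are assumptions chosen for readability rather than the thesis's definitions: direct trust is the fraction of a peer's replies to test messages that agree with the sender's own verdict, transitive trust is the trust-weighted average of what directly trusted peers report about an untested node, and alert correlation is a trust-weighted vote over peers' verdicts. The "encouraging replies" step is not modelled. The node names, symptom names and signature bases are constructed for the example.

```python
"""Toy simulation of a trust-managed collaborative IDS network.

Added illustration only. The trust and voting formulas below are assumptions
made for this example, not the thesis's own definitions.
"""
from dataclasses import dataclass, field

# Constructed ground truth: 1 = malicious symptom, 0 = benign activity.
GROUND_TRUTH = {
    "port_scan": 1, "ssh_bruteforce": 1, "sql_injection": 1,
    "dns_lookup": 0, "http_get": 0, "ntp_sync": 0,
}


@dataclass
class IDSNode:
    name: str
    # Symptoms this node's signature base can classify (stands in for IDS type).
    knowledge: dict
    honest: bool = True
    trust: dict = field(default_factory=dict)   # peer name -> trust in [0, 1]
    tests: dict = field(default_factory=dict)   # peer name -> [sent, correct]

    def classify(self, symptom):
        """Reply to a query: 1 (malicious), 0 (benign) or None (cannot classify).
        A dishonest node deliberately inverts every verdict it knows."""
        verdict = self.knowledge.get(symptom)
        if verdict is None:
            return None
        return verdict if self.honest else 1 - verdict


def send_test_messages(sender, peers):
    """Phase 1, step 1: query each peer with symptoms whose verdict the sender
    already knows; direct trust = fraction of replies matching that verdict."""
    for peer in peers:
        if peer is sender:
            continue
        sent = correct = 0
        for symptom, truth in sender.knowledge.items():
            reply = peer.classify(symptom)
            if reply is None:          # peer cannot classify; not held against it
                continue
            sent += 1
            correct += int(reply == truth)
        if sent:
            sender.tests[peer.name] = [sent, correct]
            sender.trust[peer.name] = correct / sent


def transitive_trust(sender, target, peers):
    """Phase 1, step 3: trust in a node the sender never tested directly is the
    trust-weighted average of the direct trust its trusted peers hold in it."""
    if target.name in sender.trust:
        return sender.trust[target.name]
    num = den = 0.0
    for peer in peers:
        w = sender.trust.get(peer.name, 0.0)
        if peer is target or w == 0.0 or target.name not in peer.trust:
            continue
        num += w * peer.trust[target.name]
        den += w
    return num / den if den else 0.0


def correlate(sender, symptom, peers):
    """Phase 2: trust-weighted vote on a symptom. The score (0..1) ranks how
    suspicious the symptom is; symptoms unknown to the sender are learned from
    trusted peers (symptom sharing), while untrusted replies carry no weight."""
    score = weight = 0.0
    for peer in peers:
        if peer is sender:
            continue
        reply = peer.classify(symptom)
        if reply is None:
            continue
        w = transitive_trust(sender, peer, peers)
        score += w * reply
        weight += w
    return score / weight if weight else 0.0


def build_network():
    """Constructed four-node network: three honest IDSs with partly disjoint
    signature bases (A and C share nothing, B overlaps both) and one dishonest
    node D that knows everything but always lies."""
    a = IDSNode("A", {"ssh_bruteforce": 1, "ntp_sync": 0})
    b = IDSNode("B", {"ssh_bruteforce": 1, "ntp_sync": 0, "port_scan": 1, "dns_lookup": 0})
    c = IDSNode("C", {"port_scan": 1, "dns_lookup": 0, "sql_injection": 1})
    d = IDSNode("D", dict(GROUND_TRUTH), honest=False)
    return [a, b, c, d]


def run_demo():
    nodes = build_network()
    for node in nodes:
        send_test_messages(node, nodes)
    a, b, c, d = nodes
    return {
        "A_trusts_B": a.trust["B"],                                  # 1.0
        "A_trusts_D": a.trust["D"],                                  # 0.0
        "A_trusts_C_transitively": transitive_trust(a, c, nodes),    # 1.0 via B
        "A_ranks_sql_injection": correlate(a, "sql_injection", nodes),  # 1.0
        "A_ranks_dns_lookup": correlate(a, "dns_lookup", nodes),        # 0.0
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value:.2f}")
```

Node A never tested C directly (their signature bases do not overlap), yet it ends up trusting C through B and therefore accepts C's verdict on `sql_injection`, an attack A itself cannot recognise; the dishonest node D, exposed by the test messages, is outvoted with zero weight.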
Finally, a simulation environment is designed with IDS simulators (OSSEC, snort and bro) and an event generator (malicious attacks or normal activities). The proposed mechanism eliminates the difference in trust value between different types of simulators in both the honest and the dishonest environment. Observing the average detection accuracy in the honest environment, it is 4%, 9% and 15% better for OSSEC, snort and bro respectively than the non-cooperation condition, while the improvement is 2%, 2% and 2% with Fung et al. The detection accuracy can be increased to 98%. Although the detection accuracy decreases in the dishonest environment because of the dishonest nodes, it still performs as well as Fung et al. and non-cooperation do in the honest environment. This holds even when 90% of the nodes are dishonest, provided the remaining honest nodes are all of different types.
5.2. Future work
A number of issues could be addressed in the future. For instance, the mechanism could be modified to handle how a node detects that another node merely sends fake responses to it, or how the mechanism handles a node that behaves normally but sends out fake symptoms to confuse others. The false alarm rate should also be considered in the simulation. Moreover, how the mechanism works with actual IDSs is an interesting issue.
References
[1] A. Abdul-Rahman, S. Hailes, “A Distributed Trust Model,” Proceedings of the 1997 Workshop on New Security Paradigms, 1997
[2] U. Aickelin, P. Bentley, S. Cayzer, J. Kim, J. McLeod, “Danger Theory: The Link between AIS and IDS,” Lecture Notes in Computer Science, Vol. 2787, pp. 147-155, 2003
[3] M. Armbrust, et al., “Above the Clouds: A Berkeley View of Cloud Computing,” Technical Report No. UCB/EECS-2009-28, University of California at Berkeley, USA, 2009
[4] C. R. Attanasio, “Virtual machines and data security,” Proceedings of the Workshop on Virtual Computer Systems, New York, USA, ACM, pp. 206-209, 1973
[5] G. Casella, R. L. Berger, “Statistical Inference,” New Delhi: Wadsworth, 2nd edition, 2002
[6] T. Crothers, “Implementing Intrusion Detection Systems: A Hands-On Guide for Securing the Network,” Wiley Publishing Inc., Indiana, 2003
[7] H. Debar, D. Curry, and B. Feinstein, “RFC 4765 - The Intrusion Detection Message Exchange Format (IDMEF),” Internet draft, IETF, 2007
[8] H. T. Elshoush and I. M. Osman, “Alert correlation in collaborative intelligent intrusion detection systems - A survey,” Applied Soft Computing, article in press, 2010
[9] C. J. Fung, O. Baysal, J. Zhang, I. Aib, and R. Boutaba, “Trust Management for Host-based Collaborative Intrusion Detection,” Lecture Notes in Computer Science, Vol. 5273, pp. 109-122, 2008
[10] J. Koziol, L. Bump, J. Waston, “Intrusion Detection with Snort,” Sams Publishing, USA, 2003
[11] R. L. Krutz, and R. D. Vines, “Cloud Security: A Comprehensive Guide to Secure Cloud Computing,” Wiley Publishing, Inc., Indiana, 2010
[12] M. Laureano, C. Maziero, and E. Jamhour, “Protecting host-based intrusion detectors through virtual machines,” Computer Networks, Vol. 51, No. 5, pp. 1275-1283, 2007
[13] P. Mell, and T. Grance, “The NIST Definition of Cloud Computing,” National Institute of Standards and Technology (NIST), Vol. 53, Issue 6, pp. 50, 2009
[14] B. Morin, et al., “A logic-based model to support alert correlation in intrusion detection,” Information Fusion, Vol. 10, Issue 4, pp. 285-299, 2009
[15] S. Subashini, V. Kavitha, “A survey on security issues in service delivery models of cloud computing,” Journal of Network and Computer Applications, Vol. 34, Issue 1, pp. 1-11, 2011
[16] A. N. Toosi, and M. Kahani, “A new approach to intrusion detection based on an evolutionary soft computing model using neuro-fuzzy classifiers,” Computer Communications, Vol. 30, Issue 10, pp. 2201-2212, 2007
[17] S. X. Wu, W. Banzhaf, “The use of computational intelligence in intrusion detection systems: A review,” Applied Soft Computing, Vol. 10, Issue 1, pp. 1-35, 2010
[18] D. Xu, and P. Ning, “Correlation Analysis of Intrusion Alerts,” Intrusion Detection Systems, Series on Advances in Information Security, Vol. 38, pp. 65-92, 2008
[19] J. Zhang, and R. Cohen, “Trusting advice from other buyers in e-marketplaces: the problem of unfair ratings,” ICEC '06 Proceedings of the 8th International Conference on Electronic Commerce: The new e-commerce: innovations for conquering current barriers, obstacles and limitations to conducting successful business on the internet, New York, USA, 2006
[20] C. V. Zhou, C. Leckie, and S. Karunasekera, “A survey of coordinated attacks and collaborative intrusion detection,” Computers & Security, Vol. 29, Issue 1, pp. 124-140, 2010
[21] C. V. Zhou, C. Leckie, and S. Karunasekera, “Decentralized multi-dimensional alert correlation for collaborative intrusion detection,” Journal of Network and Computer Applications, Vol. 38, Issue 5, pp. 1106-1123, 2009
[22] C. V. Zhou, S. Karunasekera and C. Leckie, “Evaluation of a Decentralized Architecture for Large Scale Collaborative Intrusion Detection,” Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management, Munich, Germany, 2007
[23] U. Zurutuza, and R. Uribeetxeberria, “Intrusion detection alarm correlation: a survey,” Proceedings of the IADAT International Conference on Telecommunications and Computer Networks, Donostia, Spain, 2004
[24] Home of OSSEC, http://www.ossec.net/
[25] Home of snort, http://www.snort.org/
[26] Home of bro, http://www.bro-ids.org/