Advances in Networks2013; 1(2): 26-33Published online June 10, 2013 ( 10.1...
Advances in Networks 2013; 1(2): 26-33 27software, networking, etc., attracts attackers to compromisemultiple VMs.In this ...
28 S. Uvaraj et al.: Secure Intrusion Detection and Attack Measure SelectionIn Virtual Network Systemsoptimal countermeasu...
Advances in Networks 2013; 1(2): 26-33 294.1. System Design OverviewThe proposed NICE framework is illustrated in Figure1....
30 S. Uvaraj et al.: Secure Intrusion Detection and Attack Measure SelectionIn Virtual Network SystemsA countermeasure poo...
Advances in Networks 2013; 1(2): 26-33 316.1. Security Performance AnalysisTo demonstrate the security performance of NICE...
32 S. Uvaraj et al.: Secure Intrusion Detection and Attack Measure SelectionIn Virtual Network SystemsFig 5. ROI evaluatio...
Advances in Networks 2013; 1(2): 26-33 33[13] S. Roschke, F. Cheng, and C. Meinel, “A new alertcorrelation algorithm based...
Upcoming SlideShare
Loading in...5

Secure intrusion detection and attack measure selection


Published on

Secure intrusion detection and attack measure selection

Published in: Education
1 Like
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Secure intrusion detection and attack measure selection

  1. 1. Advances in Networks2013; 1(2): 26-33Published online June 10, 2013 ( 10.11648/ intrusion detection and attack measure selectionin virtual network systemsS. Uvaraj 1, S. Suresh2, N. Kannaiya Raja31Arulmigu Meenakshi Amman College of Engineering, Kanchipuram2Sri Venkateswara College of Engineering, Kanchipuram3Defence Engineering College, EthiopiaEmail Uvaraj), Suresh), KannaiyaRaja)To cite this article:S. Uvaraj, S. Suresh, N. Kannaiya Raja, Secure Intrusion Detection and Attack Measure Selection in Virtual Network Systems. Advancesin Networks. Vol. 1, No. 2, 2013, pp. 26-33. doi: 10.11648/ Cloud security is one of most important issues that have attracted a lot of research and development effort inpast few years. Particularly, attackers can explore vulnerabilities of a cloud system and compromise virtual machines todeploy further large-scale Distributed Denial-of-Service (DDoS). DDoS attacks usually involve early stage actions such asmulti-step exploitation, low frequency vulnerability scanning, and compromising identified vulnerable virtual machines aszombies, and finally DDoS attacks through the compromised zombies. Within the cloud system, especially theInfrastructure-as a-Service (IaaS) clouds, the detection of zombie exploration attacks is extremely difficult. This is becausecloud users may install vulnerable applications on their virtual machines. To prevent vulnerable virtual machines frombeing compromised in the cloud, we propose a multi phase distributed vulnerability detection, measurement, andcountermeasure selection mechanism called NICE, which is built on attack graph based analytical models andreconfigurable virtual network-based countermeasures. The proposed framework leverages Open Flow networkprogramming APIs to build a monitor and control plane over distributed programmable virtual switches in order tosignificantly improve attack detection and mitigate attack consequences. The system and security evaluations demonstratethe efficiency and effectiveness of the proposed solution.Keywords: Performance of Systems, Computer Systems Organization, Network-Level Security and Protection, General,Communication/Networking and Information Technology1. IntroductionA recent Cloud Security Alliance (CSA) survey showsthat among all security issues, abuse and nefarious use ofcloud computing is considered as the top security threat[1],in which attackers can exploit vulnerabilities in clouds andutilize cloud system resources to deploy attacks. Intraditional data centers, where system administrators havefull control over the host machines, Vulnerabilities can bedetected and patched by the system administrator in acentralized manner. However, patching known securityholes in cloud data centers, where cloud users usually havethe privilege to control software installed on their managedVMs, may not work effectively and can violate the ServiceLevel Agreement (SLA).Furthermore, cloud users can install vulnerable softwareon their VMs, which essentially contributes to loopholes incloud security. The challenge is to establish an effectivevulnerability/attack detection and response system foraccurately identifying attacks and minimizing the impact ofsecurity breach to cloud users.In[2], M. Armbrust et al. addressed that protecting“Business continuity and services availability” fromservice outages is one of the top concerns in cloudcomputing systems. In a cloud system where theinfrastructure is shared by potentially millions of users,abuse and nefarious use of the shared infrastructurebenefits attackers to exploit vulnerabilities of the cloud anduse its resource to deploy attacks in more efficient ways[3].Such attacks are more effective in the cloud environmentsince cloud users usually share computing resources, e.g.,being connected through the same switch, sharing with thesame data storage and file systems, even with potentialattackers[4]. The similar setup for VMs in the cloud, e.g.,virtualization techniques, VM OS, installed vulnerable
  2. 2. Advances in Networks 2013; 1(2): 26-33 27software, networking, etc., attracts attackers to compromisemultiple VMs.In this paper, we propose Secure Intrusion Detection andAttack measure exquisite in Virtual Systems to establish adefense-in-depth intrusion detection framework. For betterattack detection, NICE incorporates attack graph analyticalprocedures into the intrusion detection processes. We mustnote that the design of NICE does not intend to improveany of the existing intrusion detection algorithms; indeed,NICE employs a reconfigurable virtual networkingapproach to detect and counter the attempts to compromiseVMs, thus preventing zombie VMs.In general, NICE includes two main phases: (1) deploy alightweight mirroring-based network intrusion detectionagent (NICE-A) on each cloud server to capture andanalyze cloud traffic. A NICE-A periodically scans thevirtual system vulnerabilities within a cloud server toestablish Scenario Attack Graph (SAGs), and then basedon the severity of identified vulnerability towards thecollaborative attack goals, NICE will decide whether or notto put a VM in network inspection state. (2) Once a VMenters inspection state, Deep Packet Inspection (DPI) isapplied, and/or virtual network reconfigurations can bedeployed to the inspecting VM to make the potential attackbehaviors prominent.The rest of paper is organized as follows. Section IIpresents the related work. Section III describes systemapproach and implementation. System models aredescribed in Section IV describes the approach tohardening the network in NICE. The proposed NICE ispresented in Section V and Section VI evaluates NICE interms of network performance and security. Finally,Section VII describes future work and concludes this paper.2. Related WorksThe contributions of NICE are presented as follows:We devise NICE, a new multi-phase distributed networkintrusion detection and prevention framework in a virtualnetworking environment that captures and inspectssuspicious cloud traffic without interrupting users’applications and cloud services.NICE incorporates a software switching solution toquarantine and inspect suspicious VMs for furtherinvestigation and protection. Through programmablenetwork approaches, NICE can improve the attackdetection probability and improve the resiliency to VMexploitation attack without interrupting existing normalcloud services.NICE employs a novel attack graph approach for attackdetection and prevention by correlating attack behavior andalso suggests effective countermeasures.NICE optimizes the implementation on cloud servers tominimize resource consumption. Our study shows thatNICE consumes less computational overhead compared toproxy-based network intrusion detection solutions.The area of detecting malicious behavior has been wellexplored. The work by Duan et al.[5] focuses on thedetection of compromised machines that have beenrecruited to serve as spam zombies. Their approach, SPOT,is based on sequentially scanning outgoing messages whileemploying a statistical method Sequential Probability RatioTest (SPRT), to quickly determine whether or not a hosthas been compromised. BotHunter[6] detects compromisedmachines based on the fact that a thorough malwareinfection process has a number of well defined stages thatallow correlating the intrusion alarms triggered by inboundtraffic with resulting outgoing communication patterns.BotSniffer[7] exploits uniform spatial-temporal behaviorcharacteristics of compromised machines to detect zombiesby grouping flows according to server connections andsearching for similar behavior in the flow.An attack graph is able to represent a series of exploits,called atomic attacks, that lead to an undesirable state, forexample a state where an attacker has obtainedadministrative access to a machine. There are manyautomation tools to construct attack graph. O. Sheyner etal.[8] proposed a technique based on a modified symbolicmodel checking NuSMV[9] and Binary Decision Diagrams(BDDs) to construct attack graph. Their model cangenerate all possible attack paths; however, the scalabilityis a big issue for this solution. P. Ammann et al.[10]introduced the assumption of monotonicity, which statesthat the precondition of a given exploit is never invalidatedby the successful application of another exploit. In otherwords, attackers never need to backtrack. With thisassumption, they can obtain a concise, scalable graphrepresentation for encoding attack tree. X. Ou et al.proposed an attack graph tool called MulVAL[11], whichadopts a logic programming approach and uses Dataloglanguage to model and analyze network system. IntrusionDetection System (IDS) and firewall are widely used tomonitor and detect suspicious events in the network.However, the false alarms and the large volume of rawalerts from IDS are two major problems for any IDSimplementations. In order to identify the source or target ofthe intrusion in the network, especially to detect multi-stepattack, the alert correction is a must-have tool. The primarygoal of alert correlation is to provide system support for aglobal and condensed view of network attacks by analyzingraw alerts[12]. Many attack graphs based alert correlationtechniques have been proposed recently. L. Wang et al.[13]devised an in-memory structure, called queue graph (QG),to trace alerts matching each exploit in the attack graph.However, the implicit correlations in this design make itdifficult to use the correlated alerts in the graph for analysisof similar attack scenarios. Roschke et al.[14] proposed amodified attack-graph-based correlation algorithm to createexplicit correlations only by matching alerts to specificexploitation nodes in the attack graph with multiplemapping functions, and devised an alert dependenciesgraph (DG) to group related alerts with multiple correlationcriteria. Several solutions have been proposed to select
  3. 3. 28 S. Uvaraj et al.: Secure Intrusion Detection and Attack Measure SelectionIn Virtual Network Systemsoptimal countermeasures based on the likelihood of theattack path and cost benefit analysis. A. Roy et al.[15]proposed an attack countermeasure tree (ACT) to considerattacks and countermeasures together in an attack treestructure.[16] Proposed a Bayesian attack graph (BAG) toaddress dynamic security risk management problem andapplied a genetic algorithm to solve countermeasureoptimization problem.3. Nice ModelsIn this section, we describe how to utilize attack graphsto model security threats and vulnerabilities in a virtualnetworked system, and propose a VM protection modelbased on virtual network reconfiguration approaches toprevent VMs from being exploited.3.1. Threat ModelIn our attack model, we assume that an attacker can belocated either outside or inside of the virtual networkingsystem. The attacker’s primary goal is to exploit vulnerableVMs and compromise them as zombies. Our protectionmodel focuses on virtual-network-based attack detectionand reconfiguration solutions to improve the resiliency tozombie explorations.Our work does not involve host-based IDS and does notaddress how to handle encrypted traffic for attackdetections. Our proposed solution can be deployed in anInfrastructure- s-a-Service (IaaS) cloud networking system,and we assume that the Cloud Service Provider (CSP) isbenign. We also assume that cloud service users are free toinstall whatever operating systems or applications.3.2. Attack Graph ModelAn attack graph is a modeling tool to illustrate allpossible multi-stage, multi-host attack paths that are crucialto understand threats and then to decide appropriatecountermeasures [17]. In an attack graph, each noderepresents either precondition or consequence of an exploit.Attack graph is helpful in identifying potential threats,possible attacks and known vulnerabilities in a cloudsystem.Definition 1 (Scenario Attack Graph). An Scenario AttackGraph is a tuple SAG= (V, E), where,• V = NC[ND[NR denotes a set of vertices thatinclude three types namely conjunction node NC torepresent exploit, disjunction node ND to denoteresult of exploit, and root node NR for showinginitial step of an attack scenario.• E = Epre [Epost denotes the set of directed edges.An edge e 2 Epre _ ND _ NC represents that NDmust be satisfied to achieve NC. An edge e 2 Epost_ NC _ ND means that the consequence shown byND can be obtained if NC is satisfied.Node vc NC is defined as a three tuple (Hosts; vul; alert)representing a set of IP addresses, vulnerability informationsuch as CVE[18], and alerts related to vc, respectively. NDbehaves like a logical OR operation and contains details ofthe results of actions.NR represents the root node of the scenario attack graph.For correlating the alerts, we refer to the approachdescribed in and define a new Alert Correlation Graph(ACG) to map alerts in ACG to their respective nodes inSAG. To keep track of attack progress, we track the sourceand destination IP addresses for attack activities.Definition 2 (Alert Correlation Graph).An ACG is a three tuple ACG = (A; E; P), where• A is a set of aggregated alerts. An alert a 2 A is adata structure (src; dst; cls; ts) representing sourceIP address, destination IP address, type of the alert,and timestamp of the alert respectively.• Each alert a maps to a pair of vertices (vc; vd) inSAG using map (a) function,• E is a set of directed edges representing correlationbetween two alerts• P is set of paths in ACG.Algorithm 1 Alert CorrelationRequire: alert ac , SAG, ACGif (ac is a new alert) then create node ac in ACGn1 ← vc 2 map (ac)for all n2 parent(n1) docreate edge (n2,alert,ac )for all Si containing a doif a is the last element in Si thenappend ac to Sielsecreate path Si + 1 ={ subset(Si a)a c}end ifend foradd ac to n1 alertend forend ifreturn SDefinition 3 (VM State). Based on the informationgathered from the network controller, VM states can bedefined as following:• Stable: there does not exist any known vulnerabilityon the VM.• Vulnerable: presence of one or more vulnerabilitieson a VM, which remains unexploited.• Exploited: at least one vulnerability has beenexploited and the VM is compromised.• Zombie: VM is under control of attacker.4. Nice System DesignIn this section, we first present the system designoverview of NICE and then detailed descriptions of itscomponents.
  4. 4. Advances in Networks 2013; 1(2): 26-33 294.1. System Design OverviewThe proposed NICE framework is illustrated in Figure1.It shows the NICE framework within one cloud servercluster. Major components in this framework aredistributed and light-weighted NICE-A on each physicalcloud server, a network controller, a VM profiling server,and an attack analyzer. The latter three components arelocated in a centralized control center connected tosoftware switches on each cloud server (i.e., virtualswitches built on one or multiple Linux software bridges).Fig 1. NICE framework within one cloud server cluster4.2. System ComponentsIn this section we explain each component of NICE.4.2.1. Nice-AThe NICE-A is a Network-based Intrusion DetectionSystem (NIDS) agent installed in either dom0 or domU ineach cloud server. It scans the traffic going through Linuxbridges that control all the traffic among VMs and in/outfrom the physical cloud servers. NICEA is a software agentimplemented in each cloud server connected to the controlcenter through a dedicated and isolated secure channel,which is separated from the normal data packets usingOpen Flow tunneling or VLAN approaches. The networkcontroller is responsible for deploying attackcountermeasures based on decisions made by the attackanalyzer.4.2.2. VM ProfilingVirtual machines in the cloud can be profiled to getprecise information about their state, services running,open ports, etc.VM profiles are maintained in a database and containcomprehensive information about vulnerabilities, alert andtraffic. The data comes from:Attack graph generator: while generating the attackgraph, every detected vulnerability is added to itscorresponding VM entry in the database.NICE-A: the alert involving the VM will be recorded inthe VM profile database.Network controller: the traffic patterns involving theVM are based on 5 tuples (source MAC address,destination MAC address, source IP address, destination IPaddress, protocol). We can have traffic pattern wherepackets emanate from a single IP and are delivered tomultiple destination IP addresses, and vice-versa.4.2.3. Attack AnalyzerThe major functions of NICE system are performed byattack analyzer, which includes procedures such as attackgraph construction and update, alert correlation andcountermeasure selection.The process of constructing and utilizing the ScenarioAttack Graph (SAG) consists of three phases: informationgathering, attack graph construction, and potential exploitpath analysis. With this information, attack paths can bemodeled using SAG.In summary, NICE attack graph is constructed based onthe following information:Cloud system information is collected from the nodecontroller and VM’s Virtual Interface (VIF) information.Virtual network topology and configuration informationis collected from the network controller, every VM’s IPaddress, MAC address, port information, and traffic flowinformation.Vulnerability information is generated by both ondemand vulnerability scanning.4.2.4. Network ControllerThe network controller is a key component to supportthe programmable networking capability to realize thevirtual network reconfiguration feature based on Open-Flow protocol[19]. In NICE, within each cloud server thereis a software switch, for example, Open vSwitch (OVS)[5],which is used as the edge switch for VMs to handle trafficin & out from VMs. The network controller is responsiblefor collecting network information of current Open Flownetwork and provides input to the attack analyzer toconstruct attack graphs.5. Mitigation and CountermeasuresIn this section, we present the methods for selecting thecountermeasures for a given attack scenario. Thecountermeasure serves the purpose of 1) protecting thetarget VMs from being compromised; and 2) making attackbehavior stand prominent so that the attackers’ actions canbe identified.5.1. Mitigation StrategiesBased on the security metrics defined in the previoussubsection, NICE is able to construct the mitigationstrategies in response to detected alerts. First, we define theterm countermeasure pool as follows:Definition 4 (Countermeasure Pool)
  5. 5. 30 S. Uvaraj et al.: Secure Intrusion Detection and Attack Measure SelectionIn Virtual Network SystemsA countermeasure pool CM = (cm1; cm2; cmn) is a setof countermeasures. Where• Cost is the unit that describes the expenses requiredto apply the countermeasure in terms of resourcesand operational complexity, and it is defined in arange from 1 to 5, and higher metric means highercost;• intrusiveness is the negative effect that acountermeasure brings to the Service LevelAgreement (SLA) and its value ranges from theleast intrusive (1) to the most intrusive (5), and thevalue of intrusiveness is 0 if the countermeasurehas no impacts on the SLA;• Condition is the requirement for the correspondingcountermeasure;• Effectiveness is the percentage of probabilitychanges of the node, for which this countermeasureis applied.Table 1. Possible Countermeasure TypesNo. Countermeasure Intrusiveness Cost1 Traffic redirection 3 32 Traffic isolation 4 23 Deep packet Inspection 3 34 Creating filtering rules 1 25 MAC address change 2 16 IP address change 2 17 Block port 4 18 Software patch 5 49 Quarantine 5 210 Network reconfiguration 0 511 Network topology change 0 55.2. Countermeasure SelectionAlgorithm 2 presents how to select the optimalcountermeasure for a given attack scenario. Input to thealgorithm is an alert, attack graph G, and a pool ofcountermeasures CM. The algorithm starts by selecting thenode vAlert that corresponds to the alert generated by aNICE-A. The countermeasure which when applied on anode gives the least value of ROI, is regarded as theoptimal countermeasure. Finally, SAG and ACG are alsoupdated before terminating the algorithm.Fig 2. Virtual network topology for security evaluationAlgorithm 2 Countermeasure SelectionRequire: Alert’s(E; V );CMLet vAlert = Source node of the Alertif Distance to Target(vAlert) > threshold thenUpdate ACGReturnend ifLet T = Descendant(vAlert) U vAlertSet Pr(vAlert) = 1Calculate Risk Prob(T)Let benefit[jTj; jCMj] = Øfor each t E T dofor each cm E CM doif cm:condition(t) thenPr(t) = Pr(t) (1-cm:effectiveness)Calculate Risk Prob(Descendant(t))benefit[t; cm] = Pr(target node): (7)end ifend forend forLet ROI[jTj; jCMj] = Øfor each t E T dofor each cm E CM doROI[t; cm]end forend forUpdate SAG and Update ACGreturn Select Optimal CM(ROI)Table 2. Vulnerabilities in the virtual networked systemHost Vulnerability Node CVEBaseScofeVM groupLICQ buffer overflow 10CVE2001-04390.75MS Video ActiveXStack buffer overflow5CVE2008-00150.93GNUC Library loaderflaw22CVE2010-38470.69AdminServerMS SMV serviceStack buffer overflow2CVE2008-40500.93GatewayserverOpenSSL usespredictable randomvariable15CVE2008-01660.78Heap corruption inOpenSSH4CVE2003-06931Improper cookieshandler in OpenSSH9CVE2007-47520.75MailserverRemote codeexecution in SMTP21CVE2004-08401Squid port scan 19CVE2001-10300.75WebserverWebDAVvulnerability in IIS13CVE2009-15350.766. Performance EvaluationIn this section we present the performance evaluation ofNICE. Our evaluation is conducted in two directions: thesecurity performance, and the system computing andnetwork reconfiguration overhead due to introducedsecurity mechanism.
  6. 6. Advances in Networks 2013; 1(2): 26-33 316.1. Security Performance AnalysisTo demonstrate the security performance of NICE, wecreated a virtual network testing environment consisting ofall the presented components of NICE.6.1.1. Environment and ConfigurationTo evaluate the security performance, a demonstrativevirtual cloud system consisting of public (public virtualservers) and private (VMs) virtual domains is establishedas shown in Figure 2. Cloud Servers 1 and 2 are connectedto Internet through the external firewall.6.1.2. Attack Graph and Alert CorrelationThe attack graph can be generated by utilizing networktopology and the vulnerability information, and it is shownin Figure 3. As the attack progresses, the system generatesvarious alerts that can be related to the nodes in the attackgraph. Creating an attack graph requires knowledge ofnetwork connectivity, running services and theirvulnerability information. This information is provided tothe attack graph generator as the input.Fig 3. Attack graph for the test network.Definition 5 (VM Security Index). VSI for a virtualmachine k is defined as V SIk = (Vk + Ek) =2, where• Vk is vulnerability score for VM k. The score is theexponential average of base score from eachvulnerability in the VM or a maximum 10, i.e., Vk= minf10; lnPeBaseScore (v) g.• Ek is exploitability score for VM k. It is theexponential average of exploitability score for allvulnerabilities or a maximum 10 multiplied by theratio of network services on the VM, i.e., basically,vulnerability score considers the base scores of allthe vulnerabilities on a VM. The base score depictshow easy it is for an attacker to exploit thevulnerability and how much damage it may incur.The exponential addition of base scores allows thevulnerability score to incline towards higher basescore values and increases in logarithm-scale basedon the number of vulnerabilities.Apart from calculating the benefit measurements, wealso present the evaluation based on Return of Investment(ROI) using (8) and represent a comprehensive evaluationconsidering benefit, cost and intrusiveness ofcountermeasure. Figure 5 shows the ROI evaluations forpresented countermeasures. Results show thatcountermeasures CM2 and CM8 on node 5 have themaximum benefit evaluation; however their cost andintrusiveness scores indicate that they might not be goodcandidates for the optimal countermeasure and ROIevaluation results confirm this. The ROI evaluationsdemonstrate that CM4 on node 5 is the optimal solution.Fig 4. Benefit evaluation chart
  7. 7. 32 S. Uvaraj et al.: Secure Intrusion Detection and Attack Measure SelectionIn Virtual Network SystemsFig 5. ROI evaluation chart6.2. NICE System PerformanceWe evaluate system performance to provide guidance onhow much traffic NICE can handle for one cloud serverand use the evaluation metric to scale up to a large cloudsystem. In a real cloud system, traffic planning is needed torun NICE, which is beyond the scope of this paper. Due tothe space limitation, we will investigate the researchinvolving multiple cloud clusters in the future.Fig 6. CPU utilization of NICE-A7. Conclusion and Future WorkIn this paper, we presented NICE, which is proposed todetect and mitigate collaborative attacks in the cloudvirtual networking environment. NICE utilizes the attackgraph model to conduct attack detection and prediction.The proposed solution investigates how to use theprogrammability of software switches based solutions toimprove the detection accuracy and defeat victimexploitation phases of collaborative attacks. The systemperformance evaluation demonstrates the feasibility ofNICE and shows that the proposed solution cansignificantly reduce the risk of the cloud system from beingexploited and abused by internal and external attackers.NICE only investigates the network IDS approach tocounter zombie explorative attacks. In order to improve thedetection accuracy, host-based IDS solutions are needed tobe incorporated and to cover the whole spectrum of IDS inthe cloud system. This should be investigated in the futurework. Additionally, as indicated in the paper, we willinvestigate the scalability of the proposed NICE solutionby investigating the decentralized network control andattack analysis model based on current study.References[1] Coud Sercurity Alliance, “Top threats to cloud computingv1.0,”,March 2010.[2] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. Katz, A.Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, andM. Zaharia, “A view of cloud computing,” Commun. ACM,vol. 53, no. 4, pp. 50–58, Apr. 2010.[3] B. Joshi, A. Vijayan, and B. Joshi, “Securing cloudcomputing environment against DDoS attacks,” inComputer Communication and Informatics (ICCCI), 2012International Conference on, Jan. 2012, pp. 1 –5.[4] H. Takabi, J. B. Joshi, and G. Ahn, “Security and privacychallenges in cloud computing environments,” IEEESecurity & Privacy, vol. 8, no. 6, pp. 24–31, Dec. 2010.[5] “Open vSwitch project,”, May 2012.[6] Z. Duan, P. Chen, F. Sanchez, Y. Dong, M. Stephenson,and J. Barker, “Detecting spam zombies by monitoringoutgoing messages,” Dependable and Secure Computing,IEEE Transactions on, vol. 9, no. 2, pp. 198 –210, Apr.2012.[6] G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee,“BotHunter: detecting malware infection through IDS-driven dialog correlation,” in Proceedings of 16th USENIXSecurity Symposium on USENIX Security Symposium, ser.SS’07. Berkeley, CA, USA: USENIX Association, 2007, pp.12:1–12:16.[7] G. Gu, J. Zhang, and W. Lee, “BotSniffer: detecting botnetcommand and control channels in network traffic,” inProceedings of 15th Ann. Network and Distributed SytemSecurity Symposium, ser. NDSS’08, 2008.[8] Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M. Wing,“Automated generation and analysis of attack graphs,” in2002 IEEE Symposium on Security and Privacy, 2002.Proceedings. IEEE, 2002, pp. 273– 284. “NuSMV: A newsymbolic model checker,”[9] S. H. Ahmadinejad, S. Jalili, and M. Abadi, “A hybridmodel for correlating alerts of known and unknown attackscenarios and updating attack graphs,” Computer Networks,vol. 55, no. 9, pp. 2221–2240, Jun. 2011.[10] X. Ou, S. Govindavajhala, and A. W. Appel, “MulVAL: alogicbased network security analyzer,” in Proceedings ofthe 14th conference on USENIX Security Symposium -Volume 14. Berkeley, CA, USA: USENIX Association,2005, pp. 8–8.[11] R. Sadoddin and A. Ghorbani, “Alert correlation survey:framework and techniques,” in Proceedings of the 2006International Conference on Privacy, Security and Trust:Bridge the Gap Between PST Technologies and BusinessServices, ser. PST ’06. New York, NY, USA: ACM, 2006,pp. 37:1–37:10.[12] L. Wang, A. Liu, and S. Jajodia, “Using attack graphs forcorrelating, hypothesizing, and predicting intrusion alerts,”Computer Communications, vol. 29, no. 15, pp. 2917–2933,Sep. 2006.
  8. 8. Advances in Networks 2013; 1(2): 26-33 33[13] S. Roschke, F. Cheng, and C. Meinel, “A new alertcorrelation algorithm based on attack graph,” inComputational Intelligence in Security for InformationSystems, ser. Lecture Notes in Computer Science. Springer,2011, vol. 6694, pp. 58–67.[14] Roy, D. S. Kim, and K. Trivedi, “Scalable optimalcountermeasure selection using implicit enumeration onattack countermeasure trees,” in Dependable SystemsNetworks (DSN), 2012 IEEE/IFIP 42st InternationalConference on, 2012.[15] N. Poolsappasit, R. Dewri, and I. Ray, “Dynamic securityrisk management using bayesian attack graphs,”Dependable and Secure Computing, IEEE Transactions on,vol. 9, no. 1, pp. 61 –74, Feb. 2012.[16] Open Networking Fundation, “Software-defined networking:The new norm for networks,” ONF White Paper, April 2012.“Openflow.” [Online]. Available:[17] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L.Peterson, J. Rexford, S. Shenker, and J. Turner, “OpenFlow:enabling innovation in campus networks,” SIGCOMMComput. Commun. Rev., vol. 38, no. 2, pp. 69–74, Mar.2008.[18] E. Keller, J. Szefer, J. Rexford, and R. B. Lee, “NoHype:virtualized cloud infrastructure without the virtualization,”in Proceedings of the 37th annual international symposiumon Computer architecture,ser. ISCA ’10. New York, NY,USA: ACM, 2010, pp. 350–361.[19] X. Ou, W. F. Boyer, and M. A. McQueen, “A scalableapproach to attack graph generation,” in Proceedings of the13th ACM conference on Computer and communicationssecurity, ser. CCS ’06. New York, NY, USA: ACM, 2006,pp. 336–345.Mitre Corporation, “Common vulnerabilitiesand exposures, CVE,”