Cloudslam09: Building a Cloud Computing Analysis System for Intrusion Detection
To cope with the huge amount of anomaly information generated by an Intrusion Detection System (IDS), this paper presents and evaluates a log analysis system for IDS built on cloud computing techniques, named the IDS Cloud Analysis System (ICAS). Two basic components have to be designed to achieve this. The first is the Regular Parser, which normalizes the raw log files. The other is the Analysis Procedure, which contains the Data Mapper and the Data Reducer: the Data Mapper anatomizes alert messages and the Data Reducer aggregates and merges them. The paper shows that the performance of ICAS is suitable for analyzing and reducing large volumes of alerts.
  • Hello everybody, I am Wei-Yu Chen; the other one is Yao-Tsung Wang. We are employed by NCHC in beautiful Taiwan. I am very glad to present the talk “Building a Cloud Computing Analysis System for Intrusion Detection System”, which is about using cloud computing techniques to solve a security issue. Because this session is the last session, I will introduce this talk as quickly as possible.
  • Transcript

    • 1. Building a Cloud Computing Analysis System for Intrusion Detection System. Date: 4/14/09. Wei-Yu Chen, Yao-Tsung Wang, National Center for High-Performance Computing, Taiwan. {waue,jazz}@nchc.org.tw
    • 2. Taiwan Introduction
    • 3. NCHC Introduction (National Center for High-performance Computing)
      - The NCHC is responsible for Taiwan's cyberinfrastructure and for R&D in HPC and networking applications
      - 3 business units located in science parks to support the local high-tech industry
      - The NCHC integrates information, engineering and scientific disciplines
      - The NCHC provides computing, networking and storage services
    • 4. Outline
      - Motivation
      - The IDEA
      - Architecture
      - Procedure
      - Results
      - Pros and Cons
      - Conclusions
    • 5. Current Situation of IDS
      - Intrusion Detection System (IDS)
        - Detects unwanted attempts to access, manipulate or disable computer systems over the Internet
      - IDS detection rate
        - "false positive"
        - "false negative"
      - Accuracy = the top mission of an IDS?
    • 6. Alerts
      - An alert is produced when the IDS detects something as malicious
      - Two methods of alert storage
        - Text log -> terrible
        - Database -> most common
    • 7. What's the problem with alerts?
      - Enormous data -> less efficient
      - Crucial information is easily ignored
      - Nothing is left if the database crashes
    • 8. Our Motivation
      - To resolve the above problems that come with the huge amount of anomaly information generated by an IDS
    • 9. Our IDEA - ICAS
      - ICAS: IDS Cloud Analysis System
      - Applies cloud computing techniques
      - Improves analysis performance by
        - reducing redundancy
        - merging related alerts
    • 10. System Architecture ICAS Overview
    • 11. System Architecture: Snort
      - Snort is an open source network intrusion prevention and detection system
      - The most widely deployed intrusion detection technology
    • 12. System Architecture: Hadoop
      - Apache Hadoop Core is a software platform that lets one easily write and run applications that process vast amounts of data
      - Inspired by Google's MapReduce and Google File System (GFS) papers
      - Implements MapReduce and the Hadoop Distributed File System (HDFS)
      - Operates on <key, value> pairs
    • 13. System Architecture: HBase
      - HBase is the Hadoop database
      - An open-source, distributed, column-oriented store modeled after the Google BigTable paper
    • 14. System Architecture: Four Components
      - Regular Parser
        - Parses the original Snort log and transfers it to HDFS (the Hadoop file system)
      - Analysis Procedure
        - Dispatches a job if the pool is not empty and inserts the result into the database
      - Data Mapper
        - <key, value> mapping
      - Data Reducer
        - <"key1", value1 ... valueN>
        - <"key2", value1 ... valueN>
    • 15. Program Procedure
    • 16. Alert Integration Procedure
    • 17. Key - Values (alert fields)
      - Destination IP: the victim IP address
      - Attack signature: a unique ID used to identify the attack method in the Snort rules
      - Timestamp: the time when the attack was launched
      - Protocol: the TCP/IP protocol
      - Source port: the port the attack was launched from
      - Destination port: the victim port
      - Source IP: the IP address from which the attacker launched the attack
    • 18. Alert Merge Example
      Raw alerts (input):
        Destination IP | Attack Signature | Source IP | Destination Port | Source Port | Protocol | Timestamp
        Host_1 | Trojan   | Sip1 | 80  | 4077 | tcp | T1
        Host_1 | Trojan   | Sip2 | 80  | 4077 | tcp | T2
        Host_1 | Trojan   | Sip1 | 443 | 5002 | tcp | T3
        Host_2 | Trojan   | Sip1 | 443 | 5002 | tcp | T4
        Host_3 | D.D.O.S. | Sip3 | 53  | 6007 | udp | T5
        Host_3 | D.D.O.S. | Sip4 | 53  | 6008 | tcp | T5
        Host_3 | D.D.O.S. | Sip5 | 53  | 6007 | udp | T5
        Host_3 | D.D.O.S. | Sip6 | 53  | 6008 | tcp | T5
      Merged alerts (output), key = (Destination IP, Attack Signature):
        Key              | Source IPs             | Protocol | Destination Ports | Timestamps | Source Ports
        Host_1, Trojan   | Sip1, Sip2             | tcp      | 80, 443           | T1, T2, T3 | 4077, 5002
        Host_2, Trojan   | Sip1                   | tcp      | 443               | T4         | 5002
        Host_3, D.D.O.S. | Sip3, Sip4, Sip5, Sip6 | tcp, udp | 53                | T5         | 6007, 6008
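The parse-map-reduce procedure of slides 14, 17 and 18 in working form, as an added example rather than the ICAS code itself. The regular-parser step reads Snort's plain-text alert_fast format, the mapper keys each alert on (victim IP, Snort SID), and the reducer merges all values of a key into de-duplicated field lists, exactly as the slide 18 table does. Hadoop's shuffle/sort between the map and reduce phases is replaced by an in-memory stand-in, and the sample alert lines, IP addresses and SIDs are constructed to mirror Host_1, Host_2 and Host_3 on slide 18.

```python
"""Constructed example of the ICAS alert merge: parse -> map -> reduce.

Not the original ICAS (Hadoop/Java) code. Sample alerts, IPs and SIDs are invented.
"""
import re
from collections import defaultdict

# Snort "alert_fast" line: timestamp [**] [gid:sid:rev] msg [**] [...] {PROTO} sip:sport -> dip:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<sip>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dip>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed input: four Trojan alerts and four DDoS alerts plus one non-alert line.
SAMPLE_ALERTS = """\
04/14-10:00:01.000000  [**] [1:2001:3] TROJAN example beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.1:4077 -> 192.168.1.1:80
04/14-10:00:02.000000  [**] [1:2001:3] TROJAN example beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.2:4077 -> 192.168.1.1:80
04/14-10:00:03.000000  [**] [1:2001:3] TROJAN example beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.1:5002 -> 192.168.1.1:443
04/14-10:00:04.000000  [**] [1:2001:3] TROJAN example beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.1:5002 -> 192.168.1.2:443
04/14-10:00:05.000000  [**] [1:3003:1] DDOS example flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 10.0.0.3:6007 -> 192.168.1.3:53
04/14-10:00:05.000000  [**] [1:3003:1] DDOS example flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.0.0.4:6008 -> 192.168.1.3:53
04/14-10:00:05.000000  [**] [1:3003:1] DDOS example flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 10.0.0.5:6007 -> 192.168.1.3:53
04/14-10:00:05.000000  [**] [1:3003:1] DDOS example flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.0.0.6:6008 -> 192.168.1.3:53
this line is not an alert and must be skipped by the parser
"""

# Value fields carried per alert, in the order the merged table on slide 18 reports them.
FIELDS = ("source_ips", "dest_ports", "source_ports", "protocols", "timestamps")


def parse_alert(line):
    """Regular Parser step: normalise one raw log line into a dict, or None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = rec["proto"].lower()  # slide 18 writes protocols as tcp/udp
    return rec


def mapper(lines):
    """Data Mapper: yield (key, value) with key = (victim IP, Snort SID)."""
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue  # banners, malformed lines, alerts without ports
        key = (rec["dip"], rec["sid"])
        value = (rec["sip"], rec["dport"], rec["sport"], rec["proto"], rec["ts"])
        yield key, value


def shuffle(pairs):
    """In-memory stand-in for Hadoop's shuffle/sort: group values by key."""
    grouped = defaultdict(list)
    for key, value in pairs:
        grouped[key].append(value)
    return grouped


def reducer(key, values):
    """Data Reducer: aggregate every value of one key into ordered, de-duplicated lists."""
    merged = {field: [] for field in FIELDS}
    merged["count"] = 0  # number of raw alerts folded into this row
    for value in values:
        merged["count"] += 1
        for field, item in zip(FIELDS, value):
            if item not in merged[field]:
                merged[field].append(item)
    return key, merged


def merge_alerts(lines):
    """Run the whole procedure and return {key: merged-row}."""
    return {key: reducer(key, values)[1] for key, values in shuffle(mapper(lines)).items()}


if __name__ == "__main__":
    for (dip, sid), row in sorted(merge_alerts(SAMPLE_ALERTS.splitlines()).items()):
        print(f"{dip} sid={sid}: {row['count']} alerts ->",
              ", ".join(f"{f}={row[f]}" for f in FIELDS))
```

Nine input lines collapse to three merged rows; the first row shows why the key must include the signature and not just the victim: two Trojan alerts against different hosts from the same source stay separate, while different sources hitting the same host with the same signature fold together.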
    • 19. Experiment Environment
      - Machine
        - CPU: Intel quad-core, Memory: 2 GB
        - OS: Linux, Ubuntu 8.04 server
      - Software
        - Hadoop: core 0.16.4
        - HBase: 0.1.3
        - Java: 6
      - Alert data sets
        - MIT Lincoln Laboratory, Lincoln Lab data sets
        - Computer Security group at UC Davis, tcpdump file
    • 20. Experimental Result The Consuming Time of Each Number of Data Sets
    • 21. Experimental Result Throughput Data Overall
    • 22. Pros & Cons
      - Pros
        - Legible
        - Efficient
        - Scalable
        - Economical
        - Reliable
      - Cons
        - Non-realtime
        - Latency
        - Immature
    • 23. Conclusions vs. Future Works
      - ICAS supplies an efficient way to analyze and merge a huge number of alerts on a cloud platform
      - Future work
        - Include more IDS logs
        - Present the final result graphically
        - Prepare a larger-scale and more complete experiment
    • 24. Thank You! & Questions? Date: 4/14/09