CLOUD-BASED IDS ARCHITECTURES
APPLYING THE IDS APPROACHES INTO THE CLOUD ENVIRONMENT

By M. EL ALLOUSSI (@halloussi)
Speaker notes
  • This is an oversimplification of the cloud security issues, but it is definitely correct at a high level: there is only so much you can do to improve security if you use a software-as-a-service (SaaS) provider who is hell-bent on not supporting your security requirements.
  • Source: CSA standard slide. This is where the mysteries of PCI in the cloud start to come to life: especially note those yellow boxes with the word JOINT (which, sadly, often means finger pointing and glaring security holes). Also note that for cloud security (and for cloud payment security, as well as PCI) you will have to trust the provider with regard to physical security.
  • It is funny that this view of the world and of the cloud also has a hidden implication: if your neighbor is hacked in a traditional environment, you have perfectly good grounds for saying "I don't care." But in the case of shared infrastructure (the cloud!), being able to say that becomes more and more rare, or more and more risky.
  • https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
    "The purpose of this document, 'Top Threats to Cloud Computing', is to provide needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies. In essence, this threat research document should be seen as a companion to 'Security Guidance for Critical Areas in Cloud Computing'. As the first deliverable in the CSA's Cloud Threat Initiative, the 'Top Threats' document will be updated regularly to reflect expert consensus on the probable threats which customers should be concerned about. There has been much debate about what is 'in scope' for this research. We expect this debate to continue and for future versions of 'Top Threats to Cloud Computing' to reflect the consensus emerging from those debates. While many issues, such as provider financial stability, create significant risks to customers, we have tried to focus on issues we feel are either unique to or greatly amplified by the key characteristics of Cloud Computing and its shared, on-demand nature. We identify the following threats in our initial document:
      Abuse and Nefarious Use of Cloud Computing
      Insecure Application Programming Interfaces
      Malicious Insiders
      Shared Technology Vulnerabilities
      Data Loss/Leakage
      Account, Service & Traffic Hijacking
      Unknown Risk Profile
    The threats are not listed in any order of severity. Our advisory committee did evaluate the threats and each committee member provided a subjective ranking of the threats. The exercise helped validate that our threat listing reflected the critical threat concerns of the industry, however the cumulative ranking did not create a compelling case for a published ordered ranking, and it is our feeling that greater industry participation is required to take this step. The only threat receiving a consistently lower ranking was Unknown Risk Profile, however the commentary indicated that this is an important issue that is simply more difficult to articulate, so we decided to retain this threat and seek to further clarify it in future editions of the report."
  • ENISA risk definitions:
    LOSS OF GOVERNANCE: in using cloud infrastructures, the client necessarily cedes control to the Cloud
    LOCK-IN: there is currently little on offer in the way of tools, procedures or standard data formats
    ISOLATION FAILURE: multi-tenancy and shared resources are defining characteristics of cloud computing
    COMPLIANCE RISKS: investment in achieving certification (e.g., industry standard or regulatory
    MANAGEMENT INTERFACE COMPROMISE: customer management interfaces of a public cloud provider
    DATA PROTECTION: cloud computing poses several data protection risks for cloud customers and providers.
    INSECURE OR INCOMPLETE DATA DELETION: when a request to delete a cloud resource is made, as with most
    MALICIOUS INSIDER: while usually less likely, the damage which may be caused by malicious insiders is
Slide 2: Summary
1. Cloud Computing: Definition and Trends
2. Security in the Cloud Computing: Barriers to adoption?
3. Intrusion Detection Systems
4. Application of IDS in the Cloud Environment
5. Conclusion

Slide 3: Definition of Cloud Computing (NIST)
"Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Slide 4: 5 Essential Cloud Characteristics
1. On-demand self-service
2. Broad network access
3. Resource pooling (location independence)
4. Rapid elasticity
5. Measured service

Slide 5: 3 Cloud Service Models
1. Cloud Software as a Service (SaaS): use the provider's applications over a network
2. Cloud Platform as a Service (PaaS): deploy customer-created applications to a cloud
3. Cloud Infrastructure as a Service (IaaS): rent processing, storage, network capacity, and other fundamental computing resources

Slide 6: 4 Cloud Deployment Models
• Private cloud: enterprise owned or leased
• Community cloud: shared infrastructure for a specific community
• Public cloud: sold to the public, mega-scale infrastructure
• Hybrid cloud: composition of two or more clouds

Slide 7: All of this TOGETHER: The Cloud
• Deployment models: Private cloud, Community cloud, Public cloud, Hybrid clouds
• Service models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
• Essential characteristics: On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, Measured service
• Common characteristics: Massive scale, Resilient computing, Homogeneity, Geographic distribution, Virtualization, Service orientation, Low-cost software, Advanced security

Slide 8: And security? Are there Cloud security issues?

Slide 9: Security: Barrier to Adoption?

Slide 10: Companies are still afraid to use clouds

Slide 11: What is Different about Cloud?

Slide 12: What is Different about Cloud?
Service owner of each layer, per service model:

Layer         SaaS       PaaS       IaaS
Data          Joint      Tenant     Tenant
Application   Joint      Joint      Tenant
Compute       Provider   Joint      Tenant
Storage       Provider   Provider   Joint
Network       Provider   Provider   Joint
Physical      Provider   Provider   Provider

Slide 13: Traditional systems security vs Cloud Computing Security
• Securing a house. Biggest user concerns: securing the perimeter, checking for intruders.
• Securing a motel. Biggest user concern: securing the room against the bad guy in the next room, or the hotel

Slide 15: Cloud "Threats" (CSA)
1. Abuse & Nefarious Use of Cloud Computing
2. Insecure Interfaces & APIs
3. Malicious Insiders
4. Shared Technology Issues
5. Data Loss or Leakage
6. Account or Service Hijacking
7. Unknown Risk Profile

Slide 16: Cloud Risks (ENISA)
1. Loss of governance
2. Lock-in
3. Isolation failure
4. Compliance risks
5. Management interface compromise
6. Data protection
7. Insecure or incomplete data deletion
8. Malicious insider

Slide 17: Who is the attacker?
Insider?
• Malicious employees at the client
• Malicious employees at the Cloud provider (or the Cloud provider itself)
Outsider?
• Intruders
• Network attackers

Slide 18: Intrusion Detection Systems?

Slide 19: IDS OVERVIEW
• Intrusion Detection System (IDS): a system that monitors a network or host for suspicious activity and alerts the administrator of the system or network.
• 3 approaches:
  • Network Intrusion Detection Systems (NIDS)
  • Host Intrusion Detection Systems (HIDS)
  • Virtual Machine Intrusion Detection Systems (VM-IDS)
• 2 techniques:
  • Statistical anomaly based (Behavioral)
  • Signature based (Scenario)

Slide 20: Architecture of an IDS
Diagram: normal internal users, internal intruders, normal external users and external users all generate activity seen by the sensors; the analyser applies classification, clustering and data mining to the sensor data and decides on package actions.
• The sensor collects information on the evolution of the state of the system and provides a sequence of events that reflect this evolution.
• The analyzer determines which part, fitting a pattern of events provided by the sensor, is characteristic of malicious activity.
• The manager collects the alerts received from the analyzer and presents them to the operator for further action.

Slide 21: The IDS Matrix diagram

                TRUE                                       FALSE
POSITIVE        True-Positive                              False-Positive
                (rule matched and attack present)          (rule matched and no attack present)
NEGATIVE        True-Negative                              False-Negative
                (no rule matched and no attack present)    (no rule matched and attack present)

Slide 22: Behavioral approach
Types of monitoring systems: Host-based IDS, Network-based IDS. Analysis types: Scenario approach, Behavior approach.
• Phase 1: Training. Build a model of normal behavior (traffic, system performance, memory performance, ...).
• Phase 2: Detection. Real activities are compared with the model: activity that does not deviate is normal behavior; activity that deviates is a possible attack.
+++ The ability to detect new attacks.
--- Many false positives, because new legitimate activities can look like attacks.
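As an added worked example (not code from the deck), the two phases above in Python, with the result tallied into the IDS matrix of the previous slide: a baseline of constructed measurements (packets per second, CPU, memory) is summarised into a model of normal behaviour, live samples are scored by how many standard deviations they deviate, and anything beyond the threshold is a possible attack. The feature set, the 3-sigma threshold and every measurement are assumptions made for the illustration.

```python
"""Behavioral (anomaly) IDS in two phases: train a model of normal
behaviour, then flag live samples that deviate from it, and score the
result with the IDS matrix. Added example; all numbers are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed feature set: traffic rate, CPU load and memory use of one host.
FEATURES = ("pkts_per_s", "cpu_pct", "mem_pct")


@dataclass(frozen=True)
class Sample:
    pkts_per_s: float
    cpu_pct: float
    mem_pct: float


@dataclass(frozen=True)
class NormalModel:
    means: dict[str, float]
    stdevs: dict[str, float]


def train(baseline: list[Sample]) -> NormalModel:
    """Phase 1 (training): summarise each feature as mean and stdev."""
    if len(baseline) < 2:
        raise ValueError("need at least two baseline samples")
    return NormalModel(
        means={f: mean(getattr(s, f) for s in baseline) for f in FEATURES},
        stdevs={f: pstdev(getattr(s, f) for s in baseline) for f in FEATURES},
    )


def z_scores(model: NormalModel, s: Sample) -> dict[str, float]:
    """Distance of each feature from the baseline, in standard deviations."""
    scores = {}
    for f in FEATURES:
        sd = model.stdevs[f] or 1e-9  # constant feature: any change counts as large
        scores[f] = (getattr(s, f) - model.means[f]) / sd
    return scores


def is_anomalous(model: NormalModel, s: Sample, k: float = 3.0) -> bool:
    """Phase 2 (detection): possible attack when any feature deviates > k sigma."""
    return any(abs(z) > k for z in z_scores(model, s).values())


def ids_matrix(model: NormalModel, labelled, k: float = 3.0) -> dict[str, int]:
    """Tally the IDS matrix (TP/FP/TN/FN) over (sample, attack_present) pairs."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for s, attack in labelled:
        alert = is_anomalous(model, s, k)
        if alert and attack:
            counts["tp"] += 1
        elif alert:
            counts["fp"] += 1
        elif attack:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


# Constructed baseline: a quiet host observed over twelve intervals.
BASELINE = [Sample(p, c, m) for p, c, m in [
    (95, 30, 50), (102, 33, 52), (98, 28, 49), (110, 35, 51),
    (104, 31, 50), (97, 29, 53), (101, 32, 48), (93, 27, 50),
    (106, 34, 51), (99, 30, 49), (103, 31, 52), (100, 30, 50),
]]

# Constructed labelled test set: (sample, attack actually present?).
LABELLED_TEST = [
    (Sample(105, 32, 51), False),  # ordinary traffic
    (Sample(98, 29, 50), False),   # ordinary traffic
    (Sample(900, 95, 52), True),   # flood: traffic and CPU explode
    (Sample(100, 88, 50), True),   # cryptominer: CPU only
    (Sample(300, 40, 50), False),  # legitimate spike (new normal): false positive
    (Sample(103, 31, 51), True),   # low-and-slow attack inside the envelope: false negative
]

if __name__ == "__main__":
    model = train(BASELINE)
    for s, attack in LABELLED_TEST:
        verdict = "ALERT" if is_anomalous(model, s) else "normal"
        print(s, verdict, "attack" if attack else "benign")
    print(ids_matrix(model, LABELLED_TEST))
```

The last two labelled samples show both cons of the slide at once: a legitimate traffic spike is a "new normal" the model has never seen and is reported as an attack, while an attack that stays inside the trained envelope is missed entirely.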
Slide 23: Scenario approach
Types of monitoring systems: Host-based IDS, Network-based IDS. Analysis types: Scenario approach, Behavior approach.
Real activities are matched against signatures (rules, patterns) of known attacks: matched means attack, not matched means normal.
Example: if (src_ip == dst_ip) then "LAND attack"
+++ Techniques are easy and quick to implement.
--- The reliability problem remains: signatures still raise false alarms.

Slide 24: Intrusion Detection Systems in the Cloud, is it possible?

Slide 25: Architecture 1: Distributing the IDS on the nodes of the grid
+++ Applies both intrusion detection methods (scenario based and behavioral based).
--- The prototype is expensive in terms of resource consumption.
--- It cannot discover new types of attacks, and an attack database must be created and maintained when implementing the IDS.

Slide 26: Architecture 2: Distributed Cloud Intrusion Detection Model
Diagram: the cloud user organization's network is served from the CSP infrastructure; the Cloud IDS raises intrusion alarms and sends alert reports to a third-party IDS monitoring & advisory service, which returns advisory reports.
+++ High performance in terms of processing and execution time.
--- It is difficult to discover new types of attacks and to create a new scenario; much work still needs to be done to improve the concept.

Slide 27: Architecture 2: Distributed Cloud Intrusion Detection Model
Packet flow: input packets (ICMP, IP, UDP, TCP) enter a multi-threaded queue (threads 0 to n); each thread performs rule set matching against the IDS rule set. False: the packet is rejected. True: an intrusion alarm / log entry is raised and reported to the cloud user and the CSP.
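As an added worked example (not code from the deck or from the cited model), the packet path above and the scenario approach of slide 23 in Python: constructed packet records are pushed through a multi-threaded queue, each worker runs rule set matching, a match raises an alarm/log entry and a non-match is rejected. The LAND rule is the one from the scenario slide; the Xmas and NULL scan signatures, the packet record layout and the sample packets are additions assumed for the illustration.

```python
"""Scenario (signature) IDS fed by the multi-threaded queue of
Architecture 2: threads pull packets, run rule set matching, raise an
alarm/log on a match and reject the rest. Added example; the packets
and all rules except LAND are constructed for illustration."""
from __future__ import annotations

import queue
import threading
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                           # "TCP", "UDP" or "ICMP"
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0
    flags: frozenset[str] = frozenset()  # TCP flags; empty for other protocols
    length: int = 0


# IDS rule set: (signature name, predicate over one packet).
# LAND is the slide's example; the two scan signatures are well-known extras.
RULES = [
    ("LAND attack (src_ip == dst_ip)",
     lambda p: p.src_ip == p.dst_ip),
    ("TCP Xmas scan (FIN+PSH+URG set)",
     lambda p: p.proto == "TCP" and {"FIN", "PSH", "URG"} <= p.flags),
    ("TCP NULL scan (no flags set)",
     lambda p: p.proto == "TCP" and not p.flags),
]


def match(pkt: Packet) -> list[str]:
    """Rule set matching: names of every signature the packet triggers."""
    return [name for name, pred in RULES if pred(pkt)]


def run_ids(packets: list[Packet], n_threads: int = 4) -> list[tuple[Packet, list[str]]]:
    """Push packets through a queue served by threads 0..n-1.
    Match -> intrusion alarm/log entry; no match -> packet rejected."""
    work: queue.Queue = queue.Queue()
    alarms: list[tuple[Packet, list[str]]] = []
    lock = threading.Lock()

    def worker() -> None:
        while (pkt := work.get()) is not None:  # None is the stop sentinel
            hits = match(pkt)
            if hits:
                with lock:
                    alarms.append((pkt, hits))  # True: alarm / log
            # False: reject (dropped without a trace)

    threads = [threading.Thread(target=worker, name=f"thread-{i}")
               for i in range(n_threads)]
    for t in threads:
        t.start()
    for pkt in packets:
        work.put(pkt)
    for _ in threads:
        work.put(None)
    for t in threads:
        t.join()
    return alarms


# Constructed traffic using RFC 1918 / RFC 5737 addresses, not real hosts.
SAMPLE_PACKETS = [
    Packet("TCP", "10.0.0.5", "203.0.113.10", 51234, 443, frozenset({"SYN"}), 60),
    Packet("TCP", "203.0.113.10", "203.0.113.10", 80, 80, frozenset({"SYN"}), 40),
    Packet("TCP", "198.51.100.7", "10.0.0.5", 40000, 22, frozenset({"FIN", "PSH", "URG"}), 40),
    Packet("TCP", "198.51.100.7", "10.0.0.5", 40001, 22, frozenset(), 40),
    Packet("UDP", "10.0.0.5", "10.0.0.53", 5353, 53, frozenset(), 80),
    Packet("ICMP", "10.0.0.5", "10.0.0.1", length=84),
    # One packet of a SYN flood looks like any other SYN: no signature, no alarm.
    Packet("TCP", "198.51.100.9", "10.0.0.5", 40002, 80, frozenset({"SYN"}), 40),
]

if __name__ == "__main__":
    for pkt, hits in run_ids(SAMPLE_PACKETS):
        print(f"ALARM {pkt.proto} {pkt.src_ip}:{pkt.src_port} -> "
              f"{pkt.dst_ip}:{pkt.dst_port}: {', '.join(hits)}")
```

Because several threads drain one queue, the order of alarms depends on scheduling, so anything downstream should key on packet content rather than arrival order. The final SYN packet illustrates the slide's drawback: an attack with no signature in the rule set is rejected silently, exactly like benign traffic.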
Slide 28: Architecture 3: Cloud Intrusion Detection System Service
Components: an Intrusion Detection System Component (Collector, Event Publisher, IDS Controller, Detection Engine) alongside the Cloud Computer Service Components; agents in the user's internal network, organised into agent groups, report over a secure connection (VPN).
+++ Quick and fast analysis and detection.
--- Detects many false positives.

Slide 29: Architecture 4: Cloud-based intrusion detection service framework (CBIDS)
Components: the Cloud IDS holds the Cloud Intrusion Detection Component (Analysis Engine, Service Console, Detection Engine / Signature Database, User database) next to the Cloud Service Components; a Data Collector sits in the user network, and users reach the service over VPN.
--- Detects many false positives.

Slide 30: Architecture 5: VM-integrated IDS Management
+++ Can be implemented on the three levels.
--- The use of a centralized collector can make it a target of Denial of Service.

Slide 31: Architecture 5: VM-integrated IDS Management (diagram)

Slide 32: Conclusions
• Many IDS solutions have emerged for the Cloud environment.
• They can be implemented either by the provider or by the tenant.
• Combining the behavior and scenario approaches is the best way to detect intrusions.

Slide 33: Questions?
THANK YOU
@halloussi
fr.slideshare.net/alloussi
