Int'l Conf. Par. and Dist. Proc. Tech. and Appl. | PDPTA'14 |

471

Framework to detect and repair distributed intrusions based on mobile agent in hybrid cloud

Abir KHALDI, Kamel KAROUI, Henda BEN GHEZALA
RIADI Laboratory, ENSI, University of Manouba, Manouba, Tunisia

Abstract: Cloud computing is an emerging paradigm based on distributed services. It is deployed on virtual resources to provide services to public customers and private organizations. Without security measures, distributed cloud services are generally vulnerable. In this paper, we propose a framework for detecting and repairing distributed intrusions in hybrid cloud. Our framework is based on secure mobile agents.

Keywords: Cloud computing, security, IDS, Mobile Agent.

1. Introduction

Cloud providers offer services that meet their customers' requirements. Some security issues are associated with cloud services, and they fall into two broad categories: security issues faced by cloud providers and security issues faced by customers. In most cases, the provider must ensure the security of its infrastructure and the integrity of its clients' data, while the customer must ensure that the provider has taken the proper security measures to protect his information. Because of their distributed nature, cloud computing environments are easy targets for intruders looking to explore possible vulnerabilities. The first line of defense against attackers is to deploy a firewall to filter unauthorized access, then an IDS (intrusion detection system) to detect incoming attacks.

Figure 1. Firewall and NIDS in the Cloud architecture (figure: a Firewall and an NIDS in front of the VMs inside the Cloud Environment)

In figure 1, an NIDS (network IDS) monitors all the cloud network traffic. When an attack occurs, the NIDS alerts the cloud administrator. In [1], we proposed a secure cloud architecture based on an NIDS as a second line of defense after the firewall. The NIDS is well proven for detecting attacks, but attacks can be distributed between cloud nodes and remain hidden from the NIDS. To detect them, we propose a framework implementing:
- a HIDS (host IDS) in every virtual machine (VM);
- an intelligent process to correlate the HIDS alerts;
- secure agents to execute the correlation process.
We focus on deploying this framework in a hybrid cloud environment to:
- Phase 1: detect distributed attacks;
- Phase 2: evaluate the attack risks;
- Phase 3: repair attacks.
In this paper, we propose a framework based on secure mobile agents to detect distributed intrusions and repair the vulnerabilities in hybrid cloud. The repair phase consists of adding a new security policy to the firewall. The remainder of this paper is organized as follows. Section 2 discusses some related work in the area of mobile agent based IDS. The next sections describe our proposed framework, which uses mobile agents to detect and repair intrusions. We then explain the implementation prototype in section 5 and evaluate the results in section 6. Finally, we give conclusions in section 7.

2. Related work

The IDS is based on a simple two-component architecture: a collection component and an analyzer component. This architecture is effective only for small collections of monitored hosts, because centralized analysis limits the ability to scale up to larger collections. Mobile agent based intrusion detection systems such as Autonomous Agents for Intrusion Detection (AAFID) [2] therefore follow a hierarchical structure, so if any internal node is disabled, that branch of the IDS stops functioning. In addition, those architectures are not flexible, not completely distributed, and not able to respond to attacks against the intrusion detection system itself.


Using mobile agents considerably improves IDS performance by reducing the network load. In this case, agent communications should be secured. This issue, which has been neglected by most related works, is one of the main concerns in the design of our framework, which is based on secure mobile agents to detect distributed intrusions in hybrid cloud. Table 1 illustrates a comparative study of related works.

Table 1. Comparing properties of previous related work

Related work | Architecture | Network load | Scalability | Resistibility | Agent security | Description
[2] | Hierarchical | Distributed towards root node | Low | Low: single point of failure | No security approach | Increasing the resistance to the failure of a specific component by using data and function redundancy
[3][4] | Hierarchical | Distributed towards root node | Low | Low: single point of failure | No security approach | Using mobile agents to trace intruders among the various hosts involved in an intrusion
[5][6] | Centralized | Distributed towards a gateway agent | Moderate | Low: single point of failure | No security approach | Agents are composed dynamically using a genetic algorithm, which continually attempts to maximize the likelihood of discovering existing vulnerabilities
[7] | Hierarchical | Distributed towards root node | Moderate | Moderate: no single point of failure | No security approach | An approach proposed to detect distributed intrusions across the network by various agents
[8] | Centralized | Symmetrical | High | Moderate: no single point of failure | No security approach | The presented intrusion detection system, DIDMA, is designed with flexibility, scalability and platform independence in mind
[9] | Hierarchical | Distributed towards upper level | Low | Low: single point of failure | No security approach | They show how dynamic aggregation provides a mechanism for extending existing objects and allows new features to be added to the system quickly
[10] | Peer to peer | Symmetrical | High | Moderate: no single point of failure | No security approach | A virtual neighborhood is created where neighbors take on the task of looking out for each other
[11] | Peer to peer | Symmetrical | High | Moderate: no single point of failure | No security approach | Applying mobile agent technology to provide intrusion detection for cloud applications regardless of their locations

3. Proposal of a mobile agent IDS framework in hybrid cloud

In this section, we define the cloud environment of our framework, its objectives, components and functions.

3.1 Cloud environment

The deployment models of cloud computing are [12]:
- Public cloud: the cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
- Private cloud: the cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
- Hybrid cloud: the cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
- Community cloud: the cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
In our proposed framework, we focus on detecting intrusions in hybrid cloud.

3.2 Framework objectives

The main framework objectives are:
- Distributing correlation and decreasing network load: to supervise all the network nodes, a central node would have to query them and collect the detected intrusion information for analysis, which increases network traffic. Instead, we adopt a distributed correlation system based on mobile agents, which reduces the network load because the agents migrate from one node to another.
- Reducing CPU load for each cloud node: we distribute the workload of detecting intrusions between the nodes instead of centralizing it on one principal node.
- Securing communication: we adopt a secure mobile agent platform with encrypted communication between agents in order to prevent any intrusion into the agents' exchanges.
- Detecting distributed intrusions: an attack against a cloud computing system can be silent and not detectable in a single node. In fact, cloud-specific attacks do not necessarily leave traces in one node. We therefore propose to analyze IDS traces using data mining to detect new attacks.

3.3 Framework components

Our framework is based on six actors, described as follows (see figure 2):
1. An IDS: an IDS is deployed in each node (VM) of the hybrid cloud (private and public). The IDS monitors the traffic, detects intrusions and saves them in its database.
2. Correlated Mobile Agent (CMA): a mobile agent dispatched to each node in the cloud area. The CMA carries the rules to verify in each node, using the alerts saved in the IDS database. The framework runs two CMAs at the same time, one in each cloud area (public, private), to obtain quickly a whole picture of the hybrid cloud intrusions.
3. Public Cloud Agent (PbCA): a static agent implemented in the administrator node of the public cloud. This agent dispatches a CMA that detects intrusions and comes back with all the results of the correlation process.
4. Private Cloud Agent (PvCA): a static agent implemented in the administrator node of the private cloud. This agent dispatches a CMA that detects intrusions and comes back with all the results of the correlation process.
5. Hybrid Cloud Agent (HCA): a static agent implemented in the administrator node of the hybrid cloud. This agent queries the PbCA and the PvCA to start the detection process in order to evaluate the security level of the hybrid cloud.
6. Static Agent (SA): a static agent implemented in each VM to receive the CMA.

Figure 2. Mobile Agent IDS Framework in Hybrid Cloud (figure: the HCA above the PvCA and the PbCA; in each of the Public Cloud and Private Cloud areas, a CMA visits VM1 to VMn, each VM hosting an SA and an IDS)

3.4 Framework functions

Figure 3 describes the different functions and interactions between agents to detect distributed intrusions. The HCA manages the whole hybrid cloud through its two cloud areas, the public cloud and the private cloud. Management can cover one cloud area or both at the same time, depending on the cloud status. Therefore, the HCA asks the PbCA (11), the PvCA (21), or both at the same time, to report the distributed intrusions detected in their cloud so that the hybrid cloud can be audited. The PbCA and the PvCA each create a CMA with all the rules implemented in its code and dispatch it to the cloud VMs (12, 22). The CMA migrates to the SA (13, 23). The SA receives the CMA and asks it for a password. This step is very important because the SA rejects the CMA if it is not authenticated. Once received (14, 24), the CMA asks for the information stored in the IDS database. It has no permission to access the IDS database directly, so the SA acts as the middleware. The CMA applies all the rules in its database to detect distributed intrusions in the VM. When it has finished, the CMA moves to the next VM and repeats the same steps. After finishing the detection in all the cloud VMs, the CMA reports the results to its cloud agent (PbCA (15) or PvCA (25)). The cloud agent gives the report to the HCA (16, 26), which supervises the hybrid cloud. If any VM is not connected or has broken down, the CMA discovers the VM status and migrates to the next VM to continue its work. The distributed detection process can be launched by the HCA, the PbCA or the PvCA.

Figure 3. Agent IDS Framework intercommunication (figure: the HCA above the PbCA and PvCA, each cloud agent dispatching its CMA to the SAs of its cloud area). Public cloud: 11. HCA demands the intrusions detected in the public cloud from the PbCA; 12. PbCA dispatches CMA1; 13. CMA1 migrates to the VM; 14. SA receives CMA1; 15. CMA1 gives its report to the PbCA; 16. PbCA gives its report to the HCA. Private cloud: 21. HCA demands the intrusions detected in the private cloud from the PvCA; 22. PvCA dispatches CMA2; 23. CMA2 migrates to the VM; 24. SA receives CMA2; 25. CMA2 gives its report to the PvCA; 26. PvCA gives its report to the HCA.

Figure 4. Repairing of vulnerability in cloud environment (figure: the HCA dispatches an RMA to the SA of the vulnerable VM, which protects the VM, and an RMA to the SA of the firewall, which applies the policy rule)
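The detection round of sections 3.3 and 3.4, as an added single-process simulation (example code written for this edit, not the paper's Bee-Gent implementation): the cloud agent dispatches one CMA that migrates from SA to SA, each SA authenticates the CMA with a shared secret before answering IDS database queries on its behalf, an unreachable VM is skipped rather than stopping the tour, and the correlation rule flags a source that the IDS has seen on several VMs. The agent classes, the shared secret, the correlation rule and the sample alerts are assumptions constructed for this example; the request counter reproduces the VMNumber + 1 versus VMNumber * 2 comparison used in the evaluation section.

```python
"""Added illustration (not the paper's code): one detection round of the
mobile-agent IDS framework, simulated in one process.  Agent names follow
the paper (PbCA/PvCA, CMA, SA); the shared secret, the correlation rule
and the sample alerts are constructed for the example."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: alerts each VM's IDS has saved in its database, as (src_ip, signature).
# vm3 is None to model a VM that is down or unreachable.
SAMPLE_ALERTS: Dict[str, Optional[List[Tuple[str, str]]]] = {
    "vm1": [("203.0.113.7", "SSH brute force"), ("198.51.100.9", "Port scan")],
    "vm2": [("203.0.113.7", "SSH brute force")],
    "vm3": None,
    "vm4": [("203.0.113.7", "Web login failures"), ("192.0.2.4", "Port scan")],
}


@dataclass
class StaticAgent:
    """SA: lives on one VM, authenticates a visiting CMA and mediates IDS database access."""
    vm: str
    secret: bytes
    alerts: Optional[List[Tuple[str, str]]]  # None models a broken/unreachable VM

    def admit(self, presented: bytes) -> bool:
        # Constant-time comparison: the check must not leak the secret through timing.
        return hmac.compare_digest(self.secret, presented)

    def query_alerts(self) -> List[Tuple[str, str]]:
        # The CMA never opens the IDS database itself; the SA answers on its behalf.
        return list(self.alerts or [])


@dataclass
class CorrelatedMobileAgent:
    """CMA: carries the correlation rules and migrates from SA to SA."""
    secret: bytes
    visited: List[str] = field(default_factory=list)
    skipped: List[str] = field(default_factory=list)
    collected: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)
    requests: int = 0  # network messages, the quantity compared in the evaluation

    def migrate(self, sa: StaticAgent) -> None:
        self.requests += 1  # one hop: migration to this VM
        if sa.alerts is None:  # VM down: note it and move on, no single point of failure
            self.skipped.append(sa.vm)
            return
        if not sa.admit(self.secret):  # unauthenticated CMA is rejected by the SA
            self.skipped.append(sa.vm)
            return
        self.visited.append(sa.vm)
        self.collected[sa.vm] = sa.query_alerts()

    def correlate(self, min_vms: int = 2) -> Dict[str, List[str]]:
        """Constructed rule: a source seen by the IDS on at least min_vms VMs is a distributed intrusion."""
        seen: Dict[str, Set[str]] = {}
        for vm, alerts in self.collected.items():
            for src, _signature in alerts:
                seen.setdefault(src, set()).add(vm)
        return {src: sorted(vms) for src, vms in seen.items() if len(vms) >= min_vms}


def detection_round(alerts_by_vm: Dict[str, Optional[List[Tuple[str, str]]]], secret: bytes) -> Dict:
    """Cloud agent (PbCA or PvCA) dispatches one CMA, which tours every VM and returns with a report."""
    cma = CorrelatedMobileAgent(secret=secret)
    for vm, alerts in alerts_by_vm.items():
        cma.migrate(StaticAgent(vm=vm, secret=secret, alerts=alerts))
    cma.requests += 1  # final hop: the CMA returns to its cloud agent, giving VMNumber + 1 messages
    return {
        "distributed": cma.correlate(),
        "visited": cma.visited,
        "skipped": cma.skipped,
        "requests": cma.requests,
    }


def client_server_requests(vm_count: int) -> int:
    """Baseline: the cloud manager queries each VM and receives its reply, VMNumber * 2 messages."""
    return vm_count * 2


if __name__ == "__main__":
    print(detection_round(SAMPLE_ALERTS, secret=b"constructed-shared-secret"))
    print("client/server requests for 4 VMs:", client_server_requests(4))
```

On the constructed input the CMA visits three VMs, skips the one that is down, reports 203.0.113.7 as the only source active on more than one VM, and uses five messages against the eight a query/response tour of four VMs would need.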

4. Mobile agent based framework for fixing vulnerabilities in hybrid cloud

When the HCA detects a distributed intrusion, the cloud network administrator should take the necessary security measures and apply them immediately. For that, we propose to extend the IDS framework of section 3 to fix vulnerabilities and avoid intrusions (see figure 4). If intrusions occur, it means that there is a vulnerability in the VM or a missing security policy in the firewall. So the HCA can dispatch a Reparation Mobile Agent (RMA) to:
- the vulnerable VM, to repair it if there is any service to close or any established communication with a malicious user to reject;
- the firewall, to apply new security rules that avoid the detected intrusions. For this, the firewall should implement a Static Agent to receive the RMA, get the rules and apply them.
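The repair phase of this section, as an added example (written for this edit, not the paper's RMA implementation): from the distributed-intrusion report, the RMA derives idempotent iptables rules for the firewall's Static Agent and a service-closing action for the vulnerable VM's Static Agent. The report layout, the service names, the command strings and the simulated firewall SA are assumptions constructed for the example; the commands are generated and validated here, not executed, and the `ss -K` socket kill needs kernel socket-destroy support on a real host.

```python
"""Added illustration (not the paper's code): the RMA side of the repair phase.
The report format, the constructed vulnerable service and the iptables/ss
command strings are assumptions made for this example."""
import ipaddress
import shlex
from typing import Dict, List

# Constructed sample: what the detection phase reported. "distributed" maps a source to the VMs
# where it was seen; two entries are deliberately unusable (malformed, loopback) to exercise validation.
SAMPLE_REPORT = {
    "distributed": {
        "203.0.113.7": ["vm1", "vm2", "vm4"],
        "not-an-ip": ["vm1"],
        "127.0.0.1": ["vm2"],
    },
    "vulnerable_service": {"vm4": "telnet"},  # constructed: service the vm4 alerts point at
}


def blockable(src: str) -> bool:
    """Only well-formed, routable unicast addresses may become firewall rules."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # garbage in a report must never turn into a malformed or overbroad rule
    return not (ip.is_loopback or ip.is_multicast or ip.is_unspecified or ip.is_link_local)


def firewall_rules(report: Dict) -> List[str]:
    """Rules the RMA carries to the firewall SA; the -C check first keeps re-application idempotent."""
    rules: List[str] = []
    for src in sorted(report["distributed"]):
        if not blockable(src):
            continue
        spec = f"INPUT -s {src} -j DROP"
        rules.append(f"iptables -C {spec} || iptables -I {spec}")
    return rules


def vm_actions(report: Dict) -> Dict[str, List[str]]:
    """Actions the RMA carries to each vulnerable VM's SA: stop the exposed service,
    then cut any established session from the sources correlated against that VM."""
    actions: Dict[str, List[str]] = {}
    for vm, service in report.get("vulnerable_service", {}).items():
        cmds = [f"systemctl stop {shlex.quote(service)}"]
        for src, vms in report["distributed"].items():
            if vm in vms and blockable(src):
                cmds.append(f"ss -K dst {src}")  # kills matching sockets (kernel SOCK_DESTROY support)
        actions[vm] = cmds
    return actions


class FirewallStaticAgent:
    """SA on the firewall host: receives the RMA's rules and records what has been applied.
    The apply step is simulated; on a real host each string would be run by a shell."""

    def __init__(self) -> None:
        self.applied: List[str] = []

    def apply(self, rules: List[str]) -> int:
        added = 0
        for rule in rules:
            if rule not in self.applied:  # same idempotency the -C check gives on a real host
                self.applied.append(rule)
                added += 1
        return added


if __name__ == "__main__":
    print(firewall_rules(SAMPLE_REPORT))
    print(vm_actions(SAMPLE_REPORT))
    fw = FirewallStaticAgent()
    print("applied:", fw.apply(firewall_rules(SAMPLE_REPORT)), "then:", fw.apply(firewall_rules(SAMPLE_REPORT)))
```

Validating each source before it becomes a rule matters here because the RMA acts on whatever the correlation reported: a malformed or loopback address would otherwise become a broken or self-harming firewall entry on every repair run.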

5. Prototype implementation

The framework proposed in the previous sections illustrates how specific features of mobile agents can increase the efficiency of the system and decrease the network load as well (see figure 5). Bee-Gent mobile agents have been used for the implementation. Bee-Gent technology was first released in 1999 by Toshiba [13] as a new type of pure agent development framework for the advanced network society. Its communication framework is based on the multi-agent model. The Bee-Gent framework comprises two types of agents: agent wrappers and mediation agents.
• Agent wrappers are used to 'agentify' existing applications. The agent wrappers manage the states of the applications they wrap and invoke the applications when necessary.
• Mediation agents support inter-application coordination by handling all communications among applications. The mediation agents move from the site of one application to another, where they interact with the remote agent wrappers.
For the IDS, we deployed Snort [14] in each VM to monitor system and network intrusions. We configured Snort to save its alerts in its MySQL database, which the CMA uses in the analysis phase. We chose iptables as the firewall on a Linux machine to manage the repair of vulnerabilities and the application of new security rules. To implement our architecture, we chose VMware vSphere Hypervisor 5, composed of ESXi and vSphere Client. The choice of VMware ESXi was based on the following reasons:
- Freeware version
- Solution qualified by the internet community as 'stable' and portable
- Fully managed through vSphere
- Supports hot migration
Figure 5 shows all the framework components used to detect and avoid distributed intrusions in the cloud area.

Figure 5. IDS Framework components in hybrid cloud (figure: a Cloud Manager with Bee-Gent CMA and RMA agents, a Firewall (iptables) hosting a Bee-Gent SA, and VMs each hosting Snort with its database and a Bee-Gent SA)

Consequently, the mobile agent concept becomes particularly interesting as the number of VMs increases. The Bee-Gent mobile agent approach offers two important agent features:
- When the mobile agent migrates to a broken VM, it moves on to another one to continue its work. Thanks to this property, we avoid a single point of failure.
- Mobile agent intercommunication is authenticated and encrypted. This property defeats any attempt to intercept agent communication.
Using mobile agents also allows vulnerabilities to be fixed either in the VM or in the firewall by adding new security rules.

6. Framework evaluation

In this section, the performance of our mobile agent IDS framework is challenged by comparing it with the performance of the client/server IDS approach. Our aim is to verify our IDS features and effectiveness. The IDS with mobile agents claims a lower network load than the client/server approach, by shipping code to data instead of shipping data to code. In figure 6, we compare the network load (number of requests exchanged in the network) of the client/server approach and the mobile agent approach as a function of the number of machines. The mobile agent (CMA) is dispatched from the cloud manager (PbCA or PvCA) to each VM in the cloud to detect distributed intrusions and return the results, so the number of requests in this case is:
RequestNumber = VMNumber + 1
With the client/server approach, the cloud manager must query each VM and receive its response, so:
RequestNumber = VMNumber * 2

Figure 6. Evaluation of mobile agent versus client/server in IDS Framework (chart: number of requests, axis 0 to 450, against number of VMs, 1 to 11, for the Client/Server and Mobile Agent series)

7. Conclusion

Cloud computing takes the essence of both mobile agents and virtualization, combining their key benefits. VMs are ideal platforms for agents to execute safely, since a virtual machine can provide a secure, isolated sandbox for the mobile agents. In our framework, clouds and virtualization benefit from an IDS approach that mobile agents make scalable, flexible and cost effective. In future work, we will test this framework for detecting DDoS attacks in the cloud environment.

8. References

[1] A. Khaldi, K. Karoui, N. Tanbène, H. Ben Ghezala, "Secure cloud architecture design", 2014 2nd IEEE International Conference on Mobile Cloud Computing, Services, and Engineering, April 2014, Oxford.


[2] J. Balasubramaniyan, J. O. Garcia-Fernandez, D. Isacoff, E. H. Spafford, D. Zamboni, "An architecture for intrusion detection using autonomous agents", Department of Computer Science, Purdue University, COAST TR 98-05, 1998.
[3] Wayne Jansen, Peter Mell, Tom Karygiannis, Don Marks, "Applying Mobile Agents to Intrusion Detection and Response", NIST Interim Report (IR) 6416, October 1999.
[4] M. Asaka, S. Okazawa, A. Taguchi, and S. Goto, "A Method of Tracing Intruders by Use of Mobile Agents", INET'99, June 1999.
[5] Michael Conner, Chirag Patel, Mike Little, "Genetic Algorithm/Artificial Life Evolution of Security Vulnerability Agents", Army Research Laboratory Federal Laboratory 3rd Annual Symposium on Advanced Telecommunications & Information Distribution Research Program (ATIRP), February 1999.
[6] Barrett, Michael, W. Booth, M. Conner, D. Dumas, M. Gaughan, S. Jacobs, M. Little, "Intelligent Agents System Requirements and Architecture", Report to ATIRP, p. 5, October 1998.
[7] P. C. Chan and Victor K. Wei, "Preemptive Distributed Intrusion Detection using Mobile Agents", Department of Information.
[8] Pradeep Kannadiga and Mohammad Zulkernine, "DIDMA: A Distributed Intrusion Detection System Using Mobile Agents", School of Computing, Queen's University, Kingston, Ontario, Canada K7L 3N, IEEE, 2005.
[9] G. Helmer et al., "Lightweight agents for intrusion detection", The Journal of Systems and Software 67 (2003) 109–122.
[10] Geetha Ramachandran and Delbert Hart, "A P2P Intrusion Detection System based on Mobile Agents", ACM 1-58113-870-9/04/04, 2004.
[11] Dastjerdi, Amir Vahid, Kamalrulnizam Abu Bakar, and Sayed Gholam Hassan Tabatabaei, "Distributed intrusion detection in clouds using mobile agents", Advanced Engineering Computing and Applications in Sciences, 2009, ADVCOMP'09, Third International Conference on, IEEE, 2009.
[12] Mell, P. & Grance, T., 2011, "The NIST Definition of Cloud Computing", NIST Special Publication 800-145 (Draft). Retrieved 2013-10-11.
[13] Bee-Gent, Online: http://flylib.com/books/en/4.4.1.92/1/ (January 2014).
[14] Snort, Online: http://www.snort.org/ (December 2013).
