International Journal of Innovations & Advancement in Computer Science IJIACS ISSN 2347 – 8616 Volume 6, Issue 9 September 2017

Various Network Attacks and Alert Systems for Virtual Network Systems – A Survey

R N Devendra Kumar [1], A Praveena [2], K Ramalakshmi [3], P Kanmani [4]
[1][2][3][4] Assistant Professor
[1][3][4] Department of Computer Science and Engineering, Sri Ramakrishna Institute of Technology, Coimbatore, India
[2] Department of Computer Science and Engineering, Jansons Institute of Technology, Coimbatore, India

INTRODUCTION

Computer security (also known as cyber security or IT security) is information security as applied to computers and networks. The field covers all the processes and mechanisms by which computer-based equipment, information and services are protected from unintended or unauthorized access, change or destruction. Computer security also includes protection from unplanned events and natural disasters. In the computer industry, the term security (or the phrase computer security) more narrowly refers to techniques for ensuring that data stored in a computer cannot be read or compromised by any individual without authorization. Most computer security measures involve data encryption and passwords. Data encryption is the translation of data into a form that is unintelligible without a deciphering mechanism. A password is a secret word or phrase that grants a user access to a particular program or system. This paper presents a survey of different types of attacks together with different kinds of intrusion detection techniques, approaches and parameters.

1.1 NEEDS IN SECURE COMPUTING

If you don't take basic steps to protect your work computer, you put it and all the information on it at risk. You can potentially compromise the operation of other computers on your organization's network, or even the functioning of the network as a whole.

1.1.1 Physical security: Technical measures like login passwords and anti-virus software are essential (more about those below). However, a secure physical space is the first and most important line of defense.


Is the place you keep your workplace computer secure enough to prevent theft or access to it while you are away? While the Security Department provides coverage across the Medical center, it only takes seconds to steal a computer, particularly a portable device like a laptop or a PDA. A computer should be secured like any other valuable possession when you are not present. Human threats are not the only concern. Computers can be compromised by environmental mishaps (e.g., water, coffee) or physical trauma. Make sure the physical location of your computer takes account of those risks as well.

1.1.2 Access passwords: The University's networks and shared information systems are protected in part by login credentials (user IDs and passwords). Access passwords are also an essential protection for personal computers in most circumstances. Offices are usually open and shared spaces, so physical access to computers cannot be completely controlled. To protect your computer, you should consider setting passwords for particularly sensitive applications resident on the computer (e.g., data analysis software), if the software provides that capability.

1.1.3 Prying eye protection: Because we deal with all facets of clinical, research, educational and administrative data here on the medical campus, it is important to do everything possible to minimize exposure of data to unauthorized individuals.


1.1.4 Anti-virus software: Up-to-date, properly configured anti-virus software is essential. While we have server-side anti-virus software on our network computers, you still need it on the client side (your computer).

1.1.5 Firewalls: Anti-virus products inspect files on your computer and in email. Firewall software and hardware monitor communications between your computer and the outside world. That is essential for any networked computer.

1.1.6 Software updates: It is critical to keep software up to date, especially the operating system, anti-virus and anti-spyware, email and browser software. The newest versions contain fixes for discovered vulnerabilities. Almost all anti-virus products have automatic update features (including SAV). Keeping the "signatures" (digital patterns) of malicious software detectors up to date is essential for these products to be effective.

1.1.7 Keep secure backups: Even if you take all these security steps, bad things can still happen. Be prepared for the worst by making backup copies of critical data, and keeping those backup copies in a separate, secure location. For example, use supplemental hard drives, CDs/DVDs, or flash drives to store critical, hard-to-replace data.

1.1.8 Report problems: If you believe that your computer or any data on it has been compromised, you should make an information security incident report. That is required by University policy for all data on our systems, and legally required for health, education, financial and any other kind of record containing identifiable personal information.

2. LITERATURE SURVEY

2.1.1 BotSniffer: detecting botnet command and control channels in network traffic [1]
AUTHORS: G. Gu, J. Zhang, and W. Lee
Botnets are now recognized as one of the most serious security threats. In contrast to previous malware, botnets have the characteristic of a command and control (C&C) channel. Botnets also often use existing common protocols, e.g., IRC, HTTP, and in protocol-conforming manners. This makes the detection of botnet C&C a challenging problem. In this paper, we propose an approach that uses network-based anomaly detection to identify botnet C&C channels in a local area network without any prior knowledge of signatures or C&C server addresses. This detection approach can identify both the C&C servers and infected hosts in the network. Our approach is based on the observation that, because of the pre-programmed activities related to C&C, bots within the same botnet will likely demonstrate spatial-temporal correlation and similarity. For example, they engage in coordinated communication, propagation, and attack and fraudulent activities. Our prototype system, BotSniffer, can capture this spatial-temporal correlation in network traffic and utilize statistical algorithms to detect botnets with theoretical bounds on the false positive and false negative rates. We evaluated BotSniffer using many real-world network traces. The results show that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate.

2.1.2 Automated generation and analysis of attack graphs [2]
AUTHORS: O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M. Wing
An integral part of modeling the global view of network security is constructing attack graphs. Manual attack graph construction is tedious, error-prone, and impractical for attack graphs larger than a hundred nodes. In this paper we present an automated technique for generating and analyzing attack graphs. We base our technique on symbolic model checking algorithms, letting us construct attack graphs automatically and efficiently. We also describe two analyses to help decide which attacks would be most cost-effective to guard against. We implemented our technique in a tool suite and tested it on a small network example, which includes models of a firewall and an intrusion detection system.
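The spatial-temporal group correlation that BotSniffer (2.1.1) relies on, shown as an added example that is neither BotSniffer's code nor the survey's own: over constructed flow records for a LAN, hosts talking to the same external server are flagged as a response crowd when most of them send near-identical message sizes in the same time window, in more than one window. The hosts, servers, thresholds and the size-bucket signature are assumptions, and the fixed thresholds stand in for the hypothesis tests BotSniffer actually uses.

```python
from collections import Counter, defaultdict

# Constructed flow records, not captured traffic: (time_s, src_host, dst_server, bytes_sent).
# 203.0.113.7 plays the C&C server (TEST-NET-3 range); 198.51.100.9 is an ordinary web server.
FLOWS = [
    (5, "10.0.0.11", "203.0.113.7", 118), (7, "10.0.0.12", "203.0.113.7", 118),
    (9, "10.0.0.13", "203.0.113.7", 118), (12, "10.0.0.14", "203.0.113.7", 116),
    (65, "10.0.0.11", "203.0.113.7", 118), (66, "10.0.0.12", "203.0.113.7", 118),
    (70, "10.0.0.13", "203.0.113.7", 118), (71, "10.0.0.14", "203.0.113.7", 118),
    (3, "10.0.0.21", "198.51.100.9", 512), (20, "10.0.0.22", "198.51.100.9", 1450),
    (44, "10.0.0.23", "198.51.100.9", 301), (80, "10.0.0.21", "198.51.100.9", 9000),
]

def signature(bytes_sent, bucket=32):
    """Coarse message-size signature: pre-programmed bot replies land in the same bucket."""
    return bytes_sent // bucket

def crowd_groups(flows, window=60):
    """Group flows by (server, time window); value is {client_host: set of signatures}."""
    groups = defaultdict(lambda: defaultdict(set))
    for t, src, dst, size in flows:
        groups[(dst, t // window)][src].add(signature(size))
    return groups

def detect_c2(flows, window=60, min_hosts=3, min_sim=0.75, min_windows=2):
    """Return {server: [hosts]} for servers whose clients form a response crowd
    (>= min_hosts clients, >= min_sim share the modal signature) in >= min_windows windows."""
    crowd_windows = defaultdict(set)   # server -> windows in which a crowd was seen
    members = defaultdict(set)         # server -> hosts that took part in a crowd
    for (server, win), hosts in crowd_groups(flows, window).items():
        if len(hosts) < min_hosts:
            continue
        modal_sig, count = Counter(frozenset(s) for s in hosts.values()).most_common(1)[0]
        if count / len(hosts) >= min_sim:
            crowd_windows[server].add(win)
            members[server] |= {h for h, s in hosts.items() if frozenset(s) == modal_sig}
    return {s: sorted(members[s]) for s, wins in crowd_windows.items() if len(wins) >= min_windows}

if __name__ == "__main__":
    print(detect_c2(FLOWS))  # {'203.0.113.7': ['10.0.0.11', '10.0.0.12', '10.0.0.13', '10.0.0.14']}
```

The web server's clients are not flagged because their request sizes diverge, which is the benign case BotSniffer's false-positive bound is about.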
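An added example (not code from the survey or from the cited tools) of the attack-graph construction described in 2.1.2, encoded the way MulVAL-style Datalog facts and rules express it: two rules are forward-chained to a fixpoint, the derivation edges form the attack graph, and a guard analysis re-runs the reasoning with each vulnerability removed to find the single patch that blocks the goal. The network, ports and VULN-* identifiers are constructed placeholders, and every vulnerability is assumed remotely exploitable.

```python
from itertools import product

# Constructed network model written as MulVAL-style facts. Predicate names mirror
# MulVAL's; hosts, ports and vulnerability IDs are placeholders, not real CVEs.
HACL = {  # hacl(src, dst, proto, port): traffic the firewall permits
    ("internet", "web", "tcp", 80), ("internet", "files", "tcp", 445),
    ("web", "db", "tcp", 3306), ("files", "db", "tcp", 3306),
}
SERVICES = {  # networkService(host, program, proto, port, user)
    ("web", "httpd", "tcp", 80, "www"), ("files", "smbd", "tcp", 445, "root"),
    ("db", "mysqld", "tcp", 3306, "mysql"),
}
VULNS = {  # vulExists(host, vulID, program); all treated as remotely exploitable
    ("web", "VULN-WEB-1", "httpd"), ("files", "VULN-SMB-1", "smbd"),
    ("db", "VULN-DB-1", "mysqld"),
}

def attack_graph(attacker="internet", vulns=VULNS):
    """Forward-chain the two rules to a fixpoint. Returns (derived facts, edges);
    the premise -> conclusion edges are the attack graph."""
    facts, edges = {("attackerLocated", attacker)}, set()
    while True:
        new = set()
        # netAccess(H,P,Port) :- attackerLocated(H0) | execCode(H0,_), hacl(H0,H,P,Port)
        for f in facts:
            if f[0] in ("attackerLocated", "execCode"):
                for src, dst, proto, port in HACL:
                    if src == f[1]:
                        na = ("netAccess", dst, proto, port)
                        new.add(na); edges.add((f, na))
        # execCode(H,U) :- vulExists(H,V,Prog), networkService(H,Prog,P,Port,U), netAccess(H,P,Port)
        for (h, vul, prog), (sh, sprog, proto, port, user) in product(vulns, SERVICES):
            na = ("netAccess", h, proto, port)
            if h == sh and prog == sprog and na in facts:
                ec = ("execCode", h, user)
                new.add(ec); edges.update({(na, ec), (("vulExists", h, vul), ec)})
        if new <= facts:       # nothing new derived: fixpoint reached
            return facts, edges
        facts |= new

def single_patch_blocks(goal, vulns=VULNS):
    """Guard analysis: which single vulnerability, once patched, leaves `goal`
    underivable? Re-runs the fixpoint with that vulExists fact removed."""
    return {v[1] for v in vulns if goal not in attack_graph(vulns=vulns - {v})[0]}

if __name__ == "__main__":
    facts, edges = attack_graph()
    print(sorted(f for f in facts if f[0] == "execCode"))
    print(single_patch_blocks(("execCode", "db", "mysql")))  # {'VULN-DB-1'}
```

Patching only the web or only the file server leaves the other path to the database open, which is why the analysis singles out the database vulnerability as the one fix that blocks the goal on its own.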
2.1.3 A hybrid model for correlating alerts of known and unknown attack scenarios and updating attack graphs [3]
AUTHORS: S. H. Ahmadinejad, S. Jalili, and M. Abadi
Managing and analyzing a huge number of low-level alerts is very difficult and exhausting for network administrators. Alert correlation methods have been proposed to decrease the number of alerts and make them more intelligible. Proposed methods for alert correlation are different in terms of their performance, accuracy and adaptivity. We present a new hybrid model not only to correlate alerts as accurately and efficiently as possible but also to be able to boost the model in the course of time. The model presented in this paper consists of two parts: (1) an attack graph-based method to correlate alerts raised for known attacks and hypothesize missed alerts and (2) a similarity-based method to correlate alerts raised for unknown attacks which cannot be correlated using the first part and also to update the attack graph. These two parts cooperate with each other such that if the first part could not correlate a new alert, the second part is applied. We propose two different methods for these two parts. In order to update the attack graph, we present a technique (using the similarity-based method in the second part of the model) which is actually the most salient feature of our model: the capability of hypothesizing missed exploits and discovering defects in pre- and post-conditions of known exploits in attack graphs. We also propose an additional method named alerts bisimulation for compressing graphs of correlated alerts.

2.1.4 MulVAL: a logic-based network security analyzer [4]
AUTHORS: X. Ou, S. Govindavajhala, and A. W. Appel
To determine the security impact software vulnerabilities have on a particular network, one must consider interactions among multiple network elements. For a vulnerability analysis tool to be useful in practice, two features are crucial. First, the model used in the analysis must be able to automatically integrate formal vulnerability specifications from the bug-reporting community. Second, the analysis must be able to scale to networks with thousands of machines. We show how to achieve these two goals by presenting MulVAL, an end-to-end framework and reasoning system that conducts multi-host, multi-stage vulnerability analysis on a network. MulVAL adopts Datalog as the modeling language for the elements in the analysis (bug specification, configuration description, reasoning rules, operating-system permission and privilege model, etc.). We easily leverage existing vulnerability-database and scanning tools by expressing their output in Datalog and feeding it to our MulVAL reasoning engine. Once the information is collected, the analysis can be performed in seconds for networks with thousands of machines.

2.1.5 Alert correlation survey: framework and techniques [5]
AUTHORS: R. Sadoddin and A. Ghorbani
Managing raw alerts generated by various sensors is becoming more significant to intrusion detection systems as more sensors with different capabilities are distributed spatially in the network. Alert correlation addresses this issue by reducing, fusing and correlating raw alerts to provide a condensed, yet more meaningful view of the network from the intrusion standpoint. Techniques from a diverse range of disciplines have been used by researchers for different aspects of correlation. This paper provides a survey of the state of the art in alert correlation techniques. Our main contribution is a two-fold classification of the literature based on correlation framework and applied techniques. The previous works in each category have been described along with their strengths and weaknesses from our viewpoint.

3. CONCLUSION

Cloud users can install vulnerable software on their VMs, which essentially contributes to loopholes in cloud security. The challenge is to establish an effective vulnerability/attack detection and response system for accurately identifying attacks and minimizing the impact of a security breach on cloud users. In a cloud system where the infrastructure is shared by potentially millions of users, abuse and nefarious use of the shared infrastructure allow attackers to exploit vulnerabilities of the cloud and use its resources to deploy attacks in more efficient ways. Such attacks are more effective in the cloud environment since cloud users usually share computing resources, e.g., being connected through the same switch and sharing the same data storage and file systems, even with potential attackers. The similar setup of VMs in the cloud, e.g., virtualization techniques, VM OS, installed vulnerable software, networking, etc., attracts attackers to compromise multiple VMs.

REFERENCES

[1] G. Gu, J. Zhang, and W. Lee, “BotSniffer: detecting botnet command and control channels in network traffic,” Proc. of 15th Ann. Network and Distributed System Security Symp. (NDSS ’08), Feb. 2008.


[2] O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M. Wing, “Automated generation and analysis of attack graphs,” Proc. IEEE Symp. on Security and Privacy, 2002, pp. 273–284.
[3] S. H. Ahmadinejad, S. Jalili, and M. Abadi, “A hybrid model for correlating alerts of known and unknown attack scenarios and updating attack graphs,” Computer Networks, vol. 55, no. 9, pp. 2221–2240, Jun. 2011.


[4] X. Ou, S. Govindavajhala, and A. W. Appel, “MulVAL: a logic-based network security analyzer,” Proc. of 14th USENIX Security Symp., 2005, pp. 113–128.
[5] R. Sadoddin and A. Ghorbani, “Alert correlation survey: framework and techniques,” Proc. ACM Int’l Conf. on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services (PST ’06), 2006, pp. 37:1–37:10.
