evaluation of intrusion detection systems in clouds
play

Evaluation of Intrusion Detection Systems in Clouds Thibaut Probst , - PowerPoint PPT Presentation

Nov 06, 2023 •482 likes •719 views

Problem statement Methodology Testbed and Experimental Results Conclusion Evaluation of Intrusion Detection Systems in Clouds Thibaut Probst , E. Alata, M. Ka aniche, V. Nicomette LAAS-CNRS - Dependable Computing and Fault Tolerance (TSF)

  1. Problem statement Methodology Testbed and Experimental Results Conclusion Evaluation of Intrusion Detection Systems in Clouds Thibaut Probst , E. Alata, M. Kaˆ aniche, V. Nicomette LAAS-CNRS - Dependable Computing and Fault Tolerance (TSF) team Journ´ ee SEC 2 - June 30th, 2015 Evaluation of Intrusion Detection Systems in Clouds 1 / 22

  2. Problem statement Methodology Testbed and Experimental Results Conclusion Problem statement 1 Methodology 2 Cloning Analysis of accessibilities IDS/IPS evaluation Testbed and Experimental Results 3 Conclusion 4 Evaluation of Intrusion Detection Systems in Clouds 2 / 22

  3. Problem statement Methodology Testbed and Experimental Results Conclusion Outline Problem statement 1 Methodology 2 Testbed and Experimental Results 3 Conclusion 4 Evaluation of Intrusion Detection Systems in Clouds 3 / 22

  4. Problem statement Methodology Testbed and Experimental Results Conclusion Context and problem statement Cloud computing Deploy and manage applications, development and execution platforms, virtual infrastructures hosted by a provider. On-demand self-service, broad network access, resource pooling, rapid elasticity, measured service. Security concerns Many actors and technologies → many possible threats. Security mechanisms deployed in virtual infrastructures : firewalls (network filtering), IDS/IPS (attack detection). ⇒ How to assess their efficiency ? Evaluation of Intrusion Detection Systems in Clouds 4 / 22

  5. Problem statement Methodology Testbed and Experimental Results Conclusion Overview of the Approach Objective Allow the automated evaluation and analysis of security mechanisms deployed in virtual infrastructures : ⇒ Provide the client and provider security reports on network accessibilities and IDS/IPS performance. Main assumptions Service model : Infrastructure as a Service (IaaS). Considered firewall types : Edge firewall and Hypervisor-based firewall The audit process should not disturb client’s business. Evaluation of Intrusion Detection Systems in Clouds 5 / 22

  6. Problem statement Methodology Testbed and Experimental Results Conclusion Overview of the Approach Three-phase approach 1 Retrieval of information and cloning of infrastructure. 2 Determination of accessibilities in two ways and analysis of discrepancies in the results. 3 Construction and execution of attack campaigns. Evaluation of Intrusion Detection Systems in Clouds 6 / 22

  7. Problem statement Cloning Methodology Analysis of accessibilities Testbed and Experimental Results IDS/IPS evaluation Conclusion Outline Problem statement 1 Methodology 2 Cloning Analysis of accessibilities IDS/IPS evaluation Testbed and Experimental Results 3 Conclusion 4 Evaluation of Intrusion Detection Systems in Clouds 7 / 22

  8. Problem statement Cloning Methodology Analysis of accessibilities Testbed and Experimental Results IDS/IPS evaluation Conclusion Preparation of the infrastructure Objective From the client ID/name, clone the virtual infrastructure (virtual datacenters, edge firewalls and virtual networks) Create the different VMs from a template Avoid IP conflicts due to cloning in external networks. Evaluation of Intrusion Detection Systems in Clouds 8 / 22

  9. Problem statement Cloning Methodology Analysis of accessibilities Testbed and Experimental Results IDS/IPS evaluation Conclusion Analysis of network access controls Accessibility : Authorized service from a source to a destination. First support of attack vectors. Accessibility matrix : Set of VMs ← → VMs and external location ← → VMs accessibilities. User- defined in a security policy and implemented on equipments (firewalls) as filtering rules. 2 methods to derive it : Statically → configured accessibilities. Dynamically → observed accessibilities. Discrepancy : accessibility not noticed in all 3 matrices. Evaluation of Intrusion Detection Systems in Clouds 9 / 22

  10. Problem statement Cloning Methodology Analysis of accessibilities Testbed and Experimental Results IDS/IPS evaluation Conclusion Static analysis Accessibility predicate : accessibility(X, SPORT, Y, PROTO, DPORT) Static analysis : determination of all accessibility predicates from cloud components configuration : configured accessibilities. Evaluation of Intrusion Detection Systems in Clouds 10 / 22

  11. Problem statement Cloning Methodology Analysis of accessibilities Testbed and Experimental Results IDS/IPS evaluation Conclusion Dynamic analysis Dynamic analysis : network packet exchanges between VMs (client → server) to determine accessibilities : observed accessibilities Design of an algorithm to perform all client-server sessions in a the smallest possible number of iterations ⇒ run sessions in parallel when possible. Evaluation of Intrusion Detection Systems in Clouds 11 / 22

  12. Problem statement Cloning Methodology Analysis of accessibilities Testbed and Experimental Results IDS/IPS evaluation Conclusion Evaluation trafic Automata based modelisation To generate and replay legitimate and malicious packets exchanges To avoid installing, running and stopping applications during the attack campaigns To be free of Windows licences Evaluation of Intrusion Detection Systems in Clouds 12 / 22

  13. Problem statement Cloning Methodology Analysis of accessibilities Testbed and Experimental Results IDS/IPS evaluation Conclusion Evaluation trafic Automata generation Process before attack campaigns. Use of Metasploit (malicious trafic) and various tools (legitimate trafic) to interact with vulnerable applications Evaluation of Intrusion Detection Systems in Clouds 13 / 22

  14. Problem statement Cloning Methodology Analysis of accessibilities Testbed and Experimental Results IDS/IPS evaluation Conclusion Attack campaigns Principle Execution of attacks and legitimate activity sessions for each accessibility discovered during the previous phase. Try to parallelize as much as possible the sessions Use of attacks dictionnary Alarms from the different NIDS are collected, backed-up and analysed to calculate usual IDS metrics Evaluation of Intrusion Detection Systems in Clouds 14 / 22

  15. Problem statement Cloning Methodology Analysis of accessibilities Testbed and Experimental Results IDS/IPS evaluation Conclusion Attack campaigns NIDS metrics True Positive if : Duration between alarm and attack < Threshold. IP adresses, protocols and ports included in the alarm correspond to those of the attack. The alarm is serious. The CVEs of the alarm correspond to the CVE of the attack. False Positive if a raised alarm does not correspond to an attack False Negative if no alarm raised for an attack TP DR = TP + FN . TP PR = TP + FP . Evaluation of Intrusion Detection Systems in Clouds 15 / 22

  16. Problem statement Methodology Testbed and Experimental Results Conclusion Outline Problem statement 1 Methodology 2 Testbed and Experimental Results 3 Conclusion 4 Evaluation of Intrusion Detection Systems in Clouds 16 / 22

  17. Problem statement Methodology Testbed and Experimental Results Conclusion Testbed environment Evaluation of Intrusion Detection Systems in Clouds 17 / 22

  18. Problem statement Methodology Testbed and Experimental Results Conclusion Dynamic analysis of accessibilities : example Evaluation of Intrusion Detection Systems in Clouds 18 / 22

  19. Problem statement Methodology Testbed and Experimental Results Conclusion NIDS Evaluation : attacks dictionnary exploit id cve proto port date description N sl N sm 35660 2014-9567 TCP 80 2014-12-02 ProjectSend Arbitrary File Upload 3 3 34926 2014-6287 TCP 80 2014-09-11 Rejetto HttpFileServer Remote Command Exe- 12 12 cution 33790 N/A TCP 80 2014-05-20 Easy File Management Web Server Stack Buffer 7 8 Overflow 25775 2013-2028 TCP 80 2013-05-07 Nginx HTTP Server 1.3.9-1.4.0 - Chuncked En- 3 8 coding Stack Buffer Overflow 16970 2002-2268 TCP 80 2010-12-26 Kolibri 2.0 - HTTP Server HEAD Buffer Over- 2 2 flow 16806 2007-6377 TCP 80 2007-12-10 BadBlue 2.72b PassThru Buffer Overflow 9 3 28681 N/A TCP 21 2013-08-20 freeFTPd PASS Command Buffer Overflow 11 4 24875 N/A TCP 21 2013-02-27 Sami FTP Server LIST Command Buffer Over- 11 3 flow 17355 2006-6576 TCP 21 2011-01-23 GoldenFTP 4.70 PASS Stack Buffer Overflow 13 7 16742 2006-3952 TCP 21 2006-07-31 Easy File Sharing FTP Server 2.0 PASS Overflow 11 6 16713 2006-2961 TCP 21 2006-06-12 Cesar FTP 0.99g MKD Command Buffer Over- 11 6 flow 16821 2007-4440 TCP 25 2007-08-18 Mercury Mail SMTP AUTH CRAM-MD5 Buffer 9 8 Overflow 16822 2004-1638 TCP 25 2004-10-26 TABS MailCarrier 2.51 - SMTP EHLO Overflow 6 6 16476 2006-1255 TCP 143 2006-03-17 Mercur 5.0 - IMAP SP3 SELECT Buffer Over- 7 4 flow 16474 2005-4267 TCP 143 2005-12-20 Qualcomm WorldMail 3.0 IMAPD LIST Buffer 2 2 Overflow Evaluation of Intrusion Detection Systems in Clouds 19 / 22

  20. Problem statement Methodology Testbed and Experimental Results Conclusion NIDS evaluation : example with Snort and Suricata Detection rate and precision Snort detects more attacks than Suricata. Suricata is more accurate than Snort. Considering only serious alarms decreases the detection rate but improves the precision. Evaluation of Intrusion Detection Systems in Clouds 20 / 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 11 Page 1 CS 236 Online Outline Introduction Characteristics of intrusion detection systems Some sample intrusion detection

143 views • 12 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236 systems Computer Software Some sample intrusion detection March 12, 2007 systems Lecture 14 Lecture 14 Page 1 Page 2 CS 236, Winter 2007

537 views • 10 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239 systems Computer Software Some sample intrusion detection March 9, 2005 systems Lecture 15 Lecture 15 Page 1 Page 2 CS 239, Winter 2005

602 views • 12 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy Chapter 13 Using Rules and Thresholds for

297 views • 7 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
Moving Target Defense for the Placement of Intrusion Detection Systems in the Cloud Sailik

Moving Target Defense for the Placement of Intrusion Detection Systems in the Cloud Sailik

Moving Target Defense for the Placement of Intrusion Detection Systems in the Cloud Sailik Sengupta, Ankur Chowdhary, Subbarao Kambhampati Dijiang Huang SNAC Secure Networking and Yochan AI Lab Computing Lab Intrusion Detection Systems?

681 views • 38 slides
Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald Tripp www.kent.ac.uk Network intrusion detection Network intrusion detection systems are provided to detect the presence of various security

260 views • 12 slides
Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C.

Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C.

Motivation Analysis Evaluation Summary Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C. Kruegel Secure Systems Lab Vienna University of Technology SIG SIDAR Conference on Detection of

929 views • 78 slides
Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
Intrusion Detection Computer Security Peter Reiher November 18, 2014 Lecture 11 Page 1 CS

Intrusion Detection Computer Security Peter Reiher November 18, 2014 Lecture 11 Page 1 CS

Intrusion Detection Computer Security Peter Reiher November 18, 2014 Lecture 11 Page 1 CS 136, Fall 2014 Outline Introduction Characteristics of intrusion detection systems Some sample intrusion detection systems Lecture 11

737 views • 63 slides
Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
Motivation: MSA Motivation: MSA Current attacks to distributed systems involve multiple steps

Motivation: MSA Motivation: MSA Current attacks to distributed systems involve multiple steps

Secure Configuration of Intrusion Detection Secure Configuration of Intrusion Detection Sensors for Changing Enterprise Systems Gaspar Modelo-Howard, Jevin Sweval, Saurabh Bagchi Presented by Amiya Kumar Maji Dependable Computing Systems Lab

611 views • 12 slides
Firewalls and intrusion detection systems Markus Peuhkuri 2005-03-22 Lecture topics Firewalls

Firewalls and intrusion detection systems Markus Peuhkuri 2005-03-22 Lecture topics Firewalls

Firewalls and intrusion detection systems Markus Peuhkuri 2005-03-22 Lecture topics Firewalls Security model with firewalls Intrusion detection systems Intrusion prevention systems

644 views • 7 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Find Joy in the Journey Guarding Yourself Against 5 Joy Robbers Be joyful always; pray

Find Joy in the Journey Guarding Yourself Against 5 Joy Robbers Be joyful always; pray

Find Joy in the Journey Guarding Yourself Against 5 Joy Robbers Be joyful always; pray continually; give thanks in all circumstances, for this is Gods will for you in Christ Jesus. I Thessalonians 5:16-18 For the kingdom of God is

332 views • 19 slides
15 20 years ago Internet starting to reach a wider audience most people did not

15 20 years ago Internet starting to reach a wider audience most people did not

10/19/2010 15 20 years ago Internet starting to reach a wider audience most people did not have emails Mitigating Cyber Attacks computer security an afterthought The typical hacker, often portrayed as teenager,

588 views • 25 slides
IPv6 Intrusion Detection Research Project Carsten Rossenhvel, EANTC AG Sven Schindler,

IPv6 Intrusion Detection Research Project Carsten Rossenhvel, EANTC AG Sven Schindler,

IPv6 Intrusion Detection Research Project Carsten Rossenhvel, EANTC AG Sven Schindler, Universitt Potsdam Co-Financed By: Project Goals Independently assess the true, current risks of IPv6 attacks Develop intrusion detection tools for

447 views • 17 slides
SDN / NFV panel @ SBRC Sbastien Tandel sta@hpe.com slideshare.net/standel May 2017

SDN / NFV panel @ SBRC Sbastien Tandel sta@hpe.com slideshare.net/standel May 2017

SDN / NFV panel @ SBRC Sbastien Tandel sta@hpe.com slideshare.net/standel May 2017 Sbastien Tandel Working within HPE Aruba CTO as a Principal Architect Technologist with sound business knowledge Software engineer with sound

492 views • 21 slides
Team Cymru Cymru Team Network Forensics Ryan Connolly, ryan@cymru.com

Team Cymru Cymru Team Network Forensics Ryan Connolly, ryan@cymru.com

Team Cymru Cymru Team Network Forensics Ryan Connolly, ryan@cymru.com &lt;http://www.cymru.com&gt; Network Forensics what does it mean? network forensics is the analysis of network events in order to discover the source of problem

997 views • 43 slides
CC - Elisa Azzali CC - Tim Morgan CC - Quinn Dombrowski Public domain - Theodore C. Marceau CC

CC - Elisa Azzali CC - Tim Morgan CC - Quinn Dombrowski Public domain - Theodore C. Marceau CC

THE cloud data feed CC - Elisa Azzali CC - Tim Morgan CC - Quinn Dombrowski Public domain - Theodore C. Marceau CC - Erik Christensen Damn-fast and effective malware info sharing with MISP by Christophe Vandeplas http://misp-project.org

692 views • 47 slides
Prevalence of Malicious DNS and Proposed Solutions Christopher Davis and Zachary Hanif Sunday,

Prevalence of Malicious DNS and Proposed Solutions Christopher Davis and Zachary Hanif Sunday,

Prevalence of Malicious DNS and Proposed Solutions Christopher Davis and Zachary Hanif Sunday, March 11, 12 Introduction Chris Davis Emerging Threats &amp; University of Toronto Fellow IPTrust, DefIntel, Damballa... Mariposa, Conficker,

158 views • 15 slides
Prepare, Present, Assess Presented By: Charlie Rizzuto 2016 Nassau Zone Secondary PE

Prepare, Present, Assess Presented By: Charlie Rizzuto 2016 Nassau Zone Secondary PE

Prepare, Present, Assess Presented By: Charlie Rizzuto 2016 Nassau Zone Secondary PE Teacher of the Year 2017 NYS Health Education Amazing Person of the Year IGOR ELEVANCE ELATIONSHIPS Snack Time What was most memorable? Why are

863 views • 85 slides

More recommend