21-12-2012, 04:54 PM
Intrusion Detection for Grid and Cloud Computing
Our Proposed Service

In our solution, each node identifies local events that could represent security violations and alerts the other nodes. Each individual IDS cooperatively participates in intrusion detection. Figure 1 depicts the sharing of information between the IDS service and the other elements participating in the architecture: the node, service, event auditor, and storage service.

The node contains the resources, which are accessed homogeneously through the middleware. The middleware sets the access-control policies and supports a service-oriented environment.

The service provides its functionality in the environment through the middleware, which facilitates communication.
Event Auditor

To detect an intrusion, we need audit data describing the environment's state and the messages being exchanged. The event auditor can monitor the data that the analyzers are accessing. The first component monitors message exchange between nodes. Although audit information about the communication between nodes is being captured, no network data is taken into account—only node information.

The second component monitors the middleware logging system. For each action occurring in a node, a log entry is created containing the action's type (such as error, alert, or warning), the event that generated it, and the message. With this kind of data, it's possible to identify an ongoing intrusion.
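The two auditor components and the node-to-node alert sharing described above, as an added example that is not code from the original article. The log format ("node type event message"), the three local detection rules, and all sample log lines and exchanges are constructed for this illustration; the article only states that each entry carries a type, an event and a message, and that nodes alert each other.

```python
import re
from collections import Counter
from dataclasses import dataclass

# --- Constructed sample data (not from the original article) -----------------
# Middleware log lines; the "<node> <type> <event> <message>" layout is assumed.
SAMPLE_LOG = """\
node1 warning auth_failed user=alice reason=bad_password
node1 warning auth_failed user=alice reason=bad_password
node1 error auth_failed user=alice reason=bad_password
node2 alert policy_violation user=alice action=read path=/restricted/db
node2 warning auth_failed user=bob reason=bad_password
this line is malformed and must be skipped by the auditor
node3 error service_unavailable service=storage
"""

# Request/response pairs seen by the message monitor. Only node-level
# information is recorded (method, parameters, status): no packet data.
SAMPLE_EXCHANGES = [
    {"src": "node1", "dst": "node2", "user": "alice", "method": "readFile",
     "params": ("/restricted/db",), "status": "denied"},
    {"src": "node1", "dst": "node2", "user": "alice", "method": "readFile",
     "params": ("/restricted/db",), "status": "denied"},
    {"src": "node3", "dst": "node2", "user": "bob", "method": "listDir",
     "params": ("/public",), "status": "ok"},
]

LOG_RE = re.compile(
    r"^(?P<node>\S+)\s+(?P<type>error|alert|warning)\s+(?P<event>\S+)\s+(?P<message>.*)$")


@dataclass(frozen=True)
class LogEntry:
    node: str
    type: str
    event: str
    message: str


def parse_log(text):
    """Log-monitor component: turn middleware log lines into structured entries."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:  # a malformed line is skipped rather than aborting the whole audit
            entries.append(LogEntry(**m.groupdict()))
    return entries


def field_value(message, key):
    """Extract a key=value token from a log message, e.g. user=alice."""
    m = re.search(rf"\b{key}=(\S+)", message)
    return m.group(1) if m else None


class NodeIDS:
    """One cooperating IDS instance; every alert it raises is pushed to its peers."""

    FAIL_THRESHOLD = 3  # assumed local rule: 3 auth failures for one user

    def __init__(self, name, registry):
        self.name = name
        self.registry = registry      # shared dict: node name -> NodeIDS
        self.registry[name] = self
        self.received = []            # alerts forwarded by the other nodes

    def analyse(self, entries, exchanges):
        alerts = []
        # Rule 1 (log monitor): repeated authentication failures by one user.
        failures = Counter(field_value(e.message, "user") for e in entries
                           if e.node == self.name and e.event == "auth_failed")
        for user, n in failures.items():
            if n >= self.FAIL_THRESHOLD:
                alerts.append((self.name, "repeated_auth_failure", user))
        # Rule 2 (log monitor): the middleware already flagged an entry as an alert.
        for e in entries:
            if e.node == self.name and e.type == "alert":
                alerts.append((self.name, e.event, field_value(e.message, "user")))
        # Rule 3 (message monitor): the same method denied twice for one user.
        denied = Counter((x["user"], x["method"]) for x in exchanges
                         if x["dst"] == self.name and x["status"] == "denied")
        for (user, method), n in denied.items():
            if n >= 2:
                alerts.append((self.name, f"repeated_denied:{method}", user))
        for a in alerts:
            self.broadcast(a)
        return alerts

    def broadcast(self, alert):
        for peer in self.registry.values():
            if peer is not self:
                peer.received.append(alert)


def run_cooperative_audit(log_text=SAMPLE_LOG, exchanges=SAMPLE_EXCHANGES):
    """Run the auditor on every node and return (entries, local alerts, shared view)."""
    registry = {}
    nodes = [NodeIDS(n, registry) for n in ("node1", "node2", "node3")]
    entries = parse_log(log_text)
    local = {n.name: n.analyse(entries, exchanges) for n in nodes}
    shared = {n.name: list(n.received) for n in nodes}
    return entries, local, shared


if __name__ == "__main__":
    _, local, shared = run_cooperative_audit()
    for name in local:
        print(name, "raised:", local[name], "received:", shared[name])
```

With the constructed data, node1 raises one alert (alice's three failed logins), node2 raises two (the policy violation and the repeated denied readFile), node3 raises none but ends up holding all three through the broadcast, which is the cooperative view the architecture is after.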
IDS Service

The IDS service increases a cloud's security level by applying two methods of intrusion detection. The behavior-based method dictates how to compare recent user actions to the usual behavior.
Evaluating the Event Auditor

The event auditor captures all requests received by a node and the corresponding responses, which is fundamental for behavior analysis. For each action a node performs, a log entry is generated to register the methods and parameters invoked during the action.

In the experiments with the behavior-based IDS, we considered using audit data from both a log and a communication system. Unfortunately, data from a log system—with the exception of the message element—has a limited set of values with little variation. This made it difficult to find attack patterns, so we opted to explore communication elements to evaluate this technique.

We evaluated the behavior-based technique using artificial intelligence enabled by a feedforward neural network [6]. In the simulation environment, we monitored five intruders and five legitimate users.
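The behavior-based method of the IDS Service section and the feedforward-network evaluation above, as an added example that is not the article's code or data. The three per-user features extracted from communication elements (request rate, fraction of denied responses, fraction of distinct nodes contacted), the normalisation constants, the five-plus-five training vectors and the network size are all constructed for this illustration; the article only states that communication elements were used and that a feedforward network separated five intruders from five legitimate users.

```python
import math
import random

# --- Feature extraction from communication elements (constructed) -------------
MAX_REQUESTS_PER_WINDOW = 10.0   # assumed: 10 requests in a window saturates the rate
CLUSTER_NODES = 4                # assumed size of the simulated environment


def features_from_exchanges(exchanges):
    """Summarise one user's request/response records into a normalised vector."""
    n = len(exchanges)
    rate = min(1.0, n / MAX_REQUESTS_PER_WINDOW)
    denied = sum(1 for x in exchanges if x["status"] == "denied") / n if n else 0.0
    spread = len({x["dst"] for x in exchanges}) / CLUSTER_NODES
    return [rate, denied, spread]


# Constructed simulation set: five intruders (label 1), five legitimate users (0).
TRAINING_SET = [
    ([0.90, 0.80, 0.90], 1), ([0.80, 0.70, 0.80], 1), ([0.95, 0.60, 0.70], 1),
    ([0.70, 0.90, 0.85], 1), ([0.85, 0.75, 0.95], 1),
    ([0.10, 0.05, 0.20], 0), ([0.20, 0.00, 0.10], 0), ([0.15, 0.10, 0.30], 0),
    ([0.30, 0.05, 0.15], 0), ([0.05, 0.00, 0.25], 0),
]
# Constructed held-out sessions not used for training.
HELD_OUT = [([0.75, 0.65, 0.80], 1), ([0.25, 0.10, 0.20], 0)]


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


class FeedForwardNet:
    """Minimal one-hidden-layer network trained with stochastic gradient descent."""

    def __init__(self, n_in, n_hidden, seed=0):
        rng = random.Random(seed)  # fixed seed keeps the run reproducible
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden)]
        self.b2 = 0.0

    def forward(self, x):
        h = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b)
             for row, b in zip(self.w1, self.b1)]
        out = sigmoid(sum(w * hi for w, hi in zip(self.w2, h)) + self.b2)
        return h, out

    def train(self, data, epochs=2000, lr=0.5):
        for _ in range(epochs):
            for x, y in data:
                h, out = self.forward(x)
                d_out = out - y  # cross-entropy gradient w.r.t. the output pre-activation
                d_h = [d_out * w * hj * (1 - hj) for w, hj in zip(self.w2, h)]
                for j, hj in enumerate(h):
                    self.w2[j] -= lr * d_out * hj
                self.b2 -= lr * d_out
                for j, dj in enumerate(d_h):
                    for i, xi in enumerate(x):
                        self.w1[j][i] -= lr * dj * xi
                    self.b1[j] -= lr * dj
        return self

    def score(self, x):
        """Probability that the session deviates from usual (legitimate) behavior."""
        return self.forward(x)[1]


def train_detector(data=TRAINING_SET, seed=0):
    return FeedForwardNet(n_in=3, n_hidden=4, seed=seed).train(data)


def evaluate(net, data, threshold=0.5):
    """Detection rate and false-positive rate of the trained network on labelled data."""
    tp = fp = tn = fn = 0
    for x, y in data:
        pred = 1 if net.score(x) >= threshold else 0
        if pred and y:
            tp += 1
        elif pred and not y:
            fp += 1
        elif not pred and y:
            fn += 1
        else:
            tn += 1
    return {"detection_rate": tp / (tp + fn) if tp + fn else 0.0,
            "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0}


if __name__ == "__main__":
    net = train_detector()
    print("training:", evaluate(net, TRAINING_SET))
    print("held-out:", evaluate(net, HELD_OUT))
```

The point to take from the block is the evaluation split: the score threshold fixes the trade-off between detection rate and false-positive rate, and a behavior-based detector has to be judged on sessions it was not trained on, which is why the held-out vectors are kept apart from the ten simulated users.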