Conference Paper (PDF available)

Providing Response to Security Incidents in the Cloud Computing with Autonomic Systems and Big Data


Abstract

This article presents a real-time intrusion response system intended to reduce the consequences of attacks in cloud computing. Our work proposes an autonomic intrusion response technique that uses a utility function to determine the best response to an attack, providing self-healing properties to the environment. To achieve this goal, we propose the Intrusion Response Autonomic System (IRAS), an autonomic intrusion response system that uses Big Data techniques for data analysis.

I. INTRODUCTION

As a complement to the work presented in [1], the object of this article is to present the results and details of its implementation. Because of their distributed nature, cloud computing environments are an attractive target for intruders interested in exploring possible vulnerabilities in their services and then using the abundant resources maliciously. The growing number of attacks and vulnerability exploitation techniques requires preventative measures by system administrators. In this context, the need for a highly effective and rapid reactive security system gains importance. These measures are getting more complex with the growth of data heterogeneity and the increasing sophistication of attacks. In addition, the slow reaction time of human agents and the huge amount of data and information generated make decision making an arduous task. In response, Intrusion Detection Systems (IDS) [2] are increasingly used to identify attack patterns, malicious actions and unauthorized access to an environment [3]. The need for IDS is growing due to the limitations of Intrusion Prevention Systems (IPS), which focus on alerting administrators when a vulnerability is detected, as well as growing connectivity, threat evolution and the financial appeal of cybercrime [4]. Despite their growing importance, currently available IDS solutions have limited response mechanisms.
While the research focus is on better intrusion detection techniques, response and effective threat reaction are still mostly manual and rely on human agents to take effect [5]. Recently, some intrusion detection tools have begun providing limited sets of automated responses, but with the growing complexity of intrusions, the need for more effective response strategies has increased. Because of implementation limitations, research on intrusion detection techniques advances faster than research on intrusion response systems [3].
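The abstract says IRAS picks a response by maximising an expected utility function but does not show what such a function looks like. The following is an added example, not the paper's implementation: it scores each candidate response as expected damage avoided minus response cost, where "avoided" requires both that the IDS alert is a true positive (its confidence) and that the response actually stops that attack type. The alert fields, the response catalogue, the cost figures and the effectiveness probabilities are all constructed for illustration.

```python
"""Expected-utility response selection of the kind the IRAS abstract describes.
Added example; the alerts, responses, costs and probabilities are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    attack_type: str
    confidence: float   # IDS confidence that the alert is a true positive (0..1)
    damage: float       # estimated loss if the attack succeeds unmitigated


@dataclass(frozen=True)
class Response:
    name: str
    cost: float          # what applying it costs (downtime, lost service, effort)
    effectiveness: dict  # attack_type -> probability that the response stops it


# Constructed catalogue. "no_action" is a deliberate baseline so that a
# low-confidence alert does not automatically trigger an expensive response.
RESPONSES = [
    Response("no_action", 0.0, {}),
    Response("block_source_ip", 2.0, {"brute_force": 0.9, "dos": 0.6, "port_scan": 0.95}),
    Response("rate_limit", 1.0, {"dos": 0.7, "brute_force": 0.5}),
    Response("isolate_vm", 20.0,
             {"brute_force": 0.99, "dos": 0.99, "port_scan": 0.99, "malware": 0.95}),
]


def expected_utility(alert, response):
    """Expected damage avoided minus response cost.

    Damage is avoided only if the alert is real (confidence) and the response
    works against this attack type (effectiveness); the cost is paid regardless,
    which is what keeps false positives from being over-reacted to.
    """
    p_stop = response.effectiveness.get(alert.attack_type, 0.0)
    return alert.confidence * alert.damage * p_stop - response.cost


def rank_responses(alert, responses=RESPONSES):
    """All candidates as (utility, name), best first."""
    return sorted(((expected_utility(alert, r), r.name) for r in responses), reverse=True)


def select_response(alert, responses=RESPONSES):
    """Name of the highest-utility response for this alert."""
    return rank_responses(alert, responses)[0][1]


if __name__ == "__main__":
    for a in (Alert("brute_force", 0.9, 50.0),    # confident, moderate damage
              Alert("malware", 0.2, 30.0),        # weak alert: cheapest choice is to wait
              Alert("malware", 0.95, 500.0)):     # confident and costly: isolation pays off
        print(a.attack_type, a.confidence, "->", rank_responses(a)[:2])
```

The useful property to notice is that the same catalogue yields "no_action" for the weak malware alert and "isolate_vm" for the strong one: the utility function, not a hard-coded rule, is what scales the aggressiveness of the response with alert confidence and stake.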
... Recently, there have been some efforts to address intrusion response in cloud environments [9], [10], [11]. However, those studies do not investigate attack propagation patterns, and do not consider interactions among compromised VMs. ...
... There are some attack response methods that are presented for cloud infrastructure. Vieira et al. [10] proposed intrusion response autonomic system (IRAS) that uses a utility function to suggest the best response in order to reduce the consequences of the attacks in the cloud. Raju and Geethakumari [11] proposed a framework for detecting the attacker. ...
Article
Cloud computing is a dynamic environment that offers a variety of on-demand services at low cost. However, customers face new security risks due to the shared infrastructure in the cloud. Co-residency of virtual machines on the same physical machine leads to several threats for cloud tenants. Cloud administrators face a still more challenging problem, since they have to work within a fixed budget for cloud hardening. The problem is how to select a subset of countermeasures that stays within the budget and yet minimizes the residual damage to the cloud caused by malicious VMs. We address this problem by introducing a novel multi-objective attack response system. We consider response cost, co-residency threat, and virtual machine interactions to select the optimal response in the face of an attack. Optimal response selection, treated as a multi-objective optimization problem, calculates alternative responses with minimum threat and cost. Our method estimates the threat level based on the collaboration graph and suggests proper countermeasures based on threat type at minimum cost. Experimental results show that our system can suggest optimal responses based on the current state of the cloud.
... The solution employs a knowledge based approach to detect known attacks by comparing attack signatures to suspicious actions [27], [28]. Figure 2 depicts the operation. ...
Preprint
We introduce a method for intrusion detection based on the classification, understanding and prediction of behavioural deviance and potential threats, issuing recommendations and acting to address imminent issues. Our work seeks practical solutions to automate the identification of and response to cybersecurity threats in hybrid distributed computing environments through the analysis of large datasets generated during operations. We are motivated by the growth in the use of cloud computing and edge computing as the technology for business and social solutions. The technology mix and complex operation make these environments targets for attacks such as hijacking, man-in-the-middle, denial of service, phishing and others. The Autonomous Intrusion Response System implements innovative models of data analysis and context-aware recommendation systems to respond to attacks and to self-heal. We introduce a proof-of-concept implementation and evaluate it against datasets from experimentation scenarios based on public and private clouds. The results show a significant improvement in response effectiveness and the potential to scale to large environments.
... This approach can only guarantee locally optimal response action selection, because the look-ahead is limited to a single action and therefore does not take full advantage of a stateful model. The work has then been extended in [25] with a concrete implementation of the approach, but the MDP model has been replaced with a stateless utility function. ...
Conference Paper
The quantity and sophistication of cyber attacks have increased year after year, so it is infeasible to manually process Intrusion Detection System (IDS) alerts. Intrusion Response Systems (IRSs) extend IDSs by providing automatic protection mechanisms. The core of an IRS is its planning algorithm, in charge of selecting the best response action to counter the detected attacks. However, the planning algorithm has to be carefully designed and implemented in order to exhibit a low overhead and not compromise the scalability of the protected system. In this paper we present the performance evaluation of an IRS based on a Markov Decision Process (MDP), which leverages many-core co-processors. Such an IRS produces optimal long-term response policies evaluated according to a multi-criteria objective function. We show that, despite the complexity of the MDP modeling, the proposed IRS is able to protect large systems while introducing little to no overhead on the protected hosts.
Article
We present a method for autonomic intrusion detection and response to optimize processes of cybersecurity in large distributed systems. These environments are characterized by technology fragmentation and complex operations making them highly susceptible to attacks like hijacking, man-in-the-middle, denial-of-service, phishing, and others. The autonomic intrusion response system introduces models of operational analysis and reaction based on the combination of autonomic computing and big data. We implemented a proof-of-concept and executed experiments that demonstrate significant improvement in effectiveness and scalability of the method in complex environments.
Book
The main problems associated with implementing and using network and service management arise from the large number of proposals, standards and different products on the market, which makes it considerably harder to decide which network and service management approach is the most appropriate. In addition, new trends in network and service management are being researched, among which the following currently stand out: management of wireless, sensor, optical, future-Internet, Internet of Things and space-Internet networks; the functional areas of security, configuration, performance, accounting, etc.; management of multimedia services, data centers, grid, cloud, fog, edge, virtualization, etc.; and centralized, autonomic, distributed, self-management and policy-based management. These new trends are being researched at the Laboratório de Redes e Gerência (LRG) at UFSC, and this project will refine them through the following activities: A - Improvements in Autonomic Management for Fog and IoT; B - Improvements in Quality of Service for Real-Time Applications in IoT and Fog; C - Improvements in Security for Fog and IoT; D - Improvements in the Autonomic Intrusion Response System for Cloud and IoT; E - Improvements in Privacy in Identity Management for Dynamic Federations in Cloud and IoT; and F - Improvements in Risk-Based Dynamic Access Control for a Cloud and IoT Federation.
Presentation
T2. Clouds and Security: A Scrutinized Marriage
Presenters: Prof. Dr. Carlos Becker Westphall, Federal University of Santa Catarina, Brazil; Prof. Dr. Carla Merkle Westphall, Federal University of Santa Catarina, Brazil
Outline: Introduction; Motivation; Cloud security challenges and problems; Basic concepts (Cloud computing; Security); Cloud security concerns (Identity and access management; Privacy; Trust management and federations); Related work and technologies (Research questions; Research proposals; Current technologies); Conclusion
Conference Paper
Event stream processing has been used to construct many mission-critical event-driven applications, such as business intelligence applications and collaborative intrusion detection applications. In this paper, we argue that event stream processing is also a good fit for autonomic computing and describe how to design such a system that is resilient to both hardware failures and malicious attacks. Based on a comprehensive threat analysis of event stream processing, we propose a set of lightweight mechanisms that help achieve Byzantine fault tolerant event processing for autonomic computing. The mechanisms consist of voting at the event consumers and an on-demand state synchronization mechanism triggered when an event consumer fails to collect a quorum of matching decision messages. We also introduce an evidence-based safe-guarding mechanism that prevents a faulty event consumer from inducing unnecessary rounds of state synchronization.
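The abstract above names three mechanisms (voting at event consumers, on-demand state synchronisation when no quorum of matching decisions arrives, and an evidence check that stops a faulty consumer from forcing needless synchronisation rounds) without showing how they fit together. The following is an added example, not the paper's code. Its assumptions are not from the page: n = 3f + 1 event-processing replicas, a decision is accepted once f + 1 of them agree (any f + 1 matching messages include at least one correct replica), and a sync request is honoured only if its evidence carries decisions from at least n - f distinct replicas with no value reaching f + 1. Messages are unsigned here; a real deployment would authenticate them so that the evidence cannot be forged.

```python
"""Byzantine-tolerant voting at an event consumer with evidence-gated state sync.
Added example; the replica count rule, quorum size and evidence rule are assumptions."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    event_id: str
    replica: int   # id of the processing replica that produced it
    value: str     # the response the replica decided on (e.g. "block", "allow")


class EventConsumer:
    def __init__(self, f):
        self.f = f
        self.n = 3 * f + 1
        self.quorum = f + 1       # f+1 matching decisions contain at least one correct one
        self.pending = {}         # event_id -> {replica: Decision}
        self.accepted = {}        # event_id -> agreed value

    def receive(self, d):
        """Feed one decision message.

        Returns ("accept", value) when a quorum forms, ("sync", evidence) when every
        replica has answered and no value reached a quorum (replica state diverged),
        and None while more messages are needed.
        """
        if d.event_id in self.accepted:
            return None
        votes = self.pending.setdefault(d.event_id, {})
        if d.replica in votes:    # duplicates or equivocation from one replica: keep the first
            return None
        votes[d.replica] = d
        value, count = Counter(v.value for v in votes.values()).most_common(1)[0]
        if count >= self.quorum:
            self.accepted[d.event_id] = value
            del self.pending[d.event_id]
            return ("accept", value)
        if len(votes) == self.n:
            evidence = tuple(sorted(votes.values(), key=lambda v: v.replica))
            del self.pending[d.event_id]
            return ("sync", evidence)
        return None


def sync_request_justified(evidence, f):
    """Safeguard run by whoever services sync requests: honour a request only if its
    evidence really shows that no quorum was possible for one event."""
    n = 3 * f + 1
    if not evidence:
        return False
    if len({d.event_id for d in evidence}) != 1:
        return False              # evidence must concern a single event
    replicas = {d.replica for d in evidence}
    if len(replicas) != len(evidence) or len(replicas) < n - f:
        return False              # duplicated replica, or too few replicas consulted
    top = Counter(d.value for d in evidence).most_common(1)[0][1]
    return top < f + 1


if __name__ == "__main__":
    c = EventConsumer(f=1)
    print(c.receive(Decision("e1", 0, "block")), c.receive(Decision("e1", 1, "block")))
    outcome = None
    for r, v in enumerate(["block", "allow", "drop", "quarantine"]):
        outcome = c.receive(Decision("e2", r, v)) or outcome
    print(outcome[0], sync_request_justified(outcome[1], f=1))
```

Note what the evidence rule buys: a faulty consumer that simply claims "no quorum" after hearing from two replicas, or that attaches messages in which a value did reach f + 1, is refused, so it cannot keep the replicas busy re-synchronising state.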
Conference Paper
This paper analyzes real-time intrusion response systems in order to mitigate attacks that compromise integrity, confidentiality and availability in cloud computing platforms. Our work proposes an autonomic intrusion response technique enabling self-awareness, self-optimization and self-healing properties. To achieve this goal, we propose IRAS, an Intrusion Response Autonomic System, using Big Data techniques for data analytics and an expected utility function for decision making.
Article
The proliferation of digital devices in a networked industrial ecosystem, along with an exponential growth in complexity and scope, has resulted in elevated security concerns and management complexity issues. This paper describes a novel architecture utilizing concepts of autonomic computing and a simple object access protocol (SOAP)-based interface to metadata access points (IF-MAP) external communication layer to create a network security sensor. This approach simplifies integration of legacy software and supports a secure, scalable, and self-managed framework. The contribution of this paper is twofold: 1) a flexible two-level communication layer based on autonomic computing and service-oriented architecture is detailed and 2) three complementary modules that dynamically reconfigure in response to a changing environment are presented. One module utilizes clustering and fuzzy logic to monitor traffic for abnormal behavior. Another module passively monitors network traffic and deploys deceptive virtual network hosts. These components of the sensor system were implemented in C++ and Perl and utilize a common internal D-Bus communication mechanism. A proof-of-concept prototype was deployed on a mixed-use test network showing the possible real-world applicability. In testing, 45 of the 46 network-attached devices were recognized and 10 of the 12 emulated devices were created with specific operating system and port configurations. In addition, the anomaly detection algorithm achieved a 99.9% recognition rate. All output from the modules was correctly distributed using the common communication structure.
Conference Paper
Cloud computing is an attractive model that provides the delivery of on-demand computing resources over the Internet on a pay-per-use basis. However, while intruders may exploit clouds to their advantage, most IDS solutions are not suitable for cloud environments. This paper presents a hierarchical and autonomous cloud-based intrusion detection system, HA-CIDS. The framework continuously monitors and analyzes system events and computes the security and risk parameters. An autonomous controller receives the security parameters computed by the framework and selects the most appropriate response to protect the cloud against detected attacks, as well as to recover any corrupted data or affected services. Besides autonomous response to detected attacks, HA-CIDS has several autonomous capabilities that provide self-resilience and fault tolerance. We developed a testbed to evaluate the performance and accuracy of the framework. The architecture, design, and deployment of HA-CIDS are given in this paper.
Conference Paper
Cloud computing supports a distributed service-oriented paradigm with a multi-domain, multi-user administrative infrastructure. Because of the distributed nature of the cloud environment, it offers many opportunities for intrusion and is prone to security breaches, since intruders can exploit the large amount of resources in the cloud for their attacks. Furthermore, most current Intrusion Detection System (IDS) solutions do not offer features for cloud environments. This paper presents a hierarchical, autonomous and forecasting cloud-based IDS (HAF-CIDS) that continuously monitors and analyzes system events and computes the risk level. The proposed system improves detection accuracy through integration with a forecasting engine that runs the Holt-Winters (HW) algorithm; HAF-CIDS uses the HW forecast to detect aberrant network behaviour. Furthermore, it can recover corrupted data or affected services by interacting with an autonomous controller that selects the most appropriate response to detected attacks.
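The abstract above says HAF-CIDS flags aberrant network behaviour by comparing traffic against a Holt-Winters forecast, but not how the comparison is made. The following is an added example, not HAF-CIDS code: additive Holt-Winters (level, trend and seasonal components) with a per-season smoothed deviation band in the style of Brutlag's aberrant-behaviour detection, flagging an observation when it falls more than k deviations from the forecast. The traffic series, the smoothing constants, the initial deviation and k are constructed or assumed. One practical caveat the abstract does not mention is built in: an observation judged anomalous is not allowed to update level, trend or season, otherwise a single flood would shift the forecast and cause the next few normal buckets to be flagged as well.

```python
"""Holt-Winters (additive) forecast with a seasonal deviation band for
aberrant-behaviour detection.  Added example; all parameters and data are constructed."""


def holt_winters_detect(series, m, alpha=0.3, beta=0.1, gamma=0.1, k=3.0, init_dev=1.0):
    """Return (forecasts, flags).

    forecasts: index -> one-step-ahead forecast for every index >= m.
    flags: indices whose |actual - forecast| exceeded k * smoothed deviation
           for that seasonal position.  m is the season length in samples.
    """
    if len(series) < 2 * m:
        raise ValueError("need at least two full seasons to initialise")
    first, second = series[:m], series[m:2 * m]
    level = sum(first) / m                                  # initial level: mean of season 1
    trend = (sum(second) - sum(first)) / (m * m)            # initial trend: season-to-season drift
    seasonal = [y - level for y in first]                   # seasonal[i] holds s_{t-m} for t%m == i
    dev = [init_dev] * m                                    # assumed starting band per position
    forecasts, flags = {}, []
    for t in range(m, len(series)):
        pos = t % m
        yhat = level + trend + seasonal[pos]
        y = series[t]
        err = y - yhat
        forecasts[t] = yhat
        anomalous = abs(err) > k * dev[pos]
        if anomalous:
            flags.append(t)
        # Smoothed absolute error at this seasonal position (the band widens after a miss).
        dev[pos] = gamma * abs(err) + (1 - gamma) * dev[pos]
        # Do not let an outlier poison the model: fit the forecast instead of the outlier.
        y_fit = yhat if anomalous else y
        new_level = alpha * (y_fit - seasonal[pos]) + (1 - alpha) * (level + trend)
        trend = beta * (new_level - level) + (1 - beta) * trend
        seasonal[pos] = gamma * (y_fit - new_level) + (1 - gamma) * seasonal[pos]
        level = new_level
    return forecasts, flags


# Constructed traffic: four buckets per period (e.g. packets/s sampled over a day),
# six identical periods, then two injected aberrations.
NORMAL = [10.0, 20.0, 30.0, 20.0]
TRAFFIC = NORMAL * 6
TRAFFIC[17] = 120.0    # flood in a normally quiet bucket (index 17 is position 1, expected 20)
TRAFFIC[22] = 2.0      # the busiest bucket goes almost silent (position 2, expected 30)


def detect_traffic_anomalies(series=TRAFFIC, m=4):
    """Indices of the constructed series flagged as aberrant."""
    return holt_winters_detect(series, m)[1]


if __name__ == "__main__":
    forecasts, flags = holt_winters_detect(TRAFFIC, 4)
    for t in flags:
        print(f"t={t}: actual={TRAFFIC[t]} forecast={forecasts[t]:.1f}")
```

Both the upward burst and the downward collapse are caught, and the buckets immediately after the burst are not, because the burst never entered the level or trend. The flip side of feeding actual errors into the deviation band is that repeated anomalies at the same phase widen the band; an attacker who ramps slowly can train the detector, so the band should be capped or reset from a known-good baseline in production.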