PreprintPDF Available
Preprints and early-stage research may not have been peer reviewed yet.

Abstract and Figures

We introduce a method for Intrusion Detection based on the classification, understanding and prediction of behavioural deviance and potential threats, issuing recommendations, and acting to address eminent issues. Our work seeks a practical solutions to automate the process of identification and response to Cybersecurity threats in hybrid Distributed Computing environments through the analysis of large datasets generated during operations. We are motivated by the growth in utilisation of Cloud Computing and Edge Computing as the technology for business and social solutions. The technology mix and complex operation render these environments target to attacks like hijacking, man-in-the-middle, denial of service, phishing, and others. The Autonomous Intrusion Response System implements innovative models of data analysis and context-aware recommendation systems to respond to attacks and self-healing. We introduce a proof-of-concept implementation and evaluate against datasets from experimentation scenarios based on public and private clouds. The results present significant improvement in response effectiveness and potential to scale to large environments.
Content may be subject to copyright.
1
Autonomic Intrusion Response in
Distributed Computing using Big Data
Kleber Vieira1, Fernando Koch1,2, Jo˜
ao Bosco Mangueira Sobral1,
Carlos Becker Westphall1, and Jorge Lopes de Souza Le˜
ao3
1Network and Management Laboratory (LRG), Federal University of Santa Catarina (UFSC), Brazil
2School of Computing and Information Systems, The University of Melbourne, Australia
3Technology Centre, Federal University of Rio de Janeiro (UFRJ), Brazil
We introduce a method for Intrusion Detection based on the classification, understanding and prediction of behavioural deviance
and potential threats, issuing recommendations, and acting to address eminent issues. Our work seeks a practical solutions to
automate the process of identification and response to Cybersecurity threats in hybrid Distributed Computing environments through
the analysis of large datasets generated during operations. We are motivated by the growth in utilisation of Cloud Computing
and Edge Computing as the technology for business and social solutions. The technology mix and complex operation render these
environments target to attacks like hijacking, man-in-the-middle, denial of service, phishing, and others. The Autonomous Intrusion
Response System implements innovative models of data analysis and context-aware recommendation systems to respond to attacks
and self-healing. We introduce a proof-of-concept implementation and evaluate against datasets from experimentation scenarios
based on public and private clouds. The results present significant improvement in response effectiveness and potential to scale to
large environments.
Index Terms—Intrusion Detection Systems, Cybersecurity, Distributed Computing, Big Data, Autonomic Computing
I. INTRODUCTION
There is a growing number of cybersecurity threats related
to the extended utilisation of Cloud Computing and Edge
Computing. The Brazilian Center for Studies, Response and
Treatment of Security Incidents (CERT.br), which monitors
attacks attempts and their types, shows the growing tendency
of Cyberattack incidents such as Distributed Denial of Service
(DDoS) attacks [1], [2] whose incidents grew by 125.36%
between the first quarter of 2016 with the same period of
2015. Such attempts, successful or not, result in economic,
reputation, and social impact. A report from PwC Consulting
describes the economic impact of Cybersecurity breaches in
areas like disruption of operations and manufacturing, compro-
mise of sensitive data, negative impact to product and services,
damage of physical property, and harm to human life [3].
The scaling number of virtual crimes and the exploitation of
vulnerabilities in Distributed Computing demand new forms
of preventive measures to preserve security and privacy.
We are motivated by the need for effective Cybersecurity
strategies for intrusion detection and fast response, aiming
to prevent disruption, preserve privacy and security, and op-
timise operations. Cybersecurity threats are primarily linked
to storage and transfer of large chunks of information, along
with their importance and vulnerability [4]. The most common
security threats in Distributed Computing include hijacking,
man-in-the-middle, denial of service, phishing, and others [5],
[6], [7]. Buyya et al [8] points the lack of a well-defined
security strategies in heterogeneous environments combining
Cloud Computing and Edge Computing. This issues is mostly
due to the characteristics of the environment involving dis-
tributed architectures, complex and heterogeneous elements,
and large scale operations.
We are looking into a combination of Autonomic Computing
[9], [10] and Big Data to deal with the large volume of
information collected from the audits of the various system
components and to provide rapid response. This work con-
tributes to the state-of-the-art by:
Providing a reference architecture for Autonomic Intru-
sion Response System based on a combination between
Autonomic Systems and Big Data.
Presenting a proof-of-concept implementation of a full-
cycle attack-response interaction in heterogeneous Dis-
tributed Computing environments.
Analysing this approach’s performance for accuracy, ef-
ficiency, and scalability to real-world scenarios.
In what follows, we elaborate on the background, state-of-
the-art, and technology gap. Section III outlines our proposal.
Section IV describes the results from executing a proof-of-
concept implementation upon experimentation environments
of private and public clouds. We discuss the results and
opportunities in Section V.
II. BACKGRO UND A ND RELATED WORK
System administrators demand approaches of Intrusion De-
tection Systems (IDS) to minimise the harms of hackers,
crackers, and other cyber-criminals [11], [12], [13]. In general,
preventive systems employ techniques to analyse the behaviour
and origin of the attempts to then define whether the action is
allowed [14]. Response time is crucial to prevent intrusions.
Cohen et al [15] points out that for a skillful intruder his
attack will have 80% chance of success if the response time
is around 10 hours, 95% chance if the intruder has 20 hours,
and for over 30 hours the attack renders virtually infallible;
however, if the response is immediate, then the chances of
arXiv:1811.05407v1 [cs.DC] 13 Nov 2018
2
the intruder’s success are practically nil. Nonetheless, current
approaches present a significant time gap between detection
and response, mostly due to the need for manual intervention
[16], [17], [18].
There is a cohort of research looking into how to improve
IDS towards quick detection of malicious or unauthorised
actions [19], [20], and intelligent management methods of Dis-
tribute Computing [6], [21]. In general, an IDS encompasses:
1) Detection, usually performed automatically by monitor-
ing patterns in the systems’ log entries and behaviour of
the elements.
2) Warning, triggered via analysis of behaviour patterns and
raising awareness of potential issues to system adminis-
trators.
3) Decision making, provides decision making support based
on data analytics systems.
4) Response, implementing actions upon the elements, along
with evaluation of the their results.
Buyya et al [8] argues that existing strategies for attack de-
tection and response still fail to provide satisfactory results for
Distributed Computing environments. Notably, current imple-
mentations presents a delay between Detection and Response.
Moreover, current developments tend to focus on Detection
and Warning, whereas there is a critical demand to optimise the
manual intervention in Decision Making and Response [14].
Hence, there is a technology gap between strategies for
detecting attack attempts and existing response mechanisms.
Although fast response is a clear demand, current implemen-
tations mostly depend on manual interventions rending these
solutions slow and ineffective. In this context, the motivation
for this work encompasses:
define the requirements for an effective autonomic attack
response;
outline the required decision-making algorithms to sup-
port this systems;
field test proposed approaches in controlled environments
in order to evaluate performance, applicability to real-
world scenarios, and scaleability to large Distribute Com-
puting systems.
III. PROPO SAL
The Autonomic Intrusion Response System (SARI) follows
the vision of autonomic computing around self-healing, self-
protection and self-optimising. The solution works based on
the Monitor-Analyse-Plan-Execute-Knowledge (MAP-K) ar-
chitecture to efficiently analyse large amounts of data about
the utilisation of Distribute Computing resources.
Figure 1 depicts the system architecture. We devised an
approach to collect system log datasets about network traffic,
system information, and sensors, following the proposal by
Suthaharan et al [22]. The solution pre-processes these datasets
to consolidate information and remove noise. The cycles for
analysis and planning implement the MapReduce strategy to
correlate the information – this is a programming model
designed to process large volumes of data in parallel, dividing
the work into a set of independent tasks [23], [24]. Our
architecture encompasses the following components:
Fig. 1. Architecture of the Autonomic Intrusion Response System
Monitoring Module implements probes to collect infor-
mation about behaviour changes of the managed ele-
ments, and other execution information; these datasets
include e.g. system log and other monitoring systems
installed in the Virtual Machines such as Snort, OSSEC,
Hypervisor, network traffic, system settings, and SMNP
data [11], [25]; sensors are designed to collect data
from Hypervisors and VM instances through the library
jNetPcap.
Analysis Module implements the processes for cate-
gorisation (or mapping) and reduction; in this module,
MapReduce is applied to (i) identify the signatures of
known attacks and (ii) extract significant data such as the
origin of the attack, features of the data packages, and
others. This process analyses and classifies data packages
in relation to their protocol. Then, the process applies
different algorithms to specific protocols that implement
the process to reduce data volumes. The solution results in
a data hierarchy for analysis and a compilation of possible
issues causing the attacks.
Planning Module implements the MAPE-K loop strategy
based on the theory of expected utility. The planning
component collects data from the Analysis module to
characterise the current situation. Then, the planning
process applies algorithms to select the response action
that is most likely to work in the determined scenario. The
process applies the theory of expected utility is applied to
select the best response. The to the attack. The method
works by analysing diverse alternatives applicable to the
situation possible In this technique, the various possible
alternatives are analysed and the one that brings the high-
est response value to a given environment configuration
is selected [26].
Execution Module performs the notification or response
action on detected intrusions depending on the configu-
ration.
Knowledge Module holds the information requires for
system’s operations, such as: collected data; known signa-
tures; time values; cost and probability of each response;
applied response techniques; environment settings, and
more.
The solution employs a knowledge based approach to detect
3
Fig. 2. Analysis module with MapReduce
known attacks by comparing attack signatures to suspicious
actions [27], [28]. Figure 2 depicts the operation. The strategy
applies MapReduce to allow working on large datasets through
parallel execution on a cluster of machines. Files are split into
smaller pieces to be distributed through the cluster during the
partition step. Each fragment is distributed to an instance that
will execute the map algorithm (see Algorithm 10) and the
reduce algorithm (see Algorithm 9), sequentially. The output
is put forward to the Planning Module for rule-based analysis
on the consolidated information.
Data: data packet
Result: Attack Alert, Data Packet
1begin
2Separate packets by protocol into a Hash Map; repeat
3Checks whether the packet has a known attack
for this protocol ;
4if there is attack then
5Saves IP source, IP Destination, Protocol,
Attack ;
6else
7next package ;
8end
9until end of packages;
10 end
Algorithm 1: Analysis Algorithm: Map portion
A. Response Strategy
The response strategy follows the concept of expected utility
principle [29]. Decisions are made based on the probability
of positive intrusion events versus uncertainty about response
effectiveness [26]. For the decision process, the model takes in
consideration environmental elements, such as: parameters of
the cloud environment; target virtual machines; parameters of
the attack set, and; response parameters such as cost of actions,
effect time, success probability, effectiveness history, and
others. The system model includes the following parameters:
N={n2N|n>0}: environmental parameters;
Data: Attack Alerts, Data Package
Result: Source, attack target, protocol, signature, attack
type, amount
1begin
2Separate packets per protocol in a Hash Map; repeat
3if Already Registered then
4sum amount of retries
5else
6adds new attack ;
7end
8until end of packages;
9end
Algorithm 2: Analysis Algorithm: Reduce portion
E={ei|i:states, i 2N}: parameters of the attack set;
A={ai|i:actions,i2N}: parameters of the response set.
O={oi|i:result, i in mathbbN }: result of the actions.
The expected utility formula is given as follows:
UE(ai)= X
oi2O
Pai(oi).U(oi)(1)
where: Ois the result set; Pai(oi)is the probability of the
result oiconditioned to the action ai; and U(oi)is the utility
of the result (response) oi. Translating to the construction of
the AIRS system, we have the components defined as:
E: set of attacks.
A: set of actions that are responses to attacks.
O: result set depending on whether or not they work.
C: set of costs of executing (processing) actions-responses to
attacks.
T: set of time durations for action-response execution.
P: set of probabilities of a result to be action-response
success.
Other definitions involve costs, elapsed times and probabil-
ities, as follows:
4
C={ci|i:costof action, i 2N}
T={ti|i:timeof action, i 2N}
P={pi|i:probability, i 2N}
Given these definitions, the expected utility UE(ai)of a
response-action aiconsidering a result oiis given by:
UE(ai)=
m2N
X
i=1
p(oi)
(ci+ti+ 1) (2)
Where mis the number of actions defined in the system;
ai2Ais an action-response; p(oi)is the effectiveness
probability of oi, and U(oi)is the expected utility of oi.
Normalisation is implemented by shifting the values of each
resource so that the minimum value is 0and then dividing by
the new maximum value, which is the difference between the
original maximum and minimum values. The system applies
the following method to normalise the utility calculation:
z=xmin(x)
[max(x)min(x)] (3)
Let Abe the set of all possible actions in a processing
environment, such that an ai2Aelement is an action that can
be performed, and; Rrepresents the set of possible responses.
Then, a response is defined as a possibly effective action
where: Ois the result set; P(a)is the conditional probability
of the result ogiven the action A; and U(o)is the utility of
o.
TABLE I
UTILITY CALCULATION EXAMPLE
AState
Attack1Attack2... AttacknExpected Utility
a1UE(a11)UE(a12)... UE(a1n)UE(a1)=PUE(o1n)
a2UE(a21)UE(a22)... UE(a2n)UE(a2)=PUE(o2n))
a3p(o31)
(c31+t31+1)
p(o32
(c32+t32+1) ... p(o3n)
(c3n+t3n+1) UE(a3)=PUE(o3n)
am
p(om1)
(cm1+tm1+1)
p(om2)
(cm2+tm2+1) ... p(omn)
(cmn+tmn+1) UE(am)=PUE(omn)
In sum, the method applies cost cin, time t1nand prob-
ability pin, where nis the possible number of attacks. The
utilities U(amn)is calculated as:
U(amn)= p(amn )
(cmn +tmn + 1) (4)
Where mcorresponds to an action-response; ncorresponds
to a determined attack as per the examples in Table III-A; Ois
the result set; P(a)is the conditional probability of the result
ogiven the action A; and U(a)is the utility of a.
In the proposed model, the largest sum max U(ai)corre-
sponds to the most useful action-response, which means that
we inferred a preferable action-response ai. That is, aiis more
likely to be effective than its peers.
B. Application Example
Table II presents an application example of the expected
utility method considering: a knowledge base Kwith previ-
ously estimated utility costs C, elapsed time T, and success
probabilities P, for the attacks E.
TABLE II
EXAMPLE OF KNOWLEDGE BASE
E1E2E3
A T C P T C P T C P
a12 2 0,1 3 4 0,3 20 10 0,5
a25 6 0,2 3 5 0,1 30 10 0,4
a31 1 0 5 7 0,2 20 10 0,1
Let us assume that attacks E1and E3are detected. The first
step is to normalise the values of Tand C. Table III presents
the normalised values. Next, we apply the utility formula for
each set am, resulting in the values depicted in Table IV.
TABLE III
EXAMPLE OF NORMALISED KNOWLEDGE BASE
E1E2E3
A T C P T C P T C P
a10.034 0.111 0.100 0.068 0,333 0.300 0.655 1.000 0.500
a20.137 0.555 0.200 0.068 0.444 0.100 1.000 1.000 0.400
a30.000 0.000 0.000 0.137 0.666 0.200 0.655 1.000 0.000
TABLE IV
EXAMPLE OF INFERRED KNOWLEDGE BASE
E1E2E3
a10.087 0.213 0.188
a20.118 0.066 0.133
a30.000 0.110 0.037
Next, you must make the 2 sum of the utilities that corre-
spond to the amactions for the Enattacks, and choose the
highest value utility.
TABLE V
UTILITY CALCULATION
E1E3P
a10.087 0.188 0.275
a20.118 0.133 0.251
a30.000 0.037 0.037
In the example above, the action a1has the best utility
and will be selected within the proper context. Moreover,
it is possible to adjust the values based on observation of
effectiveness of actions in given contexts. One important factor
to observe is the elapsed time to implement the actions aiming
at effective and efficient delivery.
IV. RESULTS
We developed a proof-of-concept implementation to eval-
uate the approach and executed it in two scenarios: (i) VMs
running on a private cloud in our Lab, and; (ii) VM running
on Amazon public cloud. For both cases, we generated two
sets of data representing (a) legitimate access and (b) security
attacks. The implementation utilises Java 8 and the JnetPCap
library. Dedicated attack nodes and legitimate nodes were used
to perform the tests. The experiment generated considerable
amount of data and demanded extensive processing time.
The script to generate attacks was implemented upon
Scapy [30], which allows to generate network traffic and
inject attacks. The script dynamically mounts a TCP packet
5
informing data, such as source port, destination port, source ip,
destination IP, payload, and the ack package. The configuration
included the target machine and a payload parameter of
QLInject with large data volumes, forming a typical DDoS
attack, presented in Code 1.
Sensors were installed at specific capturing points to test the
Monitoring Module. Then, the environment was configured to
choose the network interface to be monitored. The captured
data was stored in files containing packages. Two criteria
were established: elapsed time and data volume. If one of the
criteria was triggered, the monitoring files would be sent to
the analysis module. The SARI process entails:
collecting the log file from the VMs;
transferring the files to the detection server, and;
executing the detection algorithm.
Listing 1. Script for Attack Simulation
from scapy.all import *
seq = 12345
sport = 1040
dport = 80
ip_packet = IP(dst=’172.31.17.62’)
syn_packet = TCP(sport=sport,dport=dport,flags=’S’,
seq=seq)
packet = ip_packet/syn_packet
synack_response = sr1(packet)
next_seq = seq + 1
my_ack = synack_response.seq + 1
ack_packet = TCP(sport=sport, dport=dport, flags=’A’
,seq=next_seq, ack=my_ack)
send(ip_packet/ack_packet)
payload_packet = TCP(sport=sport, dport=dport, flags
=’A’, seq=next_seq, ack=my_ack)
payload = "GET / HTTP/1.0\r\nHOST: 172.31.17.62\r\n\
rSQL INJECT\n"
for iin range(100):
sr(ip_packet/payload_packet/payload, multi
=1, timeout=1)
TABLE VI
EXPERIMENTATION DATASETS
Size in MB Number
of Packets
Number
of Attacks
10 130,000 306
50 700,000 803
100 1,400,000 1,481
200 3,625,000 1,851
400 7,250,000 2,138
600 8,845,000 2,822
800 11,600,000 3.442
1.000 14,500,000 4,275
Table VI presents variations of datasets generated through
multiple experimentation configurations.
The Analysis and Planning module is implemented in Java
using the Hadoop library to support MapReduce. For each
experiment a cluster was created to process the analysis. This
module receives the datasets for processing and generates
Fig. 3. Private cloud environment
results like the one depicted in Table VII. Table VIII presents
the parameters for the utility calculation.
TABLE VII
RESULT OF THE ANALYSIS MODULE
Source IP IP Destination Attack Quantity
1 150.162.63.200 150.162.63.23 E1275
2 150.162.63.205 150.162.63.23 E22000
3 150.162.63.202 150.162.63.23 E32000
TABLE VIII
PARAMETERS FOR THE UTILITY CALCULATION
Actions Probability Normalised Cost Normalised Elapsed Time
a10.01 0.00157 0.01023
a20.15 0.00166 0.01063
a30.34 0.00375 0.02127
a40.41 0.00583 0.03191
a50.48 0.00791 0.04255
A. Experimenting on a Private Cloud
Figure 3 depicts the testing environment implemented over
a private cloud computing in our laboratory. The environment
is composed of a CloudStack hypervisor and Xen orchestration
system running on Debian. We created: (a) a set of VMs
representing the invaders; (b) a set of VMs with WEB servers
and databases representing the target, and; (c) a cluster of 3
computers to execute SARI processes.
Figure 4 shows the behaviour of the analysis module against
the different configurations. Figure 5 depicts the normalised
ratios in the testing environment experiments. There are two
values close to the maximum utility (0.637 and 0.650), since
they represent actions where the probability is the same (95
6
Fig. 4. Total processing time on the Private Cloud
Fig. 5. Ratio utility versus cost on the Private Cloud
%). The execution the cost presents small variation (0.443 and
0.451). However, the execution time presents ample variation
(9.118 and 42.011). We conclude that the thread with the
smallest processing time has the greatest utility (0.650).
B. Experimenting on a Public Cloud
The public cloud experimentation setup is similar to the
private cloud one. The implementation was on the Amazon
Web Services (AWS) platform, simulating legitimate and in-
trusive users against 4 target machines as service providers.The
SARI system is represented by an interface for monitoring and
analysis, along with a cluster for planning and execution and
the knowledge base.
Figure 6 presents the results from the execution on the
public cloud. Figure 7 presents the utility function for the cost
of actions. The most useful action has value U=0.340309094
and was process in 950 seconds at a cost of 1900 units.
Fig. 6. Total processing time on the Public Cloud
Fig. 7. Ratio utility versus cost on the Production Cloud
The key difference between the public and private cloud
experiments is the time lag between the steps, which is shorter
in the public cloud environment due to the larger availability
of computational resources.
Hence, we concluded for significant improvement in re-
sponse effectiveness and potential to scale to large environ-
ments.
V. C ONCLUSIONS
We presented a reference architecture for Automated Intru-
sion Detection based on methods of Big Data for the classifica-
tion, understanding and prediction of behavioural deviance in
Distributed Computing environments. The proposed solution
covers for the technology gap attack detection strategies that
provide satisfactory results in Distributed Computing environ-
ments.
The Autonomic Intrusion Response System follows the vi-
sion of autonomic computing and works based on the Monitor-
Analyse-Plan-Execute-Knowledge (MAP-K) architecture to
efficiently analyse large amounts of data about the utilisation
of Distribute Computing resources. The solution employs
a knowledge based approach to detect known attacks by
comparing attack signatures to suspicious actions The strategy
applies MapReduce to allow working on large datasets through
parallel execution on a cluster of machines.
We evaluated the proposed approach through a prototype
implementation against two scenarios: (i) VMs running on a
private cloud in our Lab, and; (ii) VM running on Amazon
public cloud. The results demonstrate the effectiveness of
the solution allowing to process large volumes of access
information in acceptable time delays for both the private
cloud and the public cloud experiment. We demonstrated that
the approach is able to handle real-world scenarios and deliver
low latency response results, aligned with the requirements for
Automated Intrusion Detection. Hence, we concluded for sig-
nificant improvement in response effectiveness and potential
to scale to large environments.
We argue that a product-grade implementation based on
the proposed reference architecture would effectively reduce
the damage caused by diverse forms of Cyber attacks on
Distributed Computing environments.
As a limitation, the proposed approach does not contemplate
optimisation upon the algorithmic complexity of the expected
utility theory. That is, given an attack, the algorithm needs
7
to calculate the sum of the utility of each response. This
calculation grows exponentially given the number of responses
implemented in the model. Another limitation is the appli-
cation of rules for knowledge-based detection methods using
known attacks within the scope of this work. We consider
these limitations acceptable, as the purpose of the project was
to demonstrate the feasibility of using Big Data strategies
and provide a reference architecture for the implementation.
Further work will have to extend on this discussion to attain
product-grade implementations.
Further work may also involve research in the application
of Machine Learning and Cognitive Computing to detect
attacks beyond the scope of the implemented rules. New
attack signatures could be discovered and incorporated to the
architecture’s knowledge base thus continuously improving the
system’s effectiveness overtime. This strategy would progress
the solution towards a self-learning and self-adjustable system,
laying the ground for a future Cognitive Intrusion Detection
Systems.
ACKNOWLEDGEMENT
This work was conducted by Dr. Kleber Vieira in the
scope of his doctorate program in Computer Sciences at the
Network and Management Laboratory (LRG), Department of
Informatics and Statistics, Federal University of Santa Catarina
(UFSC), Brazil. The research was supervised by Prof. Dr.
Carlos Becker Westphall and counted with valuable input
from LRG’s colleagues. Special thanks to Prof. Dr. Joao
Bosco Sobral and Prof. Dr. Jorge Lopes de Souza Leao for
their input and contribution. Dr. Fernando Koch contributed
with putting this paper together and provided extensive input
during the elaboration of the research. Dr. Koch is a Visiting
Researcher at LRG/UFSC, Honorary Senior Fellow with The
University of Melbourne, Australia, and supported by the
Brazilian CNPq Productivity in Technology and Innovation
Grant (CNPq 307275/2015-9).
REFERENCES
[1] F. Lau, S. H. Rubin, M. H. Smith, and L. Trajkovic, “Distributed
denial of service attacks,” in Systems, Man, and Cybernetics, 2000 IEEE
International Conference on, vol. 3, pp. 2275–2280, IEEE, 2000.
[2] R. K. Chang, “Defending against flooding-based distributed denial-of-
service attacks: a tutorial,” IEEE communications magazine, vol. 40,
no. 10, pp. 42–51, 2002.
[3] C. Castelli, B. Gabriel, J. Yates, and P. Booth, “Strengthening digital
society against cyber shocks,” tech. rep., PwC Consulting, 2018.
[4] A. D. Smith and W. T. Rupp, “Issues in cybersecurity; understanding
the potential risks associated with hackers/crackers,” Information Man-
agement & Computer Security, vol. 10, no. 4, pp. 178–183, 2002.
[5] C. P. Pfleeger and S. L. Pfleeger, Security in computing. Prentice Hall
Professional Technical Reference, 2002.
[6] S. Subashini and V. Kavitha, “A survey on security issues in service
delivery models of cloud computing,Journal of network and computer
applications, vol. 34, no. 1, pp. 1–11, 2011.
[7] A. Behl, “Emerging security challenges in cloud computing: An insight
to cloud security challenges and their mitigation,” in Information and
communication technologies (WICT), 2011 world congress on, pp. 217–
222, IEEE, 2011.
[8] R. Buyya, R. Calheiros, and X. Li, “Autonomic Cloud computing: Open
challenges and architectural elements,” Emerging Applications of .. . ,
pp. 3–10, 2012.
[9] J. O. Kephart and D. M. Chess, “The vision of autonomic computing,”
Computer, no. 1, pp. 41–50, 2003.
[10] P. Horn, “Autonomic computing: Ibm\’s perspective on the state of
information technology,” 2001.
[11] C. Modi, D. Patel, B. Borisaniya, H. Patel, A. Patel, and M. Rajarajan, “A
survey of intrusion detection techniques in cloud,” Journal of Network
and Computer Applications, vol. 36, no. 1, pp. 42–57, 2013.
[12] A. Schulter, F. Navarro, F. Koch, and C. B. Westphall, “Towards grid-
based intrusion detection,” in Network Operations and Management
Symposium, 2006. NOMS 2006. 10th IEEE/IFIP, pp. 1–4, IEEE, 2006.
[13] L. Dali, K. Abouelmehdi, A. Bentajer, H. Elsayed, E. Abdelmajid,
and B. Abderahim, “A survey of Intrusion Detection System,” in Web
Applications and Networking (WSWAN), 2015 2nd World Symposium
on, pp. 1–6, IEEE, 2015.
[14] N. Stakhanova, S. Basu, and J. Wong, “A taxonomy of intrusion response
systems,” International Journal of Information and Computer Security,
vol. 1, no. 1, pp. 169–184, 2007.
[15] F. Cohen, “Simulating cyber attacks, defences, and consequences,
Computers & Security, vol. 18, no. 6, pp. 479–518, 1999.
[16] S. Northcutt and J. Novak, Network intrusion detection. Sams Publish-
ing, 2002.
[17] C. A. Carver, “Intrusion response systems: A survey,” Department
of Computer Science, Texas A&M University, College Station, TX,
pp. 77843–3112, 2000.
[18] H. A. Kholidy, A. Erradi, S. Abdelwahed, and F. Baiardi, “A risk
mitigation approach for autonomous cloud intrusion response system,”
Computing, pp. 1–25, 2016.
[19] H. Debar, M. Dacier, and A. Wespi, “A revised taxonomy for intrusion-
detection systems,” in Annales des t´
el´
ecommunications, vol. 55, pp. 361–
378, Springer, 2000.
[20] U. Kumar and B. N. Gohil, “A survey on intrusion detection systems
for cloud computing environment,International Journal of Computer
Applications, vol. 109, no. 1, 2015.
[21] M. D. Assuncao, F. L. Koch, and C. B. Westphall, “Grids of agents for
computer and telecommunication network management,” Concurrency
and Computation: Practice and Experience, vol. 16, no. 5, pp. 413–
424, 2004.
[22] S. Suthaharan, “Big data classification: Problems and challenges in net-
work intrusion prediction with machine learning,” in Big Data Analytics
workshop, in conjunction with ACM Sigmetrics, 2013.
[23] J. Dean and S. Ghemawat, “Mapreduce: simplified data processing on
large clusters,” Communications of the ACM, vol. 51, no. 1, pp. 107–113,
2008.
[24] S.-H. Ahn, N.-U. Kim, and T.-M. Chung, “Big data analysis system con-
cept for detecting unknown attacks,” in 16th International Conference
on Advanced Communication Technology, pp. 269–272, IEEE, 2014.
[25] J. Werner, C. M. Westphall, and C. B. Westphall, “Cloud identity
management: A survey on privacy strategies,” Computer Networks,
vol. 122, pp. 29–42, 2017.
[26] R. F. Bordley and S. M. Pollock, “A decision-analytic approach to
reliability-based design optimization,” Operations research, vol. 57,
no. 5, pp. 1262–1270, 2009.
[27] K. Vieira, A. Schulter, C. Westphall, and C. M. Westphall, “Intrusion
detection for grid and cloud computing,” It Professional, vol. 12, no. 4,
pp. 38–43, 2010.
[28] K. M. Vieira, D. S. M. F. Pascal, C. B. Westphall, J. B. M. Sobral, and
J. Werner, “Providing response to security incidents in the cloud com-
puting with autonomic systems and big data,” in The Eleventh Advanced
International Conference on Telecommunications (AICT 2015)., 2015.
[29] R. Briggs, “Normative theories of rational choice: Expected utility,” in
The Stanford Encyclopedia of Philosophy (E. N. Zalta, ed.), Metaphysics
Research Lab, Stanford University, 2017.
[30] P. BIONDI, “Packet generation and network based attacks with scapy,”
CanSecWest/core05, 2005.
ResearchGate has not been able to resolve any citations for this publication.
Article
Full-text available
With the rise of cloud computing, thousands of users and multiple applications have sought to communicate with each other, exchanging sensitive data. Thus, for effectively managing applications and resources, the use of models and tools is essential for the secure management of identities and to avoid compromising data privacy. There are models and tools that address federated identity management, and it is important that they use privacy mechanisms to assist in compliance with current legislation. Therefore, this article aims to present a survey of privacy in cloud identity management, presenting and comparing main features and challenges described in the literature. At the end of this work there is a discussion of the use of privacy and future research directions.
Article
Full-text available
Cloud computing delivers on-demand resources over the Internet on a pay-for-use basis, intruders may exploit clouds for their advantage. This paper presents Autonomous Cloud Intrusion Response System (ACIRS), a proper defense strategy for cloud systems. ACIRS continuously monitors and analyzes system events and computes security and risk parameters to provide risk assessment and mitigation capabilities with a scalable and elastic architecture with no central coordinator. It detects masquerade, host based and network based attacks and selects the appropriate response to mitigate these attacks. ACIRS is superior to NICE (Network Intrusion Detection and Countermeasure Selection system) in reducing the risk by 38 %. This paper describes the components, architecture, and advantages of ACIRS.
Conference Paper
Full-text available
This article provides a real-time intrusion response system in order to reduce the consequences of the attacks in the Cloud Computing. Our work proposes an autonomic intrusion response technique that uses a utility function to determine the best response to the attack providing self-healing properties to the environment. To achieve this goal, we propose the Intrusion Response Autonomic System (IRAS), which is an autonomic intrusion response system, using Big Data techniques for data analysis. I. INTRODUCTION As a complement to the work presented in [1], the object of this article is to present the results and details of its implementation. Because of their distributed nature, cloud computing environments are a great target for intruders interested in exploring possible vulnerabilities in their services and consequently using the abundant resources maliciously. The growing number of attacks and vulnerability exploitation techniques requires preventative measures by system administrators. In this context, the need for a highly effective and rapid reactive security system gains importance. These measures are getting more complex with the growth of data heterogeneity and the increasing complexity of the attacks. In addition, slow reaction time from human agents and the huge amount of data and information generated, makes the decision making process an arduous task. In response to this, there is an increase in the usage of Intrusion Detection Systems (IDS) [2], as a way to identify attack patterns, malicious actions and unauthorized access to an environment [3]. The need for IDS is growing due to limitations in Intrusion Preventing Systems (IPS)-which focus on alerting administrators when a vulnerability is detected, connectivity and threat evolution, as well as the financial appeal of cybercrime [4]. Despite their growing importance, currently available IDS solutions have limited response mechanisms. While the research focus is on better intrusion detection techniques, response and effective threat reaction are still mostly manual and rely on human agents to take effect [5]. Recently, some intrusion detection tools have begun providing limited sets of automated responses, but with the growing complexity of intrusions, the need for more effective response system strategies has increased. Due to implementation limitations , research on intrusion detection techniques advance faster than intrusion response systems [3].
Conference Paper
Recently, threat of previously unknown cyber-attacks are increasing because existing security systems are not able to detect them. Past cyber-attacks had simple purposes of leaking personal information by attacking the PC or destroying the system. However, the goal of recent hacking attacks has changed from leaking information and destruction of services to attacking large-scale systems such as critical infrastructures and state agencies. In the other words, existing defence technologies to counter these attacks are based on pattern matching methods which are very limited. Because of this fact, in the event of new and previously unknown attacks, detection rate becomes very low and false negative increases. To defend against these unknown attacks, which cannot be detected with existing technology, we propose a new model based on big data analysis techniques that can extract information from a variety of sources to detect future attacks. We expect our model to be the basis of the future Advanced Persistent Threat(APT) detection and prevention system implementations.
Article
In this paper, we survey different intrusions affecting availability, confidentiality and integrity of Cloud resources and services. Proposals incorporating Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) in Cloud are examined. We recommend IDS/IPS positioning in Cloud environment to achieve desired security in the next generation networks.