
IDS Techniques in Cloud Computing

2.5 Related Work

2.5.1 IDS Techniques in Cloud Computing

Given its vulnerability from a security and privacy perspective, Cloud Computing cannot work effectively and securely without protection techniques such as IDS and IPS [Vieira et al., 2010]. IDS/IPS in Cloud Computing produce alerts based on true alarms; however, false alarms still occur when detection is performed by IDS/IPS [Bakshi and Yogesh, 2010]. This is because an IDS/IPS is judged by the accuracy of its identification and by the smaller number of false alarms it raises. Intrusion patterns in Cloud Computing can be detected by inspecting network packets using signatures (pre-defined rules) and generating alarms for system administrators [Lo et al., 2010].

There are two approaches for IDS and IPS: Anomaly Detection (AD) and Signature Detection (SD). AD detects misuse by looking for any differences in activity on the network. It is based on the assumption that attacks differ from normal activity, so the task is to identify all such differences. These detectors rely on profiles that represent users, hosts and other kinds of systems [Bosin et al., 2009]. The profiles are collected from normal data over a certain period of time, which helps in understanding any deviation from the criterion. Various measures are useful in detecting anomalies, such as threshold detection, statistical measures, rule-based measures and others [Karen and Mell, 2010].
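As an added illustration of the two approaches just described (this example is not taken from the cited works or from this thesis), the following Python code contrasts signature detection, which matches packets against pre-defined rules, with anomaly detection, which builds a per-source profile from normal traffic windows and applies threshold detection on the statistical deviation from that profile. The packets, rules, per-source counts and the threshold value are all constructed for the demonstration.

```python
"""Constructed illustration of the two IDS approaches: signature detection
over pre-defined rules, and anomaly detection against a profile of normal
activity. All packets, rules, counts and thresholds are made up for the demo."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: str


# ---- Signature detection (SD): a rule is a name plus a predicate over a packet.
Rule = Tuple[str, Callable[[Packet], bool]]

SIGNATURES: List[Rule] = [
    ("path-traversal", lambda p: "../" in p.payload),   # constructed content rule
    ("telnet-login", lambda p: p.dst_port == 23),       # constructed port rule
]


def signature_detect(packets: List[Packet], rules: List[Rule] = SIGNATURES) -> List[Tuple[str, str]]:
    """Inspect each packet against every rule and return (src, rule_name) alarms.
    SD only fires on what a rule already describes: an attack with no rule is missed."""
    return [(p.src, name) for p in packets for name, pred in rules if pred(p)]


# ---- Anomaly detection (AD): learn a per-source profile from normal windows,
# then flag a window whose count deviates more than k standard deviations.
Profile = Dict[str, Tuple[float, float]]


def build_profile(normal_windows: List[Dict[str, int]]) -> Profile:
    """normal_windows: per-window {src: packet_count} observed during the
    training period. Returns {src: (mean, population_stdev)}."""
    counts: Dict[str, List[int]] = {}
    for window in normal_windows:
        for src, n in window.items():
            counts.setdefault(src, []).append(n)
    return {src: (mean(c), pstdev(c)) for src, c in counts.items()}


def anomaly_detect(profile: Profile, window: Dict[str, int], k: float = 3.0,
                   min_stdev: float = 1.0) -> List[Tuple[str, str, Optional[float]]]:
    """Threshold detection on the z-score of each source's count in `window`.
    `min_stdev` floors the deviation so a perfectly constant baseline does not
    turn every one-packet change into an alarm. Sources never seen in the
    normal period have no baseline and are reported as 'unknown-source'."""
    alarms: List[Tuple[str, str, Optional[float]]] = []
    for src, n in window.items():
        if src not in profile:
            alarms.append((src, "unknown-source", None))
            continue
        mu, sigma = profile[src]
        z = (n - mu) / max(sigma, min_stdev)
        if abs(z) > k:
            alarms.append((src, "rate-deviation", round(z, 2)))
    return alarms


# ---- Constructed sample data.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 80, "GET /index.html"),
    Packet("10.0.0.7", 80, "GET /../../etc/passwd"),
    Packet("10.0.0.9", 23, "login"),
]

NORMAL_WINDOWS = [  # five one-minute windows of normal per-source counts
    {"10.0.0.5": 10, "10.0.0.7": 3},
    {"10.0.0.5": 12, "10.0.0.7": 4},
    {"10.0.0.5": 11, "10.0.0.7": 2},
    {"10.0.0.5": 9, "10.0.0.7": 3},
    {"10.0.0.5": 13, "10.0.0.7": 3},
]
OBSERVED_WINDOW = {"10.0.0.5": 11, "10.0.0.7": 40, "10.0.0.9": 2}

if __name__ == "__main__":
    print("SD alarms:", signature_detect(SAMPLE_PACKETS))
    print("AD alarms:", anomaly_detect(build_profile(NORMAL_WINDOWS), OBSERVED_WINDOW))
```

The two detectors fail in opposite ways, which is the practical reason they are combined: the signature detector is silent on the unknown source 10.0.0.9 because no rule describes it, while the anomaly detector flags both the rate spike from 10.0.0.7 and the never-profiled source, at the cost of a threshold (`k`) that has to be tuned against the false-alarm rate discussed above.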

Foster et al. [2009] proposed a system named Grid and Cloud Computing Intrusion Detection Systems (GCCIDS). The system was designed to cover attacks that host-based IDS (HIDS) cannot monitor. It analyses the knowledge and behaviour of intrusions that take place [Foster et al., 2009]. However, it cannot detect new kinds of attack, nor does it create a database, which needs to be taken into consideration when creating the IDS.

Xin and Yun-jie [2010] argued that with the increasing popularity of networks, security issues have become increasingly severe; therefore, the traditional kinds of intrusion detection and firewall systems have generally been sufficient to deal with the technology, yet there is a need to develop a new type of IPS. Such an opinion was supported by Jansen and Grance [2011], who claimed that an IPS is an advanced combination of ID, personal firewalls and anti-virus software. The function of an IPS is not only to detect the interruption of services by an attacker, but also to take preventative action, which should include features such as logging off the user, initiating a system shutdown, halting the process and disabling connections. Xin and Yun-jie [2010] also mentioned that the rational types of ID function in a style not unlike anti-virus software; this is an example of passive-mode data testing. Hence, if an attack is detected, prevention takes place in the data traffic. Waxman [2011] stated that a computer network attack, also known as a Cyber-Attack, refers to any unwanted or unethical activity intended to disturb, alter or violate someone's privacy, or to steal others' important data, either secretly or publicly. These attacks are usually performed by anonymous hackers, and it is very difficult to identify or catch them [Levy, 2010]. Cyber-attacks are performed in multiple ways, such as secretly installing spy software on the targeted systems [Runthala, 2010], secretly attempting to log in to the targeted system [Puzmanova and Mikhailovsky, 2014] or secretly monitoring the internet traffic of the targeted system [Garber, 2010]. Cyber-attacks include, but are not limited to, Malware, Phishing, Password Attacks, Denial-of-Service (DoS) Attacks, Man-in-the-Middle (MITM) Attacks, Drive-by Downloads, Malvertising, Rogue Software and many more [Pipyros et al., 2014]. Alqahtani et al. [2014a,b] proposed two IDS/IPS-based models, SIDSCC⁵ and SIPSCC⁶, to evaluate IDS/IPS detection and prevention once they detect or prevent attacks within cloud computing (namely SaaSCloud). These two models were investigated separately depending on different methods of protection, levels, techniques, scenarios and attacks. The main motivation for these studies was to evaluate the efficiency of IDS/IPS within SaaSCloud from three perspectives: vulnerability detection, average time and false negatives. However, these two models need to be validated further against IDS/IPS datasets such as DARPA, KDD or ISCX in order to re-evaluate and validate the functionality, operation and capability of IDS/IPS within cloud computing. These datasets generally contain various known and unknown attacks with different protocol scenarios. The main difference between the two mechanisms is that IPS is an extension of IDS: it blocks connections or drops abnormal packets if they contain unauthorised data.
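As an added example (not the SIDSCC/SIPSCC models themselves, nor code from any of the cited works), the following Python code makes the IDS/IPS distinction concrete and shows the kind of measurement a labelled dataset allows: the same detection function is run in an alert-only IDS mode and in an IPS mode that drops the offending record and blocks its source, and the run is scored for false negatives, false positives and average per-record inspection time. The records, their ground-truth labels and the list of "unauthorised data" tokens are constructed for the demonstration.

```python
"""Constructed illustration of the IDS/IPS difference and of scoring either
against a labelled dataset: false negatives, false positives and average
inspection time. Records, labels and the token list are made up for the demo."""
from dataclasses import dataclass
from statistics import mean
from time import perf_counter
from typing import Dict, List, Set


@dataclass(frozen=True)
class Record:
    src: str
    dst_port: int
    payload: str
    malicious: bool  # ground-truth label, as a labelled evaluation dataset carries


# Constructed list of payload tokens this deployment treats as unauthorised data.
UNAUTHORISED_TOKENS = ("../", "DROP TABLE")


def inspect(rec: Record) -> bool:
    """The detection function shared by both modes; deliberately simple."""
    return any(tok in rec.payload for tok in UNAUTHORISED_TOKENS)


def run_engine(records: List[Record], mode: str = "ids") -> Dict[str, object]:
    """mode='ids': alert only; every record is forwarded.
    mode='ips': alert, drop the offending record, and block its source so
    later records from it are dropped without inspection."""
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    alerts: List[str] = []
    forwarded: List[Record] = []
    dropped: List[Record] = []
    blocked: Set[str] = set()
    latencies: List[float] = []
    fn = fp = 0
    for rec in records:
        if mode == "ips" and rec.src in blocked:
            dropped.append(rec)          # follow-on drop from an earlier block
            continue
        t0 = perf_counter()
        hit = inspect(rec)
        latencies.append(perf_counter() - t0)
        if hit and not rec.malicious:
            fp += 1                      # false alarm
        if rec.malicious and not hit:
            fn += 1                      # missed attack (false negative)
        if hit:
            alerts.append(f"{rec.src}:{rec.dst_port}")
            if mode == "ips":
                dropped.append(rec)
                blocked.add(rec.src)
                continue
        forwarded.append(rec)
    return {
        "alerts": alerts,
        "forwarded": len(forwarded),
        "dropped": len(dropped),
        "blocked_sources": sorted(blocked),
        "false_negatives": fn,
        "false_positives": fp,
        "avg_inspect_s": mean(latencies) if latencies else 0.0,
    }


# Constructed labelled dataset.
DATASET = [
    Record("10.0.0.5", 80, "GET /index.html", False),
    Record("10.0.0.7", 80, "GET /../../etc/passwd", True),        # detected
    Record("10.0.0.7", 80, "GET /images/logo.png", False),        # benign follow-on, same source
    Record("10.0.0.8", 3306, "SELECT 1; DROP TABLE users", True),  # detected
    Record("10.0.0.9", 443, "opaque-encrypted-blob", True),       # missed: nothing to match
    Record("10.0.0.5", 80, "GET /docs/../readme", False),         # benign but matches: false alarm
]

if __name__ == "__main__":
    for m in ("ids", "ips"):
        print(m, run_engine(DATASET, m))
```

Two points the numbers make visible: the false-negative count (the attack in the opaque record) is identical in both modes, because prevention cannot act on what detection never sees; and in IPS mode one false alarm from 10.0.0.5 leads to that source being blocked outright, and a later benign record from 10.0.0.7 is dropped without ever being inspected. That is why the false-alarm rate weighed above matters far more once an IPS is allowed to block connections.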

⁵ This service is an Intelligent Service of Intrusion Detection System for Cloud Computing (SIDSCC).
