
Framework for Distributed and Self-healing Hybrid Intrusion Detection and Prevention System

Fauzia Idrees (1,2), Muttukrishnan Rajarajan (1), A.Y. Memon (2)

(1) School of Engineering and Mathematical Sciences, City University London, UK
(2) National University of Sciences & Technologies, Karachi, Pakistan
{Fauzia.Idrees.1, r.muttukrishnan}@city.ac.uk, attaullah@pnec.edu.pk

Abstract—Intrusion detection is a versatile security paradigm which can avert most computer and network related attacks if efficiently employed. This paper presents a novel solution for the detection and prevention of known and unknown network and cloud computing vulnerabilities. The proposed framework is an amalgamation of some of the existing state-of-the-art intrusion detection and prevention technologies. The design of this novel system can be adapted with little customization to complex networks, cloud computing, Voice over IP and Next Generation Networks in order to abate the versatile threat environments.

Keywords—Intrusion detection and prevention; Cloud computing; Classification; Clustering; Misuse and Anomaly based detection.

I. INTRODUCTION

Intrusion detection technology has gained broad appreciation after undergoing revolutionary changes and has become a basic foundation of network security architecture. Its primary role is to evaluate the information collected at host or network points against the security policies, generate early warnings and subsequently respond to mitigate the intrusions. With the rapid developments in, and increasing reliance on, computer and network technologies, the attack landscape has also expanded with new threat models aimed at gaining unauthorized access to lucrative resources and monetary benefits [1].

With the popularity of cloud computing, Voice over Internet Protocol (VoIP) and other bandwidth-hungry applications, network speed and traffic have increased tremendously, and with them the security concerns and performance challenges. Traditional Intrusion Detection System (IDS) technology relying on a single detection approach is insufficient to fulfill these ever-growing requirements. New techniques are being explored to make attack detection efficient and effective [2] [3]. Still, there is a dire need for a compact, all-in-one intrusion detection and prevention system that keeps up with network throughput and speed and deals effectively with varying environments.

In this paper, we present the design of a multi-threaded distributed detection and prevention system with self-healing hybrid detection engines and an Intrusion Detection and Prevention Operation Centre (IDPOC). This framework uses NIDS and HIDS at distributed locations, augmented with a central operation centre that monitors and coordinates their operations in addition to their individual detection and prevention capabilities. Two self-healing detection engines (misuse and anomaly based) are integrated in the system with multi-threaded functionality to cope with throughput and speed bottlenecks. Our detection model consists of Snort together with supervised and unsupervised classification and clustering stages based on Bayesian classification, Decision tree and Naïve Bayes algorithms. Different deployment scenarios including cloud computing (IaaS, SaaS and PaaS) and VoIP are evaluated as a proof of concept.

The rest of this paper is organized as follows: Section II reviews related work. Sections III and IV present the proposed architecture with its components and suitable deployment scenarios respectively. Finally, Section V concludes the work and outlines possible future work.

II. LITERATURE REVIEW

The earliest intrusion detection systems performed two functions: data capture and analysis. The analysis part was based on signatures of known attacks [3] [4]. Later on, anomaly based intrusion detection was introduced, along with prevention functionality to respond actively against attacks rather than passively monitoring systems. Those architectures were centralized and therefore relied on a single point of failure [5]. With technological advancements, distributed IDS functionality was explored by various researchers [6] [9] [12] [13]. The different architectures have pros and cons when operating in their basic mode, so researchers started integrating various methodologies to get the best performance out of them. A comparative study of previously integrated solutions is presented in Table I.

III. SYSTEM DESIGN

The aim of the proposed design is to develop a comprehensive detection and prevention model for accurate and fast intrusion mitigation on a par with the ever-growing demands of network diversity and speed.

A. Main Operations

The idea behind this system design is to perform the detection and prevention operations on network and host machines efficiently and in a cooperative manner.


TABLE I. COMPARATIVE STUDY OF PREVIOUS APPROACHES

Ref | Year | Detection technique | Detection time | Response | Architecture | Coverage | Prevention | Pros | Cons
This work | 2013 | Misuse & anomaly based | Online & offline (optional) | Active | Host, network, distributed | Computers, networks, cloud computing, VoIP, NGN | Yes | Hybrid detection; distributed and optional non-distributed operations; multi-threaded processing for optimum speed and throughput; versatile coverage scenarios; real-time detection and prevention functions. | High computation cost, which could be controlled with efficient implementation.
[6] | 2012 | Misuse & anomaly based | Online | Active | Host, networks, VM | Cloud computing | No | Better accuracy of classifier. | No prevention functionality. Works only for cloud computing.
[7] | 2012 | Misuse & anomaly based | Offline | Passive | Network | Networks | No | Better accuracy of classifier. | No prevention functionality. Works only for network.
[8] | 2012 | Anomaly based | Online | Active | Network | Network | Yes | Good detection of well-known anomaly based attacks. | Works only for network. Misuse detection not included. Safety against internal attacks not included.
[9] | 2012 | Anomaly based | Online | Passive | Distributed | Cloud computing | No | Fast computation due to multi-threaded operations. P2P structure used to avoid single point of failure. | No prevention functionality. Works only for cloud computing.
[10] | 2011 | Anomaly based | Online | Passive | Host | Networks | No | Good detection accuracy of well-known attacks. | No prevention functionality. Works only for network. High computation cost.
[11] | 2011 | Anomaly based | Offline | Passive | VM | Cloud computing | No | User's flexibility to choose between low and high security levels to control the speed and throughput. | No prevention functionality. Works only for cloud computing. Management task increased due to monitoring of different security levels.
[12] | 2011 | Misuse based | Online | Active | Network, host | Network | Yes | Can detect many known attacks. | Detects only known attacks. Works only for IPv6 networks. Cannot detect unknown attacks.
[13] | 2010 | Misuse & anomaly based | Not known | Active | Networks, host | Networks | No | Can detect known and unknown attacks with good accuracy and efficiently. | No prevention functionality. Works only for networks and possibly hosts.
[14] | 2010 | Anomaly based | Online | Active | Network | Networks | No | Performance not evaluated. | Detects only unknown attacks. Works only for cloud computing. Safety against internal attacks not included.
[15] | 2010 | Misuse based | Online | Active | Host | Cloud computing | Yes | Can detect many known attacks. | Cannot detect unknown attacks. Works only for cloud computing. Safety against internal attacks not included.
[16] | 2010 | Misuse based | Online | Active | VM | Cloud computing | No | Secures VM from DDoS attacks. | Detects only known attacks. No prevention. Works only for cloud computing.
[17] | 2009 | Anomaly based | Offline | Passive | Networks | Networks | No | Good accuracy for detection of unknown attacks. | Slow anomaly detection. No prevention functionality. Works only for networks. Safety against internal attacks not included.
[18] | 2008 | Misuse & anomaly based | Online | Active | Networks | Networks | No | Can detect known and unknown attacks. | Slow processing for large-data anomaly detection. No prevention functionality. Works only for networks. Safety against internal attacks not included.

The following functions are incorporated as a one-box solution, which makes this work unique:

• Distributed IDPS.

• Anomaly and misuse based detections.

• Detection and prevention operations.

• Centralized and cooperative logistics.

• Customizable design for various environments.

B. Proposed Architecture

The architecture of the proposed model is shown in Figure 1. It consists of three main components, namely a hybrid Network Intrusion Detection & Prevention System (NIDPS), hybrid Host Intrusion Detection & Prevention Systems (HIDPS) and a centralized Intrusion Detection Prevention Operations Centre (IDPOC). The designs of NIDPS and HIDPS are similar except for the multi-threading functionality introduced in NIDPS to efficiently process high-throughput, high-speed network traffic. The detection engines of NIDPS and HIDPS are customized according to the specific threat domains of networks and hosts.

Fig. 1. Architecture of proposed IDPS system.

In this framework, the NIDPS is to be deployed at the perimeter network point in the DMZ, whereas HIDPSs are positioned on the critical machines/servers. Operations of NIDPS and HIDPS are supplemented by the IDPOC, which coordinates with NIDPS and HIDPS for data logging, reporting, response and updating tasks.

Each IDPS is integrated with a SNORT-based misuse detection engine and an anomaly detection engine based on classification and clustering techniques. Operations of individual IDPSs are closely monitored, organized and upgraded with the help of a supervisor unit, which also communicates with the IDPOC for overall joint operations. Before elaborating the overall functionality of each of these components, the working methodologies of the three common sub-units of an IDPS are discussed in the subsequent paragraphs.

1) Misuse Detection Engine: For misuse detection, we use the open source SNORT tool to distinguish between suspicious and normal traffic. It analyses the network traffic for patterns matching a library of known signatures called SNORT rules, which can be modified with a text editor. These rules are generalized and updated with the help of the anomaly detection classifiers and clustering algorithms so that novel attacks can be extracted. Using updated and generalized alert rules, intrusion detection becomes fast and efficient.

2) Anomaly Detection Engine: The anomaly detection model consists of two stages, training and detection. In the training phase, the normal usage model is learnt by observing normal traffic in a controlled environment. In the detection phase, the target data is compared with the learnt normal model to detect any deviations. It generates an alert if the observed events exceed the threshold.

In order to achieve accurate classification and reduce false positives, a layered scheme is developed. The architecture of the proposed integrated classifier is shown in Figure 2. In the first step, a Decision Tree algorithm is used to separate data belonging to anomalous attacks from other data. In the second layer, the still unclassified data is further analyzed for anomalies with the help of the Naïve Bayes technique. In the last step, Bayesian clustering is used to catch advanced unknown attacks.
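The layered classifier just described, as an added example that is not part of the paper: a depth-one decision tree flags the pure attack region, Gaussian Naïve Bayes picks out flows matching a known attack class, and only then is the distance to the normal cluster used to surface novel attacks that the first two layers would wave through as "normal". The flow features, the training data and the single-cluster stand-in for Bayesian clustering are constructed for this illustration.

```python
import math
from statistics import mean, pstdev

# Constructed training flows: (packets/s, mean payload bytes, fraction of SYN-only
# packets) -> label. "normal" is the learnt normal model; the other labels are the
# known attack classes that train stages 1 and 2.
TRAIN = [
    ((12, 640, 0.02), "normal"), ((18, 580, 0.03), "normal"), ((9, 710, 0.01), "normal"),
    ((15, 600, 0.02), "normal"), ((11, 660, 0.04), "normal"), ((14, 620, 0.02), "normal"),
    ((30, 300, 0.06), "normal"), ((50, 500, 0.03), "normal"), ((8, 48, 0.15), "normal"),
    ((900, 60, 0.95), "synflood"), ((1200, 58, 0.97), "synflood"), ((800, 64, 0.92), "synflood"),
    ((40, 40, 0.10), "scan"), ((35, 44, 0.12), "scan"), ((45, 38, 0.09), "scan"),
]
VAR_FLOOR = 1e-6  # keeps a constant feature from producing a zero variance


def train_stump(data):
    """Stage 1 (decision tree of depth 1): the (feature, threshold, side) whose side
    holds attack flows only and covers the most of them. Flags from a pure region
    need no further analysis."""
    best = (0, None)
    for f in range(3):
        vals = sorted({x[f] for x, _ in data})
        for lo, hi in zip(vals, vals[1:]):
            t = (lo + hi) / 2
            for above in (True, False):
                hit = [lbl for x, lbl in data if (x[f] > t) == above]
                if hit and "normal" not in hit and len(hit) > best[0]:
                    best = (len(hit), (f, t, above))
    return best[1]


def train_nb(data):
    """Stage 2: Gaussian Naive Bayes over the normal class and every known attack class."""
    model = {}
    for lbl in {l for _, l in data}:
        rows = [x for x, l in data if l == lbl]
        params = [(mean(c), max(pstdev(c) ** 2, VAR_FLOOR)) for c in zip(*rows)]
        model[lbl] = (math.log(len(rows) / len(data)), params)
    return model


def nb_posteriors(model, x):
    """Class posteriors computed in the log domain so tiny likelihoods do not underflow."""
    logp = {}
    for lbl, (log_prior, params) in model.items():
        logp[lbl] = log_prior + sum(
            -0.5 * math.log(2 * math.pi * var) - (xi - mu) ** 2 / (2 * var)
            for xi, (mu, var) in zip(x, params))
    top = max(logp.values())
    norm = sum(math.exp(v - top) for v in logp.values())
    return {lbl: math.exp(v - top) / norm for lbl, v in logp.items()}


def normal_distance(model, x):
    """Stage 3: z-score distance from the normal centroid (one Gaussian cluster
    stands in for the paper's Bayesian clustering step)."""
    _, params = model["normal"]
    return math.sqrt(sum((xi - mu) ** 2 / var for xi, (mu, var) in zip(x, params)))


STUMP, NB = train_stump(TRAIN), train_nb(TRAIN)


def classify(x, stump=STUMP, nb=NB, conf=0.99, radius=3.5):
    """Run the cascade; returns (verdict, stage that decided)."""
    f, t, above = stump
    if (x[f] > t) == above:                    # layer 1: pure attack region
        return ("known-attack", 1)
    post = nb_posteriors(nb, x)                # layer 2: known attack classes only
    lbl = max(post, key=post.get)
    if lbl != "normal" and post[lbl] >= conf:
        return (lbl, 2)
    # layer 3: NB stays confident about "normal" for flows unlike anything it saw,
    # so only the distance to the normal cluster can expose a novel attack.
    return ("unknown-attack", 3) if normal_distance(nb, x) > radius else ("normal", 3)
```

On the constructed data the stump learns "more than 425 packets/s", which catches the SYN floods; scans fall through to Naïve Bayes, and a flow with a large payload and a high SYN ratio is caught only by the third layer.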

Fig. 2. Working model for Anomaly detection engine.

3) Supervisor: Supervisors are the local controllers of each IDPS and also act as coordinators with the IDPOC for centralized reporting and updating operations. Whenever an alert is generated by any of the detection engines, it is sent to the supervisor, which reports it to the IDPOC for the requisite further response in accordance with the nature of the threat and the policy guidelines. Consequently, the rule and signature databases are also updated with the new threat patterns.

C. NIDPS Architecture

The NIDPS architecture is shown in Figure 3. It uses a multi-threading approach to overcome speed and performance bottlenecks. The network traffic is captured, parsed into multiple threads for concurrent execution and sent to the queue handler. By adopting concurrently executing threads, performance can be optimized in terms of latency and packet loss. The data packets from the queue handler are processed by the two detection engines against the available signatures and the pre-defined normal behavior rule set. Normal data packets are forwarded for further processing, and the detected alerts are sent to the supervisor unit, which prepares alert reports for subsequent forwarding to the IDPOC.

Fig. 3. Architecture of NIDPS.

D. HIDPS Architecture

The HIDPS architecture is shown in Figure 4. It has the same components as the NIDPS except for the multi-threading and queue handler components. Its detection engines consist of customized signatures and rules specific to the operating system and the most common applications of host machines. These engines are designed with a self-healing feature to constantly upgrade their knowledge database in coordination with the supervisor.

Fig. 4. Architecture of HIDPS.

E. IDPOS Model

IDPOS is a central management console used to collect alert data from the supervisors and log it. It also compiles and sends reports to the administrator and users.

IV. DEPLOYMENT SCENARIOS

Recognizing the importance of fitting the IDS to the security needs of the underlying network is the essence of information security. The efficiency of an IDS depends on how well its deployment and configuration match the needs of a particular network [9]. Accurate and proper IDS deployment ensures timely countermeasures against intrusions. Some possible deployment scenarios are discussed in the subsequent paragraphs.

A. Cloud Computing

The advantages of cloud computing make it a much sought-after facility, but due to its multi-tenant nature security has been the biggest concern. Well-known cloud computing threats include abuse and nefarious use of cloud computing services, denial of service, shared technology related issues, insecure interfaces and APIs, malicious insiders, data loss or leakage including insufficient authentication, authorization or audit controls, operational failures and data center reliability, account and service hijacking, phishing, fraud, unknown risk profile and eavesdropping. These threats can, however, be surmounted with adequate security measures.

The offered solution is depicted in Figure 5. It consists of a NIDPS installed at the perimeter to monitor, detect and alert on incoming traffic. Additionally, HIDPSs are installed on individual hosts/hypervisors to monitor the hypervisor and the traffic between the VMs on that hypervisor. In this deployment, appropriate filters are to be implemented to avoid overloading the IDSs. IDPOS processes the alerts from the NIDPS and HIDPSs and generates reports for the cloud provider and (optionally) the users. This framework is workable for the SaaS, PaaS and IaaS models of cloud computing. An additional layer of HIDPSs can be applied on individual VMs to monitor, detect and alert on their activity. The proposed architecture can be custom installed to fit public, private or internal cloud scenarios.

Fig. 5. Deployment model for cloud computing.

B. VoIP

VoIP is a heterogeneous, real-time application, which makes the detection of malicious activities challenging. Its use of multiple protocols (SIP, RTP, MGCP, etc.) for each call session and its distributed operation (servers, clients, gateways) make it different from other internet applications. VoIP specific attacks include denial of service, billing fraud, eavesdropping, session hijacking, registration hijacking, session tear-down, registration flooding, masquerading, buffer overflows and media stream-based attacks.

A customized VoIP rule engine module based on stateful, cross-protocol and VoIP specific signaling and media protocol (SIP and RTP) rules is proposed to detect the VoIP specific threats. The protocol based rules are generated from the standard specifications of SIP and RTP defined in their respective RFCs and used to derive the legitimate behavior of VoIP traffic. The normal behavior model is also trained on the session's legitimate transitions to cover the cross-protocol states as well as the interactions. Once the legitimate behavior is built and the related attribute features are identified, this rule engine not only lowers the number of false alarms but is also capable of detecting unknown attacks.
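An added example (not the paper's code) of the stateful, cross-protocol rule engine described above: SIP messages are checked against a dialog state machine simplified from RFC 3261, and RTP is accepted only on media ports that were negotiated in SDP within a dialog that has been answered, so an out-of-state BYE or media sent to a port with no live session is reported as a deviation. The message dictionaries, Call-IDs, ports and the reduced transition table are constructed for this illustration.

```python
from dataclasses import dataclass, field

# Legitimate INVITE-dialog transitions, simplified from RFC 3261: state -> {event: next}.
# Constructed for this example: responses are attributed to a dialog by its state, not by
# CSeq, and early media (183) and re-INVITE are not modelled.
TRANSITIONS = {
    "idle":       {"INVITE": "inviting"},
    "inviting":   {"1xx": "inviting", "2xx": "answered", "3xx-6xx": "idle", "CANCEL": "cancelling"},
    "cancelling": {"2xx": "answered", "3xx-6xx": "idle"},  # a 200 to the INVITE may race the CANCEL
    "answered":   {"2xx": "answered", "ACK": "confirmed"},  # the 2xx is retransmitted until ACKed
    "confirmed":  {"BYE": "terminated"},
    "terminated": {"2xx": "terminated"},                    # 200 OK to the BYE
}

def sip_event(msg):
    """Map a parsed SIP message (constructed dict) onto a transition-table event."""
    if "status" in msg:
        code = msg["status"]
        return "1xx" if code < 200 else "2xx" if code < 300 else "3xx-6xx"
    return msg["method"]

@dataclass
class VoipRuleEngine:
    dialogs: dict = field(default_factory=dict)  # Call-ID -> dialog state
    pending: dict = field(default_factory=dict)  # Call-ID -> media ports offered in SDP
    allowed: dict = field(default_factory=dict)  # media port -> Call-ID once answered

    def process(self, msg):
        """Return an alert string, or None when the message fits the legitimate model."""
        return self._rtp(msg) if msg["proto"] == "RTP" else self._sip(msg)

    def _sip(self, msg):
        cid, ev = msg["call_id"], sip_event(msg)
        state = self.dialogs.get(cid, "idle")
        nxt = TRANSITIONS[state].get(ev)
        if nxt is None:
            return f"SIP {ev} in state {state!r} for Call-ID {cid}: illegal dialog transition"
        if "sdp_port" in msg:                        # SDP offer/answer: remember, trust later
            self.pending.setdefault(cid, set()).add(msg["sdp_port"])
        if nxt in ("answered", "confirmed"):         # dialog answered: media may now flow
            for port in self.pending.pop(cid, ()):
                self.allowed[port] = cid
        if nxt in ("idle", "terminated"):            # dialog over: release its media ports
            self.allowed = {p: c for p, c in self.allowed.items() if c != cid}
            self.pending.pop(cid, None)
        self.dialogs[cid] = nxt
        return None

    def _rtp(self, pkt):
        if pkt["dst_port"] not in self.allowed:
            return f"RTP to port {pkt['dst_port']} with no answered SIP dialog: unsolicited media"
        return None

def run(trace):
    """Feed a message trace through one engine; return (index, alert) for each deviation."""
    engine = VoipRuleEngine()
    return [(i, a) for i, a in ((i, engine.process(m)) for i, m in enumerate(trace)) if a]

# Constructed trace: one legitimate call plus three deviations the engine should flag.
TRACE = [
    {"proto": "SIP", "method": "INVITE", "call_id": "c1", "sdp_port": 49170},
    {"proto": "RTP", "dst_port": 49170},                 # media before the call is answered
    {"proto": "SIP", "status": 180, "call_id": "c1"},
    {"proto": "SIP", "status": 200, "call_id": "c1", "sdp_port": 49180},
    {"proto": "RTP", "dst_port": 49180},                 # legitimate media on the answered port
    {"proto": "SIP", "method": "ACK", "call_id": "c1"},
    {"proto": "SIP", "method": "BYE", "call_id": "c2"},  # BYE for a dialog that never existed
    {"proto": "SIP", "method": "BYE", "call_id": "c1"},
    {"proto": "SIP", "status": 200, "call_id": "c1"},
    {"proto": "RTP", "dst_port": 49180},                 # media after the session was torn down
]
```

`run(TRACE)` reports deviations at trace positions 1, 6 and 9 and accepts the rest of the call; the "unknown attack" capability the text claims comes from the same mechanism, since any message outside the learnt transition model is flagged without a matching signature.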

Our proposed architecture is shown in Figures 6 and 7 respectively for two typical VoIP configurations. The NIDPSs are to be installed at intermediate nodes like servers, proxies or gateways, and HIDPSs at the vital clients (optional, depending on the vulnerability of the client). The captured VoIP traffic is processed in the VoIP rule engine. The detection engine compares it with the legitimate behavior and looks for deviations. It generates and sends alerts to IDPOS for further analysis and countermeasures when intrusive activities are found. With the multi-threading feature of the IDS, multiple calls can be monitored simultaneously with minimal processing delay to avoid the inherent issues of jitter and latency.

Fig. 6. Deployment model for Voice over IP.

C. Organizational/Ordinary Networks

IDS deployment in organizational networks is challenging not only due to the versatility of attacks and the number of endpoint machines but also the diverse locations of these endpoints, as well as the high throughput and multi-role nature of such networks. Organizations must deal with the issue of setting up the IDS to capture relevant data only and to block or ignore the intrusions [17]. The most common network related attacks include social engineering attacks, network sniffing, packet spoofing, session hijacking, cyber-threats and bullying, automated probes and scans, distributed denial of service attacks, industrial espionage, executable code attacks, DNS attacks, stealth scanning, remote access attacks, email spam, trojan distribution, worms and botnet command and control attacks.

One possible deployment scenario for a typical organizational network is shown in Figure 8. An organization with geographically diverse locations and multiple departments might need to deploy a NIDS at each distinct location. An additional layer of HIDS might be added at sensitive points. Alerts from all the deployed systems are centrally administered by IDPOS.

Fig. 8. Deployment model for organizational networks.

V. CONCLUSION

Intrusion detection systems form a necessary layer of a defense-in-depth strategy and play a critical role in a comprehensive information protection program [9] [15]. In this paper, we proposed an integrated and hybrid IDPS solution comprising NIDPS and HIDPS, each with misuse and anomaly detection engines based on Snort, Bayesian classifier, Decision tree and Naïve Bayes techniques. The system is designed to detect known and unknown attacks in cloud, VoIP and standard networks as well as Next Generation Networks (NGN), with customized databases for each scenario.

REFERENCES

[1] A. Patcha, J. Park, “An overview of anomaly detection techniques: existing solutions and latest technological trends,” Int. J. Computer Networks, vol. 12, no. 51, pp. 348-357, 2007.

[2] R. Goel, A. Sardana, R. C. Joshi, “Parallel misuse and anomaly detection model,” Int. J. Network Security, vol. 14, no. 4, pp. 211-222, July 2012.

[3] C. Modi, D. Patel, B. Borisaniya, H. Patel, A. Patel and M. Rajarajan, “A survey of intrusion detection techniques in cloud,” Int. J. Network and Comp. Apps., 2012, pp. 42-57.

[4] Y. K. Penya, P.G. Bringas, “Integrating Network misuse and anomaly prevention,” 6th IEEE Int. Conf. Ind. Informatics South Korea, 2008, pp. 586-591.

[5] Xuedou Yu, “A new model of intelligent hybrid network intrusion detection system,” Int. Conf. Bioinformatics and Biomedical Tech. China, 2010, pp. 386-389.

[6] N.M. Chirag, R.P. Dhiren, A. Patel, R. Muttukrishnan, “Bayesian classifier and Snort based Network Intrusion Detection system in cloud computing,” Third Int. Conf. Computing, Communication and Networking Tech., 2012, pp. 1-7.

[7] H. Om, A. Kundu, “A hybrid system for reducing the false alarm rate of anomaly intrusion detection system,” 1st Int. Conf. Advances in Info. Tech., 2012, pp. 131-136.

[8] N. Wattanapongsakorn, S. Srakaew, E. Wonghirunsombat, C. Sribavonmongkol, T. Junhom, P. Jongsubsook, C. Charnsripinyo, “A Practical Network-based Intrusion Detection and Prevention System,” 11th Int. Conf. Trust, Security and Privacy in Computing and Comm., 2012, pp. 209-214.

[9] H.A. Kholidy, F. Baiardi, “CIDS: A Framework for Intrusion Detection in Cloud Systems,” Int. J. Cloud Computing Services and Architecture, vol. 2, no. 6, 2012, pp. 379-385.

[10] E.W.T. Ferreira, G.A. Carrijo, R. de Oliveira, N.V. de Souza, “Intrusion Detection System with wavelet and neural artificial network approach for network computers,” IEEE Latin America Transactions, 2011, vol. 9 , No. 5, pp. 832-837.

[11] Jun-Ho Lee, Min-Woo Park, Jung-Ho Eom, Tai-Myoung Chung, “Multi-level Intrusion Detection System and log management in Cloud Computing,” 13th Int. Conf. on Advanced Communication Technology, 2011, pp. 552-555.

[12] Ke Yun, Zhu Jian Mei, “Research of Hybrid Intrusion Detection and Prevention System for IPv6 Network,” Int. Conf. on Digital Object Identifier, 2011, pp. 1-3.

[13] D. Zhao, Q. Xu, Z. Feng, “Research and Design for Intrusion Detection System with Hybrid Detector and Apriori Algorithm,” 2nd Int. Conf. on e-Business and Information System Security, 2010, pp. 1-4.

[14] C. Mazzariello, R. Bifulco, R. Canonico, “Integrating a network IDS into an open source cloud computing,” Sixth Int. Conf. Information Assurance and Security (IAS), 2010, pp. 265-270.

[15] A. Bakshi, B. Yogesh, “Securing cloud from DDOS attacks using intrusion detection system in virtual machine,” Second Int. Conf. Comm. software and networks, 2010, pp. 260-264.

[16] H. Lu, J. Xu, “Three-level Hybrid Intrusion detection system,” Int. Conf. Info. Engg. Comp. Science, 2009, pp. 1-4.

[17] Y. K. Penya, P. G. Bringas, “Integrating Network misuse and anomaly prevention,” Sixth Int. Conf. Industrial Informatics, 2008, pp. 586-591.
