Designing Network Intrusion and Detection System using Signature-Based Method for Protecting OpenStack Private Cloud

Transcription

1 Designing Network Intrusion and Detection System using Signature-Based Method for Protecting OpenStack Private Cloud Berkah I. Santoso, M. Rien S. I, Irwan P. Hotel, Yogyakarta Monday, August 1st, 2016 Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

2 Table of Contents 1 Introduction 2 Literature Review Cloud Computing OpenStack 3 Research Method Performance Evaluation Scenarios Evaluation 4 Results and Discussion Performance Evaluation for NIDS Functionality Evaluation for NIDS computing resource Evaluation for NIDS Accuracy 5 Conclusion 6 References Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

3 Abstract Abstract Cloud computing has become a preferred solution for start-up businesses and corporations. Unfortunately, cloud computing user usually does not pay attention to security aspect of cloud services. Cloud computing security is a mandatory requirement that must be fulfilled by the cloud provider. One of the solution for improving the security aspect of cloud computing services is using Network-based Intrusion Detection System (NIDS). In this research, the authors designed, implemented and evaluated the performance of configured NIDS. The authors also perform analysis of the result and performance evaluation of NIDS on OpenStack private cloud. The aim of this research is to evaluate the NIDS performance and its accuracy in classifying attacks. The results reveal that the model is functioning securely and accurately. The real-time alert of NIDS is able to detect the classified attacks through network successfully. Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

4 Introduction Introduction Cloud computing technology is driving a fundamental change in todays computing industry. The technology enables IT managers to treat infrastructure as a common substrate, on which they can provide services to users faster in a much more flexible and cost-effective way - without having to re-design or add the underlying infrastructure. The advantages of cloud computing are: 1) Customized services capacity based on user requirement and needs; 2) Save IT infrastructure investment according to the user budget; 3) Help the IT department transformation that focus on innovation versus maintenance and implementation; 4) Ease the related parties in accessing IT services [1]. Cloud provider can offer private cloud services for corporate and individual user through open source software platform such as Eucalyptus, OpenNebula and OpenStack [2]. Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

5 Introduction When the cloud services are connected to the internet, its providers are vulnerable to some potential security risks such as Denial of Service (DoS) attack, traffic flooding, etc. Cloud provider could not rely on firewall and antivirus for mitigating those security attacks. Instead, they could deploy a network-based intrusion detection system (NIDS) on their cloud infrastructure for such purpose. In this paper, we discuss the design, implementation and evaluation of NIDS on private cloud and its characteristics. We also present a case study of private cloud infrastructure deployment using OpenStack which could be monitored using signature-based NIDS. This paper is organized as follows. In Section 3, we discuss the fundamental theory for our research. This is then followed by Section 4 on the design, implementation, and evaluation method for the proposed NIDS-monitored private cloud infrastructure. The results of our experiment and its analysis is given in Section 5, leading to a conclusion presented in Section 6. Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

6 Literature Review Literature Review I According to National Institute of Standards and Technology (NIST), cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction [3]. The private cloud deployment model is dedicated especially for specific user who accessed and managed their cloud infrastructure. They usually require the controlled-private cloud infrastructure for running their business applications [4]. OpenStack is an open source software platform that can be used to provide cloud infrastructure services. Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

7 Literature Review Literature Review II This open source software is under Apache 2.0 license for personal and corporate usage. The private cloud administrator can manage his/her cloud computing resources through a web-based Graphical User Interface [5]. The OpenStack software consists of 3 (three) main components: Compute (Nova), Network (Neutron) and Storage (Swift). Nova manages various processes and Central Processing Unit (CPU) allocation. Neutron manages IP address allocation, traffic controller and devices interconnection. Last but not least, Swift manages the storage capacity [6]. These OpenStack components can be summarized in Figure 1. Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

8 Literature Review Literature Review III Figure: The OpenStack main components [6] Intrusion Detection System (IDS) monitors network or systems for malicious activities, signs of anomalies or policy violations. The IDS also analyzes security incident symptoms for infrastructure threat and security policy violation [7, 8]. Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

9 Literature Review Literature Review IV NIDS refer to security mechanisms which is placed in strategic point across network for monitoring purposes. An example of NIDS placement on the network is shown in Figure 2. Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

10 Literature Review Literature Review V Figure: The NIDS placement across network [9] Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

11 Literature Review Literature Review VI Signature-based IDS recognizes intrusion by using pattern-matching mechanism for classified attack to the IDS database. If a packet contains some patterns that match one or several attack pattern registered in IDS database, the IDS would identify the packet as an attack. The signature-based mechanism is effective in detecting attack without causing fake alert [9]. Denial of Service (DoS) is an attack to the computer system and computer network which diminish and limit legitimate access to computer resources by users. Cloud computing infrastructure may potentially be disrupted by DoS attack because of their internet shared resources [10, 11]. Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

12 Literature Review Literature Review VII Closer to this work are [8, 12, 9]. While [8] showed the application of a conceptual clustering technique for filtering alerts generated in a real large scale SaaS cloud system: authors performed analysis of result and performance evaluation of NIDS on OpenStack private cloud. The authors [12] proposed an artificial neural network-based intrusion detection system and [9] evaluated a robust intrusion detection scheme with the goal of developing stand-alone device that can be deployed in a plug-and-play manner to existing systems. Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

13 Research Method Research Method I In the research, the Dev Stack community version for Open Stack private cloud is installed in Computer Network Laboratory: Intel R -based servers, the Cisco R Catalyst TM 2960 access switch, and one desktop PC for accessing the web-based GUI. There are three components which constructs the private cloud infrastructure using Open Stack. The components consist of : 1) The server for constructing the private cloud. We are using the Intel R i5 TM CPU GHz-based processor, 8 GB RAM, 1 TB RAID 10 local disk, single 1 Gbps Network Interface Card. 2) The Cisco R Catalyst TM Gbps 24 port, Layer 2 (L2) switch. 3) The client PC (HP R Compaq TM 5700) for accessing the web-based control manager. Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

14 Research Method Research Method II The Dev Stack community version of Open Stack is included in the Ubuntu LTS kernel generic stable, which allow for implementation of a private cloud infrastructure. We added the signature-based NIDS Snort version for monitoring the communications. The logical design of OpenStack private cloud and signature-based NIDS can be summarized in Figure 3. Figure: The logical design of Open Stack private cloud and signature-based NIDS Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

15 Research Method Research Method III We needed the port mirroring mechanism in access switch for monitoring the traffic by NIDS. The access switch use Switched Port Analyzer (SPAN) for port mirroring configuration. We selected the switch source port for the server and switch destination port for the signature-based NIDS, so that the source port network traffic would be mirrored to destination port. SPAN configuration can be seen in Figure 4. Figure: The Port mirroring configuration Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

16 Research Method Research Method IV For our research purpose, we configured the NIDS modules in several different modes: sniffer mode, logger mode, and NIDS mode. The NIDS modules consist of the following supporting tools: 1 Snort Engine the module analyzes network traffic and examine incoming packet for Snort rules pattern matching; 2 Snort Rule the module consists of rules set which were predefined to detect the attack; We set the DoS rules for detecting the possible attacks such as UDP echo+chargen bomb attack, UDP Bay/Nortel Nautica Marlin attack, etc; 3 Pulledpork the module updates the Snort rules when latest attack is detected; 4 Alert or Unified Log the module logged the incoming attack in a log file; Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

17 Research Method Research Method V 5 Barnyard2 the module analyzes Snort binary log file and makes the database record; and 6 Snorby the module interprets the result of Snort log to web-based interface. The NIDS modules mechanism is summarized in Figure 5. Figure: The NIDS modules mechanism Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

18 Research Method Research Method VI The performance of OpenStack private cloud and the signature-based NIDS is expressed in terms of the following: Functionality. CPU usage. Memory usage. The performance is observed under three different settings: normal, NIDS-attached, and under attack. The functionality scenario is used to examine detection rate of NIDS whether the basic Unified Datagram Protocol (UDP) flooding in DoS attack host objects performed. Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

19 Research Method Research Method VII The CPU usage scenario is used to examine changes of signature-based NIDS CPU usage before and during the attacks. Similary, we would also examine the changes in memory usage by NIDS. We used the GNU top and iptraf application tools for measuring the CPU and memory usage as well as network traffic in every condition. The evaluation of the installed NIDS was conducted to examine its accuracy. We used the confusion matrix [12] to examine the accuracy of signature-based NIDS performance in detecting any possible attacks. The confusion matrix is shown in Table 1. Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

20 Research Method Research Method VIII Table: Confusion Matrix Prediction Attack Normal Attack TP FN Normal FP TN There are 4 (four) categories in classified detection: True Positive (TP): the detected package by NIDS. False Positive (FP): the iptraf package which detected by NIDS. True Negative (TN): the detected package by iptraf application tools. False Negative (FN): the detected package by iptraf application tools and they bypassed by NIDS. We used the following parameters to evaluate NIDS performance: Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

21 Research Method Research Method IX 1 Classification Rate (CR) the ratio of classified real event which consist of intrusion and normal traffic compared to total event: CR = TP + TN TP + TN + FP + FN (1) 2 Detection Rate (DR) the ratio of accurate detection compared to total event: TP DR = (2) TP + FN 3 False Positive Rate (FPR) the ratio of detected normal event compared to total event: FPR = FP FP + TN (3) Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

22 Research Method Research Method X 4 Precision Rate (PR) the ratio of true positive intrusion detected compared to total event: PR = TP TP + FP (4) Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

23 Results and Discussion Results and Discussion I The performance of signature-based NIDS was analysed with respect to functionality and computing resources usage (CPU and memory), as outlined by the scenario given in Sec. 1. We also investigated the accuracy of this signature-based NIDS by means of the parameters given in Sec. 2. The signature-based Snort NIDS testing in a private cloud environment involved three different scenarios: 1) normal condition, 2) condition with NIDS attached, and 3) under attack situation with NIDS implemented. In each scenario, we observed the network traffic, CPU usage and memory usage for OpenStack host, FedoraCore Linux based Virtual Machine (VM), and Ubuntu Linux based VM. Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

24 Results and Discussion Results and Discussion II The attack was based on basic UDP flooding, and we took a minute-by-minute observation on NIDS functionality during one hour of simulation. The time range would represent sufficient evaluation for this research purpose and we evaluated the scenarios for 4 days. The memory and CPU usage were examined by GNU top application tool. The network traffic which consists of internet protocol (IP), transport control protocol (TCP), unified datagram protocol (UDP) and internet control message protocol (ICMP) were examined by iptraf application tool. We have the signature-based NIDS alert based on the above scenarios, which represent the classified DoS attack detection. We may conclude that there were DoS attack using the UDP flood by the intruder ( ip address). Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

25 Results and Discussion Results and Discussion III The NIDS alert records were saved using Barnyard2 database and the log files were located in /var/log/snort directory. The summary of alert records were then interpreted by Snorby via a web-based interface. The information related to Snorby web-based interface is shown in Figure 6. Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

26 Results and Discussion Results and Discussion IV Figure: The Snorby web-based interface Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

27 Results and Discussion Results and Discussion V The observation on UDP traffic in our experiments on each of the OpenStack host, Fedora VM and Ubuntu VM are summarised in Figure 7 9. As expected, the UDP traffic was increased significantly when they were all under attack (Exp. 3 in these figures). The difference of the number packets between this particular scenario with the other two scenarios (Exp. 1 and Exp. 2) is inevitable from our observation. It is also worth noting that both Ubuntu and Fedora VMs were down not long after the attack started. Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

28 Results and Discussion Results and Discussion VI Figure: OpenStack host UDP-flooded attack Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

29 Results and Discussion Results and Discussion VII Figure: Ubuntu VM UDP-flooded attack Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

30 Results and Discussion Results and Discussion VIII Figure: Fedora VM UDP-flooded attack Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

31 Results and Discussion Results and Discussion IX The UDP flooding attack simulation did not influence the computing resource such as CPU and memory because the classified UDP flooding attack were bandwidth depletion DoS. The bandwidth depletion DoS flooded the network using unwanted traffic [13]. NIDS average CPU usage is given in Figure 10. We observed that there were a slight increase in average CPU usage (from 0.93% to 2.55% ) following the UDP flooding attack. Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

32 Results and Discussion Results and Discussion X Figure: The average of NIDS CPU usage in percentage A similar pattern is also shown by NIDS average memory usage in Figure 11 which shows that there were a slight increase in average memory usage (from 50% to 51%) following the attack. Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

33 Results and Discussion Results and Discussion XI Figure: The average of NIDS memory usage in percentage The results of NIDS classification to the UDP flooding attack and its accuracy were summarised in Table 2 and Table 3, respectively. Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

34 Results and Discussion Results and Discussion XII These tables show that NIDS has managed to detect the incoming packet as an intrusion. However, the NIDS also exhibit some false intrusions because it falsely recognised some applications on OpenStack host and both VMs as intrusions. Hence the false positive rate on each of the OpenStack host and both VMs. Table: The amount of packet for classified DoS attack Evaluation TP TN FP FN OpenStack host VM Ubuntu, 5 threads VM Fedora, 1 thread Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

35 Results and Discussion Results and Discussion XIII Table: NIDS accuracy Evaluation CR DR FPR PR OpenStack host 99.6 % 100 % 0.07 % 99.9 % VM Ubuntu, 5 threads 88.3 % 100 % 23.3 % 81.1 % VM Fedora, 1 thread 94.4 % 100 % 10.9 % 90 % Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

36 Conclusion Conclusion I In this present study, the signature-based NIDS deployment for OpenStack private cloud was implemented to detect the basic DoS attack. The main goal is to effectively monitor the possible-classified attack on private cloud computing resource. The real-time alert of signature-based NIDS is useful for the private cloud administrator to become aware of any possible classified attacks. The UDP flooding attack did not give significant impact on CPU and memory usage for all the OpenStack host and both VMs. The same kind of attack, however, gave significant impact for the network traffic, resulting in a communication failure between the host and VMs with legitimate clients. Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

37 Conclusion Conclusion II Future work could include developing and enhancing features of intrusion prevention for private cloud infrastructure, especially for other security approach and high availability aspects that are suitable for predefined environment. Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

38 References References I A. Gajbhiye and K. M. P. Srivastva, Cloud computing: Need, enabling technology, architecture, advantages and challenges, in Proceedings of the 5th International Conference - Confluence The Next Generation Information Technology Summit (Confluence). Amity School of Engineering & Technology, Amity University, India, 2014, pp A. Pillai and L. Swasthimathi, A study on open source cloud computing platforms, EXCEL International Journal of Multidisciplinary Management Studies, vol. 2, no. 7, pp , P. Mell and T. Grance, The national institute of standards and technology (NIST) definition of cloud computing, NIST, NIST Recommendation, [Online]. Available: nistpubs/legacy/sp/nistspecialpublication pdf Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

39 References References II S. Singh and T. Jangwal, Cost breakdown of public cloud computing and private cloud computing and security issues, International Journal of Computer Science & Information Technology (IJCSIT), vol. 4, no. 2, pp , A. Sehgal, Introduction to OpenStack - running a cloud computing infrastructure with OpenStack, in Proceedings of the 6th International Conference on Autonomous Infrastructure, Management & Security. University of Luxembourg, 2012, pp OpenStack, About OpenStack, accessed Dec 15th, [Online]. Available: Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

40 References References III K. Scarfone and P. Mell, Guide to intrusion detection and prevention systems (IDPS), NIST, NIST Recommendation, [Online]. Available: S. S. A. Paudice and D. Cotroneo, An experiment with conceptual clustering for the analysis of security alerts, in Proceedings of the 14th IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW). Federico II University of Naples, Italy, 2014, pp W. E. B. J. Sun-il Kim, N. Nwanze and P. Field, On network intrusion detection for deployment in the wild, in Proceedings of the IEEE Network Operations and Management Symposium (NOMS). Maui, Hawaii, USA, 2012, pp Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

41 References References IV P. T Gunasekhar, K.Thirupathi Rao and P. Lakshmi, A survey on denial of service attacks, International Journal of Computer Science & Information Technologies (IJCSIT), vol. 5, no. 2, pp , R. Vanathi and S. Gunasekaran, Comparison of network intrusion detection systems in cloud computing environment, in Proceedings of the International Conference on Computer Communication & Informatics (ICCCI). Coimbatore Institute of Engineering & Technology, Coimbatore, India, 2012, pp S. Kumar and A. Yadav, Increasing performance of intrusion detection system using neural network, in Proceedings of the IEEE International Conference on Advanced Communication Control and Computing Technologies (ICACCCT). Syed Amal Engineering College, India, May 2014, pp Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

42 References References V S. M. Specht and R. B. Lee, Distributed denial of service: Taxonomies of attacks, tools, and countermeasures, in Proceedings of the 17th International Conference on Parallel & Distributed Computing Systems. Princeton University, 2004, pp Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43

43 References Thank You Berkah I. Santoso, M. Rien S. I, Irwan P. Gunawan InAES 2016 Presentation Monday, August 1st, / 43