Elsevier

Computers & Security

Volume 85, August 2019, Pages 402-422

Designing an efficient security framework for detecting intrusions in virtual network of cloud computing

https://doi.org/10.1016/j.cose.2019.05.016

Abstract

Cloud computing has grown to support various IT capabilities such as IoT, mobile computing, smart IT, etc. However, due to the dynamic and distributed nature of the cloud and the vulnerabilities in current implementations of virtualization, several security threats and attacks have been reported. To address these issues, traditional security solutions such as firewalls and intrusion detection/prevention systems need to be extended so that they can cope with high-speed network traffic and dynamic network configuration in the cloud. In addition, identifying feasible network traffic features is a major challenge for accurate detection of attacks. In this paper, we propose a hypervisor level distributed network security (HLDNS) framework which is deployed on each processing server of the cloud. At each server, it monitors the network traffic of the underlying virtual machines (VMs) to/from the virtual network, internal network and external network for intrusion detection. We have extended a binary bat algorithm (BBA) with two new fitness functions for deriving feasible features from cloud network traffic. The derived features are applied to a Random Forest classifier to detect intrusions in cloud network traffic and generate intrusion alerts. The intrusion alerts from different servers are correlated to identify distributed attacks and to generate new attack signatures. For the performance and feasibility analysis, the proposed security framework is tested on the cloud network testbed at NIT Goa and on the recent UNSW-NB15 and CICIDS-2017 intrusion datasets. We have performed a comparative analysis of the proposed security framework in terms of fulfilling the cloud network security needs.

Introduction

Cloud computing has grown to support various IT applications such as IoT, mobile computing, smart IT, etc. Network virtualization is a key enabler of this growing technology: it allows multiple independent virtual networks to run over shared infrastructure. As shown in Fig. 1, the cloud has mainly three different networks: the virtual network, the internal network and the external network. The virtual network allows communication among VMs on the same physical server. Through the internal network, different cloud components such as management systems, storage systems, network servers, etc., communicate with each other. The external network is the primary interface between the front end (cloud user) and the back end (cloud service provider). Together, these networks enable the provisioning of cloud services to users. However, the vulnerabilities in existing network technologies and the distributed and dynamic nature of the cloud pose various security concerns. For instance, sharing the network infrastructure increases the exposure of DNS servers and of the DHCP, IP and ARP protocols. In addition, the virtual network has many vulnerabilities such as vSwitch software bugs, poor network isolation between VMs, open ports, insecure network channels, and poor design and bugs in network protocols (Chowdhury and Boutaba, 2009). Successful exploitation of such vulnerabilities leads to many attacks, such as Denial of Service (DoS), port scanning, sniffing, spoofing and network probing.

In the literature (Modi, Patel, Borisaniya, Patel, Rajarajan, 2013a; Modi, Patel, Borisaniya, Patel, Patel, Rajarajan, 2013b; Subashini, Kavitha, 2011), various security issues at different layers of cloud computing have been investigated, and it is recommended to extend or re-examine traditional security solutions for securing cloud computing. Recently, many network attacks such as IP spoofing, ransomware, cryptomining, data breaches and DoS/DDoS attacks have targeted private as well as public cloud services. The Microsoft Security Intelligence Report states that the number of account sign-ins attempted from malicious IP addresses increased by 44% from the first quarter of 2016 to the first quarter of 2017. Cloud services such as Microsoft Azure are frequently targeted to compromise VMs and other services; over two-thirds of the attacks on Azure services in the first quarter of 2017 were performed from China. In May 2017, the WannaCry ransomware attack, among the worst to date, was launched against the National Health Service (NHS) in the UK. It infected over 0.3 million computer systems at the NHS within just four days by scanning the connected LANs and WANs. Skybox Security states that poor configuration is a key source of security risk in cloud networks. In February 2018, Tesla's Amazon Web Services (AWS) cloud environment was maliciously accessed via a vulnerable Kubernetes console and used for cryptomining. In addition, many cyber threats are evolving, and cloud servers are a major target. In May 2017, a data breach at OneLogin affected 1.4 billion records on cloud servers. In July 2017, the Equifax credit reporting agency in the U.S. detected and blocked suspicious network activity associated with a consumer web portal; the security vulnerability CVE-2017-5638 in Apache Struts had been exploited to perform this malicious activity, and over 145.5 million accounts were hacked.

Recently, many DoS/DDoS attacks have been reported. In January 2016, the BBC experienced the biggest DDoS attack up to that time, which took the BBC's global website down. In February 2018, the code-hosting site GitHub was hit with the largest DDoS attack recorded so far. In general, public cloud services are prime targets for DDoS attacks, and the magnitude of such attacks has grown with time and technology: over the last decade, peak DDoS attack rates have risen from 70 Gbps to 1.35 Tbps.

One traditional solution to the above security problems is to deploy a firewall in the virtual network. However, a firewall works at the network boundary and thus cannot detect insider attacks (Modi et al., 2013b). Although a network intrusion detection system (NIDS), as another solution, works well in traditional networks, its deployment in the cloud is a major challenge (Modi and Acha, 2017). If a NIDS is deployed on each VM, it can detect intrusions for that VM only, so multiple NIDS instances are required; however, managing multiple NIDSs is a complex process. A NIDS on each physical server can inspect the network traffic of all of its VMs through the vSwitch, but it must have fast detection capability to handle the high traffic volume. A NIDS on the physical switch can inspect the traffic destined for all physical servers, but VM-to-VM traffic cannot be monitored there, so insider attacks cannot be detected. In addition, a single NIDS may fail to detect coordinated or distributed attacks because of the distributed and shared nature of the cloud. Hence, a NIDS should be deployed on each physical server, and the alerts from each server should be correlated with reduced computational and communication overhead.

To address the above problems, we propose a hypervisor level distributed network security (HLDNS) framework which is deployed on each physical server of the cloud. It monitors the VM-related traffic to and from the virtual network, internal network and external network. For intrusion detection, it incorporates feasible feature selection and a machine learning technique. Since network features play a major role in accurate detection of intrusions, we have extended the bio-inspired binary bat algorithm (BBA) (Mirjalili et al., 2014) with two new fitness functions for deriving feasible features from cloud network traffic. A fitness function can be the accuracy of a classifier, or a correlation technique that derives the relationship between a feature and the class label. We consider both the accuracy and the feature-class relationship individually, through the Feature Similarity-based Fitness Function (FSFF) and the Classifier Accuracy-based Fitness Function (CAFF) respectively, to derive the optimal features. The results of FSFF and CAFF are combined to obtain the final set of features. The features derived from cloud network traffic are applied to a Random Forest (Breiman, 2001) classifier for detecting intrusions and generating alerts. For the performance evaluation and feasibility analysis, the proposed HLDNS framework is tested on the cloud testbed at NIT Goa by performing different network attacks, and on the recent UNSW-NB15 (Moustafa and Slay, 2015) and CICIDS-2017 (Sharafaldin et al., 2018) intrusion datasets. The performance results are compared with existing research works, and the fulfillment of the network security requirements of the cloud is validated.
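As an added example (not the authors' code, and not their exact fitness definitions), the sketch below runs a binary bat search once with a correlation-based FSFF and once with a classifier-accuracy CAFF over a constructed six-feature flow table, then unions the two subsets. The fitness forms, the tau and penalty constants, the nearest-centroid classifier standing in for Random Forest, and the union step are all assumptions.

```python
import math, random
# Constructed toy flow table (not the paper's data): features 0 and 1 carry the label signal (1 = attack), 2..5 are noise.
def make_data(n=200, seed=1):
    rng = random.Random(seed)
    labels = [i % 2 for i in range(n)]
    rows = [[rng.gauss(5 * y, 1), rng.gauss(3 * y, 1)] + [rng.gauss(0, 1) for _ in range(4)] for y in labels]
    return rows, labels

def pearson(xs, ys):
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((a - mx) * (b - my) for a, b in zip(xs, ys))
    sx, sy = math.sqrt(sum((a - mx) ** 2 for a in xs)), math.sqrt(sum((b - my) ** 2 for b in ys))
    return cov / (sx * sy) if sx and sy else 0.0

def fsff(mask, rows, labels, tau=0.3):
    """FSFF, assumed form: each selected feature contributes |corr(feature, label)| - tau (empty subset scores 0)."""
    return sum(abs(pearson([r[j] for r in rows], labels)) - tau for j, b in enumerate(mask) if b)

def caff(mask, rows, labels, penalty=0.03):
    """CAFF, assumed form: holdout accuracy of a nearest-centroid classifier minus a per-feature cost."""
    sel = [j for j, b in enumerate(mask) if b]
    h = len(rows) // 2  # first half fits the centroids, second half is the holdout
    cent = {c: [sum(r[j] for r, y in zip(rows[:h], labels[:h]) if y == c) / labels[:h].count(c) for j in sel] for c in (0, 1)}
    pred = [min((0, 1), key=lambda c: sum((r[j] - cent[c][k]) ** 2 for k, j in enumerate(sel))) for r in rows[h:]]
    return sum(p == y for p, y in zip(pred, labels[h:])) / (len(rows) - h) - penalty * len(sel)

def bba(fitness, n_feat, n_bats=15, iters=40, seed=7):
    """Binary bat algorithm (Mirjalili et al., 2014) with a V-shaped transfer function; maximises fitness."""
    rng = random.Random(seed)
    pos = [[rng.random() < 0.5 for _ in range(n_feat)] for _ in range(n_bats)]
    vel, loud, pulse = [[0.0] * n_feat for _ in range(n_bats)], [1.0] * n_bats, [0.5] * n_bats
    best = max(pos, key=fitness); best_fit = fitness(best)
    for t in range(1, iters + 1):
        for i in range(n_bats):
            freq, new = rng.random(), list(pos[i])          # frequency drawn in [0, 1]
            for j in range(n_feat):
                vel[i][j] += (pos[i][j] - best[j]) * freq   # pull toward the best bat
                if rng.random() < abs(2 / math.pi * math.atan(math.pi / 2 * vel[i][j])):
                    new[j] = not new[j]                      # V-shaped transfer: flip the bit
            if rng.random() > pulse[i]:                      # local search: perturb the best bat
                new = [b if rng.random() < 0.9 else not b for b in best]
            f = fitness(new)
            if f > fitness(pos[i]) and rng.random() < loud[i]:  # accept; quieten and raise pulse rate
                pos[i], loud[i], pulse[i] = new, 0.9 * loud[i], 0.5 * (1 - math.exp(-0.9 * t))
            if f > best_fit: best, best_fit = new, f
    return best

def select_features(rows, labels):
    m1, m2 = (bba(lambda m: fn(m, rows, labels), len(rows[0])) for fn in (fsff, caff))
    return sorted(j for j in range(len(m1)) if m1[j] or m2[j])  # union of the two subsets (assumed)
```

On the constructed table the union keeps exactly the two informative features; the per-feature costs are what stop either fitness from dragging noise columns into the subset.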

The rest of the paper is organized as follows: Section 2 investigates the existing approaches to cloud network security. A detailed discussion of the proposed security framework is given in Section 3. Section 4 presents the performance evaluation and feasibility analysis of the proposed security framework, and Section 5 concludes our research work, with references at the end.


Existing approaches to intrusion detection in cloud

An intrusion is any malicious activity that attempts to affect the confidentiality, integrity or availability of computing resources and services. An intrusion detection system (IDS) monitors network traffic or system activities to detect such malicious activity (Rowland, 2002). A NIDS in the cloud monitors the network traffic to detect any malicious activity affecting the security of cloud resources (Vieira et al., 2010). There have been several works to date on detecting the network

Objective

The objective is to design an efficient security framework that can detect network intrusions in the cloud while fulfilling the network security needs, such as handling high network traffic, analyzing VM-specific traffic, and minimizing communication and computation overhead, with high accuracy and low false alerts. In addition, it should scale automatically with the dynamically changing set of VMs without human intervention. The objective of the proposed security framework can be

Experimental results and analysis

For the performance validation and feasibility analysis, we have tested the proposed HLDNS framework on the cloud testbed at NIT Goa as well as on recent intrusion datasets.

Conclusions and future work

Network security is a major concern for the wide adoption of cloud computing. Several network vulnerabilities pose different security risks. We have designed an efficient security framework that monitors VM network traffic. It uses both signature-based and anomaly detection techniques and is thus capable of detecting known as well as unknown attacks. In addition, signature-based detection is applied prior to anomaly detection, which helps in reducing overall computation

Declaration of competing interest

This is to state that all authors have participated in the conception and design, analysis of the experimental results and interpretation, drafting the manuscript and revising it critically as per the reviewers' comments, and approval of the final version for possible publication in the journal Computers & Security, Elsevier. This manuscript has not been submitted to, nor is it under review at, another journal or other publishing venue.

The authors have no affiliation with any organization with a

Acknowledgment

This work is a part of the project titled "Designing out-of-VM Monitoring based Virtual Machine Introspection Framework for Securing Virtual Environment of Cloud Computing" [ECR/2017/001221], with research funding support from the Science and Engineering Research Board (SERB), Department of Science and Technology, Government of India.

Mr. Rajendra Patil has been a full-time research scholar in the Department of Computer Science and Engineering at National Institute of Technology Goa since 2015. He received a B.E. degree in computer science and engineering from Shivaji University, Maharashtra, India, in 2008 and an M.Tech. degree in computer science and engineering from National Institute of Technology Surathkal, India, in 2014. His research interests include cloud computing, virtualization security and network security. He has made significant contributions in the field of cloud computing security.

References

  • S.M.H. Bamakan et al., Ramp loss k-support vector classification-regression; a robust and sparse multi-class approach to the intrusion detection problem, Knowl Based Syst (2017)
  • P. Barham et al., Xen and the art of virtualization, Proceedings of the 19th ACM Symposium on Operating Systems Principles (2003)
  • L. Breiman, Random forests, Machine Learning (2001)
  • L. Breiman et al., Classification and regression trees (1984)
  • B. Chakraborty et al., A new penalty-based wrapper fitness function for feature subset selection with evolutionary algorithms, J Inf Telecommun (2018)
  • N.M.K. Chowdhury et al., Network virtualization: state of the art and research challenges, IEEE Commun Mag (2009)
  • P. Dahiya et al., A comparative evolution of unsupervised techniques for effective network intrusion detection in Hadoop, Proceedings of the Second International Conference on Advances in Computing and Data Sciences (2018)
  • A.-C. Enache et al., Intelligent feature selection method rooted in binary bat algorithm for intrusion detection, Proceedings of the IEEE Tenth Jubilee International Symposium on Applied Computational Intelligence and Informatics (SACI) (2015)
  • M. Ficco et al., Intrusion detection in cloud computing, Proceedings of the Eighth IEEE International Conference on P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC) (2013)
  • H. Gharaee et al., A new feature selection IDS based on genetic algorithm and SVM, Proceedings of the Eighth IEEE International Symposium on Telecommunications (IST) (2016)
  • J. Han, Data mining: Concepts and techniques (2005)
  • S. McCanne et al., The BSD packet filter: a new architecture for user-level packet capture, Proceedings of the Winter USENIX Conference (1993)
  • S. Mirjalili et al., Binary bat algorithm, Neural Comput Appl (2014)
Ms. Harsha Dudeja is presently working as a Research Fellow at National Institute of Technology Goa under the DST, SERB, GOI funded research project titled "Designing out of VM Monitoring based Virtual Machine Introspection Framework for securing virtual environment of cloud computing" (ECR/2017/001221). She received B.Tech. and M.Tech. degrees in computer science and engineering from Rajasthan Technical University, India, in 2013 and 2017, respectively. Her research interests include cloud computing security, data mining, machine learning and security.

Dr. Modi Chirag Navinchandra obtained his Ph.D. (2010–2014) and M.Tech. (2008–2010) in Computer Engineering from National Institute of Technology Surat (NIT Surat), India, and his B.E. in Computer Engineering from Sardar Patel University, India. He is currently an assistant professor in the Department of Computer Science and Engineering at National Institute of Technology Goa, India. His research interests include information security and privacy, cryptography, cloud security, network security, intrusion detection and prevention, and blockchain and DLT. He has published many papers in reputed journals and international conference proceedings, with a good number of citations. He received the Young Scientist Award in the specialization of Cloud Computing (2015) from VIFRA, Chennai, India, and holds the Best Review Paper Award (2015) from the Journal of Network and Computer Applications (JNCA), Elsevier, San Diego, USA. He is an active member of many journal editorial boards and review committees. He holds the funded research project titled "Designing out of VM Monitoring based Virtual Machine Introspection Framework for securing virtual environment of cloud computing" (ECR/2017/001221) from the DST, SERB, GOI.