Designing an efficient security framework for detecting intrusions in virtual network of cloud computing
Introduction
Cloud computing has grown to support various IT applications such as IoT, mobile computing, smart IT, etc. Network virtualization is a key enabler of this growth: it allows multiple independent virtual networks to run over a shared infrastructure. As shown in Fig. 1, the cloud has three main networks: the virtual network, the internal network and the external network. The virtual network allows communication among VMs on the same physical server. Through the internal network, different cloud components such as management systems, storage systems and network servers communicate with each other. The external network is the primary interface between the front end (cloud user) and the back end (cloud service provider). Together, these networks make the successful provisioning of cloud services to users possible. However, vulnerabilities in the existing network technologies, together with the distributed and dynamic nature of the cloud, pose various security concerns. For instance, sharing the network infrastructure increases the exposure to vulnerabilities in DNS servers and in the DHCP, IP and ARP protocols. In addition, the virtual network has many vulnerabilities, such as vSwitch software bugs, poor network isolation between VMs, open ports, insecure network channels, and poorly designed or buggy network protocols (Chowdhury and Boutaba, 2009). Successful exploitation of such vulnerabilities leads to many attacks, such as Denial of Service (DoS), port scanning, sniffing, spoofing and network probing.
In the literature (Modi, Patel, Borisaniya, Patel, Rajarajan, 2013a; Modi, Patel, Borisaniya, Patel, Patel, Rajarajan, 2013b; Subashini, Kavitha, 2011), various security issues at different layers of cloud computing have been investigated, and it is recommended to extend or re-examine the traditional security solutions for securing cloud computing. Recently, many network attacks such as IP spoofing, ransomware, cryptomining, data breaches and DoS/DDoS attacks have targeted private as well as public cloud services. The Microsoft Security Intelligence Report states that the number of account sign-ins attempted from malicious IP addresses increased by 44% from the first quarter of 2016 to the first quarter of 2017. Cloud services such as Microsoft Azure are frequently targeted to compromise VMs and other services; over two-thirds of the attacks on Azure services in the first quarter of 2017 were performed from China. In May 2017, the worst ransomware attack, WannaCry, was performed on the National Health Service (NHS) in the UK. It infected over 0.3 million computer systems at the NHS within just four days by scanning the connected LANs and WANs. Skybox Security states that poor configuration is a key source of security risk in cloud networks. In February 2018, Tesla's Amazon Web Services (AWS) cloud system was maliciously accessed via a vulnerable Kubernetes console for malicious cryptomining. In addition, many cyber threats are evolving, and cloud servers are the major target. In May 2017, a data breach at OneLogin affected 1.4 billion records on cloud servers. In July 2017, the U.S. credit reporting agency Equifax detected and blocked suspicious network activity associated with a consumer web portal; the vulnerability CVE-2017-5638 in Apache Struts had been exploited to perform this malicious activity, and over 145.5 million accounts were compromised.
Recently, many DoS/DDoS attacks have been reported. In January 2016, the BBC experienced the biggest DDoS attack to that date, which took the BBC's global website down. In February 2018, the code hosting website GitHub was hit with the largest DDoS attack on record. In general, public cloud services are potential targets of DDoS attacks, and the magnitude of such attacks has increased with time and technology: in the last decade, the DDoS attack rate has increased from 70 GBps to 1.35 TBps.
One traditional solution to the above security problems is to deploy a firewall in the virtual network. However, a firewall works at the network boundary and therefore cannot detect insider attacks (Modi et al., 2013b). Although a network intrusion detection system (NIDS), as another solution, works well in traditional networks, its deployment in the cloud is a major challenge (Modi and Acha, 2017). If a NIDS is deployed at each VM, it can detect intrusions for that VM only, so multiple NIDS instances are required, and managing multiple NIDSs is a complex process. A NIDS on each physical server can inspect the network traffic of all its VMs through the vSwitch, but it must have fast detection capability to handle the high traffic volume. A NIDS on the physical switch can inspect the traffic destined for all the physical servers, but VM-to-VM traffic cannot be monitored, so insider attacks cannot be detected. In addition, a single NIDS may fail to detect coordinated or distributed attacks because of the distributed and shared nature of the cloud. Hence, a NIDS should be deployed on each physical server, and the alerts from each server should be correlated with reduced computational and communication overhead.
To address the above problems, we propose a hypervisor-level distributed network security (HLDNS) framework that is deployed on each physical server of the cloud. It monitors the VM-related traffic to and from the virtual network, internal network and external network. For intrusion detection, it incorporates a feasible feature selection technique and a machine learning classifier. Since network features play a major role in the accurate detection of intrusions, we have extended the bio-inspired binary bat algorithm (BBA) (Mirjalili et al., 2014) with two new fitness functions for deriving the feasible features from cloud network traffic. A fitness function can be the accuracy of a classifier or a correlation technique that derives the relationship between a feature and the class label. We consider both parameters individually, through the Feature Similarity-based Fitness Function (FSFF) and the Classifier Accuracy-based Fitness Function (CAFF), to derive the optimal features, and the results of FSFF and CAFF are combined to obtain the final feature set. The derived features from cloud network traffic are applied to a Random Forest (Breiman, 2001) classifier for detecting intrusions and generating alerts. For performance evaluation and feasibility analysis, the proposed HLDNS framework is tested on the cloud testbed at NIT Goa by performing different network attacks and by using the recent UNSW-NB15 (Moustafa and Slay, 2015) and CICIDS-2017 (Sharafaldin et al., 2018) intrusion datasets. The performance results are compared with existing research works and validate the fulfillment of the network security requirements in the cloud.
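The two-fitness-function feature selection described above, as an added worked example that is not the paper's own code: the paper does not give the formulas of FSFF and CAFF, so this block assumes FSFF is the mean absolute Pearson correlation between each selected feature and the class label, uses a nearest-centroid classifier's training accuracy as a stand-in for CAFF (the paper uses a different classifier), takes the union of the two BBA results as the combination rule, and keeps loudness and pulse rate constant in the binary bat algorithm. The flow records are constructed toy data.

```python
import math, random

def pearson(xs, ys):  # Pearson correlation; 0.0 when either column is constant
    n = len(xs); mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(xs, ys))
    sxx, syy = sum((a - mx) ** 2 for a in xs), sum((b - my) ** 2 for b in ys)
    return sxy / math.sqrt(sxx * syy) if sxx and syy else 0.0

def fsff(mask, X, y):  # FSFF (form assumed): mean |corr(feature, label)| over selected features
    sel = [j for j, b in enumerate(mask) if b]
    return sum(abs(pearson([r[j] for r in X], y)) for j in sel) / len(sel) if sel else 0.0

def caff(mask, X, y):  # CAFF stand-in: training accuracy of a nearest-centroid classifier
    sel = [j for j, b in enumerate(mask) if b]
    if not sel:
        return 0.0
    cents = {c: [sum(r[j] for r, l in zip(X, y) if l == c) / y.count(c) for j in sel] for c in sorted(set(y))}
    nearest = lambda r: min(cents, key=lambda c: sum((r[j] - cents[c][k]) ** 2 for k, j in enumerate(sel)))
    return sum(nearest(r) == lab for r, lab in zip(X, y)) / len(X)

def binary_bat(fitness, n_feat, bats=10, iters=30, seed=7):
    """Binary bat algorithm (Mirjalili et al., 2014) with a V-shaped transfer function; bat 0 starts from the full feature set."""
    rng = random.Random(seed)
    pos = [[True] * n_feat] + [[rng.random() < 0.5 for _ in range(n_feat)] for _ in range(bats - 1)]
    vel = [[0.0] * n_feat for _ in range(bats)]
    fit = [fitness(p) for p in pos]
    gbest, gfit = max(zip(pos, fit), key=lambda t: t[1])
    for _ in range(iters):
        for i in range(bats):
            freq, cand = rng.random(), pos[i][:]  # pulse frequency drawn in [0, 1]
            for j in range(n_feat):
                vel[i][j] += (pos[i][j] - gbest[j]) * freq
                if rng.random() < abs(2 / math.pi * math.atan(math.pi / 2 * vel[i][j])):
                    cand[j] = not pos[i][j]  # V-shaped transfer: flip the bit
            if rng.random() > 0.5:  # pulse rate r = 0.5: local search around the global best
                cand = [not b if rng.random() < 0.1 else b for b in gbest]
            cf = fitness(cand)
            if cf > fit[i] and rng.random() < 0.9:  # accept with loudness A = 0.9
                pos[i], fit[i] = cand, cf
            if cf > gfit:
                gbest, gfit = cand[:], cf
    return [j for j, b in enumerate(gbest) if b]

def select_features(X, y):  # one BBA run per fitness function, then union (combination rule assumed)
    n = len(X[0])
    return sorted(set(binary_bat(lambda m: fsff(m, X, y), n)) | set(binary_bat(lambda m: caff(m, X, y), n)))

# Constructed toy flow records: features 0 and 4 track the label (1 = attack), features 1-3 are noise
Y = [0] * 8 + [1] * 8
X = [[Y[i], i % 2, 3, i % 4, 1 - Y[i]] for i in range(16)]
```

Because bat 0 starts from the full feature set, each BBA run can only improve on that baseline, so on this data the returned set always contains at least one of the two informative features.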
The rest of the paper is organized as follows: Section 2 investigates the existing approaches for cloud network security. A detailed discussion of the proposed security framework is given in Section 3. In Section 4, performance evaluation and feasibility analysis of the proposed security framework is given, while Section 5 concludes our research work with references at the end.
Existing approaches to intrusion detection in cloud
An intrusion can be any malicious activity attempting to compromise the confidentiality, integrity or availability of computing resources and services. An intrusion detection system (IDS) monitors network traffic or system activities to detect such malicious activity (Rowland, 2002). A NIDS in the cloud monitors the network traffic to detect any malicious activity affecting the security of cloud resources (Vieira et al., 2010). There have been several works till date for detecting the network
Objective
The objective is to design an efficient security framework that can detect network intrusions in the cloud while fulfilling the network security needs: handling high network traffic, analyzing VM-specific traffic, and minimizing communication and computation overhead, with high accuracy and low false alerts. In addition, it should scale automatically as the set of VMs changes dynamically, without human intervention. The objective of the proposed security framework can be
Experimental results and analysis
For the performance validation and feasibility analysis, we have tested the proposed HLDNS framework on cloud testbed at NIT Goa as well as using recent intrusion datasets.
Conclusions and future work
Network security is a major concern for the wide adoption of cloud computing. There are several network vulnerabilities that pose different security risks. We have designed an efficient security framework that monitors the VM network traffic. It uses both signature-based and anomaly detection techniques, and is thus capable of detecting known as well as unknown attacks. In addition, signature-based detection is applied prior to anomaly detection, which helps in reducing the overall computation
Declaration of competing interest
This is to state that all authors have participated in the conception and design, the analysis and interpretation of the experimental results, the drafting of the manuscript and its critical revision as per the reviewers' comments, and the approval of the final version for possible publication in the journal Computers & Security, Elsevier. This manuscript has not been submitted to, nor is it under review at, another journal or other publishing venue.
The authors have no affiliation with any organization with a
Acknowledgment
This work is part of the project titled "Designing out-of-VM Monitoring based Virtual Machine Introspection Framework for Securing Virtual Environment of Cloud Computing" [ECR/2017/001221], with research funding support from the Science and Engineering Research Board (SERB), Department of Science and Technology, Government of India.
References (46)
- A cooperative and hybrid network intrusion detection framework in cloud computing based on Snort and optimized back propagation neural network. Procedia Comput Sci (2016).
- A GA-LR wrapper approach for feature selection in network intrusion detection. Comput Secur (2017).
- A survey of intrusion detection techniques in cloud. J Netw Comput Appl (2013).
- Naive Bayes-guided bat algorithm for feature selection. Sci World J (2013).
- A comparison of header and deep packet features when detecting network intrusions. DRUM Technical Report (2018).
- A collaborative network intrusion detection system (C-NIDS) in cloud computing. Int J Commun Netw Inf Secur (2016).
- Experimental evaluation of a multi-layer feed-forward artificial neural network classifier for network intrusion detection system. Proceedings of the first IEEE international conference on new trends in computing sciences (ICTCS) (2017).
- An enhanced intrusion detection framework for securing network layer of cloud computing. Proceedings of the IEEE Asia security and privacy conference (2017).
- A multiclass cascade of artificial neural network for network intrusion detection. J Intel Fuzzy Syst (2017).
- Enhanced intrusion detection and prevention system on cloud environment using hybrid classification and OTS generation. J Netw Softw Tools Appl (2017).
- Ramp loss k-support vector classification-regression; a robust and sparse multi-class approach to the intrusion detection problem. Knowl Based Syst.
- Xen and the art of virtualization. Proceedings of the 19th ACM Symposium on Operating Systems Principles.
- Random forests. Machine Learning.
- Classification and regression trees.
- A new penalty-based wrapper fitness function for feature subset selection with evolutionary algorithms. J Inf Telecommun.
- Network virtualization: state of the art and research challenges. IEEE Commun Mag.
- A comparative evolution of unsupervised techniques for effective network intrusion detection in Hadoop. Proceedings of the second international conference on advances in computing and data sciences.
- Intelligent feature selection method rooted in binary bat algorithm for intrusion detection. Proceedings of the IEEE tenth jubilee international symposium on applied computational intelligence and informatics (SACI).
- Intrusion detection in cloud computing. Proceedings of the eighth IEEE international conference on P2P, parallel, grid, cloud and internet computing (3PGCIC).
- A new feature selection IDS based on genetic algorithm and SVM. Proceedings of the eighth IEEE international symposium on telecommunications (IST).
- Data mining: Concepts and techniques.
- The BSD packet filter: a new architecture for user-level packet capture. Proceedings of the winter USENIX conference.
- Binary bat algorithm. Neural Comput Appl.
Mr. Rajendra Patil has been a full-time research scholar in the department of computer science and engineering at National Institute of Technology Goa since 2015. He received a B.E. degree in computer science and engineering from Shivaji University, Maharashtra, India in 2008 and an M.Tech. degree in computer science and engineering from National Institute of Technology Surathkal, India in 2014. His research interests include Cloud Computing, Virtualization Security and Network Security. He has made significant contributions in the field of cloud computing security.
Ms. Harsha Dudeja is presently working as a Research Fellow at National Institute of Technology Goa under the DST, SERB, GOI funded research project titled "Designing out of VM Monitoring based Virtual Machine Introspection Framework for securing virtual environment of cloud computing" (ECR/2017/001221). She received B.Tech. and M.Tech. degrees in computer science and engineering from Rajasthan Technical University, India in 2013 and 2017, respectively. Her research interests include Cloud Computing Security, Data Mining, Machine Learning and Security.
Dr. Modi Chirag Navinchandra obtained his Ph.D. (2010–2014) and M.Tech. (2008–2010) in Computer Engineering from National Institute of Technology Surat (NIT Surat), India, and his B.E. in Computer Engineering from Sardar Patel University, India. He is currently working as an assistant professor in the department of computer science and engineering at National Institute of Technology Goa, India. His research interests include Information Security and Privacy, Cryptography, Cloud Security, Network Security, Intrusion Detection and Prevention, and Blockchain and DLT. He has published many papers in reputed journals and international conference proceedings, with a good number of citations. He received the Young Scientist Award in the specialization of Cloud Computing (2015) from VIFRA, Chennai, India, and holds the Best Review Paper Award (2015) from the Journal of Network and Computer Applications (JNCA), Elsevier, San Diego, USA. He is an active member of many journal editorial boards and review committees. He holds the research-funded project titled "Designing out of VM Monitoring based Virtual Machine Introspection Framework for securing virtual environment of cloud computing" (ECR/2017/001221) from the DST, SERB, GOI.