
Essay: Intrusion Detection System

Published: 25 February 2023. Last modified: 22 July 2024.

Abstract: Security has become the greatest concern, both inside and outside organizations that operate in the cloud. User IDs, passwords and firewalls are the common measures taken to secure computers, but they have not proven effective enough in the current threat landscape. The need for efficient security systems led to the development of Intrusion Detection Systems. An Intrusion Detection System (IDS) aims to provide secure data transmission by detecting intrusions on the network an organization is connected to, on its databases, or on the devices in use. In this work Wireshark is used to detect intrusions in the network so that data can flow safely. After analysis with Wireshark, which is used here as an intrusion detection tool, the captured data is classified as normal or abnormal.

Keywords: Cloud Computing, Intrusion Detection System, Host Based Intrusions, Network Based Intrusions, DoS Attack, Wireshark.

1. Introduction

Cloud Computing is considered the next-generation paradigm in Information Technology. A cloud computing environment provides both resources and applications through the Internet as an on-demand service. The National Institute of Standards and Technology (NIST) defines Cloud Computing as a service used to provide data storage capacity and computing power over the Internet [1]. The five essential characteristics of cloud specified by NIST are ubiquitous network access, on-demand self-service, rapid elasticity, resource pooling, and measured service. The major service models of cloud computing are Platform as a Service (PaaS), Software as a Service (SaaS) and Infrastructure as a Service (IaaS). Cloud Computing is an amalgamation of many computing concepts such as Web 2.0, Service Oriented Architecture (SOA) and virtualization over the Internet. It helps businesses by providing a common computing platform even though their data and software reside on remote servers [2].

Cloud Computing relies on virtualization technology, where virtual copies of the actual hardware resources such as processor and memory are provided to users dynamically. A single physical resource can therefore be accessed simultaneously by multiple users, which increases resource utilization. Because cloud computing services are accessed remotely, they are very vulnerable to attacks. These attacks range from network-based to host-based to attacks on data stored at various sites. The major reason for this vulnerability is the distributed nature of the network itself [3]. Therefore, there is a need to detect these attacks.

One method of handling these attacks is to extend the capabilities of firewalls. But firewalls have some inherent limitations, the most significant being that they can only detect attacks coming from outside the network; a firewall cannot detect a security violation that originates inside the organization. The other method is intrusion detection, which complements the facilities provided by the firewall. It extends security management by empowering system administrators to monitor the network so that they can recognize an attack and take corrective measures.

An intrusion detection system analyzes a set of discrete events at regular intervals to find patterns of misuse. These systems are classified as host-based and network-based. In both types the activities analyzed are sequential records that indicate which activities are taking place and hence reflect behaviour, which in turn helps in detecting any sort of attack. The host-based approach looks at events such as files that were accessed and applications that were executed. The network-based approach looks at events as packets exchanged between computers, which means that it monitors network traffic.

One of the most important aspects of cloud management is analysis of traffic over the network. This is necessary to make the system secure and to provide the guaranteed quality of service. The flow of network traffic shows the behavior of users of cloud computing systems as they operate or use the services. The required information can be obtained by creating a model of service usage, or by obtaining patterns that can then be analyzed to distinguish normal from abnormal behavior of the system. Upon analysis, the flow of network traffic gives an idea of how applications are performing in the cloud environment. Development of these network traffic analysis techniques helps in improving availability, security and performance in the cloud environment [4].

Basic elements of Intrusion Detection System are:

(1) Network Traffic Monitoring: The activities of the user and the system are monitored and data is collected for analysis.

(2) Data Analysis and Detection of possible Intrusion: The collected data is analyzed to build a prediction model which can help in detecting whether any intrusion has occurred or not.

(3) Generation of alert: In the event of any malicious activity being detected, an alert is generated to inform the administrator about the intrusion.

The remainder of the paper is organized as follows: Section 2 reviews the literature in the area of intrusion detection. Section 3 discusses the types of intrusion detection system. Section 4 describes the techniques employed for intrusion detection, Section 5 gives a taxonomy of anomalies and Section 6 discusses anomaly detection in cloud networks. The implementation details using Wireshark and the analysis of the results are given in Section 7. Finally, Section 8 gives the conclusions derived from the study and the future scope.

2. Literature Survey

Web applications contain many vulnerabilities that are used in exploits, and these can have alarming impacts on the privacy of organizations, as documented by the OWASP community [5]. Data traffic over the Internet can be monitored by collecting information on network packet flow, as most web application traffic is HTTP traffic. It is possible to analyze this traffic because it can be intercepted and monitored. An effective network forensic model capable of acquiring and preserving digital evidence was proposed by Pilli et al. [5]. The issue of cloud security is discussed by Vaquero et al. in [6]. According to them there are many security issues in a cloud environment, the most prominent being its multitenant nature. Their paper mainly discusses the security issues of Infrastructure as a Service (IaaS) clouds. The main concepts used in the IaaS model are machine virtualization and network virtualization. Most of these systems use access control and encryption techniques to secure the different components of a virtualized (multitenant) datacentre.

Threat Manager, a security product of Alert Logic, is a real-world cloud IDS used with Amazon Web Services. According to Alert Logic's 2014 cloud security report, threats in the cloud are growing: attacks that previously targeted the host environment now target the cloud, and hence the total number of attacks is increasing at a very fast pace [7]. In the cloud environment most of the resources are hosted on the service provider's remote servers, and hence users of cloud services have limited control over those resources (Roschke et al. [8]). Therefore, it is the responsibility of the cloud service provider to provide intrusion detection capability in the cloud environment.

The Grid and Cloud Computing Intrusion Detection System (GCCIDS) integrates behavior-based and knowledge-based analysis in order to detect some specific types of intrusions on the cloud. But such systems cannot store information about the attacks in a database, and hence they cannot analyze the available data to create a model for intrusion detection. Therefore, they cannot detect new types of attacks, which is a required feature of an intrusion detection system (IDS) [9]. Vieira et al. proposed a host-based IDS in 2010. In this model an IDS is present in each node of the cloud, providing the IDS services and the interaction between these services [9]. Another model was proposed by Arshad et al., consisting of six components: system call handler, detection module, security analysis module, profile engine, global components and intrusion response system [10]. This model is used for severity analysis along with intrusion detection.

According to Donadio et al., reliability and security have to be viewed as a process and not as a product. We cannot use the same processes in a cloud environment that were used in traditional IDS; the methods employed have to be crisp enough to cater to the various issues specific to the cloud environment [11]. As suggested by Carl Endorf et al., a rule-based IDS identifies attacks by analyzing elements such as variations in protocol behavior, signatures, changes in files or directories, unusual system logs, etc. [12]. Sudhir et al. [13] proposed an architecture with a separate intrusion detection system for each virtual machine, where each IDS instance is managed by a separate controller; intrusion detection is carried out by combining signature-based and learning-based methods. Distributed denial-of-service (DDoS) attacks in the virtualized environment are discussed in [14] by Hifaa et al. Only known attacks can be detected using the signature-based intrusion detection technique. External intrusions can be detected if this method is employed at the front end of the cloud, and both external and internal intrusions if it is employed at the back end. But, as shown by Modi et al. [15], it cannot detect unknown attacks in the cloud, as in traditional networks.

3. Intrusion Detection System

Cybersecurity has become a necessity as society has become increasingly dependent on computerized environments in its application areas. Intrusion detection has become one of the most important aspects of cybersecurity. To prevent attacks, there is a dire need to become aware of an attack at first hand; awareness of attacks helps in reacting to and defending against attackers. Cybersecurity involves security analytics of data to look for attack patterns that give insight into the attacks. Intrusion detection is also important for forensic purposes, as it enables identification of successful breaches even after they have occurred [16].

An Intrusion Detection System is used for monitoring network traffic and protecting communications over the network from intruders. Malicious users or hackers use an organization's internal systems to gather information and exploit weaknesses, such as systems left in their default configuration. The role of intrusion detection is to keep a check on the use of network assets and to detect any unusual behavior or inappropriate use of the network [17]. Hence, there is an alarming need to secure these systems from intruders; the security of a computer network is enhanced by the use of these intrusion detection systems.

IDSs can be classified based upon the method used for data collection:

• NIDS (Network Intrusion Detection System): a detection system based on analysis of network data. A NIDS captures traffic over the network for analysis and looks for abnormalities in the captured traffic, which contains the activities of the monitored hosts on the network.

• HIDS (Host-based Intrusion Detection System): an intrusion detection system that keeps a check on the activities of a local host such as a personal computer. It can use databases or log files for analysis. The goal of a HIDS is to track any attempt at unauthorized access to the system or any attack that has been carried out on the system. Here the monitored machine runs the IDS itself.

Both IDS types (HIDS and NIDS) can also be integrated to implement cloud security as needed. Both IDS types can use anomaly-based and signature-based detection, so this approach gives better detection accuracy for unknown as well as known attacks.

4. Intrusion Detection Techniques

There are two basic techniques of intrusion detection:

4.1 Anomaly based intrusion detection

Anomalies are any type of outlier: exceptions in the data pattern or deviations from its normal behavior. An intrusion detection system that classifies activities as normal or abnormal and then raises an alarm for any abnormal activity is known as an Anomaly Detection System (ADS) [18]. Anomaly-based approaches collect data that is studied and observed as the behavior of legitimate users, and then apply statistical tests over this data to observe the behavior; from this we can conclude whether a given behavior is legitimate or not [15]. Generally, a profile representing the stochastic behavior of the network is created by capturing network traffic activity. Unknown attacks at different levels of the cloud can be detected using anomaly detection techniques. It is difficult to monitor intrusions in a cloud environment because of the variety and large number of events occurring in it [15].

4.2 Signature based intrusion detection

Another approach to intrusion detection is based on pre-defined rules developed from analysis of previous attacks. This approach is known as misuse detection or signature-based intrusion detection. This type of detection system can detect only known attacks, because it has information about these attacks in its database. In this approach a dataset is maintained that labels each data item as either normal or abnormal, and a set of rules or a model is developed from this information. When new data comes in, it is designated as normal or intruder data using this model. The set of rules is also known as a signature, hence the name signature-based detection. This pattern-based approach is used in both host- and network-based IDS to monitor any malicious activity. However, as no patterns or signatures are available for unknown attacks, this system cannot detect them; the same holds for variants of known attacks [15].

4.3 Hybrid intrusion detection

A detection system that combines anomaly-based and signature-based detection is known as a hybrid IDS. The advantage of this approach is a higher detection rate for known attacks and a lower false positive rate for unknown attacks.
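As an added illustration (not code from the essay), the following Python sketch runs a signature-based check and a behaviour-profile check over the same constructed connection records and fuses them in the hybrid manner described in Sections 4.1 to 4.3; the signature patterns, the profile features (ports and payload size per source) and all traffic are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One observed connection (constructed record layout, not Wireshark output)."""
    src: str
    dst_port: int
    payload: bytes


# Constructed signature database: byte patterns of known attacks (illustrative, not real rules).
SIGNATURES = {
    "sqli-union": b"UNION SELECT",
    "path-traversal": b"../../",
}


def signature_detect(conn):
    """Misuse (signature-based) detection: names of signatures found in the payload.
    Only attacks already in the database can match."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in conn.payload)


class BehaviourProfile:
    """Anomaly-based detection: a profile of legitimate behaviour learned per source host
    (ports it normally talks to, largest payload it normally sends)."""

    def __init__(self, training):
        self.ports = {}
        self.max_len = {}
        for c in training:
            self.ports.setdefault(c.src, set()).add(c.dst_port)
            self.max_len[c.src] = max(self.max_len.get(c.src, 0), len(c.payload))

    def anomalies(self, conn):
        """Reasons why the connection deviates from its source's profile (empty if none)."""
        if conn.src not in self.ports:
            return ["unknown-source"]
        reasons = []
        if conn.dst_port not in self.ports[conn.src]:
            reasons.append(f"new-port:{conn.dst_port}")
        if len(conn.payload) > 2 * self.max_len[conn.src]:
            reasons.append("oversized-payload")
        return reasons


def hybrid_verdict(profile, conn):
    """Hybrid IDS: a signature hit is reported as a known attack; otherwise any deviation
    from the learned profile is reported as an anomaly (possibly an unknown attack)."""
    sigs = signature_detect(conn)
    if sigs:
        return "known-attack:" + ",".join(sigs)
    anomalies = profile.anomalies(conn)
    if anomalies:
        return "anomaly:" + ",".join(anomalies)
    return "normal"


# Constructed legitimate traffic used to build the profile.
TRAINING = [
    Conn("10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    Conn("10.0.0.5", 443, b"\x16\x03\x01\x00\x10"),
    Conn("10.0.0.7", 80, b"GET /login HTTP/1.1"),
]

# Constructed test cases: a known attack, a variant that evades the signature (and, being
# otherwise in profile, the anomaly check too), and an unknown attack only the profile flags.
TEST_CASES = {
    "known":   Conn("10.0.0.5", 80, b"GET /?id=1 UNION SELECT 1,2 HTTP/1.1"),
    "variant": Conn("10.0.0.5", 80, b"GET /?id=1 UNION/**/SELECT 1,2 HTTP/1.1"),
    "unknown": Conn("10.0.0.7", 4444, b"\x00\x01"),
}


def run_demo():
    profile = BehaviourProfile(TRAINING)
    return {name: hybrid_verdict(profile, conn) for name, conn in TEST_CASES.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:8s} -> {verdict}")
```

The "variant" case shows the limitation the text describes: a signature miss combined with in-profile behaviour yields no alert from either detector.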

5. Taxonomy of Anomalies

Unusual patterns detected in network traffic are used by network administrators to locate the reason for faults in the network. These unusual patterns, known as anomalies, can be categorized into three types:

5.1 Point Anomalies

If only a single instance deviates from the normal pattern then this type of anomaly is known as point anomaly.

Figure A: Illustration of point anomaly

Figure A above illustrates a point anomaly. The two regions N1 and N2 are regions of normal activity; whatever lies outside them is an anomaly. Here the points O1 and O2 and the points in region O3 are all point anomalies. A real-life example is the travel expenses incurred by an individual: suppose the expense per day is generally Re 200 and on one particular day it goes to Re 2000; this is a case of point anomaly.

5.2 Contextual Anomalies

If an instance deviates from the other instances observed in the same context, it is known as a contextual anomaly. This unwanted behavior concerns an individual data instance. A contextual anomaly is depicted in Figure B. In this example the points labeled t1 and t2 represent the same temperature value; nevertheless, point t2 is considered an outlier while point t1 is not, because of the context in which each occurs.

Figure B: Illustration of contextual anomaly

A real-life example is the monthly expenditure of a family. Suppose the normal expenditure each month is Re 50,000 and in June it rises to Re 75,000. If there is a major festival in that month, this expense is not considered anomalous because it is contextually normal; if there was no festival or other occasion, the expenditure is considered anomalous. So the same observation may be anomalous or not depending on the context, hence the term contextual anomaly.

5.3 Collective Anomalies

If a collection of observations are similar to each other but differ from all the remaining observations, this is known as a collective anomaly. A single instance that varies from the rest may not be considered an anomaly, but the collection of such instances becomes one; hence the name collective anomaly.

Figure C: Illustration of collective anomaly

This type of anomaly is depicted in Figure C. A real-life example is the output of a human electrocardiogram (ECG). A small deviation at a single point may be considered normal, but if an abnormal value persists for a considerable time it indicates an anomaly and has to be studied carefully by the doctor to diagnose the underlying cause.

Collective anomaly can occur in sequential, spatial as well as graph data.
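The three anomaly types of this section, demonstrated in added Python (not part of the essay) on constructed data that mirrors the essay's own examples: daily expenses for a point anomaly (Tukey's fences are an assumption; the essay does not specify a method), monthly expenditure with a festival context for a contextual anomaly, and an ECG-like sequence for a collective anomaly.

```python
from statistics import quantiles


# --- 5.1 Point anomaly: a single instance far from all others ---------------------
def point_anomalies(values, k=1.5):
    """Indices of values outside Tukey's fences [Q1 - k*IQR, Q3 + k*IQR]."""
    q1, _, q3 = quantiles(values, n=4)
    iqr = q3 - q1
    lo, hi = q1 - k * iqr, q3 + k * iqr
    return [i for i, v in enumerate(values) if v < lo or v > hi]


# Constructed daily travel expenses (Re): one day at 2000 against a baseline around 200.
DAILY_EXPENSE = [180, 200, 220, 210, 190, 205, 195, 2000, 215, 185]


# --- 5.2 Contextual anomaly: the same value is normal or not depending on context --
def contextual_anomalies(records, expected, tolerance=0.2):
    """Labels of records whose value deviates by more than `tolerance` (a fraction) from
    the expected value of THEIR OWN context.  records: (label, context, value)."""
    flagged = []
    for label, context, value in records:
        baseline = expected[context]
        if abs(value - baseline) > tolerance * baseline:
            flagged.append(label)
    return flagged


# Constructed monthly family expenditure (Re) with a festival/regular context flag:
# the same 75,000 is normal in the festival month and anomalous in a regular month.
MONTHLY_EXPENSE = [("May", "regular", 50000), ("Jun", "festival", 75000),
                   ("Sep", "regular", 75000)]
EXPECTED_BY_CONTEXT = {"regular": 50000, "festival": 75000}


# --- 5.3 Collective anomaly: a run of related instances, none anomalous alone -----
def collective_anomalies(values, lo, hi, min_run=3):
    """(start, end) index spans of at least `min_run` consecutive values outside [lo, hi].
    A lone excursion shorter than `min_run` is tolerated, like a single odd ECG sample."""
    spans, start = [], None
    for i, v in enumerate(list(values) + [None]):     # None sentinel closes a trailing run
        outside = v is not None and not (lo <= v <= hi)
        if outside and start is None:
            start = i
        elif not outside and start is not None:
            if i - start >= min_run:
                spans.append((start, i - 1))
            start = None
    return spans


# Constructed ECG-like samples: a single spike (index 8) and a sustained plateau (13..17).
ECG = [0, 1, 0, -1, 0, 1, 0, -1, 5, 0, 1, 0, -1, 4, 4, 4, 4, 4, 0, 1, 0]


if __name__ == "__main__":
    print("point:", point_anomalies(DAILY_EXPENSE))
    print("contextual:", contextual_anomalies(MONTHLY_EXPENSE, EXPECTED_BY_CONTEXT))
    print("collective:", collective_anomalies(ECG, lo=-2, hi=2))
```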

6. Detection of Anomaly in Cloud Networks

Data can arrive from various types of network in a cloud, so different types of patterns are observed in cloud data. This variation is also attributed to the varying behavior of the clients using the infrastructure and the type of services provided by the cloud service provider. Anomaly detection is therefore an even bigger challenge in the cloud environment. Apart from the traditional problems, a major concern in the cloud environment is misconfiguration.

Most of the time, signature- or rule-based commercial off-the-shelf systems are used for intrusion detection. Deployed at the front end, they can detect external or incoming attacks; deployed at the back end, they can detect both external and internal attacks.

Various Anomaly Detection Techniques Employed in Cloud Environment

A wide variety of techniques is available for anomaly detection in a cloud, including statistical analysis, threshold detection, genetic algorithms, machine learning, neural networks, data mining and rule-based systems. Each method has its own advantages and limitations.

6.1 Statistical Anomaly Detection Systems:

In this method of anomaly detection, the data over the network is observed and a profile is created to store the values which are generated. These profiles record the normal and the current behavior patterns. Then these are studied to check any kind of deviation from the normal behavior.

Statistical measures such as mean, standard deviation etc. are used to detect the anomaly here and hence it is known as Statistical Anomaly Detection System. This model is further categorized into the following types based upon the method employed for finding out the deviation.

a) Operational model or Threshold Metric: In this approach the cardinality of an event determines whether it is considered an intrusion. For example, if a user tries a password 3 times and fails to log in, then the system is locked.

b) Markov Process Model or Marker Model: In this model the system is examined at fixed intervals and its state is tracked. The probability of occurrence of each event is computed at various time intervals. Whenever an event occurs, its probability of occurrence at that time is checked against the recorded probability; if there is a large difference between the two values, the event is considered anomalous.

c) Statistical Moments or Mean and Standard Deviation Model: Quantities computed from the data items, such as the mean and standard deviation, are known as moments in statistics. Each moment has a range of permissible values, and data items that do not fall within this range are considered anomalous.
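Added example (not from the essay) implementing the three statistical models of this section in Python on constructed audit data: the threshold metric with the 3-failed-logins rule, the Markov model as a first-order event-transition model (an assumption; the essay does not fix the representation), and a mean/standard-deviation profile.

```python
from collections import Counter
from statistics import mean, pstdev


# --- a) Operational model / threshold metric ----------------------------------------
def threshold_alerts(events, event_type="login_failed", limit=3):
    """Users for whom the cardinality of `event_type` reaches `limit`
    (3 failed logins triggers the lockout rule from the text)."""
    counts = Counter(e["user"] for e in events if e["type"] == event_type)
    return sorted(user for user, n in counts.items() if n >= limit)


# Constructed audit events.
EVENTS = [{"user": "alice", "type": "login_ok"},
          {"user": "bob", "type": "login_failed"},
          {"user": "bob", "type": "login_failed"},
          {"user": "bob", "type": "login_failed"},
          {"user": "carol", "type": "login_failed"}]


# --- b) Markov process model --------------------------------------------------------
class MarkovModel:
    """First-order transition model: P(next | current) learned from a normal event trace.
    An observed transition whose learned probability is below `floor` is anomalous."""

    def __init__(self, trace):
        pairs = Counter(zip(trace, trace[1:]))
        totals = Counter(trace[:-1])
        self.prob = {(a, b): n / totals[a] for (a, b), n in pairs.items()}

    def probability(self, current, nxt):
        return self.prob.get((current, nxt), 0.0)   # never seen in training => 0

    def anomalous_transitions(self, trace, floor=0.05):
        """(index, current, next) for each transition whose probability is below `floor`."""
        return [(i, a, b) for i, (a, b) in enumerate(zip(trace, trace[1:]))
                if self.probability(a, b) < floor]


# Constructed normal session trace: mostly read sessions, a few write sessions.
NORMAL_TRACE = (["login", "open", "read", "close", "logout"] * 20
                + ["login", "open", "write", "close", "logout"] * 5)


# --- c) Statistical moments: mean and standard deviation model ----------------------
class MomentProfile:
    """Profile of a metric from its history; values outside mean +/- k*sd are anomalous."""

    def __init__(self, history, k=3.0):
        self.mu, self.sd, self.k = mean(history), pstdev(history), k

    def is_anomalous(self, value):
        return abs(value - self.mu) > self.k * self.sd


# Constructed history of bytes transferred per session.
SESSION_BYTES = [1200, 1350, 1100, 1280, 1420, 1190, 1310, 1250]


if __name__ == "__main__":
    print("threshold:", threshold_alerts(EVENTS))
    model = MarkovModel(NORMAL_TRACE)
    print("markov:", model.anomalous_transitions(["login", "open", "delete", "close", "logout"]))
    profile = MomentProfile(SESSION_BYTES)
    print("moments:", profile.is_anomalous(1300), profile.is_anomalous(9000))
```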

6.2 Data Mining Based Anomaly Detection System:

Data mining is the technique of extracting and analyzing large data sets to gain useful information. Anomalies in the cloud environment can be detected using association rule mining, clustering and classification. Normal and abnormal activities in the cloud are distinguished by an analysis mechanism in which a threshold level is defined that separates normal from abnormal activities.

6.3 Machine Learning Based Anomaly Detection System:

In this method the system learns from its own behavior to detect anomalies. The system stores the data sequence and the defined rules, and whenever a deviation occurs the machine generates new rules by learning from the system behavior. Thus the system keeps learning and improving its performance. Machine learning approaches that can be used include genetic algorithms, neural networks and support vector machines.

6.4 Adaptive Anomaly Detection System:

An adaptive anomaly detection system does not rely on any previous history of the anomaly. It records failure events at runtime and self-adapts based on them. Wrong detections can also occur here; they are handled by methods such as checkpointing and redundant execution.

7. Analysis of Intrusions on Wireshark

Wireshark is a network protocol analyzer that can be considered an application comprising several tools. It helps in analyzing the structure of network traffic in order to track configuration errors and security attacks. It is compatible with most computing platforms and is rich in features. Using Wireshark one can troubleshoot the network, analyze software and develop communication protocols. The various tools available in Wireshark help us capture, view and analyze data packets. Wireshark's packet filters are used to pick out packets from the huge volume captured, based on specified search criteria. These filters act as a micro programming language whose code is compiled and executed at runtime against packets captured with tools such as tcpdump and Wireshark (OpenLogic, 2008).

Packets travelling across the entire network at any time can be captured using Wireshark. Log maintenance is the strongest feature of Wireshark compared with other IDS devices [19]. Figure 1 shows network traffic captured in the Wireshark interface. The details of any packet can be seen by selecting that packet: from the header we can obtain source and destination IP address, protocol information, header length and various other types of service. Header field data is shown in decimal form, whereas payload data is displayed in hexadecimal form [20].

Unlike other IDS devices, Wireshark does not generate alarms automatically in real time. Instead the captured data is analyzed later, either manually or using some application. Intrusion information can be obtained in the following ways:

Figure 1: Simple Wireshark capture

a. Intrusion detection using expert information

The expert information gives us a log of anomalies found by Wireshark in a capture file.

Figure 2: Expert Information

Figure 2 shows the expert information for our packet capture.

The contents of this expert information are:

Chat (grey in color): information about the normal flow of packets, such as a TCP packet with the SYN flag set.

Note (cyan in color): notable things, e.g. an error code.

Warning (yellow in color): warnings, e.g. an "unusual" error code as in the case of a connection problem.

Error (red in color): serious problems, e.g. a malformed packet.

b. Intrusion detection using Chat messages

Figure 3: Observing Chat messages

Chats are simply the steps involved in any normal TCP connection. For a usual TCP connection the chat messages show the sequence of SYN, SYN+ACK and ACK messages.

Figure 3 above shows the sequence of a TCP connection with all three required steps, i.e. the SYN, SYN+ACK and ACK messages, which indicates a normal connection. However, any deviation from these steps, such as only SYN messages being observed, is a clear indication of a DoS attack. In the DoS attack performed in our experiment, there is a continuous stream of ping requests, shown as echo messages from the sender to the server.

Due to the DoS attack the server is not able to forward the request to the destination. In the case of a DoS attack, a flow graph as shown in Figure 4 below is obtained:

Figure 4: Observing DoS Attack
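Added Python example (not code from the essay or from Wireshark) that applies the two signs of DoS described above to a constructed capture in the shape of `tshark -T fields` output: TCP flows that never get past SYN, counted per server, and ICMP echo requests counted per source per second. The field layout, thresholds and sample addresses are assumptions.

```python
from collections import Counter, defaultdict

SYN_FLAG, ACK_FLAG = 0x02, 0x10   # TCP flag bits as they appear in Wireshark's tcp.flags

# Constructed capture (not a real one) in the shape of
#   tshark -r capture.pcap -T fields -E separator=, -e frame.time_relative \
#          -e ip.src -e ip.dst -e tcp.flags -e icmp.type
# One normal three-way handshake, four SYN-only flows to the same server, and a burst of
# twelve ICMP echo requests (icmp.type 8) from one host inside a single second.
SAMPLE_LINES = (
    ["0.000,10.0.0.5,10.0.0.80,0x0002,",        # SYN
     "0.001,10.0.0.80,10.0.0.5,0x0012,",        # SYN+ACK
     "0.002,10.0.0.5,10.0.0.80,0x0010,"]        # ACK
    + [f"0.1{i:02d},10.0.0.{20 + i},10.0.0.80,0x0002," for i in range(4)]
    + [f"0.{300 + 5 * i:03d},10.0.0.9,10.0.0.80,,8" for i in range(12)]
)


def parse(lines):
    """Turn tshark field lines into records; empty fields become None."""
    records = []
    for line in lines:
        t, src, dst, flags, icmp_type = line.split(",")
        records.append({"t": float(t), "src": src, "dst": dst,
                        "flags": int(flags, 16) if flags else None,
                        "icmp": int(icmp_type) if icmp_type else None})
    return records


def handshake_states(records):
    """Map each client->server flow to the handshake steps seen, the same steps Wireshark
    lists as Chat entries (SYN, SYN+ACK, ACK)."""
    states = defaultdict(set)
    for r in records:
        flags = r["flags"]
        if flags is None:
            continue
        syn, ack = bool(flags & SYN_FLAG), bool(flags & ACK_FLAG)
        if syn and not ack:                                 # client opens the connection
            states[(r["src"], r["dst"])].add("SYN")
        elif syn and ack:                                   # server answers; key by client
            states[(r["dst"], r["src"])].add("SYN+ACK")
        elif ack and (r["src"], r["dst"]) in states:        # client completes the handshake
            states[(r["src"], r["dst"])].add("ACK")
    return states


def syn_flood_suspects(records, min_incomplete=3):
    """Servers with at least `min_incomplete` flows that never got past SYN."""
    incomplete = Counter(server for (client, server), steps in handshake_states(records).items()
                         if "SYN" in steps and "ACK" not in steps)
    return {server: n for server, n in incomplete.items() if n >= min_incomplete}


def icmp_flood_suspects(records, max_per_second=10):
    """Sources whose echo-request rate exceeds `max_per_second` in any one-second bucket."""
    per_second = Counter((r["src"], int(r["t"])) for r in records if r["icmp"] == 8)
    peak = {}
    for (src, _), n in per_second.items():
        peak[src] = max(peak.get(src, 0), n)
    return {src: n for src, n in peak.items() if n > max_per_second}


if __name__ == "__main__":
    recs = parse(SAMPLE_LINES)
    for flow, steps in sorted(handshake_states(recs).items()):
        print(flow, sorted(steps))
    print("possible SYN flood against:", syn_flood_suspects(recs))
    print("possible ICMP flood from:", icmp_flood_suspects(recs))
```

On a real capture, the same field list can be exported from Wireshark with tshark and fed to `parse` unchanged; the thresholds should be tuned to the baseline traffic of the monitored network.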

c. IO Graphs on Wireshark

IO graphs are the most important facility provided by Wireshark. They can be used to observe and compare protocol performance, and the normal packet flow can be observed from the peaks of the IO graph. Figure 5 shows the IO graph of the captured network traffic.

Figure 5: Wireshark IO graph.

8. Conclusion and Future Scope

The aim of an administrator is not only to monitor for network failures and fix network problems on time, but also to prevent network failure due to outside threats. Network traffic information is used to meet this requirement. In this paper live network traffic is captured and detailed analysis of the captured packets is performed using Wireshark. The graphs of the captured files show the details of network dynamics and give insight into the problems.

Wireshark has by now proved to be a very effective network protocol analyzer. However, there is still much room for further development, such as alert generation and heuristic detection. Work is being done to introduce these changes into Wireshark so that it becomes capable of generating alerts for timely detection of many attacks, thereby making organizations and their data more secure.

Source: Essay Sauce, Intrusion Detection System. Available from: <https://www.essaysauce.com/essay-examples/2018-10-3-1538583148/>
