Zombie Attack Detection and Countermeasure Selection in Cloud

Home , Zombie (computing)

ZOMBIE ATTACK DETECTION AND COUNTERMEASURE SELECTION IN CLOUD ENVIRONMENT Rakshitha C M M tech (computer networks), Department of Computer Science and Engineering, Siddaganga Institute of Technology, Tumkur, Karnataka, India. [email protected]

Abstract traditional data centers and they have handled the Cloud security is one of the most evolving sub vulnerabilities in a centralized manner. where domain of recent research and development in cloud users has privilege to control software network security. attackers explore the installed on their Virtual Machines(VMs). So vulnerabilities in cloud system intially, later it that the cloud user can install vulnerable software compromise the virtual network to deploy on their VMs, it may violate the Service Level large scale Distributed Denial of Agreement(SLA) sometimes and there will be a Service(DDoS). Distributed Denial of Service security breach in Cloud. Attackers always try to attacks usually include multistep exploitation, attack and compromise multiple virtual low frequency vulnerability scanning and machines. Proposed system has network intrusion detection and prevention measures for compromising vulnerable virtual machines as virtual network systems. It constructs a defense zombies. the detection of zombie attacks are in depth intrusion detection framework. The extremely difficult in the Infrastructure as a design of proposed system does not intend to Clouds(IaaS) since cloud user gets access to enhance the existing intrusion detection install the vulnerable applications to their mechanisms, instead it employs the managed virtual machines. proposed reconfigurable virtual networking approach for framework uses a multiphase vulnerability intrusion detection and counter measures to detection and counter measure selection to prevent it, hence the proposed mechanism prevent zombie attacks, where proposed prevents the zombie attack. This framework has system incorporates attack graph analytical less computational overhead over proxy based model and reconfigurable virtual networking intrusion detection mechanisms. techniques. this framework also exhibits the Proposed framework has 2 main phases. It feature of Open Flow network programming employs a light weight network intrusion APIs and open flow protocol manages both the detection agent on cloud server to monitor the control plane and forwarding plane efficiently cloud traffic and scans the vulnerabilities, attacks Index Terms: Network security, cloud to establish Scenario Attack Graph(SAG). Based computing, intrusion detection, attack graph, on how onerous the attack is, the framework zombie detection. decides that virtual network should be under I. INTRODUCTION inspection state or not. If a virtual network goes Cloud security is the most important factor so under inspection, Deep Packet Inspection is that the users can rely on cloud. Cloud Security applied and virtual network reconfiguration Alliance(CSA) is an organization which gives takes place. the security measures for cloud usage. CSA II. EXISTING WORK survey shows that the iniquitous use of cloud Many existing counter attacks are there computing is the top most security threat among for zombie detection and prevention. all the security issues. System administrators had A. Securing Cloud Computing Environment complete control over host machines in Against DDoS Attacks

ISSN(PRINT): 2454-406X,(ONLINE): 2454-4078,VOLUME-2,ISSUE-4,2016 6 INTERNATIONAL JOURNAL OF ADVANCES IN CLOUD COMPUTING AND COMPUTER SCIENCE (IJACCCS)

In this paper[1], they used Cloud trace back model[1] to verify the request coming from legitimate user, which is based on Deterministic Packet Marking algorithm(DPM). It marks the ID field and reserved flag within IP header and incoming packet will be marked, it also traverse the packet through out the network.CTB is placed at the edge routers, if no security services are there, the system becomes vulnerable to attacks.CTB does not directly eliminate DDoS attack instead it uses cloud protector which has virtual firewall. Where virtual firewall maintains white list and black list of source IP addresses. White list is used to tack the authenticated source IP addresses and this will be allowed to pass the firewall towards destined services and black list holds the unauthenticated source IP addresses Fig 1: SPOT and does not allowed to pass the firewall. C. MulVAL: A Logic-Based Network Security Analyzer,” Proc. 14th USENIX Security B. Detecting spam zombies by monitoring Symp., pp. 113-128, 2005: outgoing messages(IEEE Trans 2012) MULVAL[3] is constructed by accumulating Duan introduces SPOT[2] approach to detect the true facts of the monitored network system. compromised machines in a network that are Where Datalog is the modeling language of involved in spamming activities, by monitoring MULVAL. The reasoning engine consists of a outgoing messages. SPOT is based on the collection of Datalog rules that captures the powerful statistical tool called sequential operating system behavior and the interaction of probability ratio test(SPRT). SPRT is a random various components in the network. The walk between false +ve and false –ve error rates, reasoning engine in MulVAL goes well with the where these error rates are user defined. When size of the network. Once the whole information walk reaches either of the boundaries for the first is collected, the analysis can be performed with time, the walk will be terminated and thousands of machines in a few seconds. But this corresponding hypothesis will be taken into process will terminate efficiently, because the consideration. SPRT requires large number of facts are polynomial in nature, so proposed observations before it reaches smaller error rates. system approach modifies this and uses extended Evaluation studies shows that the SPOT is an mulval. effective system in automatically detecting D. Automated generation and analysis of Attack compromised machines in a network. SPOT has Graphs: 2 different algorithms to detect the zombie Attack graph[4] is able to represent a series of attack. one is Count Threshold(CT) detection exploits called atomic attacks. There are many algorithm which is based on the number of spam automation tools to construct an attack graph. messages and another one is Percentage And these attack graph can generate all possible Threshold(PT) detection algorithm which is attack paths but scalability is a big issue. To based on the number of spam messages sent from evaluate this we have Dynamic security risk the internal machine. management using Bayesian Attack Graphs(BAG):conventional network security planning and management starts with risk analysis, which decides threats to critical resources and the corresponding loss. But majority of the conventional models failed to achieve this by using attack graphs and attack trees. BAG selects the notion of Bayesian belief networks which gives the different security Conditions during the system compromise. This model includes the cause and consequence

ISSN(PRINT): 2454-406X,(ONLINE): 2454-4078,VOLUME-2,ISSUE-4,2016 7 INTERNATIONAL JOURNAL OF ADVANCES IN CLOUD COMPUTING AND COMPUTER SCIENCE (IJACCCS)

relationships between the different network represents exploit, ND is a disjunction node states. It also gives the possible ways to exploit which represents result of exploit, NR is a root such relationships. The estimation mechanism node which represents initial step of attack. has been proposed to evaluate the security risks E=Epre U Epost denotes the set of directed edges. from various vulnerability factors based on the These edges exist when Nc satisfied to achieve N metrics defined in the Common Vulnerability D and ND can be obtained if Nc is satisfied. Scoring System(CVSS). This model has genetic Definition2: Alert correlation graph(ACG) is to algorithm. The algorithm comprises the correlate the alerts.ACG is a 3 tuple structure. i.e mitigation plans for both single and multi ACG=(A,E,P), where A is a set of aggregated objective analysis. At last this model provide a alerts i.e a ϵ A is a data structure (src,dst,cls,ts). platform for both static and dynamic risk analysis Contains source IP address, destination ip in network. Above all these scalability is the address, type of the alert and time stamp of the issue here. alert. E is a set of directed edges which represents Disadvantages of Existing System: correlation 1 between two alerts (a,a ). P is a set But all these approaches concentrates on static of paths i.e Si C P which represents set of related attack scenarios and predefined solution for each alerts in chronological order. There is a attack. And these are inefficient to handle new algorithm for alert correlation to keep track of vulnerabilities. No detection and new alerts, correlated alerts and paths. prevention framework in a virtual networking Algorithm 1. Alert_Correlation Require: alert ac, environment. SAG,ACG No accuracy mechanism in the attack detection. 1: If(ac is a new alert) then 2: Create node ac in ACG III. PROPOSED WORK 3: n1<-Vc ϵ map(ac) The proposed framework uses defence in depth 4: for all n2 ϵ parent(n1) do intrusion detection, which incorporates attack 5: create edge(n2.alert,a1) graph analytical procedures. This framework is 6: for all Si containing a do not improving any of the existing algorithms; 7: if a is the last item in Si then instead it employs a reconfigurable virtual 8: append ac to Si networking approach to prevent attempts to 9: else compromise virtual machines. Proposed system 10: create path Si+1={subset(Si,a),ac} utilizes a new network control approach called 11: end if Software Defined Networking(SDN). In SDN, networking functions can be programmed 12: end for through software switch and open flow 13: add ac to n1.alert protocol[6]. Proposed system built on attack 14: end for graph-based analytical models and 15: end if reconfigurable virtual network using Alert 16: return S correlation, SAG and DPI. It does not involve Mitigation strategies for zombie attack host based IDS. And it assumes that hypervisor Counter measure strategies: Attack analyzer is free of any vulnerabilities. initiates the counter measure selections for Proposed framework has 2 models. zombie attacks in cost effective manner. Threat model: This model assumes that attacker Proposed framework is able to construct the can be located either outside or inside of the mitigation strategies in response to detected virtual networking system. Attacker’s major alerts. This strategy has countermeasure pool, concern is about exploiting vulnerable virtual which is defined as follows. machines and compromise them as zombies. Countermeasure pool: A counter measure pool Attack graph model: This is a modelling tool to CM={Cm1,Cm2,.....Cmn} is a set of find all possible multistage, multiport attack countermeasures. Each cm £ CM is a tuple cm = paths and it is helpful to decide appropriate (cost, intrusiveness, condition, effectiveness), counter measures. This model extend the notation of MULVAL and construct it as where Cost is the unit that describes the expenses Scenario Attack Graph(SAG). require to apply the counter measure, its value Definition1: SAG is a 2 tuple structure i.e ranges from 1 to 5, and higher metric means SAG=(V,E) where V=NC U ND U N R these 3 are higher cost. set of vertices. NC is a conjunction node which

ISSN(PRINT): 2454-406X,(ONLINE): 2454-4078,VOLUME-2,ISSUE-4,2016 8 INTERNATIONAL JOURNAL OF ADVANCES IN CLOUD COMPUTING AND COMPUTER SCIENCE (IJACCCS)

Intrusiveness is the negative effect that a counter running, open ports and so on. Care must be measure brings to the SLA and its value ranges taken for ports since port-scanning program can from 1(least intrusive) to 5(most intrusive). be used by attacker to check open ports. Value of intrusiveness will be 0 if the Attack analyzer performs the major functions countermeasure has no impacts on SLA. which includes constructing the attack graph, Condition is the requirement for the alert correlation and counter measures for corresponding countermeasure. particular attack. Effectiveness is the percentage of probability The detection and mitigation of zombie attack changes of the node, for the particular can be achieved from the following scenario. countermeasure is applied. Network intrusion detection: Intrusion There are many counter measures that can be detection is a software agent implemented on applied to the cloud environment. But our aim is each cloud server. It captures and filter malicious to select optimal countermeasure. The optimal traffic. countermeasure selection is a multi-objective Control centre : Intrusion detection alerts are optimization problem, where it needs to find the sent to control centre. it deploys the counter MIN(impact, cost) and MAX(benefit). 1 to 5,and measures for attack according to decision made higher metric means higher cost. by the attack analyzer. Intrusiveness is the negative effect that a counter Attack graph: Attack graph is established measure brings to the SLA and its value ranges according to the vulnerability information. from 1(least intrusive) to 5(most intrusive). Attack analyzer: Attack analyzer evaluates how Value of intrusiveness will be 0 if the dangerous the alert is, based on attack graph, It countermeasure has no impacts on SLA. decides about the counter measure strategies, Condition is the requirement for the then invokes the strategies through the network corresponding countermeasure. controller. Effectiveness is the percentage of probability changes of the node, for the particular Dynamic nature of attack graph: countermeasure is applied. Attack graph will be reconstructed dynamically based on new There are many countermeasures that can be vulnerabilities. applied to the cloud environment. But our aim is to select optimal countermeasure. The optimal V. SYSTEM CONFIGURATION countermeasure selection is a multi-objective Hardware requirements: optimization problem, where it finds the Processor : Pentium –IV MIN(impact, cost) and MAX(benefit) using Speed : 2.4 GHz Return of Investement(ROI) mechanism. RAM : 500 MB(min) Hard Disk : 20 IV. SYSTEM ARCHITECTURE GB(min) This section describes the system design Software overview and detailed description of its requirements: components. The proposed framework is Operating system : Windows illustrated in the figure. Tool : Eclipse Platform: Java/Swings Database : Oracle VI. CONCLUSION NICE framework is proposed to detect and mitigate the attacks in the virtual networking environment. The framework uses the attack graph model for attack detection and this framework uses the programmability of software switches to improve detection accuracy and Fig 2: NICE defeat the attacks. hence proposed framework Network controller is responsible for demonstrates the feasibility of NICE compared deploying counter measures for attacks based to other existing system and the framework has on the decision made by the attack analyzer. following contributions. Dynamic nature of VM profiling in the cloud is there to get detailed attack graph is the most important feature in information about the network state, services detecting new type of attacks. It captures and

ISSN(PRINT): 2454-406X,(ONLINE): 2454-4078,VOLUME-2,ISSUE-4,2016 9 INTERNATIONAL JOURNAL OF ADVANCES IN CLOUD COMPUTING AND COMPUTER SCIENCE (IJACCCS) inspects the malicious cloud traffic without Zombies by Monitoring Outgoing Messages,” interrupting the ongoing user’s cloud services. It IEEE Trans. Dependable and Secure also optimizes the implementation on cloud Computing, vol. 9,no. 2, pp. 198-210, Apr. environment from minimized resource 2012. consumption. [4] X. Ou, S. Govindavajhala, and A.W. Appel, REFERENCES “MulVAL: A Logic- Based Network Security [1] Coud Sercurity Alliance, “Top Threats to Analyzer, ” Proc. 14th Cloud Computing v1.0,” USENIX Security Symp., pp. 113-128, 2005 https://cloudsecurityalliance.org/topthreats/cs [5] Dynamic Security Risk Management Using athreats. v1.0.pdf, Mar. 2010. Bayesian Attack Graphs IEEE transactions on [2] B. Joshi, A. Vijayan, and B. Joshi, “Securing dependable and secure computing, vol. 9, no. Cloud Computing Environment Against 1, january/february 2012 DDoS Attacks,” Proc. IEEE Int’l [6] Open Networking Fundation, “Software- Conf.Computer Comm. and Informatics Defined Networking: The New Norm for (ICCCI ’12), Jan. 2012. Networks, ” ONF White Paper, Apr. 2012. [3] Z. Duan, P. Chen, F. Sanchez, Y. Dong, M. Stephenson, and J.Barker, “Detecting Spam

ISSN(PRINT): 2454-406X,(ONLINE): 2454-4078,VOLUME-2,ISSUE-4,2016 10