CIDS Architecture

The main idea underlying the proposed architecture is to enable each node to identify local events that could represent
security violations, raise alerts, and exchange its audit data with other nodes.
Each node runs two IDS detectors, CIDS and HIDS, and participates cooperatively in intrusion detection.
Figure 2 shows the sharing of information among the following CIDS components.

Cloud nodes: contain the resources, which are accessed homogeneously through the cloud middleware.
The middleware sets the access-control policies and supports a service-oriented environment.

Guest task: submitted by the cloud user to a VM instance.
It can be a sequence of actions and commands run by the user.

Logs & audit collector: acts as the sensor for both the CIDS and HIDS detectors; it collects logs, audit data, and
the sequence of user actions and commands.

VM: encapsulates the guest system, which is monitored through the VMM. The intrusion detection mechanisms are
implemented outside the VM, i.e. out of reach of an intruder who has compromised the guest (this holds only as long
as the VMM itself stays trusted). A single VMM instance can observe several VMs.

Figure 1

Type II Virtual Machine Monitor (VMM):

CIDS uses a type II VMM, implemented as a process of the host machine's underlying operating system.

VMM properties:

  • Isolation: the software in a VM cannot access or modify the monitor or other VMs.
  • Inspection: the monitor can access the entire VM state.
  • Interposition: the monitor can intercept and modify operations issued by a VM.

The VMM collects the logs, audit data, and sequences of actions and commands gathered by the logs & audit collector
component and stores them in the audit system.


Audit System:

The audit system component implements three main functions.
  • First, it monitors message exchanges among nodes and extracts from them the behavior of the cloud user.
  • Second, it monitors the middleware logging system on the node itself.


CIDS correlator and detector:

It is responsible for correlating user behaviors, e.g. sequences of commands or actions collected from several sources.
It then analyses them with our new heuristic semi-global alignment approach (HSGAA) to determine the distance between a user's typical behavior and the suspect one, and communicates the result to the alert system.
How HSGAA works within CIDS is explained briefly later.
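As an added illustration of the alignment step, and not the paper's own code (the HSGAA heuristic is only described later in the paper and is not reproduced here), the following Python implements plain semi-global alignment of a suspect command sequence against a user's profile, together with the merge of per-node command fragments into one time-ordered sequence. The scoring weights (match +1, mismatch -1, gap -1), the normalised distance and the sample command sequences are assumptions.

```python
"""Semi-global alignment of a suspect command sequence against a user profile.

Added illustration, not the paper's HSGAA implementation: the suspect sequence
must be aligned in full, while the profile may contribute free leading and
trailing gaps, so a short burst of commands is scored against the best-matching
region of a long behaviour history.  Scoring weights and sample data are
assumptions."""

MATCH, MISMATCH, GAP = 1, -1, -1   # assumed scoring scheme

# Constructed profile: a developer's usual session, as the behaviour-based
# database might store it after merging audit data from several nodes.
PROFILE = ["ssh", "cd", "git", "make", "vim", "make", "git", "exit"]


def merge_fragments(*fragments):
    """Correlate command fragments collected on several nodes for one user into
    a single time-ordered sequence.  Each fragment is a list of (timestamp,
    command) tuples; timestamps are assumed to be comparable across nodes."""
    events = [event for fragment in fragments for event in fragment]
    events.sort(key=lambda event: event[0])
    return [command for _, command in events]


def semi_global_score(profile, suspect):
    """Best score for aligning the whole of `suspect` against any contiguous
    region of `profile`.  Profile tokens before and after that region are free;
    gaps inside the region and unmatched suspect tokens cost GAP."""
    n, m = len(profile), len(suspect)
    # dp[i][j]: best score aligning suspect[:j] with a region ending at profile[:i]
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for j in range(1, m + 1):
        dp[0][j] = j * GAP          # suspect tokens with no profile to align to
    # dp[i][0] stays 0: skipping a profile prefix is free
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            substitution = MATCH if profile[i - 1] == suspect[j - 1] else MISMATCH
            dp[i][j] = max(dp[i - 1][j - 1] + substitution,
                           dp[i - 1][j] + GAP,   # extra profile token inside the region
                           dp[i][j - 1] + GAP)   # suspect token without counterpart
    # free trailing profile gap: take the best score over the last column
    return max(dp[i][m] for i in range(n + 1))


def behavior_distance(profile, suspect):
    """Normalised distance in [0, 1]: 0.0 when `suspect` occurs verbatim in
    `profile`, 1.0 when no token can be aligned profitably."""
    if not suspect:
        return 0.0
    best = semi_global_score(profile, suspect)
    return 1.0 - max(best, 0) / len(suspect)


if __name__ == "__main__":
    # Fragments of the same user's session as seen by two nodes (constructed).
    node_a = [(1, "ssh"), (3, "git"), (4, "make")]
    node_b = [(2, "cd")]
    normal = merge_fragments(node_a, node_b)       # ['ssh', 'cd', 'git', 'make']
    suspect = ["wget", "chmod", "nc"]              # nothing like the profile
    for label, seq in (("normal", normal), ("suspect", suspect)):
        print(f"{label:8s} {seq} -> distance {behavior_distance(PROFILE, seq):.2f}")
```

Normalising by the length of the suspect sequence lets one threshold serve bursts of different sizes; where that threshold sits, and how the alert system treats a distance close to it, is a tuning decision the page leaves to the later HSGAA description.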

HIDS correlator and detector:

It correlates the user's logs with signatures collected from several sources, then analyses them to detect
known trails left by attacks or predefined sequences of user actions that might represent an attack.
To apply this technique we use the OSSEC IDS tool, which receives the user's logs and signatures and determines
whether a rule in the knowledge-based database of Figure 1 is being broken.

It then computes the probability that a user action represents an attack and communicates this to the alert
system, which alerts the other nodes if the probability is sufficiently high.
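As an added example, not OSSEC's code or the paper's, the following Python reimplements the two rule mechanics the HIDS component relies on: an atomic rule that matches a substring of a log line, and a composite rule that fires when its parent rule has matched a given number of times within a time window from the same source (the semantics of OSSEC's if_matched_sid, frequency and timeframe rule options). The rule ids and levels are modelled on OSSEC's sshd rules but constructed here, as are the mapping from OSSEC level to an "attack probability", the broadcast threshold and the sshd log lines.

```python
"""OSSEC-style rule evaluation over host log lines (added example, not OSSEC).

Two mechanics are reproduced: an atomic rule that matches a substring of a log
line, and a composite rule that fires when its parent rule has matched
`frequency` times within `timeframe` seconds from the same source.  Rule ids
and levels are modelled on OSSEC's sshd rules but constructed here, as are
the level-to-probability mapping and the log lines."""

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    rule_id: int
    level: int                             # OSSEC severity, 0..15
    description: str
    match: Optional[str] = None            # substring an atomic rule looks for
    if_matched_sid: Optional[int] = None   # parent rule of a composite rule
    frequency: int = 0                     # parent hits needed ...
    timeframe: int = 0                     # ... within this many seconds


RULES = [
    Rule(5716, 5, "sshd: authentication failed", match="Failed password"),
    Rule(5720, 10, "sshd: multiple authentication failures from one source",
         if_matched_sid=5716, frequency=4, timeframe=120),
]

SRC_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def level_to_probability(level):
    """Assumed mapping from an OSSEC level to the 'attack probability' that the
    HIDS component hands to the alert system."""
    return min(max(level, 0), 15) / 15.0


class RuleEngine:
    def __init__(self, rules):
        self.rules = rules
        self.windows = defaultdict(deque)   # (composite id, src) -> hit timestamps

    def evaluate(self, ts, line):
        """Evaluate one log line seen at time `ts` (seconds).  Returns the rules
        it fires as (rule_id, level, probability, src) tuples."""
        found = SRC_RE.search(line)
        src = found.group(1) if found else "-"
        fired = []
        for rule in self.rules:
            if rule.match is None or rule.match not in line:
                continue
            fired.append((rule.rule_id, rule.level, level_to_probability(rule.level), src))
            # Feed every composite rule whose parent just matched.
            for comp in self.rules:
                if comp.if_matched_sid != rule.rule_id:
                    continue
                hits = self.windows[(comp.rule_id, src)]
                hits.append(ts)
                while ts - hits[0] > comp.timeframe:    # drop hits outside the window
                    hits.popleft()
                if len(hits) >= comp.frequency:
                    fired.append((comp.rule_id, comp.level,
                                  level_to_probability(comp.level), src))
                    hits.clear()                        # fresh window after escalating
        return fired


def run(log, threshold=0.6):
    """Process (ts, line) pairs in order.  Returns (all fired rules, the subset
    whose probability reaches `threshold` and would be sent to other nodes)."""
    engine = RuleEngine(RULES)
    fired = []
    for ts, line in log:
        fired.extend(engine.evaluate(ts, line))
    broadcast = [hit for hit in fired if hit[2] >= threshold]
    return fired, broadcast


# Constructed sshd lines: four failures from 203.0.113.7 inside 120 s, one
# unrelated success, and one isolated failure from another address.
SAMPLE_LOG = [
    (0,   "Jan 10 10:00:00 node1 sshd[2201]: Failed password for root from 203.0.113.7 port 51112 ssh2"),
    (20,  "Jan 10 10:00:20 node1 sshd[2203]: Failed password for admin from 203.0.113.7 port 51114 ssh2"),
    (45,  "Jan 10 10:00:45 node1 sshd[2205]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2"),
    (60,  "Jan 10 10:01:00 node1 sshd[2207]: Failed password for root from 203.0.113.7 port 51120 ssh2"),
    (90,  "Jan 10 10:01:30 node1 sshd[2209]: Failed password for root from 203.0.113.7 port 51121 ssh2"),
    (400, "Jan 10 10:06:40 node1 sshd[2215]: Failed password for bob from 198.51.100.4 port 40030 ssh2"),
]

if __name__ == "__main__":
    fired, broadcast = run(SAMPLE_LOG)
    for rule_id, level, prob, src in fired:
        print(f"rule {rule_id} level {level:2d} p={prob:.2f} src={src}")
    print("to other nodes:", broadcast)
```

Only the composite rule crosses the broadcast threshold here: a single failed login stays local, while the fourth failure from the same address within the window is what the alert system forwards to the other nodes. Keying the window on the source address is what keeps two unrelated users' typos from being summed into one brute-force alert.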

Behavior-based database:

It is a profile-history database of the behavior of cloud users, e.g. the sequences of commands typed or actions taken.
All nodes must either share the same behavior database or exchange these behaviors, so that every node's database
is kept up to date for the same user.
This allows a specific user's normal behavior to be correlated across nodes, so that a suspect behavior distributed
over several nodes can be detected.

Knowledge-based database:

It is a database of rules and signatures for known attacks. A malicious behavior is described by a rule, and observed behavior is detected as malicious by comparing it against the rules in the database. Like the behavior-based database, the knowledge base should be shared by, or exchanged among, all nodes through the homogeneous environment and synchronization services provided by the middleware.

Alert System:

The alert system uses the middleware's communication mechanisms to alert other nodes when the CIDS or HIDS correlator and detector components signal an attack. It also forwards its alerts to the report producer component on the scheduler machine.

Parser and summarizer:

This component parses and summarizes the large number of alerts fired by the NIDS running in a physical or virtual switch inside the cloud virtual network. The algorithm used to summarize these alerts is explained briefly later.
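As an added example of the parsing and summarizing step, and not the paper's own algorithm (which is described later in the paper and not reproduced here), the following Python parses NIDS alerts written in Snort's "fast" alert format, an assumption since the page does not name the NIDS, and collapses them into one record per signature and source address with a count, the distinct targets and ports, and the time span. Lines that fail to parse are counted rather than silently dropped. All alert lines are constructed.

```python
"""Parse and summarise NIDS alerts (added example; the paper's own summarisation
algorithm is not reproduced here).

Input lines are assumed to be in Snort's 'fast' alert format.  Alerts are
collapsed into one record per (signature id, source address), which turns a
burst of per-packet alerts, e.g. a port scan, into a single line with a count,
the distinct targets and the time span.  All sample lines are constructed."""

import re

FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<classification>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Return the fields of one fast-format alert as a dict, or None when the
    line does not parse (the summariser counts those instead of dropping them)."""
    match = FAST_RE.match(line.strip())
    if not match:
        return None
    alert = match.groupdict()
    alert["sid"] = int(alert["sid"])
    alert["prio"] = int(alert["prio"])
    alert["dport"] = int(alert["dport"]) if alert["dport"] else None
    return alert


def summarize(lines):
    """Collapse raw alerts into per-(sid, src) records.  Returns (records, unparsed);
    records are sorted by count (descending) then priority (ascending, 1 = most severe)."""
    groups = {}
    unparsed = 0
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            unparsed += 1
            continue
        key = (alert["sid"], alert["src"])
        group = groups.setdefault(key, {
            "gid": alert["gid"], "sid": alert["sid"], "msg": alert["msg"],
            "src": alert["src"], "prio": alert["prio"], "count": 0,
            "first": alert["ts"], "last": alert["ts"], "dsts": set(), "dports": set(),
        })
        group["count"] += 1
        group["last"] = alert["ts"]            # input is assumed chronological
        group["dsts"].add(alert["dst"])
        if alert["dport"] is not None:
            group["dports"].add(alert["dport"])
    records = sorted(groups.values(), key=lambda g: (-g["count"], g["prio"]))
    return records, unparsed


def format_summary(records, unparsed):
    """Render the summary as one line per record for the report producer."""
    out = [f"[{g['gid']}:{g['sid']}] {g['msg']}: {g['count']} alert(s) from {g['src']} to "
           f"{len(g['dsts'])} host(s) on {len(g['dports'])} port(s), {g['first']} .. {g['last']}"
           for g in records]
    if unparsed:
        out.append(f"{unparsed} line(s) could not be parsed")
    return out


# Constructed alerts: a four-port probe from one source, two hits of a web
# signature from another source against two hosts, and one malformed line.
SAMPLE_ALERTS = [
    "08/10-12:00:01.000100  [**] [1:1000001:1] CONSTRUCTED SCAN probe to closed port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40001 -> 10.0.0.9:22",
    "08/10-12:00:01.000300  [**] [1:1000001:1] CONSTRUCTED SCAN probe to closed port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40002 -> 10.0.0.9:80",
    "08/10-12:00:01.000500  [**] [1:1000001:1] CONSTRUCTED SCAN probe to closed port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40003 -> 10.0.0.9:443",
    "08/10-12:00:01.000700  [**] [1:1000001:1] CONSTRUCTED SCAN probe to closed port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40004 -> 10.0.0.9:3306",
    "08/10-12:00:07.000500  [**] [1:1000002:1] CONSTRUCTED WEB shell upload attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.7:51234 -> 10.0.0.9:80",
    "08/10-12:00:09.000900  [**] [1:1000002:1] CONSTRUCTED WEB shell upload attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.7:51235 -> 10.0.0.10:80",
    "this line is not a fast-format alert",
]

if __name__ == "__main__":
    for line in format_summary(*summarize(SAMPLE_ALERTS)):
        print(line)
```

Seven input lines become three output lines: the probe appears once with its four ports, the web signature once with its two targets, and the malformed line is reported as unparsed so that a sensor emitting an unexpected format is noticed rather than silently losing alerts.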

Report producer:

It collects alert messages from every IDS in the cloud and sends a report about attacks to the cloud scheduler, which takes action according to the cloud administrator's decisions. It also helps service providers find out whether their infrastructure is being used to attack other victims.