NICE : Network Intrusion detection and Counter measure selection in virtual network systems

NICE : Network Intrusion detection and Counter measure selection in virtual network systems 51 Votes
   


NICE (Network Intrusion detection and Counter measure) is a new multiphase distributed network intrusion detection and prevention framework in a virtual networking environment that captures and inspects suspicious cloud traffic without interrupting users applications and cloud services. Cloud security is one of most important issues that has attracted a lot of research and development effort in past few years. In traditional data centres, where system administrators have full control over the host machines, vulnerabilities can be detected and patched by the system administrator in a centralized manner. However, patching known security holes in cloud data centres, where cloud users usually have the privilege to control software installed on their managed VM's, may not work effectively and can violate the service level agreement (SLA).

The attackers can explore vulnerabilities of a cloud system and compromise virtual machines to deploy further large-scale Distributed Denial-of-Service (DDoS). DDoS attacks usually involve early stage actions such as multi step exploitation, low-frequency vulnerability scanning, and compromising identified vulnerable virtual machines as zombies, and finally DDoS attacks through the compromised zombies. Within the cloud system, especially the Infrastructure-as-a-Service (IaaS) clouds, the detection of zombie exploration attacks is extremely difficult. This is because cloud users may install vulnerable applications on their virtual machines.

To prevent vulnerable virtual machines from being compromised in the cloud, a multiphase distributed vulnerability detection, measurement, and countermeasure selection mechanism called NICE is proposed, which is built on attack graph based analytical models and reconfigurable virtual network-based countermeasures. Whenever a new vulnerability is discovered or there are changes in the network connectivity and services running through them, the updated information is provided to attack graph generator and old attack graph is updated to a new one. The proposed framework leverage's OpenFlow network programming APIs to build a monitor and control plane over distributed programmable virtual switches to significantly improve attack detection and mitigate attack consequences. The system and security evaluations demonstrate the efficiency and effectiveness of the proposed solution.

In traditional data centers, the system administrators have full control over the host machines and hence the vulnerabilities can be detected and patched by the system administrator in a centralized manner. But patching known security holes in cloud data centers, where cloud users usually have the privilege to control software installed on their managed VMs, may not work effectively and can violate the service level agreement (SLA). Installing vulnerable software on the VMs can contribute to loopholes in cloud security.In a cloud system, where the infrastructure is shared by potentially millions of users, abuse and nefarious use of the shared infrastructure benefits attackers to exploit vulnerabilities of the cloud and use its resource to deploy attacks in more efficient ways because the number of facts is polynomial in system.

The proposed solution utilizes a new network control approach called SDN, where networking functions can be programmed through software switch and OpenFlow protocol. Flow based switches, such as OVS and OpenFlow Switch(OFS), support fine-grained and flow-level control for packet switching. With the help of the central controller, all OpenFlow based switches can be monitored and configured.The flow-based switching (OVS) and network controller help to apply the selected network countermeasures in the proposed solution.

NICE is a new multiphase distributed network intrusion detection and prevention framework in a virtual networking environment that captures and inspects suspicious cloud traffic without interrupting users applications and cloud services. It employs a reconfigurable virtual networking approach to detect and counter the attempts to compromise VMs, thus preventing zombie VMs. It incorporates a software switching solution to quarantine and inspect suspicious VMs for further investigation and protection. Through programmable network approaches, NICE can improve the attack detection probability and improve the resiliency to VM exploitation attack without interrupting existing normal cloud services. Attack graph approach is used for attack detection and prevention by correlating attack behaviour and effective countermeasures are suggested. It optimizes the implementation on cloud servers to minimize resource consumption and consumes less computational overhead compared to proxy-based network intrusion detection solutions. 

Following are the two main phases of NICE. Deploy a lightweight mirroring-based network intrusion detection agent (NICE-A) on each cloud server to capture and analyze cloud traffic. A NICE-A periodically scans the virtual system vulnerabilities within a cloud server and establish Scenario Attack Graph (SAGs). A VM is put in network inspection state based on the severity of identified vulnerability toward the collaborative attack goals. Once a VM enters inspection state, Deep Packet Inspection (DPI) is applied, and/or virtual network reconfigurations can be deployed to the inspecting VM to make the potential attack behaviours prominent.