CIDS: A framework for Intrusion Detection in Cloud Systems
Hisham A. Kholidy
Dipartimento di Informatica
Università di Pisa, Pisa, Italy
hkholidy@di.unipi.it, hisham_dev@yahoo.com
Fabrizio Baiardi
Dipartimento di Informatica
Università di Pisa, Pisa, Italy
baiardi@di.unipi.it
Abstract
By impersonating legitimate users, intruders can use the
abundant resources of cloud computing environments.
This paper develops a framework for CIDS, a cloud-based
intrusion detection system, to address the deficiencies
of current IDSs. CIDS also provides a component to
summarize the alerts and inform the cloud administrator.
The CIDS architecture is scalable and elastic, with no central
coordinator. This paper describes the components,
architecture, detection models, and advantages of CIDS.
Key Words: cloud computing, security, intrusion
detection, attacks, masquerade.
1. Introduction
Cloud computing has a broad appeal because it
enables IT managers to provision services to users faster
and in a cost-effective way. However, it does raise some
concerns, chief among them securing data in the
cloud: because of their operational models, the enabling
technologies, and their distributed nature, clouds are easy
targets for intruders. While intrusions can be handled by
an Intrusion Detection System (IDS) [1], current IDSs
have many deficiencies which hinder their adoption in a
cloud environment. This paper describes CIDS, a
framework for a Cloud based Intrusion Detection System
to deal with attacks such as: (1) Masquerade attacks, where
threats impersonate legitimate users; (2) Host-based
attacks, which can be a consequence of masquerade attacks
and generally result in an observable user behavior
anomaly; and (3) Network-based attacks. CIDS also
summarizes the large volume of network-based IDS alerts
according to the attack signature and target. Section 2
briefly introduces cloud security and the seven known
top threats to cloud computing systems. Then, it classifies
vulnerabilities of the cloud computing paradigm. The next
section surveys the related work. Section 4 describes the
components, architecture, detection models, and
advantages of our CIDS framework. Section 5 outlines
future work.
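The alert summarization step mentioned above, grouping network-based IDS alerts by attack signature and target before reporting to the administrator, as an added illustration that is not code from the paper; the "ts key=value" alert format and the sample alerts are constructed assumptions, not the format CIDS uses.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample NIDS alerts in a hypothetical "ts key=value ..." format;
# CIDS's actual alert format is not given in this section of the paper.
SAMPLE_ALERTS = """\
2012-01-10T08:00:01 sig=SCAN_PORTSWEEP src=10.0.0.5 dst=10.0.1.20
2012-01-10T08:00:03 sig=SCAN_PORTSWEEP src=10.0.0.5 dst=10.0.1.20
2012-01-10T08:00:09 sig=SCAN_PORTSWEEP src=10.0.0.7 dst=10.0.1.20
2012-01-10T08:01:15 sig=SSH_BRUTE src=10.0.0.9 dst=10.0.1.30
2012-01-10T08:01:16 sig=SSH_BRUTE src=10.0.0.9 dst=10.0.1.30
2012-01-10T08:02:40 sig=SCAN_PORTSWEEP src=10.0.0.5 dst=10.0.1.21
"""

def parse_alert(line):
    """Parse one alert line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        alert = {"ts": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        if not value:
            return None
        alert[key] = value
    return alert if {"sig", "src", "dst"} <= set(alert) else None

def summarize(text):
    """Group alerts by (signature, target) and emit one summary per group."""
    groups = defaultdict(list)
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert:  # skip malformed lines instead of failing the whole batch
            groups[(alert["sig"], alert["dst"])].append(alert)
    summaries = []
    for (sig, dst), alerts in groups.items():
        times = [a["ts"] for a in alerts]
        summaries.append({
            "signature": sig, "target": dst, "count": len(alerts),
            "sources": sorted({a["src"] for a in alerts}),
            "first": min(times).isoformat(), "last": max(times).isoformat(),
        })
    # Most-reported (signature, target) pairs first for the administrator's report
    summaries.sort(key=lambda s: (-s["count"], s["signature"], s["target"]))
    return summaries
```

Each summary collapses a burst of identical alerts against one target into a single line that also lists the distinct sources and the time span, which is the information an administrator needs to triage a sweep without reading every raw alert.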
2. Cloud computing security
Threats to cloud computing systems differ from those
of traditional IT solutions. The CSA (Cloud Security
Alliance) [2] ranks seven threats that apply across cloud
computing SPI models [3]: (1) Abuse and nefarious use of
cloud computing, (2) Insecure interfaces and APIs, (3)
Malicious insiders, (4) Shared technology issues, (5) Data
loss or leakage, (6) Account or service hijacking, (7)
Unknown risk profile. [4] defines seven risks a user
should raise before committing: (1) Sensitive data should
be processed outside the enterprise only with the
assurance that they are accessible to, and propagated only to,
privileged users, (2) One customer's data should be fully
segregated from those of another customer, (3) A
customer needs to verify whether the infrastructure complies
with some regulatory security requirements, (4) The cloud
provider should commit to storing and processing data in
specific jurisdictions and to obeying local privacy requirements
on behalf of customers who do not know where their data is
stored, (5) The cloud provider should offer replication and
disaster recovery mechanisms, (6) Investigative support
needs to be ensured, (7) Data should remain accessible even
when the provider is acquired by another company or if
the user moves to another provider.
3. Related work
IDSs may be classified according to the source of data
into: (1) Host-based IDS (HIDS), where the sensors that
detect an intrusion are focused on a single host; (2)
Network-based IDS (NIDS), where sensors are focused
on a network segment; (3) Distributed IDS (DIDS), which
integrates both types of sensors. DIDS can be categorized
as Mobile Agent IDS (MAIDS), Grid based IDS (GIDS),
and recently Cloud based IDS. Traditional NIDS and
HIDS cannot identify suspicious activities in a cloud
environment. As an example, a NIDS cannot detect an
attack whenever node communication is encrypted. Attacks
can also be invisible to a HIDS, because they may not leave
traces in the operating system of the node where the IDS resides.
Since in clouds distinct users share computing and
communication resources, attacks may originate from
and be directed against several resources within the cloud
infrastructure. Hence, only a distributed strategy may be
appropriate. The adoption of DIDS solutions [5] is still
challenging in cloud computing because the complex
architecture of the infrastructure and the distinct kinds of
users lead to different requirements and possibilities for
being secured. Some of these IDSs are scalable but they
have the problem of a single point of failure as most
2012 Ninth International Conference on Information Technology- New Generations
978-0-7695-4654-4/12 $26.00 © 2012 IEEE
DOI 10.1109/ITNG.2012.94
379