Part I Scientific achievements
3.5 Detecting DDoS Attacks in Cloud Computing Environment
3.5.3 The Proposed Solution
Our solution is presented in Figure 35. For illustration purposes, a private cloud with a front-end and three nodes was set up. The detection stage is executed within the nodes, more precisely inside the virtual machines (VMs) where the Intrusion Detection Systems (IDSs) are installed and configured, while the attack assessment phase is handled inside the front-end server, in the Cloud Fusion Unit (CFU) [R 126].
The first step of our solution was the deployment stage of a private cloud using Eucalyptus open-source version 2.0.3. The topology of the implemented private cloud was: a front-end (with Cloud Controller, Walrus, Cluster Controller, Storage Controller) and a back-end (i.e. three nodes) [R 124]. The Managed networking mode was chosen because of the advanced features that it provides and Xen hypervisor was used for virtualization [R 126].
Then, the VM-based IDSs were created by installing and configuring Snort in each VM. This IDS placement was chosen to avoid overloading problems and to reduce the impact of possible attacks [R 136] [R 179] [R 126]. The six steps involved in creating the VM-based IDSs (Figure 36) are detailed in [R 128].
These IDSs yield alerts, which are stored in the Mysql database placed within the Cloud Fusion Unit (CFU) of the front-end server. A single database was used to reduce the risk of losing data, to maximize resource usage inside the VMs and to simplify the work of the cloud administrator, who will have all the alerts in the same place.
There are similar solutions that use the idea of obtaining and controlling the alerts received from the IDS Sensor VMs through an IDS Management Unit [R 179] [R 42], but our solution adds the capacity to analyse the results using the Dempster-Shafer theory of evidence in 3-valued logic.
As shown in Figure 37, the Cloud Fusion Unit (CFU) comprises three components: the Mysql database, the bpa's calculation and the attacks assessment [R 126].
Figure 35 IDS Cloud Topology [R 126]
Figure 36 VM-based IDS Deployment [R 128]:
Step 1: Register Debian pre-packaged VMs into the private cloud
Step 2: Deploy instances
Step 3: Create the Eucalyptus storage volume and attach it to the instance
Step 4: Install and configure Snort in the VMs
Step 5: Detach the Eucalyptus volume
Step 6: Deploy a snapshot of the volume
Figure 37 Relationships of the centralization components in CFU [R 128]
Figure 37 is an extended scheme of the CFU component from Figure 36. BASE (Basic Analysis and Security Engine) was introduced between Mysql (the storing server) and the Bpa's component. BASE is the successor of ACID (Analysis Control for Intrusion Detection) [] and was chosen because it is a web-based analysis tool for monitoring the alerts received from the VM-based IDS sensors [R 172]. Additionally, its reporting strategy facilitates the procedure of obtaining the basic probabilities assignment (Bpa's) [R 128].
The DDoS attacks against the VM-based IDSs were simulated using the Stacheldraht DDoS tool, which is based on the 'Client', 'Handler(s)/Master(s)', 'Agent(s)/Daemon(s)', 'Victim(s)' architecture. This three-layer architecture relies on the collaboration of three distributed servers (i.e. client - telnetc, master - mserv, daemon - td). Stacheldraht combines the characteristics of both Trinoo and TFN (Tribe Flood Network) DDoS attack tools and provides two additional features: encrypted client-to-handler communication and agents that are automatically updated remotely [R 45] [R 33] [R 128].
The types of DDoS attacks involved in this experiment are bandwidth depletion attacks (i.e. ICMP (Internet Control Message Protocol) flood attacks and UDP (User Datagram Protocol) flood attacks) and resource depletion attacks (i.e. TCP SYN (Transfer Control Protocol Synchronize) attacks) [R 128].
3.5.3.1 Mysql database
The Mysql database was introduced for storing the alerts received from the VM-based IDSs. These alerts are converted into Basic Probabilities Assignments (bpa's). In [R 128], a quantitative analysis of TCP SYN flooding attacks, UDP flooding attacks and ICMP flooding attacks was carried out, in order to reduce the large false alarm rates produced by the Intrusion Detection Systems. Our Snort database is described in [R 128], together with the created join database tables (Fig. 4 from [R 128]).
Therefore, the mass assignments for all three states of each sensor are first defined [R 128]:

$m_x(T)$: the DDoS attack occurs
$m_x(F)$: the DDoS attack does not occur (3.18)
$m_x(T, F)$: the "unknown" classification of the DDoS attack

where $x \in \{\text{TCP}, \text{UDP}, \text{ICMP}\}$ denotes the flood attack type in the private cloud.
Figure 38 presents the mass assignments calculated for two VM-based IDS, which were realized by implementing the pseudocode proposed in Figure 36.
Figure 38 Mass Assignments in DST [R 128].
First, the detection rate ($m_x(T)$) for each flooding attack against each VM-based IDS [R 128] was computed as defined in [R 217]:

$$\text{Detection Rate (DR)} = \frac{\text{Number of true attacks reported}}{\text{Number of total observable attacks}} \qquad (3.19)$$

Then, the probability of the (True, False) element [R 128] was computed based on [R 217]. $m_x(F)$ is calculated with the help of DST, using the constraint that the sum of all masses equals 1:

$$m_x(F) = 1 - m_x(T) - m_x(T, F) \qquad (3.20)$$

The results from Figure 4 reveal a high detection rate ($m_x(T) > 0.65$) and $m_x(F) \in [0.07, 0.25]$, obtained from the VM-based IDSs, which were configured with proper rules and thresholds against the DDoS attackers.
3.5.3.2 Basic probabilities assignment (bpa’s) calculation
For calculating the basic probabilities assignment, we first decide on the state space $\Omega$. We have chosen to use DST operations in the 3-valued logic {True, False, (True, False)} suggested by [R 214] for the following flooding attacks: TCP flood, UDP flood and ICMP flood, for each VM-based IDS. Thus, the analyzed packets were TCP, UDP and ICMP. Further, a pseudocode (Figure 39) for converting the alerts received from the VM-based IDSs into bpa's was provided, to obtain the following probabilities of the alerts received from each VM-based IDS:
• ($m_{UDP}(T)$, $m_{UDP}(F)$, $m_{UDP}(T,F)$)
• ($m_{TCP}(T)$, $m_{TCP}(F)$, $m_{TCP}(T,F)$)
• ($m_{ICMP}(T)$, $m_{ICMP}(F)$, $m_{ICMP}(T,F)$)
For each node
Begin
    For each X ∈ {UDP, TCP, ICMP}:
    Begin
        1: Query the alerts from the database when an X attack occurs for the specified hostname
        2: Query the total number of possible X alerts for each hostname
        3: Query the alerts from the database when the X attack is unknown
        4: Calculate the Belief (True) for X by dividing the result obtained at step 1 by the result obtained at step 2
        5: Calculate the Belief (True, False) for X by dividing the result obtained at step 3 by the result obtained at step 2
        6: Calculate the Belief (False) for X: 1 - Belief (True) - Belief (True, False)
    End
End
Figure 39 Pseudocode for converting the alerts into bpa's [R 128]
Figure 40 Bpa's calculation [R 126]
Furthermore, after obtaining the probabilities for each attack packet type (i.e. UDP, TCP, ICMP) for each VM-based IDS, the probabilities for each VM-based IDS should be calculated following the fault tree shown in Figure 40, which presents only the calculation of the probabilities (i.e. $m_{S1}(T)$, $m_{S1}(F)$, $m_{S1}(T,F)$) for the first VM-based IDS [R 128]. The calculation is based on the results obtained in Figure 38 and is given in [R 128].
Thus, using DST with fault-tree analysis we can calculate the belief (Bel) and plausibility (Pl) values for each VM-based IDS:

$$\mathrm{Bel}(S_1) = m_{S1}(T) \qquad (3.21)$$

$$\mathrm{Pl}(S_1) = m_{S1}(T) + m_{S1}(T, F) \qquad (3.22)$$
3.5.3.3 Attacks assessment
The attacks assessment consists of the data fusion of the evidence obtained from the sensors using Dempster's combination rule, with the purpose of maximizing the DDoS true positive rate and minimizing the false positive alarm rate. $m_{S1,S2}(T)$ can be calculated using Table 16 and equation (3.16).
             | mS1(T)               | mS1(F)               | mS1(T, F)
mS2(T)       | mS1(T) * mS2(T)      | mS1(F) * mS2(T)      | mS1(T, F) * mS2(T)
mS2(F)       | mS1(T) * mS2(F)      | mS1(F) * mS2(F)      | mS1(T, F) * mS2(F)
mS2(T, F)    | mS1(T) * mS2(T, F)   | mS1(F) * mS2(T, F)   | mS1(T, F) * mS2(T, F)
Table 16 mS1,S2 calculation [R 126]
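The bpa conversion of Figure 39, equations (3.20) to (3.22) and the Dempster combination of Table 16, worked through as an added example (not code from the thesis or from [R 128]). Alert counts and sensor-level bpa's are constructed sample values; the fault-tree step of Figure 40 is not reproduced, since its formula is not given here, so the per-sensor bpa's are supplied directly.

```python
# Added example (not from the thesis or [R 128]): Dempster-Shafer handling of
# VM-based IDS alerts in the 3-valued frame {T, F, (T,F)}, following the
# pseudocode of Figure 39, equations (3.20)-(3.22) and Table 16.
# All alert counts and sensor bpa's are constructed sample values.
from itertools import product

FRAME = ("T", "F", "TF")  # T: DDoS attack occurs, F: no attack, TF: unknown

def alerts_to_bpa(attack_alerts, unknown_alerts, total_alerts):
    """Figure 39, steps 4-6, for one packet type X on one VM-based IDS:
    attack_alerts = step 1, total_alerts = step 2, unknown_alerts = step 3."""
    if total_alerts <= 0 or attack_alerts + unknown_alerts > total_alerts:
        raise ValueError("inconsistent alert counts")
    m_t = attack_alerts / total_alerts        # detection rate, eq. (3.19)
    m_tf = unknown_alerts / total_alerts      # mass on the unknown state
    return {"T": m_t, "F": 1.0 - m_t - m_tf, "TF": m_tf}  # eq. (3.20)

def combine(m1, m2):
    """Dempster's rule over the nine products of Table 16. T and F are
    disjoint, so those cells are conflict K; (T,F) is the whole frame, so a
    product with it keeps the other operand's state. Returns the normalised
    fused bpa and K (K == 1 would mean the two sensors totally disagree)."""
    fused = {s: 0.0 for s in FRAME}
    conflict = 0.0
    for a, b in product(FRAME, repeat=2):
        w = m1[a] * m2[b]
        if a == b:
            fused[a] += w
        elif "TF" in (a, b):
            fused[b if a == "TF" else a] += w
        else:
            conflict += w
    if conflict >= 1.0:
        raise ValueError("total conflict between sensors; cannot normalise")
    return {s: v / (1.0 - conflict) for s, v in fused.items()}, conflict

def bel_pl(m):
    """Belief and plausibility of an attack, equations (3.21) and (3.22)."""
    return m["T"], m["T"] + m["TF"]

if __name__ == "__main__":
    m_udp = alerts_to_bpa(70, 10, 100)  # constructed UDP counts for one IDS
    # Constructed sensor-level bpa's standing in for Figure 40's fault-tree output.
    m_s1 = {"T": 0.7, "F": 0.2, "TF": 0.1}
    m_s2 = {"T": 0.8, "F": 0.1, "TF": 0.1}
    m_s12, k = combine(m_s1, m_s2)
    print(m_udp, m_s12, round(k, 2), bel_pl(m_s12))
```

The conflict K returned beside the fused bpa is worth logging: a sharp rise in K between two sensors watching the same host is itself a signal that one of them is mis-tuned or under attack.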
As a conclusion of our work, we affirm that by using DST our proposed solution has the following advantages: it accommodates the uncertain state, reduces the false negative rate, increases the detection rate, resolves the conflicts generated by combining the information provided by multiple sensors and alleviates the work of cloud administrators.
4 RESOURCE ALLOCATION