cloudstack-users mailing list archives

From Robert Bruce <precious.king...@gmail.com>
Subject Re: Distributed Intrusion Detection System in Cloud Computing
Date Mon, 25 Nov 2013 10:47:36 GMT
Hi John,

Thank you so much for your valuable suggestions and directions.

I will set up snort/suricata on management station as well as on each guest
VM, where it will monitor the incoming/outgoing network packets for
intrusions.

*Here I am confused about network intrusions vs. system intrusions.* What
should we call these intrusions?

After local correlation on each VM, NIDS on guest VMs will send the alerts
to management station (MS) if they cannot identify an intrusion. Global
level of correlation will take place at MS and so on and so forth, as you
already mentioned.

Moreover, I will be using CloudStack networking with VLANs.

I need further guidance regarding selection of some efficient "correlation
algorithm" which can help in detection of distributed intrusions. Can you
please quote some of the best algorithms that show good performance in terms
of computation and accuracy?

Thanking you in anticipation.

Regards,
Robert



On Fri, Nov 22, 2013 at 6:46 AM, John Kinsella <jlk@stratosec.co> wrote:

> Hey Robert!
>
> On Nov 16, 2013, at 11:53 AM, Robert Bruce <precious.king123@gmail.com>
> wrote:
>
> > Hi, hope all of you will be fine and doing your best for the development
> > of the open source community.
> >
> > I want your suggestions and help regarding my project. I am going to
> > start my master's thesis in the domain of Cloud Computing.
> > I want to develop a Signature Based Distributed Intrusion Detection
> > System (DIDS) to detect distributed intrusions in Cloud environment.
> > Yes, I intend to deploy it in CloudStack.
>
> First thought: signature-based systems are useless. They're great for
> low-hanging fruit, but anybody who takes the time to craft packets/binaries
> will circumvent it. Or worse, they'll craft packets to set it off and kill
> detection performance while they go about their real attack. For the early
> stages of your project they'll work fine, but architect things so you can
> swap that out for anomaly-based detection (or a mixture).
>
> (Insert rant on signature-based AV systems, the amount of money we've paid
> Symantec et al, and the increase - not decrease - in infected systems.)
>
> The main thing to consider - you might want to do some correlation on each
> host, but really you need a separate system to correlate between events
> seen by various hosts.
>
> Also - what are you attempting to detect? Network intrusions? System
> intrusions? Public Internet or activity between hosts? Are you looking to
> work in CloudStack's basic network model, advanced with VLANs, or something
> with SDN? Also consider all the event data being generated by ACS itself.
>
> Plenty of space for you to do research in here, just thinking you might
> want to define things a little more narrowly… also, look around - some of
> the three-letter government agencies are working on big-data analytics, not
> sure if any of the work is public or not yet[1].
>
> John
> 1: This wasn't meant as a Snowden joke
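The global correlation step discussed in this thread (each guest VM's NIDS forwards alerts it cannot resolve locally, the management station correlates across hosts), as an added example that is not from the thread or from CloudStack, Snort or Suricata. It uses one plain rule, a time window counting distinct reporting VMs for the same source and signature, rather than answering the "best algorithm" question; the alert field names, rule IDs, addresses and thresholds are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample alerts, one JSON object per line, as each guest VM's NIDS
# might forward them to the management station. Field names, SIDs (local-rule
# range) and addresses are assumptions for this example, not real rule output.
ALERT_LINES = """\
{"ts": 100, "reporter": "vm-01", "sid": 1000001, "src_ip": "198.51.100.7", "sig": "SSH login attempts"}
{"ts": 105, "reporter": "vm-02", "sid": 1000001, "src_ip": "198.51.100.7", "sig": "SSH login attempts"}
{"ts": 111, "reporter": "vm-03", "sid": 1000001, "src_ip": "198.51.100.7", "sig": "SSH login attempts"}
{"ts": 120, "reporter": "vm-01", "sid": 1000002, "src_ip": "203.0.113.9", "sig": "Port sweep"}
not json at all
{"ts": 900, "reporter": "vm-04", "sid": 1000001, "src_ip": "198.51.100.7", "sig": "SSH login attempts"}
"""

WINDOW = 300        # seconds: how close in time alerts must be to count together
MIN_REPORTERS = 3   # distinct guest VMs that must see the same (source, rule)
REQUIRED = ("ts", "reporter", "sid", "src_ip", "sig")

def parse_alerts(text):
    """Parse JSON lines into dicts; drop malformed lines or lines missing fields."""
    alerts = []
    for line in text.splitlines():
        try:
            obj = json.loads(line)
        except ValueError:
            continue
        if all(k in obj for k in REQUIRED):
            alerts.append(obj)
    return alerts

def correlate(alerts, window=WINDOW, min_reporters=MIN_REPORTERS):
    """Flag a (source, rule) pair seen by enough distinct guest VMs inside one
    sliding time window; one finding per pair, with the reporting VMs listed."""
    by_key = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_key[(a["src_ip"], a["sid"])].append(a)
    findings = []
    for (src_ip, sid), events in by_key.items():
        start = 0
        for end, ev in enumerate(events):
            while ev["ts"] - events[start]["ts"] > window:  # slide window start
                start += 1
            reporters = sorted({e["reporter"] for e in events[start:end + 1]})
            if len(reporters) >= min_reporters:
                findings.append({"src_ip": src_ip, "sid": sid, "sig": ev["sig"],
                                 "first_ts": events[start]["ts"], "last_ts": ev["ts"],
                                 "reporters": reporters})
                break
    return findings

def detect_distributed(text=ALERT_LINES, window=WINDOW, min_reporters=MIN_REPORTERS):
    return correlate(parse_alerts(text), window, min_reporters)
```

On the sample above the SSH alerts from vm-01, vm-02 and vm-03 fall inside one window and are reported once as a distributed event, while the later vm-04 alert and the single port-sweep alert are not.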
