Cloud Computing Based Forensic Analysis for Collaborative Network Security Management Systems

Description
Network Security Paper
Categories
Published
of 25
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Related Documents
Share
Transcript
Zhen Chen, Fuye Han, Junwei Cao, and Shuo Chen
Research Institute of Information Technology; Department of Computer Science & Technologies; Department of Automation; Tsinghua National Laboratory for Information Science and Technology (TNList); Tsinghua University, Beijing 100084, P. R. China

Abstract - Internet security problems remain a big challenge, as many security events still occur, such as Internet worms, spam and phishing attacks. A botnet, a well-organized distributed network attack, consists of a large number of bots, which generate huge volumes of spam or launch Distributed Denial-of-Service (DDoS) attacks against victim hosts. This newly emerging botnet attack makes the Internet security situation even worse. To address these problems, a practical Collaborative Network Security Management System is proposed, built on widely deployed collaborative UTMs (Unified Threat Management) and traffic probers. This distributed security overlay network with a centralized Security Center leverages a peer-to-peer communication protocol in the UTM's collaborative module to virtually interconnect the UTMs so that they can exchange network events and security rules. The security functions of the UTM are also retrofitted to share security rules. In this paper, we propose a design and implementation of a cloud based Security Center for network security forensic analysis. We propose to keep the collected traffic data in cloud storage and to process it on a cloud computing platform to find malicious attacks. A workable case, phishing attack forensic analysis, is presented, and the required computing and storage resources are evaluated based on real trace data. The cloud based Security Center can instruct each collaborative UTM and prober to collect events and raw traffic and send them back for deep analysis, and can generate new security rules.
These new security rules are enforced by the collaborative UTMs, and the feedback events produced by these rules are also returned to the Security Center. Through this kind of closed-loop control, the Collaborative Network Security Management System can identify and address new distributed attacks more quickly and effectively.

Key words: Cloud Computing, Overlay Network, Collaborative Network Security System, Computer forensics, Anti-Botnet, Anti-Phishing, Hadoop File System, Eucalyptus, Amazon Web Service.

1. Introduction and Background

As the Internet plays an ever more central role as information infrastructure, e-business and e-payment on the Internet are booming because of their convenience and benefits for users. Internet security problems remain a big challenge, as many security events still occur. The underground economy based on Internet scams and fraud is also booming. Attackers initiate more and more e-crime attacks and abuse, such as spam, phishing attacks and Internet worms. Firewalls, Intrusion Detection Systems (IDS) and anti-virus gateways are now widely deployed in edge networks to protect end systems from these attacks. When malicious attacks have fixed patterns, they can be identified easily by matching those patterns [45-67]. However, sophisticated attacks are distributed over the Internet, have fewer distinguishing characteristics and evolve quickly. For example, a Distributed Denial of Service (DDoS) attack contains very few, if any, signature strings by which to identify it. Nowadays DDoS attacks are typically launched by a large number of bots which form a botnet controlled by a bot master. The bots are commanded to attack new victim machines and so enlarge the botnet; they are also commanded to perform other tasks, such as disseminating spam or launching Distributed Denial-of-Service (DDoS) attacks against victim hosts. To counter botnets, a secure overlay has been proposed. To prevent such distributed attacks, collaboration is a path that must be taken.
Collaborative intrusion detection systems are reviewed in [49]. Through collaboration, a network security system gains scalability and teamwork and obtains a bigger picture of the events in the whole network. In [4:], an algorithm is presented that improves the accuracy of alert events by aggregating information from different sources. A similar alert correlation algorithm based on Distributed Hash Tables (DHT) is put forward in [4;]. The Collaborative Network Security Management System (CNSMS) [7;] aims to develop a new collaboration system that integrates widely deployed UTMs such as NetSecu [7:]. This distributed security overlay network, coordinated by a centralized Security Center, leverages a peer-to-peer communication protocol in the UTM's collaborative module to virtually interconnect the UTMs so that they can exchange network events and security rules. CNSMS also produces a huge volume of operational output, e.g., traffic data collected by multiple sources at different vantage points, operating reports, and security events generated by the different collaborative UTMs. Because this data is so large that it cannot easily be analyzed in real time, it needs to be archived for later forensic analysis.

In this paper, we evaluate a cloud based solution for traffic data forensic analysis in the Security Center. The main contribution of our paper is a practical solution for collecting trace data and analyzing it in parallel on a Cloud Computing platform: we propose to keep the huge traffic data in cloud storage and to process it with a cloud computing platform to find malicious attacks, since the Collaborative Network Security Management System we already operate has a big data output. A workable case, phishing attack forensic analysis, is presented, and the required computing and storage resources are investigated.
We conclude that these phishing filter functions can be scaled effectively with Cloud computing to analyze a large volume of trace data for phishing attack detection. The results also show that this solution is economical for large scale forensic analysis of traffic data.

2. Collaborative Network Security Management System

2.1 System Design and Implementation

The Collaborative Network Security Management System (CNSMS) [7;] deployed at multiple sites is shown in Figure 1. The multisite deployment, which includes the Beijing Capital-Info network, the IDC Century-Link, an enterprise network and a campus network, demonstrates the workability of our system. All four sites are managed by the Collaborative Network Security Management System in the Security Center over the Internet. At each site there are several NetSecu nodes [7:], each in charge of a different network environment and adapted to its physical link.

Figure 1. The deployment of Collaborative Network Security Management System in Multisite.

During the system's operation, the collaborative mechanism ran as we expected: security events and rulesets were shared, and new rulesets were enforced on demand as instructed by the Security Center. Operating reports from each NetSecu node and Prober were collected and sent back to the Security Center. Many network security events were also observed and recorded in the deployment, such as DDoS reflection attacks, spam scatter and ad hoc P2P protocols.

Figure 2. The work principle of Collaborative Network Security Management System with Cloud based Security Center.

Figure 2 illustrates the whole procedure of network security event processing. Generally speaking, it is an information control cycle divided into several steps. The collaborative UTMs and Probers act as sensors and report security events and traffic data to the Security Center. The Security Center aggregates all the events and digs into the collected traffic data.
After a detailed analysis, and with the assistance of an expert manager, the Security Center generates a new policy or ruleset, disseminates it to each collaborative UTM and Prober for enforcement, and receives the feedback information.

2.1.1 Traffic Prober

A traffic probe is the building block for recording raw Internet traffic at the connection level. Hyperion [75], Time Machine [4?-4<] and NProbe [47] are all well-known representative projects in this area. A traffic probe can be designed to focus on the specific traffic caused by a certain security event when needed. We enhanced TimeMachine and deployed it together with IFA [7@-79] as a prober, either on a separate device or inside a Collaborative UTM. The key strategy for efficiently recording the contents of a high volume network traffic stream comes from exploiting the heavy-tailed nature of network traffic: most network connections are quite short, while a small number of large connections (the heavy tail) account for the bulk of the total volume [4<]. Thus, by recording only the first N bytes of each connection (the cutoff is 15 Kilobytes), we can record most connections in their entirety while still greatly reducing the volume of data we must retain. For large connections, only the beginning of a connection is recorded, as the beginning of such a connection is the

[Figure 2 labels: 1. Traffic capture; 2. Events report; 3. Analysis/Rule Generation; Policy/Secure Rule enforcement; Pattern matching; 6. Feedback of Rule Enforcement; aggregation; Collaborative UTM; Traffic Prober; Cloud based Security Control Center]
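The closed-loop cycle of Section 2.1 (sensors report events, the Security Center aggregates them, generates a rule, disseminates it, and receives feedback), as an added example that is not the CNSMS implementation or the paper's code. It models why the aggregated view sees what one site misses: a source that touches each site only once never reaches any site's local alert threshold, but the center sees several sites agreeing and issues a block rule to all of them. The event fields, the per-site local threshold, the two-site agreement threshold and the scanner address are constructed assumptions; the site names are taken from Figure 1.

```python
"""Closed-loop event handling across collaborative UTMs and a Security Center.

Added example (not the CNSMS implementation). All thresholds and event
fields are assumptions chosen to illustrate cross-site aggregation.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Event:
    site: str     # reporting UTM / site (assumed field)
    src_ip: str   # offending source (assumed field)
    kind: str     # e.g. "port_scan" (assumed field)


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str   # only "block" is modelled here
    src_ip: str


@dataclass(frozen=True)
class Feedback:
    site: str
    rule_id: str
    prior_hits: int  # earlier local observations the new rule would have matched


class CollaborativeUTM:
    """Sensor and enforcement point at one site."""

    def __init__(self, site: str, local_threshold: int = 3) -> None:
        self.site = site
        self.local_threshold = local_threshold  # alone, a site alerts only past this
        self.counts: Dict[str, int] = defaultdict(int)
        self.rules: Dict[str, Rule] = {}

    def observe(self, src_ip: str, kind: str) -> Event:
        """Record one local observation and produce the event to report."""
        self.counts[src_ip] += 1
        return Event(self.site, src_ip, kind)

    def local_alert(self, src_ip: str) -> bool:
        return self.counts[src_ip] >= self.local_threshold

    def enforce(self, rule: Rule) -> Feedback:
        """Install a center-issued rule and report how it relates to local history."""
        self.rules[rule.rule_id] = rule
        return Feedback(self.site, rule.rule_id, self.counts.get(rule.src_ip, 0))

    def blocks(self, src_ip: str) -> bool:
        return any(r.action == "block" and r.src_ip == src_ip for r in self.rules.values())


class SecurityCenter:
    """Aggregates events from all sites and closes the loop with shared rules."""

    def __init__(self, utms: List[CollaborativeUTM], min_sites: int = 2) -> None:
        self.utms = utms
        self.min_sites = min_sites          # distinct sites needed before a rule is issued
        self.sites_by_src: Dict[str, Set[str]] = defaultdict(set)
        self.rules: Dict[str, Rule] = {}    # keyed by src_ip
        self.feedback: List[Feedback] = []

    def ingest(self, event: Event) -> List[Rule]:
        """Aggregate one event; return any rule it triggers."""
        self.sites_by_src[event.src_ip].add(event.site)
        if len(self.sites_by_src[event.src_ip]) >= self.min_sites and event.src_ip not in self.rules:
            rule = Rule("r-%d" % (len(self.rules) + 1), "block", event.src_ip)
            self.rules[event.src_ip] = rule
            return [rule]
        return []

    def disseminate(self, rules: List[Rule]) -> None:
        """Push rules to every UTM and keep their feedback."""
        for rule in rules:
            for utm in self.utms:
                self.feedback.append(utm.enforce(rule))


def run_scenario() -> dict:
    """Constructed scenario: one scanner probes each of four sites once."""
    sites = ["capital-info", "century-link-idc", "enterprise", "campus"]  # from Fig. 1
    utms = [CollaborativeUTM(s) for s in sites]
    center = SecurityCenter(utms, min_sites=2)
    scanner = "198.51.100.7"  # constructed TEST-NET-2 address
    for utm in utms:
        center.disseminate(center.ingest(utm.observe(scanner, "port_scan")))
    return {
        "sites_alerting_alone": sum(1 for u in utms if u.local_alert(scanner)),
        "rules_generated": len(center.rules),
        "sites_blocking": sum(1 for u in utms if u.blocks(scanner)),
        "feedback_reports": len(center.feedback),
        "prior_hits_reported": sum(f.prior_hits for f in center.feedback),
    }


if __name__ == "__main__":
    print(run_scenario())
```

In the scenario no site alerts on its own, yet one rule is generated after the second site reports, all four sites end up blocking the source, and the feedback tells the center that two sites had already seen the source before the rule reached them. Raising `min_sites` trades faster blocking for fewer false positives from a single misbehaving sensor.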
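The cutoff strategy of Section 2.1.1, as an added example that is neither the paper's code nor Time Machine's: a per-connection recorder keeps only the first N payload bytes of each connection (15 KB by default, the value quoted in the text) and is run over a constructed heavy-tailed mix of 90 short and 10 large TCP connections to show how many connections are kept in their entirety and how much volume is dropped. The connection key, the shared budget for both directions of a flow, and the synthetic traffic shape are assumptions.

```python
"""Per-connection cutoff recording in the style described for Time Machine.

Added example (not the paper's or Time Machine's code). Traffic is
constructed inline so the block runs offline.
"""
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Connection key: (ip_a, port_a, ip_b, port_b, proto), with endpoints ordered so
# both directions share one budget (an assumption; real probers may differ).
Conn = Tuple[str, int, str, int, str]

DEFAULT_CUTOFF = 15 * 1024  # 15 KB, the cutoff quoted in the text


def conn_key(src: str, sport: int, dst: str, dport: int, proto: str) -> Conn:
    a, b = (src, sport), (dst, dport)
    if a > b:
        a, b = b, a
    return (a[0], a[1], b[0], b[1], proto)


class CutoffRecorder:
    """Keeps the first `cutoff` payload bytes of every connection."""

    def __init__(self, cutoff: int = DEFAULT_CUTOFF) -> None:
        self.cutoff = cutoff
        self.seen: Dict[Conn, int] = defaultdict(int)  # bytes observed per connection
        self.kept: Dict[Conn, int] = defaultdict(int)  # bytes retained per connection

    def observe(self, key: Conn, payload_len: int) -> int:
        """Feed one packet; return how many of its bytes are stored."""
        budget = self.cutoff - self.kept[key]
        store = max(0, min(payload_len, budget))
        self.seen[key] += payload_len
        self.kept[key] += store
        return store

    def stats(self) -> dict:
        total = sum(self.seen.values())
        kept = sum(self.kept.values())
        complete = sum(1 for k in self.seen if self.kept[k] == self.seen[k])
        return {
            "connections": len(self.seen),
            "complete_connections": complete,
            "bytes_seen": total,
            "bytes_kept": kept,
            "kept_fraction": kept / total if total else 0.0,
        }


def synthetic_traffic() -> Iterable[Tuple[Conn, int]]:
    """Constructed heavy-tailed mix: 90 short flows and 10 large flows.
    Yields (connection key, payload bytes) per packet."""
    # 90 short connections: 6 packets x 800 B = 4.8 KB each, below the cutoff
    for i in range(90):
        k = conn_key("10.0.0.%d" % (i + 1), 40000 + i, "203.0.113.10", 80, "tcp")
        for _ in range(6):
            yield k, 800
    # 10 large connections: 2000 packets x 1400 B = 2.8 MB each, the heavy tail
    for i in range(10):
        k = conn_key("10.0.1.%d" % (i + 1), 50000 + i, "203.0.113.20", 443, "tcp")
        for _ in range(2000):
            yield k, 1400


def run(cutoff: int = DEFAULT_CUTOFF) -> dict:
    """Replay the constructed traffic through a recorder and summarise."""
    rec = CutoffRecorder(cutoff)
    for key, n in synthetic_traffic():
        rec.observe(key, n)
    return rec.stats()


if __name__ == "__main__":
    s = run()
    print("%d/%d connections complete, %.1f%% of bytes kept"
          % (s["complete_connections"], s["connections"], 100 * s["kept_fraction"]))
```

With the default cutoff all 90 short connections are recorded whole while only about 2% of the total bytes are retained; the ten large flows each contribute exactly 15 KB. Lowering the cutoff below the short-flow size (for example `run(cutoff=3000)`) leaves no connection complete, which is the knob a prober operator tunes against the storage budget.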