Jean-Michel Prima - 12/09/2017

Automating reconfiguration of intrusion detection probes for cloud computing

Anti-intrusion probes help oversee security for cloud computing. For these tools to function properly, they must be carefully adapted to the services that are hosted. Today that adaptation is still done by hand. The problem: virtual machines are continually rearranged across the servers, so it is difficult for operators to keep making the necessary modifications. Hence the need to automate the process. This is the purpose of SAIDS, a tool developed by the Myriads research team at the Inria Rennes – Bretagne Atlantique centre.

Many companies and organisations today have the services of their information system hosted in the cloud as infrastructure as a service (IaaS). They directly manage these services, which are executed in virtual machines on servers. On the other hand, they do not have access to the physical infrastructure: only the cloud operator manages the servers. It is thus the operator who is responsible for assuring the security of the services hosted on behalf of its customers. Among its responsibilities, it must notably adapt the intrusion-detection probes that protect the virtual machines to the services those machines contain. That’s where the problem lies.
Confronted with the very dynamic nature of virtual machines, the operator has real difficulty in continuing to adapt the detection probes. In other words, a virtual machine that initially had the best protection for certain services may have been moved to a server whose probe is not ideally configured for the services in question. “These probes must thus be adapted automatically,” concludes Christine Morin, leader of the Myriads research team, “and this is precisely the objective of a self-adaptable intrusion detection system (SAIDS).”

Focussed for the present on network intrusion detection probes, SAIDS oversees their adaptation according to events on the cloud. “When the virtual machines have to be consolidated, for example, to save energy, improve performance or maintain the server, certain virtual machines are moved. They are thus no longer monitored by the initial probe. SAIDS will automatically adapt the entry and exit probes according to the hosted services. This cannot be done manually. A human cannot follow the large number of events that are part of the life cycle of these virtual machines in an attempt to adapt all the probes as needed. Without SAIDS, after a migration for example, many attacks would not be detected because the intrusion detection probes have not been correctly reconfigured.”
There are two types of network intrusion detection probes: those based on the signatures of known attacks and those based on their behaviour. “For now, we have prototypes for the former. We have conducted our experiments with three types of open source probes: Bro, Suricata and Snort. The goal here was to show the genericity of our approach. To manage virtual machines, we chose OpenStack, a well-known platform for cloud computing deployed as an IaaS.” All the work that we’ve been discussing is the subject of a doctoral thesis that will be defended in July by Anna Giannakou.
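To make the detection gap described above concrete, here is an added toy model (not SAIDS or Inria code) in which each host runs one signature-based probe whose enabled rule groups are derived from the services of the VMs placed on it; the rule-group names and the service-to-rules mapping are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed mapping: signature rule groups each hosted service needs.
# (Illustrative names, not real Snort/Suricata/Bro rule sets.)
RULES_FOR_SERVICE = {
    "web": {"http-attacks", "web-shell"},
    "db": {"sql-injection", "db-bruteforce"},
    "mail": {"smtp-abuse"},
}


@dataclass
class Cloud:
    placement: dict            # vm -> host currently running it
    services: dict             # vm -> service the VM hosts
    probes: dict = field(default_factory=dict)  # host -> enabled rule groups

    def required_rules(self, host):
        """Rule groups the probe on `host` needs for the VMs placed there."""
        needed = set()
        for vm, h in self.placement.items():
            if h == host:
                needed |= RULES_FOR_SERVICE[self.services[vm]]
        return needed

    def adapt_probes(self):
        """SAIDS-style reaction to a cloud event: recompute every probe
        (including now-empty hosts) from the current placement."""
        for host in set(self.placement.values()) | set(self.probes):
            self.probes[host] = self.required_rules(host)

    def migrate(self, vm, dst_host, auto_adapt):
        """Move a VM (e.g. consolidation); with auto_adapt the probes follow."""
        self.placement[vm] = dst_host
        if auto_adapt:
            self.adapt_probes()

    def coverage_gap(self):
        """Per host, rule groups missing from its probe: attacks against the
        services hosted there would go undetected."""
        gap = {}
        for host in set(self.placement.values()):
            missing = self.required_rules(host) - self.probes.get(host, set())
            if missing:
                gap[host] = missing
        return gap


if __name__ == "__main__":
    c = Cloud({"vm1": "h1", "vm2": "h2"}, {"vm1": "web", "vm2": "db"})
    c.adapt_probes()
    c.migrate("vm1", "h2", auto_adapt=False)   # migration without SAIDS
    print("gap without SAIDS:", c.coverage_gap())
    c.adapt_probes()                           # SAIDS catches up
    print("gap after adaptation:", c.coverage_gap())
```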

A performance indicator for detection quality

In passing, it can be noted that such a measurement could one day also serve as a key performance indicator (KPI) for cloud operators and their customers who wish to agree on a detection quality stipulated explicitly in the service level agreement (SLA). This second topic is being covered in a doctoral thesis currently being prepared by Amir Teshome Wonjiga.


The two theses on which this research is based are being funded respectively by DGA-MI and the Cyber Centre of Excellence created by the Ministry of Defence and the Brittany region. “Both are co-supervised by Louis Rilling, an engineer at DGA-MI who serves on our team as an outside collaborator and provides his expertise in the area of security.”

