Hierarchical Secure Virtualization Model for cloud

Sina Manavi 21 May 2012

AGENDA

Cloud
Intrusion Detection System Virtualization Proposed Model (HSVM) Q&A

WHAT IS CLOUD

WHAT IS CLOUD

CLOUD CHARACTERISTICS

On-demand self-service
Ubiquitous network access Location independent resource pooling Rapid elasticity Measured service Pay as you go Abstract resources

SERVICE MODELS

Software as a Service (SaaS)

Racksapce.com Amazon Web Service (AWS)

Platform as a Service (PaaS)

Google apps engine Microsoft Azure

Infrastructure as a Service (IaaS)

Salesforce.com

Data Storage as a Service (dSaaS)

CONTROLLING

Sometimes there is no full control in: - security - data - privacy - Applications

SO WHO IS USING CLOUD

Host :
HP, Cisco , Amazon (AWS) , IBM, GoGRID , Microsoft

API:
Sun , salesforce.com ,amazon, windows Azure , twilio

SaaS:
Skype , SAP, Mobile me, vertica, Oracle , Google windows live , salesforce.com

CLOUD TYPES

NEEDS OF SECURITY

CLOUD SECURITY REQUIREMENTS

Requirement Effectiveness Precision Transparency Definition The main goal of security in cloud is effectively prevents\detects, vulnerabilities and attacks Systems need to enhance its accuracy in terms of detection attacks with minimum false-positive and false-negative rates The security model must have minimum visibility from cloud service provider, developers, and service users and attackers sight

The cloud host and physical layer in addition to VMs must be protected Non-Subvert-ability against compromised service users with infeasibility to suspending the alarm system Deployability Dynamic reaction Accountability The system must be possible to be implemented over various available cloud architectures System must be able to employ impressive techniques to defeat attacks intrusion with minimal effect on legitimate process and functionalities Security system must not affect the clouds core functionality and applications, while it must log cloud activities to enable accountability

INTRUSION DETECTION SYSTEM

Host-based IDSs
-Get audit data from host audit trails. -Detect attacks against a single host

Distributed IDSs
- Gather audit data from multiple host and network that connects the hosts

Network-Based IDSs
- Use network traffic as the audit data source
- Detect attacks from network.

Virtual Machine Monitor based Intrusion Detection System (VMM-IDS)

INTRUSION DETECTION SYSTEM TECHNIQUES

Misuse Detection: - using signature of known attacks signatures or patterns - Needs experts to find out new attack signature to update the signature base - Needs to update the signature frequently Anomaly detection: - detect unknown attacks using learning techniques - deviation the normal behavior with abnormal one - significant false-positive and negative rate as compared to misuse detection

MISUSE DETECTION VS. ANOMALY DETECTION Advantages disadvantages

Misuse detection

Accurately and generate much fewer false alarm

Cannot detect novel or unknown attacks

Anomaly detection

Is able to detect unknown attacks based on audit

High false-alarm and limited by training data.

VIRTUALIZATION & CLOUD

WHAT IS VIRTUALIZATION

Reducing IT costs while increasing the efficiency, utilization and flexibility of their existing computer hardware.
running multiple operating systems and applications on the same SERVER at the same time Increasing the utilization and flexibility of hardware.

Separating the OS from underlying platform resources

VIRTUALIZATION PRODUCTS

VMWARE (ESX, Server) CITRIX (Xen) SUN xVM (VirtualBox) MICROSOFT (Hyper-V Server 2008)

PARALLELS
VIRTUALIRON

CONCEPT OF VIRTUALIZATION

APP APP APP APP APP APP

OS

OS

OS

Virtualization (e.g. VMM) Hardware

CLOUD LAYERS

Cloud Clients web browser, mobile app, thin client, terminal emulator,..

SaaS CRM, Email, virtual desktop, communication, games,.. PaaS Execution runtime, database, web server, development tools.... IaaS Virtual machine, servers, storage, load balancers, network,...

HIERARCHICAL SECURE VIRTUALIZATION MODEL

PRIMARY VM

Process duplicator

VMM-Master

VMShadow

V-Basement Communicator

VIRTUAL MACHINE MASTER

VMM-Master communicator

Stream Buffer IDS Unit ACL Analyzer

Inter-VMMMonitor

Firewall

VIRTUALIZATION BASEMENT

Network Layer IDS Inter-PVM Monitor DDOS Detection/Prevention Host OS Communicator