NICE (Network Intrusion Detection and Countermeasure Selection) is a new intrusion detection and prevention framework for multi-phase distributed attacks in a virtual network environment. It captures and inspects suspicious traffic in the cloud without disrupting users' applications and services. Cloud security is one of the most important issues in recent years and has attracted much research and development effort. In traditional data centers, where system administrators have full control over host machines, vulnerabilities can be detected and patched centrally by the administrator. In cloud data centers, however, cloud users are often privileged to control the software installed on their managed VMs, so central patching of known security holes may not work and may violate the SLA.
Attackers can scan for vulnerabilities in the cloud and compromise virtual machines in order to launch large-scale Distributed Denial of Service (DDoS) attacks. Such attacks usually involve several early stages: multi-step scanning, low-frequency vulnerability scanning, compromising the vulnerable virtual machines identified (turning them into zombies), and finally the DDoS attack itself, launched through the compromised zombies. Within a cloud system, and especially in Infrastructure as a Service (IaaS) clouds, detecting zombie exploration attacks is extremely difficult, because cloud users are free to install vulnerable applications on their own virtual machines.
In order to prevent vulnerable virtual machines from being compromised in the cloud, NICE is proposed as a distributed mechanism for vulnerability detection, measurement and countermeasure selection. It is built on attack-graph-based analytical models and on reconfigurable virtual-network-based countermeasures. Each time a new vulnerability is discovered, or the network connectivity or the services running on it change, the updated information is fed to the attack graph generator and the old attack graph is regenerated. The proposed framework leverages OpenFlow network programming APIs to build a monitor and control plane over distributed programmable virtual switches, which significantly improves attack detection and mitigates the consequences of attacks. The system and security evaluations demonstrate the efficiency and effectiveness of the proposed solution.
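The attack-graph regeneration described above can be illustrated with a small forward-chaining model. The following is an added example written for this page, not NICE's own code or the generator it uses: hosts, vulnerability ids, ports and privilege levels are constructed sample data, and the rule "a vulnerable service on `dst` is exploitable once the attacker holds any privilege on a `src` that is allowed to reach `dst:port`" is a simplification chosen for the example. It shows how removing one allowed flow (the kind of countermeasure a virtual switch can apply) shrinks the set of hosts an attacker can reach when the graph is rebuilt.

```python
"""Minimal attack-graph model (added illustration, not NICE's code).

Facts are of the form (host -> privilege held by the attacker); rules derive
new privileges from services the attacker can reach and that carry a known
vulnerability. All names and numbers below are constructed sample data.
"""

from collections import deque

# Constructed sample topology: (src, dst, port) flows the virtual network
# currently allows. In NICE this information comes from the virtual switches.
CONNECTIVITY = {
    ("internet", "web", 80),
    ("web", "app", 8080),
    ("app", "db", 3306),
    ("web", "db", 3306),   # overly permissive flow; a countermeasure removes it later
}

# Constructed sample vulnerabilities per host: service port and the privilege
# an attacker gains by exploiting it. Ids are hypothetical placeholders.
VULNERABILITIES = {
    "web": [{"id": "VULN-A (hypothetical)", "port": 80, "gain": "user"}],
    "db":  [{"id": "VULN-C (hypothetical)", "port": 3306, "gain": "root"}],
}

PRIVILEGE_RANK = {"none": 0, "user": 1, "root": 2}


def build_attack_graph(connectivity, vulnerabilities, start="internet"):
    """Forward-chain from the attacker's foothold.

    Returns (privileges, edges): `privileges` maps host -> highest privilege
    the attacker can obtain, `edges` lists the exploitation steps
    (src, dst, vulnerability id) that make up the attack graph.
    """
    privileges = {start: "root"}       # attacker fully controls own host
    edges = []
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for (s, dst, port) in connectivity:
            if s != src:
                continue
            for vuln in vulnerabilities.get(dst, []):
                if vuln["port"] != port:
                    continue
                edge = (src, dst, vuln["id"])
                if edge not in edges:
                    edges.append(edge)
                # Only re-queue dst when the attacker gains something new there.
                if PRIVILEGE_RANK[privileges.get(dst, "none")] < PRIVILEGE_RANK[vuln["gain"]]:
                    privileges[dst] = vuln["gain"]
                    queue.append(dst)
    return privileges, edges


def update_on_connectivity_change(connectivity, removed_flow, vulnerabilities):
    """Regenerate the graph after a flow is removed, as NICE does whenever
    connectivity or the known vulnerabilities change."""
    new_connectivity = set(connectivity) - {removed_flow}
    return build_attack_graph(new_connectivity, vulnerabilities)


def compromised_hosts(privileges, start="internet"):
    """Hosts other than the attacker's own that appear in the graph."""
    return sorted(h for h in privileges if h != start)


if __name__ == "__main__":
    before, edges_before = build_attack_graph(CONNECTIVITY, VULNERABILITIES)
    print("reachable before:", compromised_hosts(before), edges_before)
    after, edges_after = update_on_connectivity_change(
        CONNECTIVITY, ("web", "db", 3306), VULNERABILITIES)
    print("reachable after: ", compromised_hosts(after), edges_after)
```

In the sample data the `app` host carries no known vulnerability, so once the direct `web -> db` flow is removed the database is no longer reachable in the regenerated graph even though `app -> db` is still allowed. A real deployment would derive the facts from a vulnerability scanner and the switch configuration rather than from the constructed dictionaries above.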
In traditional data centers, system administrators have full control over host machines, so vulnerabilities can be detected and patched centrally. In cloud data centers, where cloud users often have the privilege of controlling the software installed on their managed virtual machines, central patching of known security issues may not work and may violate the SLA. In a cloud system, where the infrastructure is shared by potentially millions of users, abuse and misuse of the shared infrastructure benefits attackers, who can exploit cloud vulnerabilities and use the cloud's own resources to deploy attacks more efficiently. In the attack-graph model NICE relies on, the number of facts is polynomial in the size of the system, which keeps graph construction tractable.
The proposed solution uses a new network control method, SDN, in which network functions are programmed through software switches and the OpenFlow protocol. Flow-based switches such as OVS and OpenFlow Switch (OFS) support fine-grained, flow-level control of packet switching. With the help of a central controller, all OpenFlow-based switches can be monitored and configured. The flow-based switch (OVS) and the network controller are what apply the selected network countermeasures in the proposed solution.
NICE is a new multi-phase distributed network intrusion detection and prevention framework for virtual network environments that captures and inspects suspicious traffic in the cloud without disrupting user applications and cloud services. It uses a reconfigurable virtual network approach to detect and counter attempts to compromise virtual machines, thereby preventing zombie virtual machines. It incorporates a software switching solution to quarantine and inspect suspicious virtual machines for further investigation and protection. Through programmable network approaches, NICE can improve the probability of attack detection and improve resistance to VM exploitation attacks without disrupting network services.
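The flow-level countermeasures that the two preceding paragraphs describe (the controller reconfiguring a flow-based switch to quarantine a suspicious VM or redirect its traffic for inspection) can be shown with a small model of an OpenFlow-style flow table. This is an added example written for this page, not NICE's code and not the OVS or OpenFlow API: the IP addresses, output port numbers, priorities and the countermeasure names `quarantine` and `inspect` are constructed for the illustration. Its point is that a countermeasure is installed as higher-priority entries that override normal forwarding for one VM only, so other tenants' flows are untouched and the countermeasure can be revoked without rebuilding the table.

```python
"""Model of flow-level countermeasures on a software switch (added
illustration, not NICE's code or a real OpenFlow library).

A table holds priority-ordered flow entries; a lookup returns the action of
the highest-priority matching entry, as an OpenFlow switch does. All
addresses, ports and priorities are constructed sample values.
"""

from dataclasses import dataclass, field

INSPECT_PORT = 99       # constructed: switch port leading to the inspection VM
NORMAL_PRIORITY = 100   # constructed: priority of ordinary forwarding rules
CM_PRIORITY = 900       # constructed: countermeasure entries must outrank them


@dataclass(order=True)
class FlowEntry:
    priority: int
    match: dict = field(compare=False)     # e.g. {"src": "10.0.0.5"}
    action: tuple = field(compare=False)   # ("output", port) or ("drop",)


def base_table():
    """Normal forwarding for two tenant VMs (constructed sample addresses)."""
    return [
        FlowEntry(NORMAL_PRIORITY, {"dst": "10.0.0.5"}, ("output", 5)),
        FlowEntry(NORMAL_PRIORITY, {"dst": "10.0.0.7"}, ("output", 7)),
    ]


def matches(entry, packet):
    """An entry matches when every field it names equals the packet's field."""
    return all(packet.get(k) == v for k, v in entry.match.items())


def lookup(table, packet):
    """Highest-priority matching entry wins; a table miss drops the packet."""
    for entry in sorted(table, reverse=True):
        if matches(entry, packet):
            return entry.action
    return ("drop",)


def apply_countermeasure(table, vm_ip, countermeasure):
    """Controller installs entries that affect only the suspicious VM."""
    if countermeasure == "quarantine":
        # Isolate the VM in both directions.
        added = [FlowEntry(CM_PRIORITY, {"src": vm_ip}, ("drop",)),
                 FlowEntry(CM_PRIORITY, {"dst": vm_ip}, ("drop",))]
    elif countermeasure == "inspect":
        # Divert the VM's outbound traffic to the inspection port.
        added = [FlowEntry(CM_PRIORITY, {"src": vm_ip}, ("output", INSPECT_PORT))]
    else:
        raise ValueError(f"unknown countermeasure: {countermeasure}")
    return table + added


def revoke_countermeasures(table, vm_ip):
    """Remove countermeasure entries for one VM, leaving normal rules alone."""
    return [e for e in table
            if not (e.priority >= CM_PRIORITY and vm_ip in e.match.values())]


if __name__ == "__main__":
    pkt = {"src": "10.0.0.5", "dst": "10.0.0.7"}
    table = base_table()
    print("normal:     ", lookup(table, pkt))
    table = apply_countermeasure(table, "10.0.0.5", "quarantine")
    print("quarantined:", lookup(table, pkt))
    table = revoke_countermeasures(table, "10.0.0.5")
    print("revoked:    ", lookup(table, pkt))
```

The `inspect` countermeasure keeps traffic addressed to the suspicious VM on its normal path and only diverts what the VM sends, which matches the idea of inspecting a VM without cutting it off; `quarantine` drops both directions. In a real controller the same effect is achieved by pushing flow modifications to OVS rather than by returning a new Python list.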