Paper should be in IEEE format with annotations. The document should be 6-8 pages. The contents should be:? 1. Abstract 2. Introduction 3. Literatur

38 IT Pro July/August 2010 P u b l i s h e d b y t h e I E E E C o m p u t e r S o c i e t y 1520-9202/10/$26.00 © 2010 IEEE

CYBERSECuRITY

Kleber Vieira, Alexandre Schulter, Carlos Becker Westphall, and Carla Merkle Westphall, Federal University of Santa Catarina, Brazil

Providing security in a distributed system requires more than user authentication with passwords or digital certificates and confidentiality in data transmission. The Grid and Cloud Computing Intrusion Detection System integrates knowledge and behavior analysis to detect intrusions.

B ecause of their distributed nature, grid and cloud computing environ- ments are easy targets for intruders looking for possible vulnerabilities to

exploit. By impersonating legitimate users, the intruders can use a service’s abundant resources maliciously.

To combat attackers, intrusion-detection sys- tems (IDSs) can offer additional security mea- sures for these environments by investigating configurations, logs, network traffic, and user actions to identify typical attack behavior.1 How- ever, an IDS must be distributed to work in a grid and cloud computing environment. It must mon- itor each node and, when an attack occurs, alert other nodes in the environment. This kind of communication requires compatibility between heterogeneous hosts, various communication mechanisms, and permission control over system maintenance and updates—typical features in grid and cloud environments.2 Cloud middleware

usually provides these features, so we propose an IDS service offered at the middleware layer (as opposed to the infrastructure or software layers).

An attack against a cloud computing system can be silent for a network-based IDS deployed in its environment, because node communication is usually encrypted. Attacks can also be invisi- ble to host-based IDSs, because cloud-specific attacks don’t necessarily leave traces in a node’s operating system, where the host-based IDS re- sides. In this way, traditional IDSs can’t appro- priately identify suspicious activities in a grid and cloud environment3 (see the “Related Work in Intrusion Detection” sidebar).

Here, we take a careful look at the cloud case in particular. We propose the Grid and Cloud Computing Intrusion Detection System (GCCIDS), which has an audit system designed to cover attacks that network- and host-based sys- tems can’t detect. GCCIDS integrates knowledge and behavior analysis to detect specific intrusions.

Intrusion Detection for Grid and Cloud Computing

itpro-12-04-West.indd 38 30/06/10 4:50 PM

Authorized licensed use limited to: University of Houston. Downloaded on February 21,2022 at 18:39:47 UTC from IEEE Xplore. Restrictions apply.

computer.org/ITPro 3 9

Our Proposed Service In our solution, each node identifies local events that could represent security violations and alerts the other nodes. Each individual IDS coopera- tively participates in intrusion detection. Figure 1 depicts the sharing of information between the IDS service and the other elements participating in the architecture: the node, service, event audi- tor, and storage service.

The node contains the resources, which are accessed homogeneously through the middle- ware. The middleware sets the access-control

pol icies a nd suppor t s a ser v ice-or iented environment.

The service provides its functionality in the environment through the middleware, which facilitates communication.

The event auditor is the key piece in the sys- tem. It captures data from various sources, such as the log system, service, and node mes- sages. The IDS service analyzes this data and applies detection techniques based on user be- havior and knowledge of previous attacks. If it detects an intrusion, it uses the middleware’s

Related Work in Intrusion Detection

Here we present some of the relevant research on intrusion detection for grids, discussing in par- ticular the techniques they apply and the source of the data they analyze.

Table A classifies related work according to the audit data source (host, network, or grid), the analysis tech- nique (knowledge- or behavior-based), and if there was a proper evaluation. Fang-Yie Leu, Jia-Chun Lin, Ming-Chang Li, Chao-Tung Yang, and Po-Chi Shih’s work,1 along with Stuart Kenny and Brian Coghlan’s2 solutions, are based on analyzing data from a grid’s network, although these approaches can’t detect grid-specific attacks, because they don’t capture any high-level data. Guofu Feng, Xiaoshe Dong, Weizhe Liu, Ying Chu, and Junyang Li integrate a host-based intrusion-detection system (IDS) into a grid environ- ment, providing protection against typical operating system attacks, but not the ones that might target middleware vulnerabilities.3

Mohamed Tolba4 and Alexandre Schulter5 and their colleagues view a computational grid as one big host of resources, and the audit data is collected from the operating systems as in typical host-based IDSs. Their solutions focus on analyzing high-level information regarding grid usage by its users, and

they apply behavior-based techniques in the analy- sis. In comparison, we conclude that the available solutions approach the problem in a different way, especially in regards to the threats we try to de- fend against by combining two distinct auditing techniques.

References 1. F-Y. Leu et al., “Integrating Grid with Intrusion Detection,”

Proc. Int’l Conf. Advanced Information Networking and

Applications (AINA 05), vol. 1, IEEE CS Press, 2005,

pp. 304–309.

2. S. Kenny and B. Coghlan, “Towards a Grid-Wide

Intrusion Detection System,” Proc. European Grid Conf.

(EGC 05), Springer, 2005, pp. 275–284.

3. G. Feng et al., “GHIDS: Defending Computational Grids

against Misusing of Shared Resource,” Proc. Asia-Pacific

Conf. Services Computing (APSCC 06), IEEE CS Press,

2006, pp. 526–533.

4. M. Tolba et al., “Distributed Intrusion Detection System

for Computational Grids,” Proc. 2nd Int’l Conf. Intelligent

Computing and Information Systems (ICICIS 05), 2005.

5. A. Schulter et al., “Intrusion Detection for Computational

Grids,” Proc. 2nd Int’l Conf. New Technologies, Mobility,

and Security, IEEE Press, 2008, pp. 1–5.

Table A. Features of related works concerning intrusion detection for grids.

Author Host-based IDS

Network- based IDS

Data from a grid

Knowledge- based technique

Behavior- based technique Validation

Tolba Yes No Yes No Yes Yes

Schulter Yes Yes No No Yes Yes

Choon No Yes N/A No No No

Kenny No Yes No Yes No Yes

Leu No Yes No Yes No Yes

Feng Yes No No Yes No Yes

itpro-12-04-West.indd 39 30/06/10 4:50 PM

Authorized licensed use limited to: University of Houston. Downloaded on February 21,2022 at 18:39:47 UTC from IEEE Xplore. Restrictions apply.

40 IT Pro July/August 2010

CYBERSECuRIT Y

communication mechanisms to send alerts to the other nodes. The middleware synchro- nizes the known-attacks and user-behavior databases.

The storage service holds the data that the IDS service must analyze. It’s important for all nodes to have access to the same data, so the middle- ware must transparently create a virtualization of the homogeneous environment.

IDS Service The IDS service increases a cloud’s security level by applying two methods of intrusion detection. The behavior-based method dictates how to compare recent user actions to the usual behavior. The knowledge-based method detects

known trails left by attacks or certain sequences of actions from a user who might represent an attack.

The audited data is sent to the IDS service core, which analyzes the be- havior using artificial intelligence to detect deviations. The analyzer uses a profile history database to deter- mine the distance between a typical user behavior and the suspect behav- ior and communicates this to the IDS service.

The rules analyzer receives audit packages and determines whether a rule in the database is being broken. It returns the result to the IDS service core. With these responses, the IDS calculates the probability that the ac- tion represents an attack and alerts the other nodes if the probability is sufficiently high.

Event Auditor To detect an intrusion, we need audit data describing the environ- ment’s state and the messages being exchanged. The event auditor can monitor the data that the analyzers are accessing. The first component monitors message exchange between nodes. Although audit information about the communication between nodes is being captured, no network data is taken into account—only node information.

The second component monitors the middle- ware logging system. For each action occurring in a node, a log entry is created containing the action’s type (such as error, alert, or warning), the event that generated it, and the message. With this kind of data, it’s possible to identify an ongo- ing intrusion.

Behavior Analysis Numerous methods exist for behavior-based intrusion detection, such as data mining, ar- tificial neural networks, and artificial immu- nological systems. We use a feed-for wa rd artificial neural network, because—in contrast to traditional methods—this type of network can quickly process information, has self-learning

Figure 1. The architecture of grid and cloud computing intrusion detection. Each node identifies local events that could represent security violations and sends an alert to the other nodes.

Knowledge base

Storage service

IDS service

Service

Grid node

Analyzer

Alert system

Ev en

t a ud

ito r

Behavior base

Knowledge base

Storage service

IDS service

Service

Grid node

Analyzer

Alert system

Ev en

t a ud

ito r

Behavior base

Knowledge base

Storage service

IDS service

Service

Grid node

Analyzer

Alert system

Ev en

t a ud

ito r

Behavior base

Database

Service

Alert system

Synchronize Communication service

itpro-12-04-West.indd 40 30/06/10 4:50 PM

Authorized licensed use limited to: University of Houston. Downloaded on February 21,2022 at 18:39:47 UTC from IEEE Xplore. Restrictions apply.

computer.org/ITPro 4 1

capabilities, and can tolerate small behavior deviations. These features help overcome some IDS limitations.4

Using this method, we need to recognize ex- pected behavior (legitimate use) or a severe be- havior deviation. Training plays a key role in the pattern recognition that feed-forward networks perform. The network must be correctly trained to efficiently detect intrusions. For a given intru- sion sample set, the network learns to identify the intrusions using its retropropagation algorithm. However, we focus on identifying user behav- ioral patterns and deviations from such patterns. With this strategy, we can cover a wider range of unknown attacks.

Knowledge Analysis Knowledge-based intrusion detection is the most often applied technique in the field be- cause it results in a low false-alarm rate and high positive rates, although it can’t detect unknown attack patterns. It uses rules (also called signa- tures) and monitors a stream of events to find malicious characteristics.

Using an expert system, we can describe a malicious behavior with a rule. One advantage of using this kind of intrusion detection is that we can add new rules without modifying exist- ing ones.

In contrast, behavior-based analysis is per- formed on learned behavior that can’t be modified without losing the previous learn- ing. Generating rules is the key element in this technique—it helps the expert system recognize newly discovered attacks. Creating a rule con- sists of defining the set of conditions that repre- sent the attack.

Increasing Attack Coverage The two intrusion detection techniques are dis- tinct. The knowledge-based intrusion detection is characterized by a high hit rate of known at- tacks, but it’s deficient in detecting new attacks. We therefore complemented it with the behavior- based technique, which can discover deviations from acceptable use and thus help identify privi- lege abuse.

The volume of data in a cloud computing en- vironment can be high, so administrators don’t observe each user’s actions—they observe only alerts from the IDS.

Results We developed a prototype to evaluate the pro- posed architecture using Grid-M, a middleware of our research group developed at the Federal University of Santa Catarina.5

We created data tables to perform the experi- ments with audit elements coming from both the log system and from data captured during node communications. We prepared three types of simulation data to test.

First, we created data representing legitimate action by executing a set of known services simu- lating a regular behavior.

Then, we created data representing behavior anomalies. To represent anomalous sequences of actions, we altered the services and their us- age frequency. For example, for a teaching depart- ment that posts grades electronically, if two out of every 100 grades are typically corrected later be- cause of a mistake, then an anomalous behavior would be correcting 10 consecutive grades. This action would deserve special attention to deter- mine whether it constituted an abuse of privileges.

Finally, we created data representing policy violation. This was prepared with a set of audit packages containing a series of elements violat- ing base rules.

Evaluating the Event Auditor The event auditor captures all requests received by a node and the corresponding responses, which is fundamental for behavior analysis.

For each action a node performs, a log entry is generated to register the methods and param- eters invoked during the action.

In the experiments with the behavior-based IDS, we considered using audit data from both a log and a communication system. Unfortunately, data from a log system—with the exception of the message element—has a limited set of values with little variation. This made it difficult to find attack patterns, so we opted to explore communi- cation elements to evaluate this technique.

We evaluated the behavior-based technique using artificial intelligence enabled by a feed- forward neural network.6 In the simulation en- vironment, we monitored five intruders and five legitimate users.

We initiated the neural-network training with a data set representing 10 days of usage simula- tion. Using this data resulted in a high number

itpro-12-04-West.indd 41 30/06/10 4:50 PM

Authorized licensed use limited to: University of Houston. Downloaded on February 21,2022 at 18:39:47 UTC from IEEE Xplore. Restrictions apply.

42 IT Pro July/August 2010

CYBERSECuRIT Y

of false negatives and a high level of uncertainty. Increasing the sample period for the learning phase improved the results.

Evaluating the Behavior-Based System To measure IDS efficiency,1 we considered ac- curacy in terms of the system’s ability to de- tect attacks and avoid false alarms. A system is imperfect if it accuses a legitimate action of being malicious. So, we measured accuracy using the number of false positives (legitimate actions marked as attacks) and false negatives (the absence of an alert when an attack has occurred).

The performance test we designed also eval- uated the analysis technique’s cost. We per- formed a load test where the program analyzed 1 to 100,000 actions. The simulation involving 100,000 actions is hypothetical. It surpasses the usual data volume and served as a base for understanding system behavior in an overload- ing condition. An action took approximately 0.000271 seconds to be processed with our setup.

The training time for an input of 30 days of sample behavior took 1.993 seconds. However, the training was sporadic—we had to plan up- dates to the behavior profile database according to a routine in the execution environment (since a user’s behavior tends to change with time). This helped us identify a convenient period of days for determining the profile of a legitimate user. Artificial neural networks aren’t determin- istic, so the number of false positives and false negatives didn’t represent a linear decreasing progression.

Figure 2 shows the results. The neural net- work tended to avoid identifying legitimate

actions as attacks—there were always more false negatives than false posi- tives when using the same quantity of input data.

No false alarms occurred when we started the training with 16 days of simulation, although the uncer- tainty level was still high, with sev- eral outputs near zero. With input periods of 28, 29, and 30 days, the algorithm showed a low number of false positives, but after several repe- titions, the quantity of false positives

varied, again representing the nondeterministic nature of neural networks.

Evaluating the Knowledge-Based System In contrast to the behavior-based system, we used audit data from both a log system and the com- munication system to evaluate the knowledge- based system. We created a series of rules to illustrate security policies that the IDS should monitor.

We collected audit data referring to a route- discovery service, service discovery, and service request and response. The series of policies we created tested the system’s performance, al- though our scope didn’t include discovering new kinds of attacks or creating an attack database. Our goal was to evaluate our solution’s function- ality and the prototype’s performance.

The rule below characterizes an attack in any message related to the storage service. The func- tions of the rule are as follows:

1. At start-up, the rules stored in an XML file are loaded into a data structure.

2. The auditor starts to capture data from the log and communication systems.

3. The data is preprocessed to create a data structure dividing log data from communi- cation data to provide easy access to each element.

4. The corresponding policy for the audit pack- age is verified.

5. An alert is generated if an attack or violation occurred.

We performed a load test for this algorithm simulating the analysis of 10 to 1,000,000 rules for an action. We verified the textual or

Figure 2. The behavior score results. The algorithm had the lowest number of false positives for input periods with 28–30 days.

0

1

2

3

4

5

6

10 12 14 16 18 20 22 24 26 28 30

Number of training examples

N um

be r o

f f al

se p

os iti

ve s

an d

fa ls

e ne

ga tiv

es

False positive False negative

itpro-12-04-West.indd 42 30/06/10 4:50 PM

Authorized licensed use limited to: University of Houston. Downloaded on February 21,2022 at 18:39:47 UTC from IEEE Xplore. Restrictions apply.

computer.org/ITPro 4 3

numerical field in comparison to the rules. The analyzer performed two primary func- tions: it searched for improper content, and it compared numerical intervals. Comparing 100,000 rules for an action consumed 0.361 seconds; comparing a million rules consumed 2.7 seconds. This suggests that real-time anal- ysis is possible up until a certain limit in the number of rules.

I n testing our prototype, we learned that it has a low processing cost while still provid- ing a satisfactory performance for real-time

implementation. Sending data to other nodes for processing didn’t seem necessary.7 The individ- ual analysis performed in each node reduces the complexity and the volume of data in compari- son to previous solutions, where the audit data is concentrated in single points.

In the future, we’ll implement our IDS, help- ing to improve green (energy-efficient), white (using wireless networks), and cognitive (using cognitive networks) cloud computing environ- ments. We also intend to research and improve cloud computing security.

References 1. H. Debar, M. Dacier, and A. Wespi, “Towards a Tax-

onomy of Intrusion Detection Systems,” Int’l J. Com- puter and Telecommunications Networking, vol. 31, no. 9, 1999, pp. 805–822.

2. I. Foster et al., “A Security Architecture for Computational Grids,” Proc. 5th ACM Conf. Com- puter and Communications Security, ACM Press, 1998, pp. 83–92.

3. S. Axelsson, Research in Intrusion-Detection Systems: A Survey, tech. report TR-98-17, Dept. Computer Eng., Chalmers Univ. of Technology, 1999.

4. A. Schulter et al., “Intrusion Detection for Computational Grids,” Proc. 2nd Int’l Conf. New Technologies, Mobility, and Security, IEEE Press, 2008, pp. 1–5.

5. H. Franke et al., “Grid-M: Middleware to Integrate Mobile Devices, Sensors and Grid Computing,” Proc. 3rd Int’l Conf. Wireless and Mobile Comm. (ICWMC 07), IEEE CS Press, 2007, p. 19.

6. N.B. Idris and B. Shanmugam, “Artificial Intelligence Techniques Applied to Intrusion Detection,” Proc. 2005 IEEE India Conf. (Indicon) 2005 Conf., IEEE Press, 2005, pp. 52–55.

7. P.F. da Silva and C.B. Westphall, “Improvements in the Model for Interoperability of Intrusion Detec- tion Responses Compatible with the IDWG Model,” Int’l J. Network Management, vol. 17, no. 4, 2007, pp. 287–294.

Kleber Vieira is a team leader for a software development company in Brazil and is a member of the Networks and Management Laboratory at the Federal University of Santa Catarina, Brazil. His research interests include information systems, software engi- neering, distributed systems, and security. Vieira re- ceived his MSc in computer science from the Federal University of Santa Cataria. Contact him at [email protected] inf.ufsc.br.

Alexandre Schulter is an IT analyst for a Brazilian government company. Previously, he was a researcher and software developer at several laboratories in the Technological Centre at the Federal University of Santa Catarina, Brazil. His research interests include infor- mation systems, component-based systems, software engineering, distributed systems, and security. Schulter received his MSc in computer science from the Federal University of Santa Cataria. Contact him at [email protected] inf.ufsc.br.

Carlos Becker Westphall is a full professor in the Department of Informatics and Statistics at the Fed- eral University of Santa Catarina, Brazil, where he is the leader of the Networks and Management Labo- ratory. His research interests include network man- agement, security, and grid and cloud computing. Westphall received his DSc in computer science from the Paul Sabatier University, France. Contact him at [email protected]

Carla Merkle Westphall is a professor in the Department of Informatics and Statistics at the Federal University of Santa Catarina, Brazil. Her research interests include distributed security, identity manage- ment, and grid and cloud security. Westphall received her PhD in electrical engineering from the Federal University of Santa Cataria. Contact her at [email protected] inf.ufsc.br.

Selected CS articles and columns are available for free at http://ComputingNow.computer.org.

itpro-12-04-West.indd 43 30/06/10 4:50 PM

Authorized licensed use limited to: University of Houston. Downloaded on February 21,2022 at 18:39:47 UTC from IEEE Xplore. Restrictions apply.

©2012-17 International Journal of Information Technology and Electrical Engineering `

ITEE, 6 (2) pp. 40-45, APR 2017

40

ITEE Journal Information Technology & Electrical Engineering

ISSN: – 2306-708X

Volume 6, Issue 2 April 2017

Predicting Critical Cloud Computing Security Issues using Artificial Neural

Network (ANNs) Algorithms in Banking Organizations

Abdelrafe Elzamly1, Burairah Hussin 2, Samy S. Abu Naser3, Tadahiro Shibutani4, and Mohamed Doheir5

1Department of Computer Science, Al-Aqsa University, Gaza, Palestine 2 ,5 Information & Communication Technology, Universiti Teknikal Malaysia Melaka (UTeM), Malaysia

3Department Information Technology, Al-Azhar University, Gaza, Palestine 4Institute of Advanced Sciences, Yokohama National University, Yokohama, Japan

E-mail: [email protected]

ABSTRACT The aim of this study is to predict critical cloud computing security issues by using Artificial Neural Network (ANNs) algorithms.

However, we proposed the Levenberg–Marquardt based Back Propagation (LMBP) Algorithms to predict the performance for

cloud security level. Also LMBP algorithms can be used to estimate the performance of accuracy in predicting cloud security

level. ANNs are more efficiently used for improving performance and learning neural membership functions. Furthermore, we

used the cloud Delphi technique for data gathering and analysis it in this study. In this study, the samples of 40 panelists were

selected from inside and outside Malaysian banking organizations based on their experienced in banking cloud computing.

However, we have indicated that the LMBP is nonlinear optimization models which used to measure accuracy of the prediction

model, the Mean Square Error (MSE) are measured to determine the performance. The performance is goodness, if the MSE is

small as shown in Table 1. This work has been conducted on groups of cloud banking developers and IT managers. As future

work, we intend to combine another optimal technique with ANNs algorithms to predict and mitigate critical security cloud issues.

Though, positive prediction of critical cloud security issues is going to surge the probability of cloud banking success rate.

Keywords: Cloud banking organization, Cloud Computing, Cloud Security Issues, , Artificial Neural Network, Levenberg Marquardt Algorithm,

Back Propagation Algorithm,. 1. NTRODUCTION

Although much research and progress in the area of

cloud computing project, a lot of cloud computing projects

have a very high failure rate particularly when it is related to

the banking area. However, several serious cloud security

issues like data protection and integrity, quality of

services(QoS), Portability and Interoperability, and mobility

need to be controlled and mitigated before cloud computing

able to apply adoptive widely [1]. In addition, cloud

computing has several advantages but cloud computing in

banking organizations is suffering from a lot of cloud

security issues. The aim of cloud risk management is

identification and evaluation of cloud security issues at an

early stage to predict the cloud computing security level [2].

Today, cloud computing risk management became a mutual

practice amongst leading banking organization success. In

the increasing effort to improve development processes and

security; new studies have led to cloud computing risk area.

Risk management aids software project manager and team

to do improved decisions to mitigate cloud-computing risks.

The objective of this study is predicting performance for

cloud computing security issues using Levenberg–

Marquardt based Back Propagation (LMBP) algorithms.

2. LITERATURE REVIEW

Cloud computing risk management consists of

computing processes, methods and techniques that are

useful to mitigate cloud computing risk failure. Security

risk management is increasingly becoming significant

in a diversity of areas linked to information technology

(IT), for example: telecommunications, banking

information systems, cloud computing[3]. Moreover,

the cloud banking model is a resource management

modeling founded on economic philosophies. Its

function like commercial banks in loan and deposit

business [4]. Cloud security is a general subject and any

grouping of policies, controls, and technologies to

safeguard data, services and infrastructure from

conceivable attacks. Additionally, current researches

focused on providing security technologies, instead of

business features such as services stability, availability

and continuity [5]. This study is going to predict the

critical cloud issues in Malaysian banking

organizations. Actually, they presented the conceptual

framework for cloud security banking that involved

components for example security, legal, privacy,

compliance and regulatory issues of banking [6]. As

stated by previous studies we split the framework

modeling cloud computing to five phases as mobility

and banking application, Cloud Deployment Models

(CDM), cloud risk management models (CRMM),

Cloud Service Models (CSM), and cloud security model

(CSM) as follows: Firstly, mobility related to the

possibility of moving and taking place in diverse

locations and through multiple times using any kind of

portable devices like smart phones, Personal Digital

Assistants (PDAs) and wireless laptops. Nonetheless,

mobile banking related to any operation that linked to

banking services like balance check, payments and

receiving banking SMS via a mobile device, and

account transactions [7]. Secondly, CSM depend on

htt

Collepals.com Plagiarism Free Papers

Are you looking for custom essay writing service or even dissertation writing services? Just request for our write my paper service, and we'll match you with the best essay writer in your subject! With an exceptional team of professional academic experts in a wide range of subjects, we can guarantee you an unrivaled quality of custom-written papers.

Get ZERO PLAGIARISM, HUMAN WRITTEN ESSAYS

Why Hire Collepals.com writers to do your paper?

Quality- We are experienced and have access to ample research materials.

We write plagiarism Free Content

Confidential- We never share or sell your personal information to third parties.

Support-Chat with us today! We are always waiting to answer all your questions.