Securing Grid Using Intrusion Detection System

Proceedings of National Conference on Challenges & Opportunities in Information Technology (COIT-2007) RIMT-IET, Mandi Gobindgarh. March 23, 2007.

Sanjeev Rana1, Rajneesh Gujral2, Manpreet Singh3
Department of Computer Engineering, M. M. Engineering College, Mullana-133203, Ambala, Haryana, India
1 [email protected], 2 [email protected], 3 [email protected]

Abstract

Computational grids are emerging as tools to facilitate the secure sharing of resources in heterogeneous environments. Security is one of the most challenging aspects of grid computing. Applying intrusion detection to the fast growing computational Grid environment improves security, which is considered to be the heart of this new field. A flexible, cooperative, distributed intrusion detection architecture is introduced that suits and benefits from the underlying Grid environment. The proposed architecture was tested using homogeneous distributed intrusion detection servers that use a learning vector quantization neural network to detect intrusions when they occur.

Keywords: Computational Grids, Grids Security Architecture, Intrusion Detection.

1. INTRODUCTION

Grid resources can be quite attractive [1] due to their large ranges of computation and storage capabilities, and we should expect them to become targets for attackers and useful for intruders. The access and sharing of resources and the collaborative computing facilitated by Grids amplify the concerns about intrusions, especially in large scale Grids [2]. In this kind of Grid, the considerable computing power can be used by an intruder to break passwords, the storage devices can be used to save illicit files, and the large bandwidth networks are ideal for launching Denial of Service attacks [3, 1]. It is unrealistic to expect to prevent all breaches of security, especially in complex distributed systems like Grids. Even if the security services offered by Grid middleware [4] are designed and implemented carefully to avoid vulnerabilities, intruders can exploit flaws in any of the other components involved, such as the operating system, network protocols and non-Grid applications running in the same environment. Moreover, a Grid cannot defend itself against stolen passwords and legitimate users who abuse their privileges to execute malicious activities. Security is a very important issue that must be addressed to enable the creation of Grid environments. Intrusion Detection Systems have an important role in Grid security management.

IDSs are expert systems that detect intrusions in computer systems and respond by sending alert notifications to security managers [5]. Typical host-based IDSs and network-based IDSs [6] can be deployed in a Grid environment to improve its security. However, they cannot properly detect Grid intrusions. Intrusion detection systems are based on the assumption that normal use of the system is different from malicious use [7]. Due to the special characteristics [8] and requirements [9] of computational grids, detecting such a difference in behavior imposes some new, unique challenges that did not exist in traditional intrusion detection systems. This paper proposes a Grid-based intrusion detection architecture that uses homogeneous distributed intrusion detection servers to overcome the above limitations.

2. THE PROPOSED ARCHITECTURE OF GRID INTRUSION DETECTION SYSTEM (GIDA)

GIDA was designed with the Grid characteristics in mind. Figure 1 shows the proposed architecture of the IDS in a Grid environment. GIDA has two main parts. The first is the Intrusion Detection Agent (IDA), which is responsible for gathering information. The second part is the Intrusion Detection Server (IDS), responsible for analyzing the gathered information and cooperating with other IDSs to detect intrusion. The circles represent the administrative domains (resources) in a Grid environment. Each administrative domain will have an IDA to collect data, and the IDA will register with one or more IDSs, which will analyze the gathered data. The IDAs will be designed to work with each class of resources to handle heterogeneity. The IDSs may use different techniques for data analysis. GIDA's compatibility with the Grid is summarized below:

• Heterogeneity: IDA deals with heterogeneity
• Scalability: All components are distributed
• No centralized control: Decision is made through cooperation between IDSs
• Standard protocols: Built on top of GSI and Grid protocols

Figure 1. Proposed Grid intrusion detection architecture
[Diagram not reproduced. Labels recovered from the extracted diagram text, which is interleaved with that of Figure 2: Users, Requests, Resources, Administrator Domain, Intrusion Detection Agent, Audit Information, Intrusion Detection Server (IDS), Cooperation Protocol, Warning Signal, Grid Database, GD, Output (log files), Log, Authentication, SSH, SSL, TLS, Plain text.]

• Nontrivial QoS: Different ID algorithms and trust relationships
• Dynamic or Adaptability: Registration with multiple IDSs, so if one fails others provide protection

3. AN IMPLEMENTATION OF GIDA

We used two stages to test the proposed GIDA. The first stage simulates the IDA and the Grid environment. Most of the available Grid simulation toolkits are designed for resource management and scheduling problems. For this reason we developed a grid simulation toolkit based on GridSim [10] to satisfy our needs. The simulation environment simulates users with different behaviors, resources with associated IDAs, and IDA registration with IDSs. This allows us to perform the required experiments. Each experiment generates a dataset consisting of one or more log files. Figure 2 shows the simulation environment with dummy IDSs that only generate log files reflecting the data they should analyze.

Figure 2. The simulated Grid and Data gathering modules

The next stage implements the IDS modules and tests them with the data generated from the simulation stage. In this initial implementation we chose to use homogeneous IDSs for simplicity. We believe that currently the best intrusion detection technique to use in this case is host-based anomaly intrusion detection [11]. The host in this case is the administrative domain with all its resources. The assigned IDA will gather information about the users' interactions with this domain. The anomaly detection is implemented using an LVQ [12] neural network. The LVQ will try to learn the user behavior through interaction with different resources and then detect deviation from normal behavior. So an intruder in this case is a user whose current behavior deviates from the learned historical profile. The system takes advantage of the fact that each user in the Grid has a unique global name. The decision module will analyze the LVQ result and then, with information from the cooperation module, decide whether a user is normal or an intruder (Figure 3). The cooperation module helps in sharing the results. Each IDS analyzes the user behavior in its scope and then shares these results with other IDSs in a way similar to P2P networks, where the IDSs are the peers.
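The analysis and decision steps described above, as an added example that is not the authors' implementation: each IDS trains LVQ1 profiles keyed by global user name, and a decision step combines the local verdicts shared by the peers. The feature layout (share of requests per resource class), the learning rate, the majority-vote cooperation rule, and all names and data are assumptions constructed for illustration.

```python
# Added illustration, not the paper's code. Feature layout, learning rate and the
# majority-vote cooperation rule are assumptions made for this sketch.
import math

def nearest(protos, x):
    """Label (Grid global user name) of the prototype closest to x."""
    return min(protos, key=lambda user: math.dist(protos[user], x))

def train_lvq1(samples, epochs=30, lr=0.3):
    """LVQ1 with one prototype per user; samples are (user, feature_vector) pairs."""
    protos = {}
    for user, x in samples:
        protos.setdefault(user, list(x))       # seed from the user's first sample
    for epoch in range(epochs):
        rate = lr * (1 - epoch / epochs)       # linearly decaying learning rate
        for user, x in samples:
            win = nearest(protos, x)
            sign = 1 if win == user else -1    # attract on match, repel on mismatch
            protos[win] = [w + sign * rate * (xi - w) for w, xi in zip(protos[win], x)]
    return protos

def local_verdict(protos, claimed_user, x):
    """True when the behaviour maps to some other user's learned profile."""
    return nearest(protos, x) != claimed_user

def cooperative_decision(verdicts):
    """Decision module: intruder only if most cooperating IDSs saw a deviation."""
    return sum(verdicts) > len(verdicts) / 2

ALICE, BOB = "/O=Grid/CN=alice", "/O=Grid/CN=bob"   # constructed global names
# Constructed audit data: share of a user's requests going to
# (compute, storage, network) resources, as gathered by each IDS's agents.
LOGS = {
    "ids-a": [(ALICE, [0.8, 0.1, 0.1]), (ALICE, [0.7, 0.2, 0.1]),
              (BOB, [0.1, 0.8, 0.1]), (BOB, [0.2, 0.7, 0.1])],
    "ids-b": [(ALICE, [0.9, 0.05, 0.05]), (ALICE, [0.75, 0.15, 0.1]),
              (BOB, [0.15, 0.75, 0.1]), (BOB, [0.1, 0.85, 0.05])],
    # ids-c saw one unrepresentative sample per user, so its profiles are poor.
    "ids-c": [(ALICE, [0.2, 0.7, 0.1]), (BOB, [0.6, 0.3, 0.1])],
}

def assess(claimed_user, x):
    """Return (per-IDS verdicts, cooperative decision) for one observation."""
    verdicts = {name: local_verdict(train_lvq1(log), claimed_user, x)
                for name, log in LOGS.items()}
    return verdicts, cooperative_decision(list(verdicts.values()))

if __name__ == "__main__":
    print(assess(ALICE, [0.75, 0.15, 0.10]))   # alice's usual compute-heavy mix
    print(assess(ALICE, [0.10, 0.80, 0.10]))   # alice's name, storage-heavy use
```

In this constructed data the poorly informed server ids-c is wrong in both cases, and the vote across peers overrides it, which is the role the cooperation module plays in the architecture.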

Figure 3. The Intrusion Detection Server
[Diagram not reproduced. Labels recovered: Preprocessing, Trained LVQ, Analyzing and detection, Decision Modules, Cooperation Modules, Response.]

4. TESTING OF GIDA

The number of IDSs is an important issue that shows the scalability of the system and that it is possible to distribute the intrusion detection problem among multiple IDSs. Increasing the number of IDSs increased the percentage of false positives (Figure 5.a). This is because less information is available to each IDS about the user behavior. Meanwhile, it decreased the percentage of false negatives (Figure 5.b), because with only a few user actions monitored at an IDS, detecting deviation from them is easier. Increasing the number of IDSs has a great effect on reducing the training time (Figure 5.c). On the other hand, increasing the number of users increased the training time (Figure 5.d). This shows that centralized systems with one IDS are not scalable, as training time increased exponentially, while multiple IDSs kept training time low. Increasing resources reduced the false positive percentage (Figure 5.e). This is because users have a wider variety of resources to choose from, and this gives them more distinct behavior. Increasing the number of intruders only slightly increased the percentage of false negatives (Figure 5.f). More detailed information can be found in [11].

5. CONCLUSIONS AND FUTURE WORK

The proposed GIDA is an open and flexible architecture that addresses the special requirements of the Grid. The main issues affecting the system have been discussed to help in deciding the values of different parameters to increase the performance of the system in different Grid environments. The distribution of the intrusion detection problem among multiple IDSs made GIDA suitable for the Grid and improved performance compared with centralized systems. This work helps to understand the problem of intrusion detection in Grid environments and to build future systems.

The effect of trust relationships between different resource owners and the use of heterogeneous IDSs should be further investigated. These two issues also raise a question about how their effects on different QoSs can be selected and measured. With heterogeneous IDSs and trust relationships, more complex algorithms will be needed for the cooperation module, which will need further investigation. The application of the Grid to real problems will help in building a knowledge base of attack signatures that will enable the use of misuse intrusion detection with the Grid.

REFERENCES

[1] L. Sardinha, N. Neves, and P. Verissimo, "Tolerating intrusion in grid system," in Proceedings of the 2004 Int. Conference on Security and Management, Las Vegas, USA, June 2004.
[2] National Science Foundation TeraGrid [Online]. Available http://www.teragrid.org.
[3] K. Kendall, A Database of Computer Attacks for the Evaluation of Intrusion Detection System, Master Thesis, Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology (MIT), Cambridge, MA, USA, June 1999.
[4] P. Asadzadeh, R. Buyya, C. Kei, D. Nayar, and S. Venugopal, "Global Grids and Software Toolkits: A Study of four middleware technologies", in High Performance Computing: Paradigm and Infrastructure, New Jersey, USA: Wiley Press, June 2005.
[5] J. Allen, A. Christie, W. Fithen, J. McHugh, J. Pickel, and E. Stoner, State of the Practice of Intrusion Detection Technologies, Technical Report CMU/SEI-99-TR-028, Software Engineering Institute, Carnegie Mellon University, January 2000.
[6] H. Debar, M. Dacier and A. Wespi, "Towards a Taxonomy of Intrusion-detection Systems," Int. J. Computer and Telecommunication Networking, Vol. 31, no. 9, pp. 805-822, 1999.
[7] I. Foster, Grid Today. Daily News and Information for the Global Grid Community, July 22, 2002: Vol. 1 No. 6. http://news.tgc.com/msgget.jsp?mid=286185&xsl=story.xsl
[8] M. Baker, R. Buyya, and D. Laforenza, "Grid and grid technologies for wide-area distributed Computing", Software Practice and Experience, 2002.
[9] M. Murshed, R. Buyya, and D. Abramson, "GridSim: A Grid Simulation toolkit for Resource Management and Scheduling in Large-Scale Grid Computing Environment". 17th IEEE International Symposium on Parallel and Distributed Processing (IPDPS 2002), April 15-19, 2002, Fort Lauderdale, FL, USA.
[10] M. Tolba, M. Abdel-Wahab, I. Taha, and A. AlShishtawy, "Distributed Intrusion Detection System for Computational Grids". Second International Conference on Intelligent Computing and Information Systems, March 2005.
[11] P. Anderson, "Computer security Threat Monitoring and Surveillance". Technical Report, James P. Anderson Company, Fort Washington, Pennsylvania, April 1980.
[12] T. Kohonen, "Learning Vector Quantization". In M. Arbib, editor, The Handbook of Brain Theory and Neural Networks. Pages 537-540. MIT Press, 1995.