
Review: A survey of intrusion detection techniques in Cloud

TL;DR: This paper surveys different intrusions affecting availability, confidentiality and integrity of Cloud resources and services and recommends IDS/IPS positioning in Cloud environment to achieve desired security in the next generation networks.
About: This article is published in Journal of Network and Computer Applications. The article was published on 2013-01-01 and is currently open access. It has received 799 citations till now. The article focuses on the topics: Intrusion detection system & Cloud computing security.

Summary (5 min read)

I. INTRODUCTION

  • Cloud computing aims to provide convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services), which can be rapidly provisioned and released with minimal management effort or service provider interaction [1].
  • The recent cloud computing security white paper by the Lockheed Martin Cyber Security division [9] shows that the major security concern after data security is intrusion detection and prevention in cloud infrastructures.
  • A firewall can be a good option for preventing outside attacks but does not work against insider attacks.
  • Section 6 concludes, with references at the end.

A. Insider attack

  • Authorized Cloud users may attempt to gain (and misuse) unauthorized privileges.
  • Insiders may commit fraud and disclose information to others (or destroy information intentionally).
  • An internal DoS attack was demonstrated against the Amazon Elastic Compute Cloud (EC2) [11].

B. Flooding attack

  • Here, the attacker tries to flood the victim by sending a huge number of packets from innocent hosts in the network.
  • This kind of attack may be possible due to illegitimate network connections.
  • In the case of Cloud, requests for VMs are accessible to anyone through the Internet, which may lead to DoS (or DDoS) attacks via zombies.
  • A flooding attack affects the service's availability to authorized users.
  • Such an attack is called a direct DoS attack.

C. User to Root attacks

  • This enables the attacker to exploit vulnerabilities to gain root-level access to the system.
  • Buffer overflows are used to generate root shells from a process running as root.
  • A buffer overflow occurs when application program code overfills a static buffer.
  • The mechanisms used to secure the authentication process are a frequent target, since there are no universal standard security mechanisms that can be used to prevent security risks like weak password recovery workflows, phishing attacks, keyloggers, etc.
  • In the case of Cloud, the attacker acquires access to a valid user's instances, which enables him/her to gain root-level access to VMs or the host.

E. Attacks on Virtual Machine (VM) or hypervisor

  • By compromising the lower-layer hypervisor, the attacker can gain control over the installed VMs.
  • Through these attacks, hackers may compromise the installed hypervisor to gain control over the host.
  • New vulnerabilities, such as zero-day vulnerabilities, are found in Virtual Machines (VMs) [16], which attract an attacker to gain access to the hypervisor or other installed VMs.
  • A zero-day vulnerability is a threat that tries to exploit application vulnerabilities that are unknown to others or to the software developer.

F. Backdoor channel attacks

  • Using backdoor channels, hackers can control a victim's resources and turn it into a zombie for attempting a DDoS attack.
  • Due to this, the compromised system faces difficulty in performing its regular tasks.
  • In a Cloud environment, the attacker can gain access to and control a Cloud user's resources through a backdoor channel and turn the VM into a zombie to initiate a DoS/DDoS attack.
  • For flooding attacks and backdoor channel attacks, either signature based or anomaly based intrusion detection techniques can be used.
  • A firewall (in Cloud) could be the common solution to prevent some of the attacks listed above.

III. FIREWALLS: COMMON SOLUTION TO INTRUSIONS

  • A firewall protects the front access points of a system and is treated as the first line of defense.
  • It diverts incoming traffic according to a predefined policy.
  • Some DoS or DDoS attacks are also too complex to detect using traditional firewalls.
  • If there is an attack on port 80 (web service), firewalls cannot distinguish good traffic from DoS attack traffic [20].
  • Its positioning within the network, its configuration, etc. also determine how effective it is.

A. Signature based Detection

  • As a result, signature based systems are capable of attaining high levels of accuracy and a minimal number of false positives in identifying even very subtle intrusions.
  • Even a small variation in known attacks may affect the analysis if the detection system is not properly configured [32].
  • These signatures are composed of several elements that identify the traffic.
  • In Cloud, signature based intrusion detection techniques can be used to detect known attacks.
  • These approaches are discussed in the next section.

B. Anomaly Detection

  • Anomaly (or behavioral) detection is concerned with identifying events that appear to be anomalous with respect to normal system behavior [32].
  • A wide variety of techniques, including data mining, statistical modeling and hidden Markov models, have been explored as different ways to approach the anomaly detection problem.
  • The anomaly based approach involves collecting data relating to the behavior of legitimate users over a period of time, and then applying statistical tests to the observed behaviour to determine whether that behaviour is legitimate or not.
  • T. Dutkevych et al. [33] provided an anomaly based solution to prevent intrusions in real-time systems, which analyzes protocol based attacks and multidimensional traffic.
  • Anomaly detection techniques can be used in Cloud to detect unknown attacks at different levels.

C. Artificial Neural Network (ANN) based IDS

  • The types of ANN used in IDS are as follows [36]: Multi-Layer Feed-Forward (MLFF) neural nets, Multi-Layer Perceptron (MLP) and Back Propagation (BP).
  • They showed that the inclusion of more hidden layers increases the detection accuracy of the IDS.
  • It is claimed that the Distributed Time Delay Neural Network [36] has higher detection accuracy for most network attacks.
  • The accuracy of this approach can be improved by combining it with the other soft computing techniques mentioned above.
  • The intrusion detection accuracy of this approach depends on the number of hidden layers and on the training phase of the ANN.

E. Association Rule based IDS

  • Some intrusion attacks are formed based on known attacks or variants of known attacks.
  • H. Han et al. [43] proposed network based intrusion detection using data mining techniques.
  • The signature based algorithm generates signatures for misuse detection.
  • The authors in [44] solved the database scanning time problem examined in [43].
  • It has a very high false positive alarm rate, since some interesting patterns are ignored and unwanted patterns are produced.

F. Support Vector Machine (SVM) based IDS

  • SVM [35] is used to detect intrusions based on limited sample data, where the dimensionality of the data does not affect the accuracy.
  • In [46], it is shown that the results regarding false positive rate are better for SVM than for ANN, since ANN requires a large number of training samples for effective classification, whereas SVM has fewer parameters to set.
  • SVM is used only for binary data.
  • The support vector machine (SVM) classifier is also used with SNORT to reduce the false alarm rate and improve the accuracy of the IPS.

G. Genetic Algorithm (GA) based IDS

  • Genetic algorithms (GAs) [48] [50] are used to select network features or to determine optimal parameters which can be used in other techniques for achieving result optimization and improving the accuracy of the IDS.
  • This increases the detection rate and improves accuracy.
  • A limitation of this approach is the best-fit problem.
  • They used a support-confidence based fitness function for deriving rules, which classifies network intrusions effectively.
  • In a Cloud environment, selection of optimal parameters (network features) for intrusion detection will increase the accuracy of the underlying IDS.

H. Hybrid Techniques

  • Hybrid techniques use a combination of two or more of the above techniques.
  • This is advantageous since each technique has its own advantages and drawbacks.
  • This approach uses the advantages of each classifier and improves the overall performance of the IDS.

Association Rule based IDS

  • Association rule based IDS is efficient only for correlated attacks.
  • The knowledge base used for matching should be crafted carefully.
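The signature, anomaly and hybrid approaches summarised above, worked through in one added example (this is illustrative code written for this summary, not code from the surveyed paper or any real IDS): signatures are rules composed of several traffic elements, the anomaly detector learns the per-source packet rate of legitimate traffic and flags windows that deviate from it by more than k standard deviations, and the hybrid detector reports both. The rule set, addresses and traffic are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Optional


@dataclass(frozen=True)
class Packet:
    t: float          # arrival time in seconds
    src: str          # source IP address
    dport: int        # destination port
    flags: str        # TCP flags, e.g. "S" for a bare SYN
    payload: bytes = b""


@dataclass(frozen=True)
class Signature:
    """A rule composed of several elements; every element that is set must match."""
    name: str
    dport: Optional[int] = None
    flags: Optional[str] = None
    content: Optional[bytes] = None

    def matches(self, p: Packet) -> bool:
        return ((self.dport is None or p.dport == self.dport)
                and (self.flags is None or p.flags == self.flags)
                and (self.content is None or self.content in p.payload))


# Constructed rules for the demo, not rules from any real IDS rule set
SIGNATURES = [
    Signature("http-dir-traversal", dport=80, content=b"../../"),
    Signature("telnet-root-login", dport=23, content=b"root"),
]


def signature_detect(packets, signatures=SIGNATURES):
    """Misuse detection: every (source, rule name) pair where a known pattern matches."""
    return [(p.src, s.name) for p in packets for s in signatures if s.matches(p)]


def rate_buckets(packets):
    """Packets per (source, one-second window): the behavioural feature we model."""
    return Counter((p.src, int(p.t)) for p in packets)


class AnomalyDetector:
    """Learns the per-source packet rate of legitimate traffic, then flags windows
    whose rate lies more than k standard deviations above the learned mean."""

    def __init__(self, k: float = 3.0):
        self.k = k
        self.mu = 0.0
        self.sigma = 1.0

    def train(self, legit_packets):
        counts = list(rate_buckets(legit_packets).values())
        self.mu = mean(counts)
        self.sigma = pstdev(counts) or 1.0   # constant traffic: avoid dividing by zero
        return self.mu, self.sigma

    def detect(self, packets):
        alerts = []
        for (src, window), n in sorted(rate_buckets(packets).items()):
            if (n - self.mu) / self.sigma > self.k:
                alerts.append((src, window, n))
        return alerts


def hybrid_detect(detector: AnomalyDetector, packets):
    """Combine both: signatures name the known attacks, the anomaly detector
    catches a flood that no signature describes."""
    alerts = {("signature", src, name) for src, name in signature_detect(packets)}
    alerts |= {("anomaly", src, f"{n} pkt/s in window {w}")
               for src, w, n in detector.detect(packets)}
    return sorted(alerts)


def constructed_traffic():
    """Constructed sample traffic (addresses are placeholders, not real hosts)."""
    # Ten legitimate hosts, each sending 2 to 4 packets per second for ten seconds
    legit = [Packet(sec + i / 5, f"10.0.0.{h}", 443, "PA", b"GET /index.html")
             for sec in range(10) for h in range(1, 11) for i in range(2 + h % 3)]
    # Later window: a SYN flood from one host (no signature for it) plus a known
    # directory-traversal probe from an otherwise normal host
    flood = [Packet(20 + i / 50, "10.0.0.99", 443, "S") for i in range(50)]
    probe = [Packet(20.5, "10.0.0.7", 80, "PA", b"GET /../../etc/passwd")]
    return legit, legit + flood + probe


if __name__ == "__main__":
    legit, mixed = constructed_traffic()
    det = AnomalyDetector(k=3.0)
    print("baseline mean/stddev:", det.train(legit))
    for alert in hybrid_detect(det, mixed):
        print(alert)
```

The flood is invisible to the signature matcher and the traversal probe is invisible to the rate model, which is the drawback each technique brings on its own and the reason the hybrid reports both.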

Anomaly detection

  • Can lower the false alarm rate for unknown attacks.
  • A lot of time is required to identify attacks.

ANN based IDS

  • A large number of samples is required for effective training.

Fuzzy Logic based IDS

  • Used for quantitative features.
  • Provides better flexibility for some uncertain problems.

SVM based IDS

  • It can correctly classify intrusions even if only limited sample data are given.
  • So, preprocessing of those features is required before applying it.

A. Host based Intrusion Detection Systems (HIDS)

  • A host-based intrusion detection system (HIDS) is an intrusion detection system that monitors and analyzes the information collected from a specific host machine.
  • A HIDS running on a host machine detects intrusions against that machine by collecting information such as file system usage, network events, system calls, etc.
  • As shown in Fig. 4 [55], the IDS service is composed of two components: an Analyzer and an Alert System.
  • So, this approach is efficient for detecting known attacks by using a knowledge base, as well as unknown attacks by applying a feed-forward ANN.
  • All attacks are taken as a sample space.
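One of the host-side data sources named above, the file system, as an added example (written for this summary; it is not the paper's or any product's code): a HIDS-style integrity check that baselines SHA-256 digests of monitored files and reports what was added, removed or modified. The directory layout and the changes applied to it are constructed in a temporary directory, not taken from a real host.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Baseline of the monitored file system: SHA-256 digest of every regular
    file below root, keyed by its POSIX-style relative path."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline, current):
    """Report which monitored files were added, removed or modified since the
    baseline was taken; any non-empty list is an alert for the analyst."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo():
    """Constructed scenario (hypothetical paths, not a real host): take a
    baseline, apply changes of the kind an intrusion leaves behind, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # Constructed changes: an extra UID-0 account, a dropped binary, a deleted file
        with open(root / "etc" / "passwd", "a") as f:
            f.write("svc:x:0:0::/:/bin/sh\n")
        (root / "tmp").mkdir()
        (root / "tmp" / "dropper").write_bytes(b"\x7fELF constructed placeholder")
        (root / "etc" / "hosts").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In a deployment the baseline would be stored outside the monitored host (or signed), since an intruder with root can otherwise rewrite it along with the files.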

B. Network based Intrusion Detection System (NIDS)

  • A Network based Intrusion Detection System (NIDS) is an intrusion detection system that tries to detect malicious activity such as DoS attacks, port scans or even attempts to break into computers by monitoring network traffic.
  • A NIDS mostly monitors the IP and transport layer headers of individual packets and detects intrusion activity.
  • The IDS management unit consists of an event gatherer, an event database, an analysis component and a remote controller.
  • To detect known attacks, the logged packets are analyzed and compared by the IDS in real time with known signatures.
  • This approach can block DDoS attacks in a virtualized environment and can secure services running on virtual machines.

C. Distributed Intrusion Detection System (DIDS)

  • A Distributed IDS (DIDS) consists of several IDS (e.g. HIDS, NIDS, etc.) over a large network, all of which communicate with each other, or with a central server that enables network monitoring.
  • A combination of anomaly and signature based detection approaches is used for the analysis.
  • So, this type of detection and prevention helps to resist attacks in a Cloud computing region.
  • In case of intrusion detection, it drops the attacker's packets and then sends an alert message about the attack it detected to the other regions.

D. Hypervisor-based Intrusion Detection Systems

  • A hypervisor-based intrusion detection system is an intrusion detection system specifically designed for hypervisors.
  • The novelty of the technology and the lack of experience with it are a few of its challenges [21].
  • Hypervisor based IDS is one of the important techniques, specifically in Cloud computing, for detecting intrusions in a virtual environment.
  • The VMM interface is used by the VMI-IDS to communicate with the VMM, which allows the VMI-IDS to get VM state information, monitor certain events and control VMs.
  • The policy engine responds in an appropriate manner, even if the system is compromised.

E. Intrusion Prevention System (IPS)

  • With the help of an IDS, an IPS monitors network traffic and system activities to detect possible intrusions and dynamically responds to them by blocking or quarantining the traffic.
  • Based on the preconfigured rules, the IPS decides whether network traffic should be passed or blocked.
  • M. Ahmed et al. [29] proposed an efficient network based intrusion detection and prevention approach, which does not require installing an IDS on every node.
  • The first part interacts with the Iptables application layer, which is developed as a shared library, and the second part is the Iptables kernel part, developed as a kernel dynamic library.
  • Also, a pointer to the skb buffer storing the packet information is transferred to the HOOK function to identify the rules, irrespective of whether the rules match the data.

F. Intrusion Detection and Prevention System (IDPS)

  • Having their own strengths and weaknesses, individual IDS and IPS are not capable of providing full-fledged security.
  • Apart from identifying possible intrusions, an IDPS stops them and reports them to security administrators [31].
  • Fig. 13 demonstrates the same, followed by its summary.
  • An IDS can be located within such a network to monitor traffic between the VMs as well as between a VM and the host.
  • The Cloud provider can be given the duty of managing the IDS.

IDPS

  • Effectively detects and prevents intrusion attacks.
  • So far, the authors have discussed some of the existing approaches which incorporate IDS into Cloud.
  • No universally efficient solution has been found yet.
  • This gives the cloud security research community several challenges to address before a standard security framework for the cloud can be proposed.
  • Produces network load as the number of VMs attached to the MA increases.

Prevention

  • On each host: prevention using user-configured rules.
  • Anomaly detection: used to detect all types of attacks.

VI. CONCLUSION

  • A firewall may not be sufficient to solve Cloud security issues.
  • The paper emphasized the usage of alternative options for incorporating intrusion detection or intrusion prevention techniques into Cloud and explored locations in Cloud where IDS/IPS can be positioned for efficient detection and prevention of intrusions.
  • The adaptation of soft computing techniques in IDS/IPS can optimistically improve security.


Citations
Proceedings ArticleDOI
21 Jun 2015
TL;DR: The definition of fog computing and similar concepts are discussed, representative application scenarios are introduced, and various aspects of issues the authors may encounter when designing and implementing fog computing systems are identified.
Abstract: Despite the increasing usage of cloud computing, there are still issues unsolved due to inherent problems of cloud computing such as unreliable latency, lack of mobility support and location-awareness. Fog computing can address those problems by providing elastic resources and services to end users at the edge of network, while cloud computing are more about providing resources distributed in the core network. This survey discusses the definition of fog computing and similar concepts, introduces representative application scenarios, and identifies various aspects of issues we may encounter when designing and implementing fog computing systems. It also highlights some opportunities and challenges, as direction of potential future work, in related techniques that need to be considered in the context of fog computing.

1,217 citations


Cites background from "Review: A survey of intrusion detec..."

  • ...Intrusion detection Intrusion detection techniques have been applied to cloud infrastructures to mitigate attacks such as insider attack, flooding attack, port scanning, attacks on VM or hypervisor [33]....

Journal ArticleDOI
TL;DR: Through the extensive survey and sophisticated organization, this work proposes the taxonomy to outline modern IDSs and tries to give a more elaborate image for a comprehensive review.

1,102 citations


Cites methods from "Review: A survey of intrusion detec..."

  • ...More recent works (Fragkiadakis et al., 2012; Mar et al., 2012; Kartit et al., 2012; Farooqi et al.,2012; Modi et al., 2012; Wang et al., 2011; Couture, 2012; Li et al., 2012) integrate several detection approaches of five subclasses into a sophisticated one to give better efficiency and lower…...

  • ...We categorize the technologies into four classes according to where they are deployed to inspect suspicious activities, and what event types they can recognize (Mukherjee et al., 1994; Stavroulakis and Stamp, 2010; Sabahi and Movaghar, 2008; Modi et al., 2012)....

Proceedings ArticleDOI
23 Oct 2014
TL;DR: The motivation and advantages of Fog computing are elaborated, and its applications in a series of real scenarios, such as Smart Grid, smart traffic lights in vehicular networks and software defined networks are analysed.
Abstract: Fog Computing is a paradigm that extends Cloud computing and services to the edge of the network Similar to Cloud, Fog provides data, compute, storage, and application services to end-users In this article, we elaborate the motivation and advantages of Fog computing, and analyse its applications in a series of real scenarios, such as Smart Grid, smart traffic lights in vehicular networks and software defined networks We discuss the state-of-the-art of Fog computing and similar work under the same umbrella Security and privacy issues are further disclosed according to current Fog computing paradigm As an example, we study a typical attack, man-in-the-middle attack, for the discussion of security in Fog computing We investigate the stealthy features of this attack by examining its CPU and memory consumption on Fog device

915 citations


Cites background from "Review: A survey of intrusion detec..."

  • ...Intrusion detection techniques can also be applied in Fog computing [28]....

Journal ArticleDOI
TL;DR: A survey of the state-of-the-art in Intrusion Detection Systems (IDSs) that are proposed for WSNs is presented, followed by the analysis and comparison of each scheme along with their advantages and disadvantages.
Abstract: Wireless Sensor Networking is one of the most promising technologies that have applications ranging from health care to tactical military. Although Wireless Sensor Networks (WSNs) have appealing features (e.g., low installation cost, unattended network operation), due to the lack of a physical line of defense (i.e., there are no gateways or switches to monitor the information flow), the security of such networks is a big concern, especially for the applications where confidentiality has prime importance. Therefore, in order to operate WSNs in a secure way, any kind of intrusions should be detected before attackers can harm the network (i.e., sensor nodes) and/or information destination (i.e., data sink or base station). In this article, a survey of the state-of-the-art in Intrusion Detection Systems (IDSs) that are proposed for WSNs is presented. Firstly, detailed information about IDSs is provided. Secondly, a brief survey of IDSs proposed for Mobile Ad-Hoc Networks (MANETs) is presented and applicability of those systems to WSNs are discussed. Thirdly, IDSs proposed for WSNs are presented. This is followed by the analysis and comparison of each scheme along with their advantages and disadvantages. Finally, guidelines on IDSs that are potentially applicable to WSNs are provided. Our survey is concluded by highlighting open research issues in the field.

743 citations


Cites background from "Review: A survey of intrusion detec..."

  • ...A survey of IDS in cloud computing is provided in [27], which would be helpful to secure next generation networks....

Journal ArticleDOI
TL;DR: A taxonomy of contemporary IDS is presented, a comprehensive review of notable recent works, and an overview of the datasets commonly used for evaluation purposes are presented, and evasion techniques used by attackers to avoid detection are presented.
Abstract: Cyber-attacks are becoming more sophisticated and thereby presenting increasing challenges in accurately detecting intrusions. Failure to prevent the intrusions could degrade the credibility of security services, e.g. data confidentiality, integrity, and availability. Numerous intrusion detection methods have been proposed in the literature to tackle computer security threats, which can be broadly classified into Signature-based Intrusion Detection Systems (SIDS) and Anomaly-based Intrusion Detection Systems (AIDS). This survey paper presents a taxonomy of contemporary IDS, a comprehensive review of notable recent works, and an overview of the datasets commonly used for evaluation purposes. It also presents evasion techniques used by attackers to avoid detection and discusses future research challenges to counter such techniques so as to make computer systems more secure.

684 citations


Cites background from "Review: A survey of intrusion detec..."

  • ...SIDS have also been labelled in the literature as Knowledge-Based Detection or Misuse Detection (Modi et al., 2013)....

  • ...Signature-based intrusion detection systems (SIDS) Signature intrusion detection systems (SIDS) are based on pattern matching techniques to find a known attack; these are also known as Knowledge-based Detection or Misuse Detection (Khraisat et al., 2018)....

References
Book
08 Sep 2000
TL;DR: This book presents dozens of algorithms and implementation examples, all in pseudo-code and suitable for use in real-world, large-scale data mining projects, and provides a comprehensive, practical look at the concepts and techniques you need to get the most out of real business data.
Abstract: The increasing volume of data in modern business and science calls for more complex and sophisticated tools. Although advances in data mining technology have made extensive data collection much easier, it's still always evolving and there is a constant need for new techniques and tools that can help us transform this data into useful information and knowledge. Since the previous edition's publication, great advances have been made in the field of data mining. Not only does the third of edition of Data Mining: Concepts and Techniques continue the tradition of equipping you with an understanding and application of the theory and practice of discovering patterns hidden in large data sets, it also focuses on new, important topics in the field: data warehouses and data cube technology, mining stream, mining social networks, and mining spatial, multimedia and other complex data. Each chapter is a stand-alone guide to a critical topic, presenting proven algorithms and sound implementations ready to be used directly or with strategic modification against live data. This is the resource you need if you want to apply today's most powerful data mining techniques to meet real business challenges. * Presents dozens of algorithms and implementation examples, all in pseudo-code and suitable for use in real-world, large-scale data mining projects. * Addresses advanced topics such as mining object-relational databases, spatial databases, multimedia databases, time-series databases, text databases, the World Wide Web, and applications in several fields. *Provides a comprehensive, practical look at the concepts and techniques you need to get the most out of real business data

23,600 citations


"Review: A survey of intrusion detec..." refers background or methods in this paper

  • ...The goal of using ANNs (Han and Kamber, 2006) for intrusion detection is to be able to generalize data (from incomplete data) and to be able to classify data as being normal or intrusive (Ibrahim, 2010)....

  • ...SVM (Han and Kamber, 2006) is used to detect intrusions based on limited sample data, where dimensions of data will not affect the accuracy. In Chen et al. (2005), it is shown that the results (regarding false positive rate) are better in case of SVM compared with that of ANN, since ANN requires large amount of training samples for effective classification, whereas SVM has to set fewer parameters....

  • ...Fuzzy logic (Han and Kamber, 2006) can be used to deal with inexact description of intrusions....

  • ...Fuzzy logic (Han and Kamber, 2006) can be used to deal with inexact description of intrusions. Tillapart et al. (2002) proposed Fuzzy IDS (FIDS) for network intrusions like SYN and UDP floods, Ping of Death, E-mail Bomb, FTP/Telnet password guessing and port scanning....

ReportDOI
28 Sep 2011
TL;DR: This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
Abstract: Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

15,145 citations


"Review: A survey of intrusion detec..." refers background in this paper

  • ...…to provide convenient, on-demand, network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services), which can be rapidly provisioned and released with minimal management effort or service provider interactions (Mell and Grance, 2011)....

01 Jan 2006
TL;DR: There have been many data mining books published in recent years, including Predictive Data Mining by Weiss and Indurkhya [WI98], Data Mining Solutions: Methods and Tools for Solving Real-World Problems by Westphal and Blaxton [WB98], Mastering Data Mining: The Art and Science of Customer Relationship Management by Berry and Linofi [BL99].
Abstract: The book Knowledge Discovery in Databases, edited by Piatetsky-Shapiro and Frawley [PSF91], is an early collection of research papers on knowledge discovery from data. The book Advances in Knowledge Discovery and Data Mining, edited by Fayyad, Piatetsky-Shapiro, Smyth, and Uthurusamy [FPSSe96], is a collection of later research results on knowledge discovery and data mining. There have been many data mining books published in recent years, including Predictive Data Mining by Weiss and Indurkhya [WI98], Data Mining Solutions: Methods and Tools for Solving Real-World Problems by Westphal and Blaxton [WB98], Mastering Data Mining: The Art and Science of Customer Relationship Management by Berry and Linofi [BL99], Building Data Mining Applications for CRM by Berson, Smith, and Thearling [BST99], Data Mining: Practical Machine Learning Tools and Techniques by Witten and Frank [WF05], Principles of Data Mining (Adaptive Computation and Machine Learning) by Hand, Mannila, and Smyth [HMS01], The Elements of Statistical Learning by Hastie, Tibshirani, and Friedman [HTF01], Data Mining: Introductory and Advanced Topics by Dunham, and Data Mining: Multimedia, Soft Computing, and Bioinformatics by Mitra and Acharya [MA03]. There are also books containing collections of papers on particular aspects of knowledge discovery, such as Machine Learning and Data Mining: Methods and Applications edited by Michalski, Brakto, and Kubat [MBK98], and Relational Data Mining edited by Dzeroski and Lavrac [De01], as well as many tutorial notes on data mining in major database, data mining and machine learning conferences.

2,591 citations


"Review: A survey of intrusion detec..." refers background or methods in this paper

  • ...In Chen et al. (2005), it is shown that the results (regarding false positive rate) are better in case of SVM compared with that of ANN, since ANN requires large amount of training samples for effective classification, whereas SVM has to set fewer parameters....

  • ...Another solution is to incorporate IDS or IPS in Cloud....

  • ...For handling large number of network features, SVM is preferable....

  • ...There are many soft computing techniques such as Artificial Neural Network (ANN), Fuzzy logic, Association rule mining, Support Vector Machine (SVM), Genetic Algorithm (GA), etc. that can be used to improve detection accuracy and efficiency of signature based IDS or anomaly detection based IDS....

  • ...The goal of using ANNs (Han and Kamber, 2006) for intrusion detection is to be able to generalize data (from incomplete data) and to be able to classify data as being normal or intrusive (Ibrahim, 2010)....

Proceedings Article
01 Jan 2003
TL;DR: This paper presents an architecture that retains the visibility of a host-based IDS, but pulls the IDS outside of the host for greater attack resistance, achieved through the use of a virtual machine monitor.
Abstract: Today’s architectures for intrusion detection force the IDS designer to make a difficult choice If the IDS resides on the host, it has an excellent view of what is happening in that host’s software, but is highly susceptible to attack On the other hand, if the IDS resides in the network, it is more resistant to attack, but has a poor view of what is happening inside the host, making it more susceptible to evasion In this paper we present an architecture that retains the visibility of a host-based IDS, but pulls the IDS outside of the host for greater attack resistance We achieve this through the use of a virtual machine monitor Using this approach allows us to isolate the IDS from the monitored host but still retain excellent visibility into the host’s state The VMM also offers us the unique ability to completely mediate interactions between the host software and the underlying hardware We present a detailed study of our architecture, including Livewire, a prototype implementation We demonstrate Livewire by implementing a suite of simple intrusion detection policies and using them to detect real attacks

1,629 citations


"Review: A survey of intrusion detec..." refers background or result in this paper

  • ...According to results shown by (Garfinkel and Rosenblum, 2003), performance of policy engine is good in terms of workload and time....

  • ...11 (Garfinkel and Rosenblum, 2003)....

  • ...VM introspection based IDS (Garfinkel and Rosenblum, 2003) is one of the examples of hypervisor based intrusion detection system....

  • ...VMI-IDS based architecture (Garfinkel and Rosenblum, 2003) Hypervisor based Anomaly detection....

  • ...Garfinkel and Rosenblum (2003), Vieira et al. (2010), Dastjerdi et al. (2009) and Guan and Bao (2009) proposed anomaly detection techniques are proposed to detect intrusions at different layers of Cloud....

01 Sep 2011

1,188 citations


"Review: A survey of intrusion detec..." refers background in this paper

  • ...…to provide convenient, on-demand, network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services), which can be rapidly provisioned and released with minimal management effort or service provider interactions (Mell and Grance, 2011)....

Frequently Asked Questions (2)
Q1. What are the contributions in this paper?

This paper surveys different intrusions affecting availability, confidentiality and integrity of Cloud resources and services.

This survey discussed several intrusions which can threaten the integrity, confidentiality and availability of Cloud services in the future. The paper emphasized the usage of alternative options for incorporating intrusion detection or intrusion prevention techniques into Cloud and explored locations in Cloud where IDS/IPS can be positioned for efficient detection and prevention of intrusions. The paper finally identified several security challenges that need to be addressed by the cloud research community before the cloud can become a secure and trusted platform for the delivery of the future Internet of Things.