Network Intrusion detection and Countermeasure sElection(NICE

NICE SEMINARREPORT 2015
Department of MCA, LBSCEK 1
1. INTRODUCTION
Recent studies have shown that users migrating to the cloud consider security as the most important
factor. A recentCloudSecurityAlliance (CSA) survey shows that among all security issues, abuse and
nefarious use of cloud computingis consideredas the topsecuritythreat [1], in which attackers can
exploit vulnerabilities in clouds and utilize cloud system resources to deploy attacks. In traditional
data centers, where systemadministratorshave full control over the host machines, vulnerabilities
can be detected and patched by the system administrator in a centralized manner. However,
patching known securityholes in cloud data centers,where cloud users usuallyhave the privilege
to control software installed on their managed VMs, may not work effectively and can violate the
Service Level Agreement(SLA).Furthermore, cloud users can install vulnerable software on their VMs,
which essentially contributes to loopholes in cloud security. The challenge is to establish an effective
vulnerability/attackdetectionandresponse systemforaccuratelyidentifyingattacksandminimizingthe
impact of security breach to cloud users.
M. Armbrust et al. Addressed that protecting “Business continuity and services availability “from
service outages is one of the top concerns in cloud computing systems. In a cloud system where the
infrastructure is shared by potentially millions of users, abuse and nefarious use of the shared
infrastructure benefitsattackerstoexploit vulnerabilities of the cloud and use its resource to deploy
attacks in more efficient ways. Suchattacks are more effective inthe cloud environment since cloud
users usually share computing resources, e.g., being connected through the same switch, sharing
with the same data storage and file systems,even withpotential attackers.The similarsetupforVMs
in the cloud, e.g., virtualization techniques, VM OS, installed vulnerable software, networking, etc.,
attracts attackers to compromise multiple VMs.
We propose NICE (Network Intrusion detection and Countermeasure sElection in virtual network
systems) to establish a defense-in-depth intrusion detection framework. For better attack detection,
NICEincorporates attack graph analytical procedures into the intrusion detection processes. We must
note that the design of NICE does not intend to improve any of the existing intrusion detection
algorithms;indeed,NICEemploys areconfigurable virtual networking approach to detect and counter
the attempts to compromise VMs, thus preventing zombie VMs.

2. NICE Models
In this section, we describe how to utilize attack graphs to model security threats and
vulnerabilities in a virtual networked system, and propose a VM protection model based on
virtual network reconfiguration approaches to prevent VMs from being exploited.
2.1 Threat Model
In our attack model, we assume that an attacker can be located either outside or inside of the
virtual networking system. The attacker’s primary goal is to exploit vulnerable VMs and
compromise them as zombies. Our protection model focuses on virtual-network-based attack
detection and reconfiguration solutions to improve the resiliency to zombie explorations. Our
work does not involve host-based IDS and does not address how to handle encrypted traffic
for attack detections.
Our proposed solution can be deployed in an Infrastructure-as-a-Service (IaaS) cloud
networking system, and we assume that the Cloud Service Provider (CSP) is benign. We also
assume that cloud service users are free to install whatever operating systems or
applications they want, even if such action may intro- duce vulnerabilities to their
controlled VMs. Physical security of cloud server is out of scope of this paper. We assume that
the hypervisor is secure and free of any vulnerability. The issue of a malicious tenant breaking
out of DomU and gaining access to physical server have been studied in recent work [21] and
are out of scope of this paper.
2.2 Attack Graph Model
An attacks graph is a modeling tool to illustrate all possible multistage ,multihost attack
paths that are crucial to understand threats and then to decide appropriate
countermeasures [22]. In an attack graph, each node represents either precondition or
consequence of an exploit. The actions are not necessarily an active attack since normal
protocol interactions can also be used for attacks. Attack graph is helpful in identifying
potential threats, possible attacks and known vulnerabilities in a cloud system.

Since the attack graph provides details of all known vulnerabilities in the system and the
connectivity information, we get a whole picture of current security situation of the
system where we can predict the possible threats and attacks by correlating detected
events or activities. If an event is recognized as a potential attack, we can apply specific
countermeasures to mitigate its impact or take actions to prevent it from contaminating the
cloud system. To represent the attack and the result of such actions, we extend the
notation of MulVAL logic attack graph as presented by X. Ou et al. [12] and define as Scenario
Attack Graph (SAG).
Definition 1 :( Scenario Attack Graph): A Scenario Attack Graph is a tuple SAG= (V, E), where
1. V = NC ∪ND ∪NR denotes a set of vertices that include three types namely conjunction
node NC to represent exploit, disjunction node ND to denote result of exploit, and root node
NR for showing initial step of an attack scenario.
2. E = Epre ∪ Epost denotes the set of directed edges. An edge e ∈ Epre ⊆ ND × NC represents
that ND must be satisfied to achieve NC. An edge e ∈ Epost ⊆ NC × ND means that the
consequence shown by ND can be obtained if NC is satisfied.
Node vc ∈ NC is defined as a three tuple representing a set of IP addresses, vulnerability
information such as CVE [23], and alerts related to vc , respectively. ND behaves like a logical
OR operation and contains details of the results of actions. NR represents the root node of the
scenario attack graph. For correlating the alerts, we refer to the approach described in [15]
and define a new Alert Correlation Graph (AC G) to map alerts in ACG to their respective
nodes in SAG. To keep track of attack progress, we track the source and destination IP
addresses for attack activities.
Definition 2: (Alert Correlation Graph). An AC G is a three tuple AC G = (A, E, P), where
1. A is a set of aggregated alerts. An alert a ∈ A is a data structure (src, dst, cls, ts)
representing source IP address, destination IP address, type of the alert, and timestamp
of the alert respectively.

2. Each alert a maps to a pair of vertices (vc , vd ) in SAG using map(a) function,
i.e., map(a) : a →{(vc , vd )|(a.src ∈ vc .Hosts) ∧ (a.dst ∈ vd .Hosts) ∧ Mi(a.cgls = vc
.vurl)}.
3. E is a set of directed edges representing correlation between two alerts (a, a ) if
criteria below satisfied:
i. (a.ts < a .ts) ∧ (a .ts − a.ts < threshold)
ii. ∃(vd , vc ) ∈ Epre : (a.dst ∈ vd .Hosts ∧ a .src ∈ vc .Hosts)
4. P is set of paths in AC G. A path Si ⊂ P is a set of related alerts in chronological order.
We assume that A contains aggregated alerts rather than raw alerts. Raw alerts
having same source and destination IP addresses, attack type and timestamp
within a specified window are aggregated as Meta Alerts. Each ordered pair (a, a) in AC
G maps to two neighbor vertices in SAG with timestamp difference of two alerts within a
predefined threshold. AC G shows dependency of alerts in chronological order and we
can find related alerts in the same attack scenario by searching the alert path in AC
G. A set P is used to store all paths from root alert to the target alert in the SAG,
and each path Si ⊂ P represents alerts that belong to the same attack scenario.
We explain a method for utilizing SAG and AC G together so as to predict an
attacker’s behavior. Alert Correlation algorithm is followed for every alert detected
and returns one or more paths Si. For every alert ac that is received from the IDS,
it is added to AC G if it does not exist. For this new alert ac , the corresponding
vertex in the SAG is found by using function map(ac ) (line 3). For this vertex in
SAG, alert related to its parent vertex of type NC is then correlated with the current
alert ac (line 5). This creates a new set of alerts that belong to a path Si in AC G (line
8) or splits out a new path Si+1 from Si with subset of Si before the alert a and
appends ac to Si+1 (line 10). In the end of this algorithm, the ID of ac will be added to
alert attribute of the vertex in SAG. Algorithm 1 returns a set of attack paths S in AC G.
Algorithm 1: Alert Correlation
Require: alert ac, SAG, AC G
1: if (ac is a new alert) then

2: create node ac in AC G
3: n1 ← VC ∈ map (ac)
4: for all n2 ∈ parent (n1) do
5: create edge (n2 .alert, ac)
6: for all Si containing a do
7: if a is the last element in Si then
8: append ac to Si
9: else
10: create path Si+1 = {subset (Si, a), ac}
11: end if
12: end for
13: add ac to n1 .alert
14: end for
15: end if
16: return S
2.3 VM Protection Model
The VM protection model of NICE consists of a VM pro- filer, a security indexer and a
state monitor. We specify security index for all the VMs in the network depending
upon various factors like connectivity, the number of vulnerabilities present and their
impact scores. The impact score of a vulnerability, as defined by the CVSS guide [24],
helps judge the confidentiality, integrity, and availability impact of the vulnerability
being exploited. Connectivity metric of a VM is decided by evaluating incoming and
outgoing connections.
Definition 3 (VM State): Based on the information gathered from the network
controller, VM states can be defined as following:
1. Stable: there does not exist any known vulnerability on the VM.
2. Vulnerable: presence of one or more vulnerabilities on a VM, which remains
unexploited.
3. Exploited: at least one vulnerability has been exploited and the VM is compromised.

4. Zombie: VM is under control of attacker.
3 .NICE SYSTEM DESIGN
In this section, we first present the system design overview of NICE and then
detailed descriptions of its components.
3.1 System design overview
The proposed NICE framework is illustrated in figure 1. It shows the NICE framework
within one cloud server cluster. Major components in this framework are distributed
and light-weighted NICE-A on each physical cloud server, a network controller, a VM
profiling server, and an attack analyzer. The latter three components are located in a
centralized control center connected to software switches on each cloud server (i.e.,
virtual switches built on one or multiple Linux software bridges). NICE- A is a software
agent implemented in each cloud server connected to the control center through
a dedicated and isolated secure channel, which is separated from the normal data
packets using OpenFlow tunneling or VLAN approaches. The network controller is
responsible for deploying attack countermeasures based on decisions made by the
attack analyzer.

In the following description, our terminologies are based on the XEN virtualization
technology. NICE-A is a network intrusion detection engine that can be installed in
either Dom0 or DomU of a XEN cloud server to capture and filter malicious
traffic. Intrusion detection alerts are sent to control center when suspicious or
anomalous traffic is detected. After receiving an alert, attack analyzer evaluates the
severity of the alert based on the attack graph, decides what countermeasure
strategies to take, and then initiates it through the network controller. An attack
graph is established according to the vulnerability information derived from both offline
and real-time vulnerability scans. Offline scanning can be done by running
penetration tests and online real-time vulnerability scanning can be triggered by
the network controller (e.g., when new ports are opened and identified by OpenFlow
switches) or when new alerts are generated by the NICE-A. Once new vulnerabilities
are discovered or countermeasures are deployed, the attack graph will be
reconstructed. Countermeasures are initiated by the attack analyzer based on the
evaluation results from the cost-benefit analysis of the effectiveness of
countermeasures. Then, the network controller initiates countermeasure actions by
reconfiguring virtual or physical OpenFlow switches.
3.2 System Components
In this section we explain each component of NICE.
3.2.1 NICE-A
The NICE-A is a Network-based Intrusion Detection Sys- tem (NIDS) agent installed in
either Dom0 or DomU in each cloud server. It scans the traffic going through Linux
bridges that control all the traffic among VMs and in/out from the physical cloud
servers. In our experiment, Snort is used to implement NICE -A in Dom0. It will sniff a
mirroring port on each virtual bridge in the Open vSwitch. Each bridge forms an
isolated subnet in the virtual network and connects to all related VMs. The traffic
generated from the VMs on the mirrored software bridge will be mirrored to a

specific port on a specific bridge using SPAN, RSPAN, or ERSPAN methods. The
NICE-A sniffing rules have been custom defined to suite our needs. Dom0 in the
Xen environment is a privilege domain, that includes a virtual switch for traffic
switching among VMs and network drivers for physical network interface of the cloud
server. It’s more efficient to scan the traffic in Dom0 since all traffic in the cloud server
needs go through it; however our design is independent to the installed VM. In the
performance evaluation section, we will demonstrate the trade-offs of installing NICE-A
in Dom0 and DomU.
We must note that the alert detection quality of NICE-A depends on the implementation
of NICE-A which uses Snort. We do not focus on the detection accuracy of Snort in this
article. Thus, the individual alert detection’s false alarm rate does not change.
However, the false alarm rate could be reduced through our architecture design. We
will discuss more about this issue in the later section.
3.2.2 VM Profiling
Virtual machines in the cloud can be profiled to get precise information about
their state, services running, open ports, etc. One major factor that counts towards a
VM profile is its connectivity with other VMs. Any VM that is connected to more
number of machines is more crucial than the one connected to fewer VMs because
the effect of compromise of a highly connected VM can cause more damage. Also
required is the knowledge of services running on a VM so as to verify the authenticity of
alerts pertaining to that VM. An attacker can use port- scanning program to perform an
intense examination of the network to look for open ports on any VM.
So information about any open ports on a VM and the history of opened ports
plays a significant role in determining how vulnerable the VM is. All these factors
combined will form the VM profile.
VM profiles are maintained in a database and contain comprehensive information about
vulnerabilities, alert and traffic. The data comes from:
• Attack graph generator: while generating the attack graph, every detected
vulnerability is added to its corresponding VM entry in the database.

• NICE-A: the alert involving the VM will be recorded in the VM profile database.
• Network controller: the traffic patterns involving the VM are based on 5 tuples
(source MAC address, destination MAC address, source IP address, destination IP
address, protocol). We can have traffic pattern where packets emanate from a single IP
and are delivered to multiple destination IP addresses, and vice-versa.
3.2.3 Attack Analyzer
The major functions of NICE system are performed by attack analyzer, which
includes procedures such as attack graph construction and update, alert correlation
and countermeasure selection.
The process of constructing and utilizing the Scenario Attack Graph (SAG) consists of
three phases: information gathering, attack graph construction, and potential exploit
path analysis. With this information, attack paths can be modeled using SAG. Each
node in the attack graph represents an exploit by the attacker. Each path from an initial
node to a goal node represents a successful attack.
In summary, NICE attack graph is constructed based on the following information:
• Cloud system information is collected from the node controller (i.e., Dom0 in
XenServer). The information includes the number of VMs in the cloud server, running
services on each VM, and VM’s Virtual Interface (VIF) information.
• Virtual network topology and configuration information is collected from the
network controller, which includes virtual network topology, host connectivity, VM
connectivity, every VM’s IP address, MAC address, port information, and traffic flow
information.
• Vulnerability information is generated by both on- demand vulnerability scanning
(i.e., initiated by the network controller and NICE-A) and regular penetration
testing using the well-known vulnerability databases, such as Open Source
Vulnerability Database (OSVDB)[25], Common Vulnerabilities and Exposures List
(CVE)[23], and NIST National Vulnerability Database (NVD) [26].

The Attack Analyzer also handles alert correlation and analysis operations. This
component has two major functions: (1) constructs Alert Correlation Graph (ACG), (2)
provides threat information and appropriate countermeasures to network controller for
virtual network reconfiguration.
Figure 2 shows the workflow in the attack analyzer component. After receiving an alert
from NICE-A, alert analyzer matches the alert in the ACG. If the alert already exists in the
graph and it is a known attack (i.e., matching the attack signature), the attack analyzer
performs countermeasure selection procedure according to Algorithm 2, and then
notifies network controller immediately to deploy countermeasure or mitigation
actions. If the alert is new, attack analyzer will perform alert correlation and analysis
according to Algorithm 1, and updates ACG and SAG. This algorithm correlates each
new alert to a matching alert correlation set (i.e., in the same attack scenario). A
selected countermeasure is applied by the network controller based on the severity of
evaluation results. If the alert is a new vulnerability and is not present in the NICE
attack graph, the attack analyzer adds it to attack graph and then reconstructs it.
3.2.4 Network Controller
The network controller is a key component to support the programmable networking
capability to realize the virtual network reconfiguration feature based on OpenFlow
protocol [20]. In NICE, within each cloud server there is a software switch, for
example, Open vSwitch (OVS) [5], which is used as the edge switch for VMs to handle
traffic in & out from VMs. The communication between cloud servers (i.e., physical
servers) is handled by physical OpenFlow-capable Switch (OFS). In NICE, we integrated
the control functions for both OVS and OFS into the network controller that allows
the cloud system to set security/filtering rules in an integrated and comprehensive
manner.
The network controller is responsible for collecting network information of current
OpenFlow network and provides input to the attack analyzer to construct attack graphs.
Through the cloud internal discovery modules that use DNS, DHCP, LLDP and flow-
initiations [27], network controller is able to discover the network connectivity

information from OVS and OFS. This information includes current data paths on each
switch and detailed flow information associated with these paths, such as TCP/IP and
MAC header. The network flow and topology change information will be automatically
sent to the controller and then delivered to attack analyzer to reconstruct attack graphs.
Another important function of the network controller is to assist the attack analyzer
module. According to the OpenFlow protocol [20], when the controller receives the
first packet of a flow, it holds the packet and checks the flow table for complying
traffic policies. In NICE, the network control also consults with the attack analyzer
for the flow access control by setting up the filtering rules on the corresponding OVS
and OFS. Once a traffic flow is admitted, the following packets of the flow are not
handled by the network controller, but monitored by the NICE-A.
Network controller is also responsible for applying the countermeasure from attack
analyzer. Based on VM Security Index and severity of an alert, countermeasures are
selected by NICE and executed by the network controller. If a severe alert is
triggered and identifies some known attacks, or a VM is detected as a zombie, the
network controller will block the VM immediately. An alert with medium threat level
is triggered by a suspicious compromised VM. Countermeasure in such case is to put
the suspicious VM with exploited state into quarantine mode and redirect all its flows
to NICE- A Deep Packet Inspection (DPI) mode. An alert with a minor threat level can
be generated due to the presence of a vulnerable VM. For this case, in order to
intercept the VM’s normal traffic, suspicious traffic to/from the VM will be put into
inspection mode, in which actions such as restricting its flow bandwidth and
changing network configurations will be taken to force the attack exploration behavior
to stand out.
4. Nice Security Measurement, Attack Mitigation and Countermeasures
In this section, we present the methods for selecting the countermeasures for a given
attack scenario. When vulnerabilities are discovered or some VMs are identified as
suspicious, several countermeasures can be taken to restrict attackers’ capabilities
and it’s important to differentiate between compromised and suspicious VMs. The

countermeasure serves the purpose of 1) protecting the target VMs from being
compromised; and 2) making attack behavior stand prominent so that the attackers’
actions can be identified.
4.1 Security Measurement Metrics
The issue of security metrics has attracted much attention and there has been
significant effort in the development of quantitative security metrics in recent years.
Among different approaches, using attack graph as the security metric model for the
evaluation of security risks [28] is a good choice. In order to assess the network
security risk condition for the current network configuration, security metrics are
needed in the attack graph to measure risk likelihood. After an attack graph is
constructed, vulnerability information is included in the graph. For the initial node or
external node (i.e., the root of the graph, NR ⊆ ND), the priori probability is assigned on
the likelihood of a threat source becoming active and the difficulty of the vulnerability
to be exploited. We use GV to denote the priori risk probability for the root node of the
graph and usually the value of GV is assigned to a high probability, e.g., from 0.7 to 1.
For the internal exploitation node, each attack-step node e ∈ NC will have a probability
of vulnerability exploitation denoted as GM [e]. GM [e] is assigned according to the
Base Score (BS) from CVSS (Common Vulnerability Scoring System).The base score as
shown in (1) [24], is calculated by the impact and exploitability factor of the
vulnerability. Base score can be directly obtained from National Vulnerability Database
[26] by searching for the vulnerability CVE id.
BS = (0.6 × IV + 0.4 × E − 1.5) × f (IV), (1)
Where,
IV = 10.41 × (1 − (1 − C) × (1 − I) × (1 − A)), E = 20 × AC × AU × AV,

The impact value (IV ) is computed from three basic parameters of security
namely conﬁdentiality (C ), integrity (I ), and availability (A). The exploitability (E)
score consists of access vector (AV ), access complexity (AC ), and authentication
instances (AU ). The value of BS ranges from 0 to 10. In our attack graph, we assign each
internal node with its BS value divided by 10, as shown in (2).
GM [e] = P r (e = T) = BS (e)/10, ∀e ∈ NC. (2)
In the attack graph, the relations between exploits can be disjunctive or conjunctive
according to how they are related through their dependency conditions [29]. Such
relationships can be represented as conditional probability, where the risk probability
of current node is determined by the relationship with its predecessors and their risk
probabilities. We propose the following probability derivation relations:
• For any attack-step node n ∈ NC with immediate predecessors set W = parent (n),
Pr (n|W) = GM [n] × Pr (s|W); (3)
• For any privilege node n ∈ ND with immediate predecessors set W = parent (n), and
then
Pr (n|W) = 1 − (1 – Pr (s|W)). (4)
Once conditional probabilities have been assigned to all internal nodes in SAG, we can
merge risk values from all predecessors to obtain the cumulative risk probability or
absolute risk probability for each node according to (5) and (6). Based on derived
conditional probability assignments on each node, we can then derive an effective
security hardening plan or a mitigation strategy:
• For any attack-step node n ∈ NC with immediate predecessor set W = parent (n),
P r(n) = P r(n|W ) × P r(s); (5)
s∈W
• For any privilege node n ∈ ND with immediate predecessor set W = parent (n),
P r (n) = 1− (1 − P r(s)). s∈W (6)
5.2 Mitigation Strategies

Based on the security metrics defined in the previous subsection, NICE is able to
construct the mitigation strategies in response to detected alerts. First, we define the
term countermeasure pool as follows:
Definition 4 (Countermeasure Pool). A countermeasure pool CM = {cm1, cm2... cmn}
is a set of countermeasures. Each cm ∈ CMis a tuple cm = (cost, intrusiveness, condition
effectiveness), where
1. Cost is the unit that describes the expenses required to apply the countermeasure in
terms of resources and operational complexity, and it is defined in a range from
1 to 5, and higher metric means higher cost;
2. intrusiveness is the negative effect that a countermeasure brings to the Service Level
Agreement (SLA) and its value ranges from the least intrusive (1) to the most intrusive
(5), and the value of intrusiveness is 0 if the countermeasure has no impacts on the SLA;
3. Condition is the requirement for the corresponding countermeasure;
4. Effectiveness is the percentage of probability changes of the node, for which this
countermeasure is applied.
In general, there are many countermeasures that can be applied to the cloud virtual
networking system depending on available countermeasure techniques that can be
applied. Without losing the generality, several common virtual-networking-based
countermeasures are listed in table 1.

The optimal countermeasure selection is a multi-objective optimization problem, to
calculate MIN (impact, cost) and MAX (benefit).
In NICE, the network reconfiguration strategies mainly involve two levels of
action: layer-2 and layer-3. At layer-2, virtual bridges (including tunnels that can be
established between two bridges) and VLANs are main component in cloud’s virtual
networking system to connect two VMs directly. A virtual bridge is an entity that
attaches Virtual Interfaces (VIFs). Virtual machines on different bridges are isolated at
layer 2. VIFs on the same virtual bridge but with different VLAN tags cannot
communicate to each other directly. Based on this layer-2 isolation, NICE can deploy
layer-2 network reconfiguration to isolate suspicious VMs. For example, vulnerabilities
due to Arpspoofing [30] attacks are not possible when the suspicious VM is isolated to a
different bridge. As a result, this countermeasure disconnects an attack path in the
attack graph causing the attacker to explore an alternate attack path. Layer-3
reconfiguration is another way to disconnect an attack path. Through the network
controller, the flow table on each OVS or OFS can be modified to change the network
topology.
We must note that using the virtual network reconfiguration approach at lower
layer has the advantage in that upper layer applications will experience minimal
impact. Especially, this approach is only possible when using software-switching
approach to automate the reconfiguration in a highly dynamic networking environment.
Countermeasures such as traffic isolation can be implemented by utilizing the traffic
engineering capabilities of OVS and OFS to restrict the capacity and reconfigure the
virtual network for a suspicious flow. When a suspicious activity such as network
and port scanning is detected in the cloud system, it is important to determine
whether the detected activity is indeed malicious or not. For example, attackers can
purposely hide their scanning behavior to prevent the NIDS from identifying their
actions. In such situation, changing the network configuration will force the attacker to
perform more explorations, and in turn will make their attacking behavior stand out.

4.3 Countermeasure selection
Algorithm 2 presents how to select the optimal countermeasure for a given attack
scenario. Input to the algorithm is an alert, attack graph G, and a pool of
countermeasures CM. The algorithm starts by selecting the node vAlert that
corresponds to the alert generated by a NICE-A. Before selecting the countermeasure,
we count the distance of vAlert to the target node. If the distance is greater than a
threshold value, we do not perform countermeasure selection but update the ACG
to keep track of alerts in the system (line 3). For the source node vAlert , all the
reachable nodes (including the source node) are collected into a set T (line 6).
Because the alert is generated only after the attacker has performed the action, we
set the probability of vAlert to 1 and calculate the new probabilities for all of its child
(downstream) nodes in the set T (line 7 & 8). Now for all t ∈ T the applicable
countermeasures in CM are selected and new probabilities are calculated according
to the effectiveness of the selected countermeasures (line 13 &14). The change in
probability of target node gives the benefit for the applied countermeasure using (7). In
the next double for-loop, we compute the Return of Investment (ROI) for each benefit
of the applied countermeasure based on (8). The countermeasure which when applied
on a node gives the least value of ROI, is regarded as the optimal
countermeasure. Finally, SAG and ACG are also updated before terminating the
algorithm. The complexity of Algorithm 2 is O (|V |× |CM |) where |V | is the number of
vulnerabilities and |CM | represents the number of countermeasures.
Algorithm 2 Countermeasure Selection
Require: Alert, G (E, V), C M
1: Let vAlert = Source node of the Alert
2: if Distance to Target (vAlert) > threshold then
3: Update ACG
4: return
5: end if

6: Let T = Descendant (vAlert) ∪ vAlert
7: Set P r (vAlert) = 1
8: Calculate Risk Prob (T)
9: Let benefit [|T |, |CM |] = ∅
10: for each t ∈ T do
11: for each cm ∈ CM do
12: if cm.condition (t) then
13: P r(t) = P r(t) ∗ (1 − cm.effectiveness)
14: Calculate Risk Prob (Descendant (t))
15:
benefit [t, cm] = ΔP r (target node). (7)
16: end if
17: end for
18: end for
19: Let ROI [|T |, |CM |] = ∅
20: for each t ∈ T do
21: for each cm ∈ CM do
22: ROI [t, cm] =
23: end for
24: end for
benefit[t, cm]
cost.cm + intrusiveness.cm
25: Update SAG and Update ACG
26: return Select Optimal CM (ROI)

5. Performance Evaluation
In this section we present the performance evaluation of NICE .Our evaluation is
conducted in two directions: the security performance, and the system computing and
network reconﬁguration overhead due to introduced security mechanism.
5.1 Security Performance Analysis
To demonstrate the security performance of NICE, we created a virtual network testing
environment consisting of all the presented components of NICE.

5.1.1 Environment and Configuration
To evaluate the security performance, a demonstrative virtual cloud system consisting
of public (public virtual servers) and private (VMs) virtual domains is established
as shown in Figure 3. Cloud Servers 1 and 2 are connected to Internet through the
external firewall. In the Demilitarized Zone (DMZ) on Server 1, there is one Mail
server, one DNS server and one Web server. Public network on Server 2 houses
SQL server and NAT Gateway Server. Remote access to VMs in the private network
is controlled through SSHD (i.e., SSH Daemon) from the NAT Gateway Server. Table 2
shows the vulnerabilities present in this network and table 3 shows the
corresponding network connectivity that can be explored based on the identified
vulnerabilities.
TABLE 2
Vulnerabilities in the virtual networked system.
5.1.2 Attack Graph and Alert Correlation
The attack graph can be generated by utilizing network topology and the vulnerability
information, and it is shown in Fig. 3. As the attack progresses, the system generates

various alerts that can be related to the nodes in the attack graph. Creating an attack
graph requires knowledge of network connectivity, running services, and their
vulnerability information. This information is provided to the attack graph generator as
the input. Whenever a new vulnerability is discovered or there are changes in the
network connectivity and services running through them, the updated information is
provided to attack graph generator and old attack graph is updated to a new one. SAG
provides information about the possible paths that an attacker can follow. ACG serves
the purpose of confirming attacker’s behavior, and helps in determining false positive
and false negative. ACG can also be helpful in predicting attacker’s next steps.

5.1.3 Countermeasure Selection
To illustrate how NICE works, consider an example where an alert is generated for node
16 (vAlert=16) when the system detects LICQ Buffer overflow. After the alert is
generated, the cumulative probability of node 16 becomes 1 because that attacker has
already compromised that node. This triggers a change in cumulative probabilities of
child nodes of node 16. Now, the next step is to select the countermeasures from the
pool of countermeasures CM. If the countermeasure CM4: Create filtering rules is
applied to node 5 and assuming that this countermeasure has effectiveness of 85
percent, the probability of node 5 will change to 0.1164, which causes change in
probability values of all child nodes of node 5 thereby accumulating to a decrease of
28.5 percent for the target node 1. Following the same approach for all possible
countermeasures that can be applied, the percentage change in the cumulative
probability of node 1, i.e., benefits computed are shown in Fig. 4. Apart from calculating
the benefit measurements, the evaluation based on ROI is done and represent a
comprehensive evaluation considering benefit, cost, and intrusiveness of
countermeasure. Fig. 5 shows the ROI evaluations for presented countermeasures.
Results show that countermeasures CM2 and CM8 on node 5 have the maximum
benefit evaluation; however, their cost and intrusiveness scores indicate that they might
not be good candidates for the optimal countermeasure and ROI evaluation results
confirm this. The ROI evaluations demonstrate that CM4 on node 5 is the optimal
solution.

5.1.4 Experiment in Private Cloud Environment
For performance analysis and capacity test, configuration in Table 3 is extended to
create another test environment, which includes 14 VMs across three cloud servers and
configured each VM as a target node to create a dedicated SAG for each VM. These VMs
consist of Windows (W) and Linux (L) machines in the private network 172.16.11.0/24,
and contains more number of vulnerabilities related to their OSes and applications.
Penetration testing scripts are created with Metasploit framework and Armitage as
attackers in the test environment. These scripts emulate attackers from different places
in the internal and external sources, and launch diversity of attacks based on the
vulnerabilities in each VM. To evaluate security level of a VM, a VSI is defined to
represent the security level of each VM in the current virtual network environment. This
VSI refers to the VEAbility metric and utilizes two parameters that include Vulnerability
and Exploitability as security metrics for a VM. The VSI value ranges from 0 to 10, where
lower value means better security. VSI for a virtual machine k is defined as
VSIk = (Vk+Ek)/2
Where
1. Vk is vulnerability score for VM k. The score is the exponential average of BS from
each vulnerability in the VM or a maximum 10, i.e., V k= min {10, ln PeBaseScore (v)}
2. Ek is exploitability score for VM k. It is the exponential average of exploitability score
for all vulnerabilities or a maximum 10 multiplied by the ratio of network services on the
VM, i.e., Ek = (min{10, ln PeExploitabilityScore(v)}) × SkNSk. Sk represents the number of
services provided by VM k. NSk represents the number of network services the VM k can
connect to.
Basically, vulnerability score considers the BSs of all the vulnerabilities on a VM. The BS
depicts how easy it is for an attacker to exploit the vulnerability and how much damage
it may incur. The exponential addition of BSs allows the vulnerability score to incline
toward higher BS values and increases in logarithm-scale based on the number of
vulnerabilities. The exploitability score on the other hand shows the accessibility of a
target VM, and depends on the ratio of the number of services to the number of

network services. Higher exploitability score means that there are many possible paths
for that attacker to reach the target. VSI can be used to measure the security level of
each VM in the virtual network in the cloud system. A VM with higher value of VSI
means is easier to be attacked. To prevent attackers from exploiting other vulnerable
VMs, the VMs with higher VSI values need to be monitored closely by the system (e.g.,
using DPI) and mitigation strategies may be needed to reduce the VSI value when
necessary. Fig. 6 shows the plotting of VSI for these virtual machines before
countermeasure selection and application. Fig. 7 compares VSI values before and after
applying the countermeasure CM4, i.e., creating filtering rules. It shows the percentage
change in VSI after applying countermeasure on all of the VMs. Applying CM4 avoids
vulnerabilities and causes VSI to drop without blocking normal services and ports.
5.1.5 False Alarms
A cloud system with hundreds of nodes will have huge amount of alerts raised by Snort.
Not all of these alerts can be relied upon, and an effective mechanism is needed to
verify if such alerts need to be addressed. Since Snort can be programmed to generate
alerts with CVE id, one approach that NICE provides is to match if the alert is actually
related to some vulnerability being exploited. If so, the existence of that vulnerability in
SAG means that the alert is more likely to be a real attack. Thus, the false positive rate
will be the joint probability of the correlated alerts, which will not increase the false
positive rate compared to each individual false positive rate. In the case of zero-day
attack, where the vulnerability is discovered by the attacker but is not detected by
vulnerability scanner, the alert being real will be regarded as false, given that there does
not exist corresponding node in SAG. Thus, current research does not address how to

reduce the false negative rate. It is important to note that vulnerability scanner should
be able to detect most recent vulnerabilities and sync with the latest vulnerability
database to reduce the chance of Zero-day attacks.
5.2 NICE System Performance
NICE was evaluated based on Dom0 and DomU implementations with mirroring-based
and proxy-based attack detection agents (i.e., NICE-A). In mirror based IDS scenario, two
virtual networks were established in each cloud server: Normal network and monitoring
network. NICE-A is connected to the monitoring network. Traffic on the normal network
is mirrored to the monitoring network using Switched Port Analyzer (SPAN) approach. In
the proxy-based IDS solution, NICE-A interfaces two VMs and the traffic goes through
NICE-A. Additionally, the NICE-A have been deployed in Dom0 and it removes the traffic
duplication function in mirroring and proxy-based solutions. NICE-A running in Dom0 is
more efficient because it can sniff the traffic directly on the virtual bridge. However, in
DomU, the traffic need to be duplicated on the VMs VIF, causing overhead. When the
IDS is running in Intrusion Prevention System (IPS) mode, it needs to intercept all the
traffic and perform packet checking, which consumes more system resources as
compared to IDS mode. To demonstrate performance evaluations, four metrics namely
CPU utilization, network capacity, agent processing capacity, and communication delay
were used. The evaluation on cloud servers with Intel quad-core Xeon 2.4-GHz CPU and
32-G memory was performed. Packet generator was used to mimic real traffic in the
cloud system. As shown in Fig. 8, the traffic load, in the form of packet sending speed,
increases from 1 to 3,000 packets per second. The performance at Dom0 consumes less
CPU and the IPS mode consumes the maximum CPU resources. When the packet rate
reaches to 3,000 packets per second, the CPU utilization of IPS at DomU reaches its
limitation, while the IDS mode at DomU only occupies about 68 percent.

Fig. 9, represents the performance of NICE-A in terms of percentage of successfully
analyzed packets. The higher this value is more packets this agent can handle. IPS agent
demonstrates 100 percent performance because every packet captured by the IPS is
cached in the detection agent buffer. However, 100 percent success analyzing rate of
IPS is at the cost of the analyzing delay. For other two types of agents, the detection
agent does not store the captured packets and, thus, no delay is introduced. However,
they all experience packet drop when traffic load is huge. For a small-scale cloud system
this approach works well. The performance evaluation includes two parts. First, security
performance evaluation. It shows that the system helps to prevent vulnerable VMs from
being compromised and do so in less intrusive and cost effective manner. Second, CPU
and throughput performance evaluation. It shows the limits of using the proposed
solution in terms of networking throughputs based on software switches and CPU usage
when running detection engines on Dom 0 and Dom U. The performance results provide
a benchmark for the given hardware setup and shows how much traffic can be handled
by using a single detection domain.

6. Conclusions
6.1 Conclusion
NICE is used to detect and mitigate collaborative attacks in the cloud virtual networking
environment. NICE utilizes the attack graph model to conduct attack detection and
prediction. The proposed solution investigates how to use the programmability of
software switches-based solutions to improve the detection accuracy and defeat victim
exploitation phases of collaborative attacks. The system performance evaluation
demonstrates the feasibility of NICE and shows that the proposed solution can
significantly reduce the risk of the cloud system from being exploited and abused by
internal and external attackers. NICE only investigates the network IDS approach to
counter zombie explorative attacks.
6.2 Future Scope
To improve the detection accuracy, host-based IDS solutions are needed to be
incorporated and to cover the whole spectrum of IDS in the cloud system. This should
be investigated in the future work. The scalability of the proposed NICE solution can be
investigated by investigating then decentralized network control and attack analysis
model.

7. Reference
 Roman V. Yampolskiy and Venu Govindaraju, “Computer Security: a Survey of Methods and
Systems”, Journal of Computer Science 3 (7), 2007
 Iftikhar Ahamad, Azween B Abdullah and Abdullah S Alghamdi, “Comparative Analysis of
Intrusion Detection Approaches”, 12th International Conference on Computer Modeling
and Simulation,2010
 David Elson, “Intrusion Detection, Theory and Practice”, www.symantec.com
 Karen Scarfone, Peter Mell, “Guide to Intrusion Detection and Prevention Systems (IDPS)” ,
Special Publication 800-94
 http://ids.nic.in/JCES%20TNL%20OCT%202008/IDS/IDS.htm
 http://sectools.org/ids.html
 http://www.wikipedia.org

Network Intrusion detection and Countermeasure sElection(NICE

More Related Content

What's hot (18)

Similar to Network Intrusion detection and Countermeasure sElection(NICE (20)

Recently uploaded (20)

Network Intrusion detection and Countermeasure sElection(NICE