Robert, I believe we are mixing multiple product scopes here.
1. NIDS: Network intrusion detection system (different from prevention systems, NIPS). It is agentless (no need for an agent on each machine to detect attacks) and identifies attacks based upon PI\DPI techniques plus a lot of others. Identifies attacks pertaining to all hosts that the appliance or solution is catering to. So, typically all the traffic entering your organization after the edge device is put through the Firewall\IPS\IDS solution to decipher attacks.

2. HIDS: Host intrusion detection system (again, not the prevention system HIPS). It requires an agent and resides on the machine. Caters only to the identification of attacks pertaining to that host. Limitations are a lot compared to NIDS, starting from its scope to its working behavior.

3. SIEM: Security information and event management. Gathers logs and information from various products, event information from solutions like vulnerability manager, IDS etc., correlates and analyzes the information. I believe this is what you are looking for. Look for OSSIM; I believe when you refer to "correlation", you are referring to a SIEM solution rather than IDS. Of course SIEM also can integrate with IDS solutions, various product outputs, logs including host logs, e.g. syslogs etc. There are fewer open source solutions in this space which are good; reasons could be many. The scope of SIEM is solution specific sometimes and depends on its intended usage.

So, for your case you may not want every packet on your VM to go through the detection system; I am referring to the statement below about installing snort\suricata on each guest VM. We are ideally overloading the guest VM, I believe. Unless, if we want HIDS, then think of other agent-based solutions for IDS. So, the other question to ask is: do we want to build a new DOS algorithm that applies to common NIDS\HIDS, and want to implement an already used solution to detect attacks at the network layer (not restricted only to layer 3) and correlate with logs like SIEM does?
I believe what you are looking for is a SIEM solution in relation to IDS detection happening at the network layer, or even host, and doing some correlation based upon events and logs collected? DOS\DDOS techniques are many, from statistical model detection to basic behavioral based. Some are commercial (through patents) and a few well known Bayesian detection techniques for your traffic profile. If we are interested in learning and implementing a new algorithm for DOS, then the line of approach is different? If we just (may be the wrong word) want to use NIDS and do some correlation, then the line of approach is different? If it is enhancing an existing DOS technique\adding a new technique, then that could be related to or away from CloudStack as well. If we are fitting to see NIDS + SIEM, then you are fitting to see in the CS space? If we really are interested in writing a new DOS detection technique, then the approach should be to see what suricata\snort cannot handle currently: a sample DOS attack, and try to see why it cannot handle it with its current approach, provided signatures and configurations related to their detections are configured properly. Then, we can see what approach to follow and enhance for detecting the DOS technique.

I believe you wanted to narrow down your intention: SIEM (OSSIM) + IDS (NIDS only, and use suricata) and their usage from a CloudStack perspective, (or) develop a new detection technique for DOS (or only DDOS or any other)? But I could see that implementing security solutions (customized), viz. NIDS and SIEM, for cloud solutions has a definite value add and provides a security cover in addition to existing cloud resource usage. If we can narrow down the scope, then that should be good, I believe. Let us know. Thanks!
Santhosh

________________________________________
From: Robert Bruce [precious.king...@gmail.com]
Sent: Monday, November 25, 2013 5:47 AM
To: users@cloudstack.apache.org
Cc: j...@stratosec.co
Subject: Re: Distributed Intrusion Detection System in Cloud Computing

Hi John,

Thank you so much for your valuable suggestions and directions. I will set up snort/suricata on the management station as well as on each guest VM, where it will monitor the incoming/outgoing network packets for intrusions. *Here I am confused about network intrusions vs system intrusions.* What should we call these intrusions? After local correlation on each VM, NIDS on guest VMs will send the alerts to the management station (MS) if they cannot identify an intrusion. Global level of correlation will take place at MS and so on and so forth, as you already mentioned. Moreover, I will be using CloudStack networking with VLANs.

I need further guidance regarding selection of some efficient "correlation algorithm" which can help in detection of distributed intrusions. Can you please quote some best algorithm that shows good performance in terms of computation and accuracy?

Thanking you in anticipation.

Regards,
Robert

On Fri, Nov 22, 2013 at 6:46 AM, John Kinsella <j...@stratosec.co> wrote:
> Hey Robert!
>
> On Nov 16, 2013, at 11:53 AM, Robert Bruce <precious.king...@gmail.com> wrote:
>
> > Hi, hope all of you will be fine and doing your best for the development of open source community.
> >
> > I want your suggestions and help regarding my project. I am going to start my master's thesis in the domain of Cloud Computing. I want to develop a Signature Based Distributed Intrusion Detection System (DIDS) to detect distributed intrusions in Cloud environment.
> > Yes, I intend to deploy it in CloudStack.
>
> First thought: signature-based systems are useless. They're great for low-hanging fruit, but anybody who takes the time to craft packets/binaries will circumvent it.
> Or worse, they'll craft packets to set it off and kill detection performance while they go about their real attack. For the early stages of your project they'll work fine, but architect things so you can swap that out for anomaly-based detection (or a mixture).
>
> (Insert rant on signature based AV systems, the amount of money we've paid Symantec et al, and the increase - not decrease - in infected systems)
>
> The main thing to consider - you might want to do some correlation on each host, but really you need a separate system to correlate between events seen by various hosts.
>
> Also - what are you attempting to detect? Network intrusions? System intrusions? Public Internet or activity between hosts? Are you looking to work in CloudStack's basic network model, advanced with VLANs, or something with SDN? Also consider all the event data being generated by ACS itself.
>
> Plenty of space for you to do research in here, just thinking you might want to define things a little more narrow…also, look around - some of the three-letter government agencies are working on big-data analytics, not sure if any of the work is public or not yet[1].
>
> John
> 1: This wasn't meant as a Snowden joke
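The two-tier design the thread keeps coming back to (each guest VM's NIDS raises local alerts, the management station correlates across VMs) as an added example that is not part of this thread or of CloudStack, Suricata or OSSIM. It assumes Suricata eve.json-style alert records with an extra `sensor` field naming the guest VM; the sample alerts are constructed, and the correlation rule (one source seen by several distinct VMs inside a time window) is only one simple global rule a SIEM might run.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed eve.json-style alerts (not real captures); "sensor" is an assumed field naming the guest VM.
SAMPLE_ALERTS = [
    '{"timestamp":"2013-11-25T05:00:10","sensor":"vm-01","src_ip":"203.0.113.9","sig":"SYN flood"}',
    '{"timestamp":"2013-11-25T05:01:40","sensor":"vm-02","src_ip":"203.0.113.9","sig":"SYN flood"}',
    '{"timestamp":"2013-11-25T05:02:05","sensor":"vm-03","src_ip":"203.0.113.9","sig":"SYN flood"}',
    '{"timestamp":"2013-11-25T05:00:30","sensor":"vm-01","src_ip":"198.51.100.7","sig":"port scan"}',
    '{"timestamp":"2013-11-25T05:01:00","sensor":"vm-02","src_ip":"198.51.100.7","sig":"port scan"}',
    '{"timestamp":"2013-11-25T05:30:00","sensor":"vm-03","src_ip":"198.51.100.7","sig":"port scan"}',
    '{"timestamp":"2013-11-25T05:03:00","sensor":"vm-01","src_ip":"192.0.2.50","sig":"SYN flood"}',
    '{"timestamp":"2013-11-25T05:03:01","sensor":"vm-01","src_ip":"192.0.2.50","sig":"SYN flood"}',
    '{"timestamp":"2013-11-25T05:03:02","sensor":"vm-01","src_ip":"192.0.2.50","sig":"SYN flood"}',
]

def parse_alerts(lines):
    """Parse one JSON alert per line; timestamps become datetime objects."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
        alerts.append(rec)
    return alerts

def correlate_global(alerts, window=timedelta(minutes=5), min_hosts=3):
    """Global correlation at the management station: a source that touches
    many VMs looks like low-volume noise to each local sensor, so group the
    forwarded alerts by source IP and flag any source seen by at least
    min_hosts distinct sensors within one sliding time window."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src_ip"]].append(a)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["timestamp"])
        start = 0
        for end, ev in enumerate(evs):
            # drop events that fall outside the window ending at this event
            while ev["timestamp"] - evs[start]["timestamp"] > window:
                start += 1
            sensors = {e["sensor"] for e in evs[start:end + 1]}
            if len(sensors) >= min_hosts:
                findings[src] = sorted(sensors)
    return findings

if __name__ == "__main__":
    for src, hosts in correlate_global(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"distributed activity from {src} seen by {hosts}")
```

With the sample data, only 203.0.113.9 is reported: 198.51.100.7 hits three VMs but not within one window, and 192.0.2.50 floods a single VM, which the local sensor alone already covers.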