An Expert Forensic Investigation System for Detecting Malicious Attacks and Identifying Attackers in Cloud Environment

P. Santra¹

¹ Criminal Investigation Department, West Bengal, Kolkata, India.

Section:Research Paper, Product Type: Journal
Vol.6 , Issue.5 , pp.1-26, Oct-2018

Online published on Oct 31, 2018

Copyright © P. Santra . This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
 

View this paper at   Google Scholar | DPI Digital Library

XML View     PDF Download

How to Cite this Paper

941 Views    555 Downloads    318 Downloads

Abstract :
In recent years’ complex and high level computations is done in cloud environment to achieve better performance with low cost. Different large and medium organizations are moving towards cloud computing due to its several trending features. This leads to a drastic increase in cloud services. However, shared on demand characteristic of cloud increases the vulnerability of several security threats. Several security mechanisms and intrusion identification techniques are proposed in the recent years to ensure a better quality of services. But ensuring a complete flawless system is very difficult. So, forensic science or investigation helps in identifying the adversary and collecting proper evidence against the intruder. No traditional digital and network forensic methods are applicable in cloud computing due to its different architectural features compared to a client-server network. A generic forensic model is proposed in this paper for cloud environment. Focus is given on the identification phase of the forensic system because a proper identification of the intruder leads to better forensic evidence generation. A strong fuzzy based expert forensic model “Fuzzy Expert System for Network Log Analysis� and “Expert System for Management Log Analysis� is projected which analyses network and management logs from cloud server for identifying the intruder. A “Forensic Investigation Report� is prepared to serve as a forensic report that will help to smoothly continue the forensic investigation as well as serve as evidence. The proposed model is also simulated in a private cloud environment showing improved accuracy up to ~5.6% over known forensic systems.

Key-Words / Index Term :
Cloud, Forensic, Intrusion, Learning, Network, Association, Attacks

References :
[1] Buyya R, Yeo C S, Venugopal S, Broberg J, Brandic I. (2009). Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility. Future Generation computer systems, 25(6), (pp. 599-616).
[2] T OGRAPH B, MORGENS Y R. (2008). Cloud computing. Communications of the ACM, 51(7), (pp. 9-11).
[3] Rimal B P, Choi E, Lumb I. (2009). A taxonomy and survey of cloud computing systems. INC, IMS and IDC, (pp. 44-51).
[4] Mell P, Grance T. (2011). The NIST definition of cloud computing.
[5] Market Research Media. Global cloud computing market forecast 2015-2020. http://www.marketresearchmedia.com/2012/ 01/08/global-cloud- computing-market/ [Accessed July 5th, 2012]
[6] Krutz R L, Vines R D (2010). Cloud security: A comprehensive guide to secure cloud computing. Wiley Publishing.
[7] Computing C. (2011). Cloud computing privacy concerns on our doorstep. Communications of the ACM, 54(1), (pp. 36-38).
[8] Viega J. (2009). Cloud computing and the common man. Computer, 42(8), (pp. 106-108).
[9] Wei J, Zhang X, Ammons G, Bala V, Ning P. (2009). Managing security of virtual machine images in a cloud environment, ACM workshop on Cloud computing security (pp. 91-96).
[10] Zhang, X, Wuwong N, Li H, Zhang X. (2010). Information security risk management framework for the cloud computing environments. Computer and Information Technology (CIT), IEEE International Conference, (pp. 1328-1334).
[11] Subashini S, Kavitha V. (2011). A survey on security issues in service delivery models of cloud computing. Journal of network and computer applications, 34(1), (pp. 1-11).
[12] Kandukuri B R, Rakshit A. (2009). Cloud security issues. Services Computing, IEEE International Conference, (pp. 517-520).
[13] So K. (2011). Cloud computing security issues and challenges. International Journal of Computer Networks, 3(5), (pp. 247-255).
[14] Ren K, Wang C, Wang Q. (2012). Security challenges for the public cloud. IEEE Internet Computing, 16(1), (pp. 69).
[15] Clavister. Security in the cloud. http://www.clavister.com/documents/resources/white-papers/clavister-whp-security-in-the-cloud-gb.pdf, Clavister White Paper, [Accessed July 5th, 2012].
[16] Ruan K, Carthy J, Kechadi T, Baggili I. (2013). Cloud forensics definitions and critical criteria for cloud forensic capability: An overview of survey results. Digital Investigation, 10(1), (pp. 34-43).
[17] Shah J J, Malik L G. (2014). An approach towards digital forensic framework for cloud. Advance Computing Conference (IACC), IEEE International, (pp. 798-801).
[18] Dykstra J, Sherman A T. (2012). Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools, trust, and techniques. Digital Investigation, 9, (pp. S90-S98).
[19] Zawoad S, Hasan R. (2013). Cloud forensics: a meta-study of challenges, approaches, and open problems. arXiv preprint arXiv:1302.6312.
[20] Ruan K, Carthy J, Kechadi T. (2011). Survey on cloud forensics and critical criteria for cloud forensic capability: A preliminary analysis. Proceedings of the Conference on Digital Forensics, Security and Law, (p. 55).
[21] Zawoad S, Dutta A K, Hasan R. (2013). SecLaaS: secure logging-as-a-service for cloud forensics, Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security, (pp. 219-230).
[22] Sang T. (2013). A log based approach to make digital forensics easier on cloud computing. In: Intelligent System Design and Engineering Applications (ISDEA), Third International Conference, (pp. 91-94).
[23] Thorpe S, Ray I, Grandison T, Barbir A. (2012). Cloud log forensics metadata analysis, Computer Software and Applications Conference Workshops (COMPSACW), IEEE 36th Annual (pp. 194-199).
[24] Vo H T, Wang S, Agrawal D, Chen G, Ooi B C (2012). LogBase: a scalable log-structured database system in the cloud. Proceedings of the VLDB Endowment, 5(10), (pp. 1004-1015).
[25] Patrascu A, Patriciu V V. (2014). Logging framework for cloud computing forensic environments. Communications (COMM), 10th International Conference, (pp. 1-4).
[26] Kim J S, Kim D G, Noh B N (2004). A fuzzy logic based expert system as a network forensics. Fuzzy Systems, Proceedings. IEEE International Conference on (2), (pp. 879-884).
[27] Dickerson J E, Dickerson J A. (2000). Fuzzy network profiling for intrusion detection. Fuzzy Information Processing Society, NAFIPS. International Conference of the North American (pp. 301-306).
[28] Iyengar N C S, Banerjee A, Ganapathy G. (2014). A fuzzy logic based defense mechanism against distributed denial of service attack in cloud computing environment. International Journal of Communication Networks and Information Security, 6(3), (pp. 233).
[29] Sabhnani M, Serpen G. (2003). Application of Machine Learning Algorithms to KDD Intrusion Detection Dataset within Misuse Detection Context. In MLMTA (pp. 209-215).
[30] Hoque, Mohammad Sazzadul, et al. (2012). An implementation of intrusion detection system using genetic algorithm. arXiv preprint arXiv:1204.1336 .
[31] Stoffel K, Cotofrei P, Han D. (2010). Fuzzy methods for forensic data analysis. SoCPaR (pp. 23-28).
[32] Singh S. (2014). Cloud computing attacks: a discussion with solutions. Open Journal of Mobile Computing and Cloud Computing, 1(1).
[33] Lerman L, Bontempi G, Markowitch O. (2011). Side channel attack: an approach based on machine learning. Center for Advanced Security Research Darmstadt, (pp. 29-41).
[34] Portnoy L, Eskin E., Stolfo S. (2001). Intrusion detection with unlabeled data using clustering. Proceedings of ACM CSS Workshop on Data Mining Applied to Security DMSA-2001.
[35] Sharma A., Panda S N. (2009). Intrusion detection system. Enterprise Information Systems in 21st Century: Opportunities and Challenges, (pp. 194).
[36] Garcia-Teodoro P, Diaz-Verdejo J, Maciá-Fernández G,Vázquez E. (2009). Anomaly-based network intrusion detection: Techniques, systems and challenges. computers & security, 28(1), (pp. 18-28).
[37] Vo, H. T., Wang, S., Agrawal, D., Chen, G., &Ooi, B. C. (2012). LogBase: a scalable log-structured database system in the cloud. Proceedings of the VLDB Endowment, 5(10), 1004-1015.
[38] SaadAlqahtany, Nathan Clarke, Steven Furnell, Christoph Reich. (2014). "A forensically-enabled IAAS cloud computing architecture", 12th Australian Digital Forensics Conference, , http://ro.ecu.edu.au/adf/136/
[39] Meera G, Alluri B K, Powa, D, Geethakumari G. (2015). A strategy for enabling forensic investigation in cloud IaaS. In Electrical, Computer and Communication Technologies (ICECCT), IEEE International Conference on (pp. 1-5).
[40] Munz G, Carle G. (2008). Distributed network analysis using TOPAS and wireshark. In Network Operations and Management Symposium Workshops, 2008. NOMS Workshops 2008. IEEE (pp. 161-164).
[41] Dabir A, Matrawy A. (2007). Bottleneck analysis of traffic monitoring using wireshark. In Innovations in Information Technology, 4th International Conference on (pp. 158-162).
[42] Kayacik H G, Zincir-Heywood A N, Heywood M. I (2005). Selecting features for intrusion detection: A feature relevance analysis on KDD 99 intrusion detection datasets. Proceedings of the third annual conference on privacy, security and trust.
[43] Devaraju S, Ramakrishnan, S. (2014). Performance comparison for intrusion detection system using neural network with KDD dataset. ICTACT Journal on Soft Computing, 4(3), (pp. 743-752).
[44] J B MacQueen (1967): Some Methods for classification and Analysis of Multivariate Observations, Proceedings of 5-th Berkeley Symposium on Mathematical Statistics and Probability, Berkeley, University of California Press, 1:281-297
[45] Faraoun K M, Boukelif A. (2006). Neural networks learning improvement using the K-means clustering algorithm to detect network intrusions. INFOCOMP Journal of Computer Science, 5(3), (pp. 28-36).
[46] Soumi G, Dubey S K. (2013). Comparative analysis of k-means and fuzzy c-means algorithms." IJACSA) International Journal of Advanced Computer Science and Applications 4.4
[47] David C. Hoaglin, Frederick Mosteller, John W. Tukey. Understanding robust and exploratory data analysis". Wiley, 1983. ISBN 0-471-09777-2
[48] Suryawanshi S, Jodhe P, Chawhan S, Kuthe A M. (1999). Apriori Algorithm Using Data Mining.
[49] Pasquier N, Bastide Y, Taouil R., Lakhal L. Efficient mining of association rules using closed itemset lattices. Information systems, 24(1), (pp. 25-46).
[50] Jafarzadeh H, Sadeghzadeh M, Improved. (2014). Apriori Algorithm Using Fuzzy Logic, International Journal of Advanced Research, Computer Science and Software Engineering,
[51] Han J, Pei J, Yin Y. (2000). Mining frequent patterns without candidate generation. ACM Sigmod Record (Vol. 29, No. 2. (pp. 1-12).
[52] Baset S A. (2012). Cloud SLAs: present and future. ACM SIGOPS Operating Systems Review, 46(2), (pp. 57-66).
[53] Andrzejak A., Kondo D, Yi S. (2010). Decision model for cloud computing under sla constraints. IEEE International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems (pp. 257-266).
[54] Sefraoui, O, Aissaoui M, Eleuldj M. (2012). OpenStack: toward an open-source solution for cloud computing. International Journal of Computer Applications, 55(3).
[55] Wuhib F, Stadler R, Lindgren H. (2012). Dynamic resource allocation with management objectives—Implementation for an OpenStack cloud. 8th international conference on network and service management (cnsm) and 2012 workshop on systems virtualiztion management (svm) (pp. 309-315).