1. Building a Cloud Computing Analysis System for Intrusion Detection System
DATE: 4/14/09
Wei-Yu Chen, Yao-Tsung Wang
National Center for High-Performance Computing, Taiwan
{waue,jazz}@nchc.org.tw
2. Taiwan Introduction
3. NCHC Introduction
The NCHC is responsible for Taiwan's cyberinfrastructure, R&D in HPC and networking applications
3 Business Units located in science parks to support local high-tech industry
The NCHC integrates information, engineering and scientific disciplines
The NCHC provides computing, networking and storage services
National Center for High-performance Computing
4. Outline
Motivation
The IDEA
Architecture
Procedure
Results
Pros and Cons
Conclusions
5. Current Situation of IDS
Intrusion Detection System (IDS)
Detecting unwanted attempts at accessing, manipulating or
disabling computer systems through the Internet.
IDS detection rate
false positive
false negative
Accuracy = top mission of IDS?
6. Alerts
An alert is produced when the IDS detects something as malicious.
Two methods of alert storage
A text log -> terrible
In a database -> mostly
7. What's the problem with alerts?
Enormous data, less efficient
Easy to ignore the crucial information!!!
Got nothing if the database crashes
8. Our Motivation
To resolve the above problems that come with the huge amount of anomaly
information generated by the IDS
9. Our IDEA - ICAS
ICAS, IDS Cloud Analysis System
Applying cloud computing techniques
Improve analysis performance
Reduce redundancy
Merge relations
10. System Architecture ICAS Overview
11. System Architecture
Snort is an open-source network intrusion prevention and
detection system
The most widely deployed intrusion detection system
Snort
12. System Architecture
Apache Hadoop Core is a software platform that lets one easily
write and run applications that process vast amounts of data.
Inspired by Google's MapReduce and Google File System (GFS)
papers
Implements MapReduce and Hadoop Distributed File System
(HDFS)
Operates on (key, value) pairs
Hadoop
13. System Architecture
HBase is the Hadoop database
An open-source, distributed, column-oriented store modeled
after Google's BigTable paper
HBase
14. System Architecture
Regular Parser
Parses the original Snort log and transfers it to HDFS (Hadoop
Distributed File System)
Analysis Procedure
Dispatches a job if the pool is not empty and inserts the result into
the database
Data Mapper
Mapping alerts to (key, value) pairs
Data Reducer
Four Components
15. Program Procedure
16. Alert Integration Procedure
17. Key - Values
The victim IP addresses
A unique ID used to identify the attack method in Snort rules
The time when the attack was launched
TCP/IP protocol
The port the attack was launched from
Victim ports
The IP address from which the malicious one launched the attack
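Added example, not code from the deck or from ICAS itself: the Regular Parser, Data Mapper and Data Reducer of slide 14 run over a constructed Snort log, keyed on the seven fields of slide 17, in plain Python rather than Hadoop so it runs stand-alone. The Snort "fast" alert layout, the field names and the choice of the timestamp as the mapped value are assumptions.

```python
import re
from collections import defaultdict

# Snort "fast" alert format, e.g. "MM/DD-HH:MM:SS.us  [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port".
# Ports are absent for ICMP, so they are optional (assumed input layout; the deck does not show its logs).
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]"
    r"\s+(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log: three alerts share one attack relation, one ICMP alert has no ports,
# and one line is not an alert at all.
SAMPLE_LOG = """\
04/14-10:23:45.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.5:51234
04/14-10:23:46.001000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.5:51234
04/14-10:24:01.500000  [**] [1:1000001:1] LOCAL ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 198.51.100.5
04/14-10:24:02.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.5:51234
garbage line that the Regular Parser must skip
"""

def parse_alert(line):
    """Regular Parser: one raw Snort line -> the seven fields of slide 17, or None if it is not an alert."""
    m = FAST_ALERT.match(line)
    if m is None:
        return None
    return {"victim_ip": m["dst"], "sid": int(m["sid"]), "time": m["ts"], "proto": m["proto"],
            "src_port": m["sport"], "victim_port": m["dport"], "attacker_ip": m["src"]}

def mapper(alert):
    """Data Mapper: key = identity of the attack relation, value = the alert's timestamp."""
    key = (alert["victim_ip"], alert["sid"], alert["proto"], alert["src_port"],
           alert["victim_port"], alert["attacker_ip"])
    return key, alert["time"]

def reducer(key, times):
    """Data Reducer: merge every alert of one relation into a single record (count and time span)."""
    times = sorted(times)
    return {"key": key, "count": len(times), "first": times[0], "last": times[-1]}

def integrate_alerts(log_text):
    """Parse -> map -> group by key (Hadoop's shuffle) -> reduce, in one process."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is not None:
            key, value = mapper(alert)
            groups[key].append(value)
    return [reducer(k, v) for k, v in groups.items()]
```

The four duplicate-heavy lines collapse to two merged records, which is the redundancy reduction the deck describes; in a real deployment `mapper` and `reducer` would be the Hadoop map and reduce tasks reading the parsed log from HDFS.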