Cloud Computing-Based Forensic Analysis for Collaborative Network Security Management System
Authors: Zhen Chen; Fuye Han; Junwei Cao; Xin Jiang; Shuo Chen
Abstract:
Internet security problems remain a major challenge, with many security concerns such as Internet worms, spam, and phishing attacks. Botnets, well-organized distributed network attacks, consist of a large number of bots that generate huge volumes of spam or launch Distributed Denial of Service (DDoS) attacks on victim hosts. Newly emerging botnet attacks degrade the state of Internet security further. To address these problems, a practical collaborative network security management system is proposed, built on collaborative Unified Threat Management (UTM) devices and traffic probers. A distributed security overlay network with a centralized security center leverages a peer-to-peer communication protocol in the UTMs' collaborative module and connects them virtually to exchange network events and security rules. The security functions of the UTM are retrofitted to share security rules. In this paper, we propose a design and implementation of a cloud-based security center for network security forensic analysis. We propose using cloud storage to keep the collected traffic data and then processing it on cloud computing platforms to find malicious attacks. As a practical example, phishing attack forensic analysis is presented, and the required computing and storage resources are evaluated on real trace data. The cloud-based security center can instruct each collaborative UTM and prober to collect events and raw traffic, send them back for deep analysis, and generate new security rules. These new security rules are enforced by the collaborative UTMs, and the feedback events produced by such rules are returned to the security center. Through this closed-loop control, the collaborative network security management system can identify and address new distributed attacks more quickly and effectively.
Keywords:
Funding: supported by the National Key Basic Research and Development (973) Program of China (Nos. 2011CB302805, 2011CB302505, 2012CB315801, and 2013CB228206); the National Natural Science Foundation of China (No. 61233016); and the Intel Research Councils UPO program under the title "Security Vulnerability Analysis Based on Cloud Platform".