Multi-level Intrusion detection system in cloud environment based on trust level

Z. Salek, F. M. Madani
2016 6th International Conference on Computer and Knowledge Engineering (ICCKE), published 2016-10-01. DOI: 10.1109/ICCKE.2016.7802122 (https://doi.org/10.1109/ICCKE.2016.7802122)
Citations: 6

Abstract

Cloud computing is a new way to address a wide range of resource needs. The cloud environment provides a framework for dynamic and scalable use of services, with access to computing and data storage resources on a pay-per-usage model. Although the cloud has many known advantages, security is still one of its most challenging issues. Intrusion detection systems (IDS) are a common security tool that can also be used in a cloud environment to increase the level of security. But conventional intrusion detection systems cannot fully handle the features of the cloud, such as its highly distributed nature or its variety of services. Security needs also differ for each service or user of different cloud service providers. In this study we propose a multi-level architecture for an intrusion detection system based on the risk level identified for each user. A user's risk level is defined through the computed trust level, since the risk level can be taken as the reverse of the trust level for each user. Using the identified trust level, users are categorized into three groups: “High risk”, “Medium risk” and “Low risk”. After the risk levels are identified and users are assigned to a security group, a pre-configured IDS agent is assigned to the user's virtual machine. IDS agents are configured in three types, HIDS, MIDS and LIDS, corresponding to the security groups described above. These three types of IDS agents vary in the number of rules in their rule set and in the configuration of rules at each level. A higher-level agent for each type of IDS controls performance and updates the rule sets. A global agent collects alert logs and analyzes them to detect correlation among alerts. This architecture improves resource usage, time and packet drop without a tangible impact on accuracy.