Securing Cloud Computing from Different Attacks Using Intrusion Detection Systems

— Cloud computing is a new way of integrating a set of old technologies to implement a new paradigm that creates an avenue for users to have access to shared and configurable resources through internet on-demand. This system has many common characteristics with distributed systems, hence, the cloud computing also uses the features of networking. Thus the security is the biggest issue of this system, because the services of cloud computing is based on the sharing. Thus, a cloud computing environment requires some intrusion detection systems (IDSs) for protecting each machine against attacks. The aim of this work is to present a classification of attacks threatening the availability, confidentiality and integrity of cloud resources and services. Furthermore, we provide literature review of attacks related to the identified categories. Additionally, this paper also introduces related intrusion detection models to identify and prevent these types of attacks.

The National Institute of Standards and Technology (NIST) defined five characteristics of cloud computing [1]: on-demand self-service, rapid elasticity or expansion, broad network access, resource pooling, and measured service.It also defined three "service models" (software, platform and infrastructure), and four "deployment models" (private, community, public and hybrid) that together categorize ways to deliver cloud services.
Figure 1 shows cloud deployment models together with their internal infrastructure (Infrastructure as a Service IaaS, Platform as a Service PaaS and Software as a Service SaaS), and the essential characteristics of this environment.
Despite the enormous technical and business benefits of cloud computing, concern for security and privacy has been one of the main obstacles that impede its widespread.
In this work, we classify security problems and attacks of cloud computing environments such as Flooding Attack, Denial of Service (DoS) attacks, Side Channel Attacks, phishing, malware Cloud Injection Attacks.To prevent these attackers, Intrusion Detection Systems (IDSs) are effective solutions to resist them.IDS can identify suspicious activities by monitoring network traffic changes, configuration of the system, logs files, and actions of end-users.When such a suspicious event is detected, IDS sends an alert message to a person or monitoring console to trigger some actions for preventing these attacks.
The remainder of this paper is structured as follows.The next section presents the main categories of cloud computing security.In Section 3, we present description of the well known attacks affecting cloud computing.Intrusion detection Systems and our types are detailed in section 4. The section 5 presents our proposed model to detect, classify and resist these types of attacks.And the last section summarizes the main contribution of this work and details our perspectives.

II. caTegORIes Of clOud secuRITy
As part of this work, we started an investigation into the security issues and attacks on cloud computing.Cloud computing also suffers from various traditional attacks such as Flooding Attack, Side Channel Attack, port scanning, denial of service (DoS), Distributed Denial of Service (DDoS) etc.We classify these attacks and problems related to the security of cloud computing in five categories, which are summarized in Table 1 [2]:  In addition to identifying cloud security issues and classifying them into several categories, we have identified dependencies among these categories and the security issues they encompass.If one of the categories is prone to certain attacks, other categories may also become prone to these attacks.

III. aTTacks RelaTed TO The clOud secuRITy caTegORIes
In what follows, we present a list of attacks on cloud.We briefly explain each attack and accompanied by a brief discussion of the consequences of the attacks in the cloud environment.Table 2 presents a summary of attack names and attack category [2] [7] [9].

A. Denial of Service Attacks
A DoS attack is an attempt to make the affected services unavailable to the authorized users In such an attack, the server providing the service is flooded with a large number of applications and therefore the service becomes unavailable for the authorized user.Sometimes when you try to access a website, we see that due to overload, the server with the website is inaccessible and we observe an error message.This occurs when the number of requests that can be processed by a server exceeds its capacity [4].
Thus, the attacker does not have to flood all n servers that provide a certain service in target, but merely can flood a single, Cloud-based address in order to perform a full loss of availability on the intended service [5].

B. Port Scanning
An attack that identifies open, closed and filtered ports on a system in cloud environment [3].In port scanning, intruders can seize information with the help of open ports like services that run on a system, IP and MAC addresses which belong to a connection, and router, gateway and firewall rules.In the scenario of Cloud, the attacker can attack the services available through the scanning of ports (discovering open ports on which these services are provided) [10].

C. Malware Injection Attacks
In the cloud computing, a lot of data is transferred between the cloud provider and the consumer; it is necessary user authentication and authorization [5].When data is transferred between the cloud provider and the user, the attacker can introduce malicious code between the two actors.
This attack requires the adversary to create its own malicious service implementation module (SaaS or PaaS) or virtual machine instance (IaaS), and add it to the Cloud system.Then, the adversary has to trick the Cloud system so that it treats the new service implementation instance as one of the valid instances for the particular service attacked by the adversary.If this succeeds, the Cloud system automatically redirects valid user requests to the malicious service implementation, and the adversary's code is executed [7].

D. Attacks on Virtual Machine (VM) or hypervisor
One of the top cloud computing threats involves one of its core enabling technologies: virtualization.In virtual environments, the attacker can take control of virtual machines installed by compromising the lower layer hypervisor.New vulnerabilities, such as zero-day vulnerability found in virtual machines (VM) that attract an attacker access to the hypervisor or other VMs installed.The zeroday vulnerability has been exploited in the application virtualization HyperVM which resulted in the destruction of many websites based on the virtual server [3].

E. Side Channel Attacks
These attacks exploit the physical properties of materials to gather information that may give a diagram or pattern of the system to attack.The fact that multiple virtual machines share the same hardware side channel attack makes it relatively easy to achieve.Without implementation of the safety device in the hardware, equipment sharing is dangerous [2].
In cloud computing environments, it is possible to map the infrastructure and identify where the virtual machine resides.It is then possible to instantiate new VMs until one is placed in co-residence with the target VM.After being instantiated, VM attacker can retrieve sensitive data from the legitimate VM attacked.This is a side channel attack-type [16].

F. Phishing Attacks
In cloud computing, phishing attacks can be classified into two categories of threats: first, as an abusive behavior in which an attacker hosts a phishing attack site on cloud by using one of the cloud services and second hijack accounts and services in the cloud through traditional social engineering techniques [8].

G. Man-In-The-Middle Cryptographic Attacks
This attack is performed when an attacker placed between two users in a cloud environment.Anytime attackers can be placed in the communication path, there is the possibility that they can intercept and change communications [9].

IV. InTRusIOn deTecTIOn sysTem
As detailed in previous section, there are different types of attacks in cloud environment.Intrusion Detection Systems (IDS) are effective solutions to detect and resist these attacks.IDSs are software or hardware systems that realize intrusion detection, log detected information, alert or perform predefined procedures [11,12].
An IDS is composed of several components [13]: • Sensors which generate security events.
• Console to monitor events and alerts and control the sensors.
• Central Engine that records events logged by the sensors in a database and uses a system of rules to generate alerts from security events received.
Mainly there are two types of IDS in cloud computing systems: Host based IDS (HIDS) and Network based IDS (NIDS).

A. Host-based Intrusion Detection Systems
A host-based intrusion detection system (HIDS) is a system that monitors a computer system on which it is installed to detect an intrusion and/or misuse, and responds by logging the activity and notifying the designated authority.A HIDS can be thought of as an agent that monitors and analyzes whether anything or anyone, whether internal or external, has circumvented the system's security policy [14].

B. Network based Intrusion Detection Systems
Network-based IDS (NIDS) observe, monitor and analyses the specified and pre-identified network traffic.It can detect different situations based on specified points and generally located between the end point devices like routers, firewalls.A NIDS is an intrusion detection system that attempts to discover unauthorized access to a network by analyzing traffic on the network for signs of malicious activities and events.An example for NIDS architecture and sensor placement is shown in Figure 3 [15].

A. Work
Our proposed model in Figure 3  if it comes from a pirate, it redirects to the IDS management service that can provide instant reports on the cloud user with an advisory report for the cloud service provider.If it is not from a pirate sends them to the cloud services.
Alerts logs are easily communicated to the user of the Cloud with an expert opinion for the cloud service provider (CSP).The server-admin on examining the security risks involved performs emergency response to the attack by identifying the source IP addresses involved in the attack could automatically generate the access lists that would drop all the packets received from that IP.If the attack type is DDoS attack, the botnet formed by all the zombie machines are blocked.The server-admin then responds to the attack by transferring the targeted applications to virtual machines hosted in another datacenter.Router automation would immediately re-route operational network links to the new location.Hence, the firewall located at the new server will block all the IP addresses that attacker used and if any genuine user is trying to connect to the server, he will be redirected to the new server.
Our model is always dynamic because there are still several days to put launched by this model such as firewall reconfiguration to block new attacker.Also update the IDS database to alert more attacks.So our model is complete to detect such kind of attack.
To manage a large number of data flow packets in such an environment IDS Approach proposed in this paper.IDS able to process huge amount of data and may reduce packet loss.After effective treatment of IDS alerts watched proposed move to a monitoring service by third parties, who in turn informs the cloud directly to users about their system under attack.Figure 3 shows the proposed IDS model.The user cloud access its data on remote servers to the service provider site on the cloud network.Applications and user actions are monitored and recorded by IDS.Alerts logs are easily communicated to the user with a cloud expert advice from cloud service provider.

B. Advantages of proposed model
1. High volume of data in cloud environment could be handled by a single node IDS through a multi-threaded approach.
2. Classify the attack to generate well organized alert Report.
3. Being at a central point, proposed Cloud IDS would be capable to carry out concurrent processing of data analysis, which is an efficient approach.
4. The automatic updates of the routing table on the network to block attacks detected 5. Automatic firewall configuration to block all IP addresses used by the attacker.

VI. cOnclusIOns
Cloud Computing is at the keen interest and numerous works has been published in this field.This research is primarily done to study the problems and attacks of cloud computing such as DOS Attack, Flooding Attack, and Phishing Attacks on Virtual Machine.Moreover, we classified these attacks into five security categories, namely: security standards, network, access, cloud infrastructure, and data.And we have detailed each one of these attacks.Also this work focuses on the effective solutions to detect this kind of attacks, including intrusion detection systems (IDSs).We propose the deployment of integrated and layered IDS on cloud that designed to cover various attacks.This IDS integrates knowledge and behavior analysis to increases a cloud's security.

TABLE I .
CLOUD SECURITY CATEGORIES.

TABLE II .
KNOWN ATTACKS ON CLOUDS.