Cloud computing refers to technology of providing a large scale of information technology (IT) resources using virtualization technology and distributed processing technology. Using a cloud computing service, a user may be provided with a service with respect to computing resources through the Internet. Computing resources may include a memory resource, a central processing unit (CPU) resource, a network resource, a storage resource, and the like. The user may pay an entity operating the cloud computing service a fee corresponding to an amount of computing resources used by the user.
Specifically, cloud computing refers to technology of integrating, into a single computing resource through virtualization technology, computing resources that are present at physically different positions, and providing the integrated computing resource to users. For example, cloud computing may be regarded as an “Internet based and user centered on-demand outsourcing service technology”.
Wherever Internet access is available, the user may use the computing environment of the user through the cloud computing service without restriction as to time or place. The cloud computing service charges the user a fee corresponding to the amount of resources used by the user. Also, through the computing environment of the cloud computing service, the user may be provided with all of the services such as a hardware service, a software service, an after service (AS), and the like. Accordingly, costs for maintaining and repairing a system may be reduced, costs for purchasing software may be reduced, and the amount of energy used for computing processing may be reduced.
With the increasing attention to the cloud computing service, the cloud computing service has been widely deployed under the lead of major IT companies. The cloud computing service is classified into four cloud computing service types: a public cloud service, a private cloud service, a community cloud service, and a hybrid cloud service.
The public cloud service may provide a cloud service to many and unspecified users through the Internet. The term public cloud service does not imply that the service is free or that data and source code associated with the service are open. The public cloud service may also provide a service using user access control, charging, and the like. In the public cloud service, a service provider manages user information and the resources of the cloud computing service may be shared among users. Accordingly, the public cloud service may have a weakness in protecting personal information of a user.
The private cloud service may provide the same computing environment as the public cloud service. The private cloud service indicates a cloud service that enables a predetermined company or institution to directly manage the cloud computing service, its data, and its processes. Specifically, the private cloud service may be a closed cloud service type that blocks external access and allows access only by authorized users for security.
A community cloud service refers to a cloud computing service for a group of predetermined users. The community cloud service may assign an access right only to members of the predetermined group. Members of the group may share data, an application, and the like through the community cloud service.
A hybrid cloud service refers to a service in which the public cloud service and the private cloud service are combined. The hybrid cloud service may basically provide the public cloud service and may follow a policy of the private cloud service with respect to data and a service that a user does not desire to share.
A structure of the cloud computing service may be classified into an infrastructure-type service structure, a platform-type service structure, and a software service structure. The infrastructure-type service structure may provide a user-tailored computing environment based on requirements of a user. The platform-type service structure may provide an environment in which a user may select and use a platform suitable for the computing purpose of the user. The software service structure may provide an environment in which a user may select and use software suitable for a usage purpose.
Intrusion detection is a process of analyzing an intrusion attack signal occurring in a computer system or a network. The intrusion attack signal may include traffic overload, unauthorized acquisition of access rights, and the like.
An intrusion may occur for a variety of reasons, for example, a malicious code. For example, an attacker may make an unauthorized access through the Internet. Also, an authorized user may abuse the rights of the user or may attempt to acquire rights the user does not hold. Even though some intrusions may be malicious, many intrusions are not malicious. For example, a user may erroneously input a computer address. Due to the erroneously input computer address, a connection to another system that the user has no right to access may be attempted.
An intrusion detection system may automatically perform a detection process with respect to the aforementioned intrusion. The intrusion detection system is a system of detecting an intrusion action in real time by analyzing a signal that threatens a computing resource. The intrusion detection system may monitor an event occurring in a computer system or a network in order to analyze the signal. The intrusion detection system may analyze the signal based on a security policy, known intrusion cases, and the like.
The intrusion detection system may be classified into two types. The two types may include a network-based intrusion detection system (NIDS) and a host-based intrusion detection system (HIDS).
The NIDS may be operated as a single independent system on a network. The NIDS has advantages in that network resources are not consumed and the monitored data is not tampered with during monitoring. Also, the NIDS may monitor and inspect traffic with respect to the overall network. The NIDS has disadvantages in that its false detection rate is high and, in a network having high traffic, many packets are not inspected.
The HIDS may be additionally installed in an operating system (OS) of a computer system, or may be installed in a general client and thereby be operated. The HIDS may collect and analyze data such as system calls, application logs, file system modifications, the activity of other hosts associated with the host, the state of those other hosts, and the like. Using the above collection and analysis, intrusion detection may be performed. The HIDS does not perform intrusion detection with respect to the overall network. Also, the HIDS is positioned within a host and thus may become a target of an intrusion attack together with the host.
An intrusion detection scheme may be classified into a misuse detection scheme and an anomaly detection scheme.
In the misuse detection scheme, a currently occurring signal such as log information or a packet is compared with a signature list through a character string comparison operation. The misuse detection scheme may detect an intrusion through the above comparison and thus is very effective in detecting a known threat. However, the misuse detection scheme may be ineffective in detecting a previously unknown threat, a disguised threat using evasion techniques, or a variant of a known threat.
Across various networks and various types of application programs, the range in which a signature-based detection scheme such as the misuse detection scheme is applicable may be relatively narrow. Also, in complex communication, the signature-based detection scheme may be unsuitable for attack detection. As described above, the misuse detection scheme performs intrusion detection through pattern comparison against known attack patterns. Accordingly, the misuse detection scheme is vulnerable to a new attack pattern not included in the known attack patterns, and the known attack patterns need to be continuously updated.
The anomaly detection scheme defines normal traffic and signals and designates an allowed deviation from them. The anomaly detection scheme detects an attack when the traffic or signal deviates beyond that range. An intrusion detection system using the anomaly detection scheme may define a normal action of a target to be detected, such as a user, a host, a network connection, an application, and the like, and may set an allowable range with respect to an action of the target to be detected. The allowable range is the normal range of the action of the target to be detected. The anomaly detection scheme may recognize that an attack has occurred when the action of the target to be detected deviates from the allowable range within a predetermined time unit. The recognized attack may be reported to a manager.
The anomaly detection scheme may compare a current activity and the general activity of the target to be detected using a statistical method. When an anomaly is detected as the comparison result, the anomaly detection scheme may notify the manager that the anomaly is detected. For example, the detected anomaly may correspond to a case in which the target to be detected uses bandwidth beyond the allowable range. The anomaly detection scheme may set the allowable range based on an action attribute such as the number of e-mails transmitted by a user, the number of times that the user has failed to log in, the amount of processor usage of a host that the user has used during a predetermined period of time, and the like. Here, the predetermined period of time may be a day, a week, and the like. The anomaly detection scheme may be very effective in detecting a threat that is not yet known.
A training period is a predetermined period of time used to set a threshold. In the anomaly detection scheme, the threshold may be set in a fixed manner or in a flexible manner. With a fixed threshold, the threshold does not change unless the intrusion detection system sets a new threshold. With a flexible threshold, the threshold is continuously adjusted every time an additional event occurs in the intrusion detection system. In the anomaly detection scheme, an intrusion attack that stays within the threshold frequently occurs. Also, fine-grained setting of a threshold may impose a heavy burden on computing activities and may degrade computing performance.
For example, when a predetermined maintenance activity that requires transmission of a large file occurs only once per month, the maintenance activity may not appear during the training period. When the maintenance activity then occurs, the anomaly detection scheme may regard the maintenance activity as an intrusion and trigger an alert.
In a flexible environment, a normal activity that exceeds the threshold may be present. Accordingly, the anomaly detection scheme may make a false positive decision. Another noticeable issue in using the anomaly detection scheme is that, when a large amount of complex traffic occurs, it may be very difficult to make a correct analysis and decision about intrusion detection using the anomaly detection scheme.
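A worked illustration of the training period, the fixed versus flexible threshold, and the false positive on the maintenance burst, added here as an example rather than as text from the original; the daily failed-login counts, the hypothetical `fixed_threshold` and `FlexibleThreshold` names, and the exponentially weighted update rule are constructed assumptions:

```python
# Added example (not from the original text): anomaly detection on daily
# failed-login counts with a fixed threshold versus a flexible (adaptive) one.
# All names and the sample counts are constructed assumptions for illustration.
from statistics import mean, pstdev

# Constructed training period: failed logins per day for one user over 7 days.
TRAINING = [3, 4, 2, 5, 3, 4, 3]
# Constructed: a normal day, then a legitimate once-a-month maintenance burst
# that never appeared in the training period.
MAINTENANCE = [4, 12]
# Constructed: activity that creeps upward a little each day.
CREEP = [5, 6, 7, 8, 9, 10, 11]


def fixed_threshold(training, k=3.0):
    """Mean plus k standard deviations of the training period; never changes."""
    return mean(training) + k * pstdev(training)


class FlexibleThreshold:
    """Threshold re-estimated after every event using an exponentially weighted
    mean and variance, so recent activity shifts the allowable range."""

    def __init__(self, training, alpha=0.2, k=3.0):
        self.mu = mean(training)
        self.var = pstdev(training) ** 2
        self.alpha, self.k = alpha, k

    def threshold(self):
        return self.mu + self.k * self.var ** 0.5

    def observe(self, count):
        """Return True if count exceeds the current threshold, then adapt."""
        exceeded = count > self.threshold()
        d = count - self.mu
        self.mu += self.alpha * d
        self.var = (1 - self.alpha) * (self.var + self.alpha * d * d)
        return exceeded


def detect(training, observed, k=3.0):
    """Alert decisions of both schemes for each observed daily count."""
    fixed = fixed_threshold(training, k)
    flexible = FlexibleThreshold(training, k=k)
    return [
        {"count": c, "fixed_alert": c > fixed, "flexible_alert": flexible.observe(c)}
        for c in observed
    ]


if __name__ == "__main__":
    for row in detect(TRAINING, MAINTENANCE) + detect(TRAINING, CREEP):
        print(row)
```

Both schemes alert on the legitimate maintenance burst (a false positive), while the flexible threshold, because it adapts to every event, raises no alert on the slowly creeping series that the fixed threshold flags from the third day onward.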
Even though the aforementioned NIDS and HIDS are intrusion detection systems that are widely used in the existing Internet environment, the NIDS and the HIDS may be unsuitable for a cloud environment.
The NIDS is positioned within a network to provide traffic analysis and monitoring with respect to the overall network in which the NIDS is positioned.
However, a cloud computing service may also form a virtual network within the cloud computing system using virtualization technology. The NIDS does not consider an intrusion between internal virtual machines, an intrusion between cloud computing service providers, and the like. Accordingly, the NIDS may be unsuitable for the cloud environment.
The HIDS is positioned in each host to inspect log information of the host, inspect applications executed in the host, monitor communication with other hosts, and the like. Inspection and monitoring by the HIDS are performed independently for each host. Accordingly, the HIDS may be vulnerable to a large-scale intrusion attack or a coordinated attack.
Accordingly, there is a desire for a new intrusion detection system suitable for a cloud environment.