Volume 18, Issue 1




Cloud Computing-Based Forensic Analysis for Collaborative Network Security Management System

Zhen Chen, Fuye Han, Junwei Cao, Xin Jiang, Shuo Chen
Research Institute of Information Technology and Tsinghua National Laboratory for Information Science and Technology (TNList), Tsinghua University, Beijing 100084, China
Department of Computer Science and Technology, Research Institute of Information Technology and Tsinghua National Laboratory for Information Science and Technology (TNList), Tsinghua University, Beijing 100084, China
Department of Automation, Research Institute of Information Technology and Tsinghua National Laboratory for Information Science and Technology (TNList), Tsinghua University, Beijing 100084, China

Abstract

Internet security problems remain a major challenge, with many security concerns such as Internet worms, spam, and phishing attacks. Botnets, which are well-organized distributed network attacks, consist of a large number of bots that generate huge volumes of spam or launch Distributed Denial of Service (DDoS) attacks on victim hosts. Newly emerging botnet attacks degrade the state of Internet security further. To address these problems, a practical collaborative network security management system is proposed, built on an effective collaborative Unified Threat Management (UTM) and traffic probers. A distributed security overlay network with a centralized security center leverages a peer-to-peer communication protocol used in the UTMs' collaborative module and connects them virtually to exchange network events and security rules. The security functions of the UTM are retrofitted to share security rules. In this paper, we propose a design and implementation of a cloud-based security center for network security forensic analysis. We propose using cloud storage to keep the collected traffic data and then processing it on cloud computing platforms to find malicious attacks. As a practical example, phishing attack forensic analysis is presented, and the required computing and storage resources are evaluated based on real trace data. The cloud-based security center can instruct each collaborative UTM and prober to collect events and raw traffic, send them back for deep analysis, and generate new security rules. These new security rules are enforced by the collaborative UTMs, and the feedback events produced by such rules are returned to the security center. Through this type of closed-loop control, the collaborative network security management system can identify and address new distributed attacks more quickly and effectively.

Keywords: cloud computing, overlay network, collaborative network security system, computer forensics, anti-botnet, anti-phishing, Hadoop file system, Eucalyptus, Amazon Web Services


Publication history

Received: 15 December 2012
Accepted: 15 January 2013
Published: 07 February 2013
Issue date: February 2013

Copyright

© The author(s) 2013

Acknowledgements

This work is supported by the National Key Basic Research and Development (973) Program of China (Nos. 2011CB302805, 2011CB302505, 2012CB315801, and 2013CB228206) and the National Natural Science Foundation of China (No. 61233016). This work is also supported by the Intel Research Council's UPO program under the title "Security Vulnerability Analysis Based on Cloud Platform".
