Conference: 2016 16th IEEE International Conference on Computer and Information Technology

CIDS: Adapting Legacy Intrusion Detection Systems to the Cloud with Hybrid Sampling


Abstract

Many attacks originate from inside, and security problems within cloud-computing platforms are becoming more and more severe. Although many Intrusion Detection Systems (IDSs) help monitor and protect the inbound and outbound traffic of data centers, it is still challenging to deploy an IDS inside a cloud-computing platform due to the extremely high internal bandwidth and the lack of a single ingress point at which to deploy the IDS. This paper presents two ideas allowing traditional IDSs to be adapted to the cloud environment: software-defined-networking (SDN) based packet collection and a hybrid sampling algorithm to significantly reduce the workload on the IDS. We integrate our data collector in the Open vSwitch of every physical server, making packet capture highly efficient. Our hybrid sampling algorithm combines both flow statistics and IDS feedback to intelligently choose which packets to sample. The sampling rate is determined by the current workload in the cloud, thus minimizing the effect on the normal workload. We evaluate our prototype CIDS on a 125-server production OpenStack cloud using real-world attack traces, and demonstrate the effectiveness of our approach.