Intrusion detection and prevention of web service attacks for software as a service: Fuzzy association rules vs fuzzy associative patterns

Abstract

Cloud computing inherits all the systems, networks as well as Web Services’ security vulnerabilities, in particular for software as a service (SaaS), where business applications or services are provided over the Cloud as Web Service (WS). Hence, WS-based applications must be protected against loss of integrity, confidentiality and availability when they are deployed over to the Cloud environment. Many existing IDP systems address only attacks mostly occurring at PaaS and IaaS. In this paper, we present our fuzzy association rule-based (FAR) and fuzzy associative pattern-based (FAP) intrusion detection and prevention (IDP) systems in defending against WS attacks at the SaaS level. Our experimental results have validated the capabilities of these two IDP systems in terms of detection of known attacks and prediction of new variant attacks with accuracy close to 100%. For each transaction transacted over the Cloud platform, detection, prevention or prediction is carried out in less than five seconds. For load and volume testing on the SaaS where the system is under stress (at a work load of 5000 concurrent users submitting normal, suspicious and malicious transactions over a time interval of 300 seconds), the FAR IDP system provides close to 95% service availability to normal transactions. Future work involves determining more quality attributes besides service availability, such as latency, throughput and accountability for a more trustworthy SaaS.

Keywords

Intrusion detection intrusion prevention software as a service fuzzy association rule web service

Get full access to this article

View all access options for this article.

References

Andreu

, Professional Pen Testing for Web Applications, Indianapolis: Wiley Publishing Inc, 2006.

Chonka

, Detecting and Mitigating HX-DoS attacks against Cloud Web Services, The 15th International Conference on Network-Based Information Systems, Melbourne, Australia, 2012, pp. 429–434.

Joshi

, Vijayan

A.S.

and Joshi

B.K.

, Securing Cloud Computing Environment against DDoS Attacks, In Proceedings of 2012 International Conference on Computer Communication and Informatics (ICCCI 2012), Combatore, India, pp. 1–5.

C.C.

, Huang

C.C.

and Ku

, A Cooperative Intrusion Detection System Framework for Cloud Computing Networks, IEEE 39th International Conference on Parallel Processing Workshops, San Diego, California, USA, 2010, pp. 280–284.

Modi

C.N.

, Patel

D.R.

, Patel

and Muttukrishnan

, Bayesian Classifier and Snort based Network Intrusion Detection System in Cloud Computing, In Proceedings of the 2012 Third International Conference on Computing Communication and Networking Technologies (ICCCNT), Tamilnadu, India, pp. 2012, 1–7.

Modi

C.N.

, Patel

D.R.

, Patel

and Muttukrishnan

, Integrating Signature Apriori based Network Intrusion Detection System (NIDS) in Cloud Computing, In Proceedings of the 2nd International Conference on Communication, Computing & Security (ICCCS-2012), pp. Rourkela, India, 906–912.

, An Effective Pattern Matching Algorithm for Intrusion Detection, In Proceedings of the IEEE International Conference on Computer Science and Electronic Engineering, Hangzhou, China, 2012, 34–38.

Nascimento

and Correia

, Anomaly-based Intrusion Detection in Software as a Service, 2011 IEEE Dependable Systems and Networks Workshops, Hong Kong, China, 2011, pp. 19–24.

Chan

G.Y.

, Lee

C.S.

and Chua

F.F.

, Fuzzy Association Rules vs Fuzzy Associative Patterns in Defending against Web Service Attacks, In Proceedings of the 12th International Conference on Fuzzy Systems and Knowledge Discovery (FSKD 2015), Zhangjiajie, China, 2015, pp. 558–563.

10.

Chan

G.Y.

, Lee

C.S.

and Heng

S.H.

, Policy-enhanced ANFIS model to counter SOAP-related attacks, Knowledge-Based System35 (2012), 64–76.

11.

Chan

G.Y.

, Lee

C.S.

and Heng

S.H.

, Discovering fuzzy association rule patterns and increasing sensitivity analysis of XML-related attacks, Journal of Network and Computer Applications36 (2013), 829–842.

12.

Kholidy

H.A.

and Baiardi

, CIDS: A Framework for Intrusion Detection in Cloud Systems, In Proceedings of the 2012 Ninth International Conference on Information Technology: New Generations (ITNG), Las Vegas, Nevada, USA, 2012, pp. 379–385.

13.

Khan

H.M.

, Chan

G.Y.

and Chua

F.F.

, An Adaptive Monitoring Framework for Ensuring Accountability and Quality of Services in Cloud Computing, In Proceedings of the 30th International Conference on Information Networking (ICOIN 2016), Kota Kinabalu, Malaysia, 2016, pp. 249–253.

14.

Arshad

, Townend

and Xu

, A novel intrusion severity analysis approach for clouds, Future Generation Computer Systems, Journal29 (2013), 416–428.

15.

Mei

, Li

, Ouyang

and Li

, A profit maximization scheme with guaranteed quality of service in cloud computing, IEEE Transaction on Computers64(11) (2015), 3064–3078.

16.

Iyengar

N.Ch.S.N.

and Banerjee

, and G.Ganapathy, A fuzzy logic based defense mechanism against distributed denial of service attack in cloud computing environment, International Journal of Communication Networks and Information Security (IJCNIS)6(3) (2014), 233–245.

17.

Shelke

P.K.

, Sontakke

and Gawande

A.D.

, Intrusion detection system for cloud computing, International Journal of Scientific & Technology Research1(4) (2012), 67–71.

18.

Mell

and Grance

, The NIST Definition of Cloud Computing, National Institute of Standards and Technology, US Department of Commerce, Special Publication 800-145, 2011. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

19.

Dhage

, Meshram

, Rawat

, Padawe

, Paingaokar

and Misra

, Intrusion Detection System in Cloud Computing Environment, In Proceedings of the International Conference & Workshop on Emerging Trends in Technology, Mumbai, India, 2011, pp. 235–239.

20.

Park

and Lee

S.R.

, Red tides prediction system using fuzzy reasoning and the ensemble method, Applied Intelligence, Journal40 (2014), 244–255.

21.

Subashini

and Kavitha

, A survey on security issues in service delivery models of cloud computing, Journal of Network and Computer Applications34(1) (2011), 1–11.

22.

Sandar

S.V.

and Shenai

, Economic denial of sustainability (EDoS) in cloud services using HTTP and XML based DDoS attacks, International Journal of Computer Applications41(20) (2012), 11–16.

23.

Karnwal

, Sivakumar

and Aghila

, A Comber Approach to Protect Cloud Computing against XML DDoS and HTTP DDoS Attack, In Proceedings of the 2012 IEEE Students’ Conference on Electrical, Electronics and Computer Science, Bhopal, India, 2012, pp. 1–5.

24.

Tuncer

and Tatar

, Detection DoS Attack on FPGA Using Fuzzy Association Rules, International Joint Conference of IEEE TrustCom-11/IEEE ICESS-11/FCST-11, 2011, pp. 1271–1276.

25.

Tupakula

, Varadharajan

and Akku

, Intrusion Detection Techniques for Infrastructure as a Service Cloud, In Proceedings of the Ninth IEEE International Conference on Dependable, Autonomic and Secure Computing, Sydney, Australia, 2011, pp. 744–751.

26.

Windows Azure. http://azure.microsoft.com/, (Accessed January –August, 2015).

27.

W.W.

, Mining significant factors affecting the adoption of SaaS using the rough set approach, Journal of Systems and Software84 (2011), 435–441.

28.

Ren

, Shen

, Wang

, Han

and Lee

, Mutual verifiable provable data auditing in public cloud storage, Journal of Internet Technology16(2) (2015), 317–324.