Developing algorithms and software solutions for detecting network attacks and protecting in cloud computing systems based on intellectual analysis of user behavior and ultra high-volume traffic patterns.
network attacks, DDOS, information security, network threat detection, cloud computing, cloud data protection, threats data model, network traffic analysis, data networks, Markov networks, pattern recognition, machine learning, self-learning, data analysis
The goal of that project is to provide new effective methods of improving information security, preventing network threats, to companies which are engaged in the development of cloud computing systems. This will significantly expand the use of cloud computing and reduce the losses for its users, also it will make possible to create and widespread use the local computing cloud systems. To achieve this goal, a complex of software and hardware solutions will be developed aimed at creating a software complex that can provide:
- networks attacks detection using the methods of detecting deviations in ultra-large volumes of traffic coming from border routers of the network and detecting uncharacteristic behavior of users;
- protection against such network attacks as obtaining unauthorized access to information and services, denial of service;
- identification of threats and risks in information security in cloud computing environment based on user behavior analysis using modern high-speed methods of data analysis.
Problem description, justification of the research relevance
Protecting information from network attacks is still a critical issue in information security of cloud computing systems and other data processing systems and data storage systems. Today there are standard methods in information security applicable in cloud environment:
- User identification and autoinfection methods;
- Limitations and delimitations of access rights, traffic volumes for users;
- Data encryption;
- Low level hardware and software protection;
- Involvement of an operator in special cases (for manual control).
These methods are necessary to provide information security in cloud environment and in data storage systems, but not enough. In cloud computing systems, data storage systems and large corporate networks there are opportunities of attack detecting based on traffic volume and user behavior analysis, but it requires an analysis of large amounts of data almost in real time.
The analysis of trends in the field of recognition of suspicious user behavior is in fact not about the information security in cloud environment and data storage systems, mainly about user behavior patterns in the network and risks associated with this — spam, likes winding. fake reposts, etc.
The analogues of proposed development
“Elastica” company (https://www.elastica.net/detect) was bought by “Blue Coat” company, a part of the world’s largest company dealing with IT security products — “Symantec”. For each procedure performed by user in the cloud, the risk level (ThreadScore) is calculated based on machine learning and self-learning. Then, based on risk levels, it is possible to program security policies. This system is only available on SAAS (cloud service) and not available to be installed on high-performance local storage systems, its mathematical apparatus is not documented and it is not suitable for use in russian clouds, as it will require data transfer to foreign sites.
The LANeye system (LANeye Network Intrusion Detection and Prevention Software, http://www.laneye.com/software/how-laneye-works/suspicious-logon-detection.htm) analyses user traffic according to pre-determined rules (for example, comparing activity with the last session) is not self-learned, does not analyse the behavior signs not related to network activity.
In this project, we plan to develop a self-learning system for detecting network attacks and protecting against them, which can be used in the cloud computing environment and also in various data storage systems and corporate networks.
Tasks and possible solutions
The main tasks of this project are:
- Selection of researches direction in the field of algorithms for detecting network attacks and software solutions to protect from them;
- Investigation of cloud computing environments architecture and information security systems architecture
- Development of algorithms for detecting network attacks based on machine learning methods;
- Define to scheme of interaction of detection and protection systems from network attacks between them and with other cloud services and user applications;
- Development of threats models for information security in the cloud environment;
- Development of traffic volumes dynamic models;
- Development of methods for dynamically building user behavior models;
- Building training samples for learning algorithms to detect network attacks;
- Development of an experimental software complex sample for detecting information security threats and protecting from them.
We propose to investigate the possibility of applying the risks transaction forecasting method based on self-learning methods, synthesis and subsequent identification of hidden Markov models using artificial neural networks in particular. These models build causal relationships between factors, that can lead to final classification of user behavior as an “attack” with greater accuracy than classical statistical learning methods.
Markov networks for a given problem formulation can be considered as one of the variants of hidden Markov time-continuous models that use the estimates of user behavior basic signs of as observable parameters. Actually, Markov models act as one of special types of neural networks.
In the course of solving that problem, two main tasks are solved:
- using a sample of observed behavioral characteristics, compile a spectrum of the most probable Markov models representing “safe” behaviors and “attack” models as a structure of interrelated actions, including a set of states corresponding to various actions preceding the attacks, possible transactions between them and their quantitative characteristics (synthesis task);
- using Markov model with given parameters, the states of which represent various actions and sequence of observed user actions, determine the most probable model of behavior (“normal” model or one of the attack types) (identification task).
This method successfully proved itself in one of the most sensitive to special situations application field — aircraft engineering.
Possible method for solving problems with detecting network attacks:
The being developed software complex receives the following information as initial data:
- user profile data;
- user traffic volume data;
- user actions data.
Software complex calculates statistical characteristics of traffic for single users and for user groups, constructs dynamic traffic volume models and stores statistical characteristics and models parameters in the database.
Software complex builds dynamic models of single user or user groups behavior based on comprehensive analysis of data on user actions, user profiles, and results of traffic volumes analysis.
Software complex detects information security threats based on analysis of reconciliation of dynamic traffic volume models and user behavior models with given traffic volumes and user behavior.
Software complex protects from network attacks using:
- notificating network management system;
- blocking connection;
- blocking user profiles;
- blocking single services.
Main expected results of the project are the following:
- detecting network attacks, based on the detection of deviations in large-volumed traffic coming from the border routers and on the detection of non-typical user behavior;
- protecting from network attacks, such as unauthorized access to information and services, denial of service.
Software complex for detecting information security threats and protecting from them created based on the developed software set of software and hardware solutions. This complex can be integrated in the cloud computing system.
Areas of application, how to use the expected results
The main area we expect is cloud computing networks. In this area, project results will be used to prevent information threats.
The results also can be applied in security systems in large corporate networks, data storage systems and data processing systems.
The main way to bring the expected results to consumers is to license the results to the industrial partner of the project. The industrial partner of this project is russian company “KNS Group” LLC (YADRO trademark, part of the National Computes Corporation group http://www.ncc.ru/structure/, www.yadro.com), which develops and manufactures hardware: computing systems and data storage systems; develops system software.
Based on the results of pilot projects on real data of industrial partner the integration of developed software complex with industrial partner products will be done. In addition, under the terms of the agreement with the industrial partner, “PAWLIN Technologies” LLC will be able to use the results of intellectual activity for further independent researches and for formation of new product proposals (independent ones or with other industrial partners).
The main consumers:
- The industrial partner will be able to use the results of ASREX as a part of the system software that provides computer networks functioning;
- The operators of cloud computing networks will be able to use the results of ASREX to develop information security services;
- Any organizations that use cloud computing to store and process corporate data will be the end users of the results of ASREX;
- Any large organizations when developing corporate networks security system.
Scientific adviser of the project
Scientific adviser of the project is Lev Semenovich Kuravskiy, Ph. D., Professor, Dean of the Faculty of Information Technologies of Moscow State University of Psychology and Education, Head of the Department of Applied Informatics and Multimedia Technologies at the Faculty of Information Technologies of Moscow State University of Psychology and Education, laureate of Russian Federation Prize in Education (2011).