Creating snort-IDS rules for detection behavior using multi-sensors in private cloud

Abstract

The private cloud system plays an important role in the present time because it has the ability to adjust to work better based on the needs of users, such as an adjustment of memory, storage units and using resources together, and private cloud is the embodiment of all resources in the system. The private cloud system has equipment, or programs using for security such as firewall. Therefore, the firewall cannot detect the intrusion behavior. So that, this paper proposes the procedure to improve the snort-IDS rules for behavior detection in private cloud. The multi-sensors are proposed for behavior detection. Each sensor will be installed in the private cloud and it will work accordance with snort-IDS rules installed in their own selves. It performs each function accordance with the configuration of snort-IDS rules. When intrusion behavior is detected by each sensor, the alert data will be sent to the alert event database. The detection performance depends on the design of appropriate snort-IDS rules. We have considered five types of the intrusion behavior such as detection port scanning behavior, surveying IP address behavior, checking operating systems behavior, detection of use the application behavior, and intrusion detection of the virus and malware behavior. In order to evaluate the detection performance, we utilized the data set from the MIT-DAPRA 1999 and Nmap. The experimental results show that the proposed multi-sensors cooperated with the proposed snort-IDS rules can detect 51 cases of intrusion behaviors.