Implementation of Digital Forensic Technique For Cloud Computing

1 Deoyani Shirkhedkar, 2 Sulabha Patil
1 M.Tech. Student (Comp. Sci. and Engg.), T.G.P.C.E.T, Nagpur, M.S., India
2 Assistant Professor, M.Tech. (CSE), T.G.P.C.E.T, Nagpur, M.S., India

Proceedings of Fifth IRF International Conference, 10th August 2014, Goa, India, ISBN: 978-93-84209-45-2

Abstract- Cloud computing has penetrated the Information Technology industry deep enough to influence major companies to adopt it into their mainstream business. A strong thrust on the use of virtualization technology to realize Infrastructure-as-a-Service (IaaS) has led enterprises to leverage the subscription-oriented computing capabilities of public Clouds for hosting their application services. A seldom discussed, but in this regard highly relevant, open issue is the ability to perform digital investigations. This continues to fuel insecurity on the sides of both providers and customers. In Cloud Forensics, the lack of physical access to servers constitutes a completely new and disruptive challenge for investigators. Due to the decentralized nature of data processing in the Cloud, traditional approaches to evidence collection and recovery are no longer practical. The main disturbing element of cloud security, i.e. DDoS attacks, has led to the establishment of various technologies to defend against DDoS attacks. This paper gives the implementation of a forensic technique which detects DDoS attacks and is used as a service provided by the CSP.

Keywords: Cloud, DDoS Attack, IaaS, Cloud forensic

I. INTRODUCTION

Cloud Computing has spread like a conflagration in the market within a short duration, travelling from buzzword to groundbreaker. Even small companies, from animation to distributed computing, have gradually started to move toward the Cloud. Virtualization is the technology that makes cloud computing possible. When large numbers of computers, storage devices, and networks are gathered together and presented to users as a user-provisioned, incrementally charged, nearly infinite resource, the cloud is born. Virtualization has become a standard part of many computer systems. A key part of virtualization is the all-powerful hypervisor, which manages the physical platform and can access all of its resources, including memory assigned to the guest virtual machines. There are several common approaches to virtualization, differing in how each controls the virtual machines. They are:

- Operating system-based virtualization
- Application-based virtualization
- Hypervisor-based virtualization

Here we discuss hypervisor-based virtualization. In two surveys carried out by International Data Corporation (IDC) in 2008 and 2009 respectively, security came top of the list. Although traditional threats are countered effectively, some unfamiliar risks have been introduced to the cloud. One such threat is the Distributed Denial of Service (DDoS) attack. The DDoS attacks which took place in recent years have aroused the need for stern steps against them. This paper gives a technique which detects the DDoS attack and unauthorized file sharing.

A. Hypervisor-Based Virtualization

The hypervisor is available at the boot time of the machine in order to control the sharing of system resources across multiple VMs. Some of these VMs are privileged partitions which manage the virtualization platform and the hosted Virtual Machines. In this architecture, the privileged partitions view and control the Virtual Machines. This approach establishes the most controllable environment and can utilize additional security tools such as intrusion detection systems.

II. VIRTUALIZATION

Virtualization is the backbone of cloud computing. Virtualization is the abstraction of a hardware or software system that lets applications run on top of the virtualized environment without needing to know the underlying resources available. The virtualized environment is otherwise known as the virtual machine (VM) [a survey on virtualization]. A hypervisor is one of many virtualization techniques which allow multiple operating systems, termed guests, to run concurrently on a host computer, a feature called hardware virtualization. It is so named because it is conceptually one level higher than a supervisor. The hypervisor presents to the guest operating systems a virtual operating platform and monitors the execution of the guest OS (guest operating systems).

Fig 1: Hypervisor-based Virtualization [30]

1) Benefits:

1. The hypervisor provides a narrow interface, nearly identical to the original hardware interface of a traditional system, to the guest OS. The hypervisor actually instructs the hardware on behalf of the guest OS. This capability allows hypervisor-based virtualization to have a secure infrastructure: the hypervisor can act as a firewall and prevent malicious users from compromising the hardware infrastructure.

2. The hypervisor is implemented below the guest OS in the cloud computing hierarchy, which means that if an attack passes the security systems in the guest OS, the hypervisor can detect it; it also provides a simplified transaction monitoring process.

3. Some services take advantage of services provided by hypervisors. For example, a service running below the operating system can fairly easily encapsulate the whole state of a virtual machine. The resulting capsule can then be used to migrate the virtual machine to another physical machine.

III. HYPERVISOR

The virtualization marketplace comprises both mature (e.g. VMWare and Xen) and up-and-coming (e.g. KVM and Hyper-V) participants. Of the four main Hypervisor offerings, which take up 93% of the total market share, two are closed-source (VMWare and Hyper-V) and two are open-source (Xen and KVM). Recent surveys suggest that the number of different Hypervisor brands deployed in datacenters is broad and expanding, with a multi-Hypervisor strategy becoming the norm.

A. KVM

KVM is a relatively new open-source project, which dates back to Red Hat's acquisition of Qumranet in 2008. Its adoption has spiked since it was made part of the main Linux kernel branch starting from version 2.6.20, becoming the main virtualization package in Ubuntu, Fedora, and other mainstream Linux operating systems. Each guest VM runs as a separate user process and has a corresponding QEMU device emulation instance running with it. The Hypervisor itself runs as a module inside a host Operating System, which makes KVM a Type-II (hosted) Hypervisor.

Fig 2: KVM Architecture [33]

IV. DDOS ATTACKS

Distributed Denial of Service (DDoS) attacks typically focus a high quantity of IP packets at specific network entry elements; usually any form of hardware that operates on a blacklist pattern is quickly overrun. A Denial-of-Service attack is a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. In cloud computing, where the infrastructure is shared by a large number of VM clients, DDoS attacks have the potential for a much greater impact than against single-tenant architectures. If the cloud does not have sufficient resources to provide services to its VMs, this may lead to undesirable DDoS conditions.

V. PROPOSED SYSTEM

A virtual machine hosted in a cloud environment can be used to commit crime, just as physical computers have been. In this section, two scenarios of criminal activities carried out in the cloud are considered, i.e., DDoS attacks and unauthorized file sharing. The environment is set up using two desktop PCs, each running Ubuntu 12.04. The open source cloud manager OpenStack is used. One of the hosts running OpenStack hosts the virtual machines. Three virtual machines are deployed in OpenStack: one virtual machine is used to launch attacks and one is used to monitor communications between the attacker and the victim virtual machine. The attacker uses the second physical host to access its virtual machine hosted in OpenStack. The monitoring virtual machine uses Wireshark and nmap to monitor activities occurring on the victim machine. In this proposed system we have created three virtual machines as follows:

1) VM1 - This is the attacker machine with IP address 10.0.1.21. Ubuntu desktop is installed on this machine for the GUI.
2) VM2 - This is the victim machine with IP address 10.0.1.16. An Apache server is installed on this machine.
3) VM3 - This is the monitor which monitors the system. The monitoring tools Wireshark and nmap are installed on this machine.

VI. IMPLEMENTATION OF PROPOSED SYSTEM

Implementation of the proposed technique is a two-step process: first set up the environment, then perform the tests.

A. Environmental Set Up

The environment is set up using two machines and installing the OpenStack cloud manager. The minimum requirements which can support several minimal instances are:

• Controller Node: 1 processor, 2 GB memory, and 5 GB storage
• Network Node: 1 processor, 512 MB memory, and 5 GB storage
• Compute Node: 1 processor, 2 GB memory, and 10 GB storage

64-bit Ubuntu 12.0 is installed on both systems.

List available security groups:
ubuntu@root:-$ secgroup-list
Security Groups

1) Launch An Instance

First open the dashboard through the browser.
OpenStack Dashboard
Launch Instance

To launch an instance, you must at least specify the flavor, image name, network, security group, key, and instance name. A flavor specifies a virtual resource allocation profile which includes processor, memory, and storage.

List available flavors:
ubuntu@root:-$ flavor-list
Flavours

List available images:
ubuntu@root:-$ image-list

List available networks:
ubuntu@root:-$ net-list

VII. EXPERIMENTS AND RESULTS

Two types of attacks have been executed on the Cloud Controller, which has been found to be simple but highly penetrable:

DDoS Attack

In this part, the "SSL DoS" tool initiates a large number of SSL handshakes with the server so that it is easy to bring down and eventually crash the cloud system. The fundamental idea is to commit large numbers of handshakes with a server after establishing a secure socket layer (SSL) connection. SSL is the protocol which sits between the Application and Network layers and ensures security and confidentiality. The attack has been performed as follows: the popular admin/hacker friendly utility hping3, basically used to test firewall rules and for nmap protocol scanning purposes, is used. The command given from the attacker VM is as follows:

ubuntu@demo1-attacker:-$ hping3 -1 172.24.4.123

Fig 3: Flooding from attacker virtual machine

Fig 4: Legitimate Traffic (before any attack) CPU Statistics

Before invoking the TCP SYN flood, the CPU statistics of the front end showed the system receiving data at a rate of 1.6 KB/s, as shown in Fig 4.

Fig 5: Resultant Traffic After Attack

In this case, a distributed attack strategy was observed. When the hping3 flood command based attack was instantiated, a sudden hike in the data received from random IP addresses was observed. The machine even stopped responding, even to opening the command line.

Unauthorized file sharing attack

Here we have used a Samba server. First we installed the Samba server on the demo1-http1 machine. Then we created a shared folder with rights as nobody. The files were created from demo1-http1 and accessed from demo1-attacker. The following commands were used:

ubuntu@demo1-http1:-$ sudo apt-get install samba
ubuntu@demo1-http1:-$ sudo nautilus
ubuntu@demo1-http1:-$ sudo-config-samba

We made the following change in the configuration file /etc/samba/samba.conf:

log level = 3

The demo1-attacker VM accessed the file stored and created by the demo1-http1 VM. We used the CRC checker and found that the CRC of the file had changed, which shows that the contents of the file were changed by the attacker.

CONCLUSION AND FUTURE SCOPE

This research work presented a technique aimed at addressing digital forensics challenges in a cloud environment. The technique addresses the issue of data acquisition in the cloud. Finally, we conclude from the results that the technique detects unauthorized file sharing and the DDoS attack successfully. It is used as a service at the CSP end; it is a SaaS application. The next step in this research involves the development of an algorithm that will extract log information from accessible locations in the crime scene. The domain knowledge representation that is used in reasoning while associating an attacker with data in the cloud is also going to be developed, along with a guideline that will be used to validate evidence collected using this service.

REFERENCES

[1] Dominik Birk, Christoph Wegener, "Technical Issues of Forensic Investigations in Cloud Computing Environments".
[2] George Sibiya, Hein S. Venter and Thomas Fogwill, "Digital Forensic Framework for a Cloud Environment", IST-Africa 2012 Conference Proceedings.
[3] Wireshark: The world's foremost network protocol analyser. [Online] Available at: http://www.wireshark.org/ [Accessed 30 November 2014].
[4] http://nmap.org/ [Accessed 10 December 2014].
[5] S. Castro, Virtual machine trojan: A new type of threat. [Online] Available at: http://www.infosegura.net/VMTthreat.html [Accessed 15 November 2014].
[6] E. W. Hobson, QinetiQ white paper: Digital investigations in the cloud, QinetiQ Digital Investigations Service, Farnborough, UK, 2010.
[7] R. Ieong, Challenges to digital forensics from cloud computing. [Online] Available at: http://www.chinaforensic.com/downloads/2011 [Accessed 15 November 2014].
[8] R. Marty, Cloud application logging for forensics. SAC, ACM, Taichung, Taiwan, March 2011.
[9] M. A. Monroe, Virtualization and Cloud Computing, Draft Version. Digital Realty Trust, drivers of data growth, part 2 edition, 2010.
[10] I. Resendez, P. Martinez, and J. Abraham, An introduction to digital forensics. [Online] Available at: http://acetweb.org/journal/ACETJournal_Vol6/ [Accessed 01 November 2014].
[11] K. Ruan, J. Carthy, T. Kechadi, and M. Crosbie, Cloud forensics: An overview. [Online] Available at: http://cloudforensicsresearch.org/publication/ [Accessed 10 November 2014].
[12] C. A. Schiller, J. Binkley, D. Harley, G. Evron, T. Bradley, C. Willems, and M. Cross, Botnets: The killer web application. Syngress Publishing, 2007.
[13] J. Shende, Digital forensic challenges within cloud computing. [Online] Available at: http://jonshende.blogspot.com/2010/10/digital-forensicchallengeswithin.html [Accessed 30 October 2011].
[14] T. Stallard and K. Levitt, Automated analysis for digital forensic science: Semantic integrity checking, University of California, One Shield Avenue, Davis, CA 95616, USA, 2003.
[15] I. Walden, Law enforcement access in a cloud environment, Queen Mary University of London, School of Law, 2011.
[16] S. Zimmerman and D. Glavach, Cyber forensics in the cloud, IAnewsletter, Volume 14, Number 1, Winter 2011, p. 4.
[17] N. Jaswanth, J. Durga, "An Integrated Research Analysis of Cloud Forensics for Secured Computing Environment", International Journal of Computer Trends and Technology (IJCTT), Volume 4, Issue 5, May 2013.
[18] Nandan Mirajkar, Mohan Barde, Harshal Kamble, Dr. Rahul Athale, Kumud Singh, "Implementation of Private Cloud using Eucalyptus and an open source Operating System".
[19] Ludwig Slusky, Parviz Partow-Navid, Mohit Doshi, "Cloud computing and computer forensics for business applications", Journal of Technology Research.
[20] Simon Ostermann, Alexandru Iosup, Nezih Yigitbasi, An Early Performance Analysis of Cloud Computing Services for Scientific Computing, Delft University of Technology, Parallel and Distributed Systems Report Series, ISSN 1387-2109.
[21] Jaliya Ekanayake, Xiaohong Qiu, Thilina Gunarathne, Scott Beason, Geoffrey Fox, "High Performance Parallel Computing with Cloud and Cloud Technologies".
[22] Siani Pearson, Yun Shen and Miranda Mowbray, A Privacy Manager for Cloud Computing.
[23] Liang Yan, Chunming Rong, and Gansen Zhao, "Strengthen Cloud Computing Security with Federal Identity Management Using Hierarchical Identity-Based Cryptography", in M. G. Jaatun, G. Zhao, and C. Rong (Eds.): CloudCom 2009, LNCS 5931, pp. 167-177, Springer-Verlag Berlin Heidelberg, 2009.
[24] Rainer Poisel, Erich Malzer and Simon Tjoa, "Evidence and Cloud Computing: The Virtual Machine Introspection Approach".
[25] Johnson D, Kiran Murari, Murthy Raju, Suseendran RB, Yogesh Girikumar, Eucalyptus Beginner's Guide - UEC Edition (Ubuntu Server 10.04 - Lucid Lynx) v1.0, 25 May 2010.
[26] Mayur S. Patil, Prof. Bharati Ainapure, "Intrusion Detection by Forensic Method in Private Cloud using Eucalyptus", International Journal of Computer Applications (0975-8887), Volume 85, No. 12, January 2014.
[27] Mohamed-K Hussein, Mohamed-H Mousa, "High-performance Execution of Scientific Multi-Physics Coupled Applications in a Private Cloud", International Journal of Advanced Research in Computer Science and Software Engineering, Volume 4, Issue 2, February 2014, ISSN: 2277 128X.
[28] G. Srinivas Reddy, "Functional Analysis of the Eucalyptus Private Cloud", International Journal of Engineering and Innovative Technology (IJEIT), Volume 2, Issue 9, March 2013, ISSN: 2277-3754.
[29] Upma Goyal, Gayatri Bhatti and Sandeep Mehmi, "A Dual Mechanism for defeating DDoS Attacks in Cloud Computing Model", International Journal of Application or Innovation in Engineering & Management (IJAIEM), Volume 2, Issue 3, March 2013, ISSN 2319-4847.
[30] Farzad Sabahi, "Secure Virtualization for Cloud Environment Using Hypervisor-based Technology", International Journal of Machine Learning and Computing, Vol. 2, No. 1, February 2012.
[31] Debojyoti Sengupta, "A Survey on Security of Hypervisor-based Virtualization System in Cloud Computing".
[32] Jakub Szefer, Ruby B. Lee, "Architectural Support for Hypervisor-Secure Virtualization", International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), March 2012.
[33] Diego Perez-Botero, Jakub Szefer and Ruby B. Lee, "Characterizing Hypervisor Vulnerabilities in Cloud Computing Servers", Workshop on Security in Cloud Computing (SCC), May 2013.
[34] Naresh Kumar, Shalini Sharma, "Study of Intrusion Detection System for DDoS Attacks in Cloud Computing", IEEE, 2013.
[35] A. M. Lonea, D. E. Popescu, H. Tianfield, "Detecting DDoS Attacks in Cloud Computing Environment", INT J COMPUT COMMUN, ISSN 1841-9836, 8(1):70-78, February 2013.
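As an added illustration of the two checks the monitoring VM performs in Section VII (example code written for this page, not code from the paper or its authors): capture records from the monitor are reduced to per-source packet counts per one-second window to flag the flood and to per-second bytes received by the victim for comparison with the Fig 4 baseline, and the CRC32 of each file on the Samba share is compared with a recorded baseline to find altered files, as the paper's CRC check does. The addresses are the paper's VM1 and VM2; the capture lines, the 100 packets/s threshold and the file contents are constructed here and are not from the experiment.

```python
"""Offline versions of the Section VII checks (added example, not the paper's code):
1. flood detection from per-source packet rate in monitoring-VM capture records;
2. Samba share integrity via CRC32 comparison against a baseline."""
import zlib
from collections import defaultdict

ATTACKER, VICTIM = "10.0.1.21", "10.0.1.16"   # VM1 and VM2 from Section V
FLOOD_THRESHOLD = 100                         # packets/s from one source (assumed)


def build_sample_capture():
    """Constructed capture lines in the form 'time src dst proto length' (not real data)."""
    lines = ["0.00 10.0.1.5 %s TCP 74" % VICTIM,
             "0.40 %s 10.0.1.5 TCP 66" % VICTIM,
             "0.90 10.0.1.7 %s TCP 60" % VICTIM]
    # hping3 -1 is ICMP mode, so the flood is modelled as 300 echo requests in one second
    lines += ["%.3f %s %s ICMP 42" % (1.0 + i * 0.003, ATTACKER, VICTIM)
              for i in range(300)]
    return "\n".join(lines)


def parse_capture(text):
    """Parse one record per line into (time, src, dst, proto, length)."""
    records = []
    for line in text.splitlines():
        t, src, dst, proto, length = line.split()
        records.append((float(t), src, dst, proto, int(length)))
    return records


def flag_floods(records, threshold=FLOOD_THRESHOLD):
    """Return {(src, second): count} for every source above threshold in a window."""
    counts = defaultdict(int)
    for t, src, _dst, _proto, _len in records:
        counts[(src, int(t))] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def rx_bytes_per_second(records, dst):
    """Bytes received by dst per one-second window (compare with the Fig 4 baseline)."""
    rate = defaultdict(int)
    for t, _src, d, _proto, length in records:
        if d == dst:
            rate[int(t)] += length
    return dict(rate)


def crc_table(files):
    """CRC32 of each file on the share; files is {name: bytes}, result {name: crc}."""
    return {name: zlib.crc32(data) & 0xFFFFFFFF for name, data in files.items()}


def changed_files(baseline, current):
    """Names whose CRC differs from the baseline, plus files added or removed."""
    names = set(baseline) | set(current)
    return sorted(n for n in names if baseline.get(n) != current.get(n))
```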