Defining Security Monitoring SLAs in IaaS Clouds: the Example of a Network IDS

Abstract: In an IaaS cloud the physical infrastructure, including its security monitoring, is controlled by the service provider. Clients hosting their information system there need to trust and rely on what the provider claims. At the same time, providers give assurance for some aspects of the infrastructure (e.g. availability) through service level agreements (SLAs). We aim at extending SLAs to include security monitoring terms. In our previous study [1] we proposed a verification method for security monitoring SLAs describing the performance of a network intrusion detection system (NIDS). In this paper we address the problem of security monitoring SLA definition, specifically for the case of NIDSs in the cloud. We present the following contributions. First, we propose a security monitoring service description with relevant key performance indicators (KPIs). Second, we propose an extension to an SLA language called CSLA [2], in order to have a standard method to define security monitoring SLAs. Third, the KPIs used to describe the performance of a NIDS take a base rate parameter, representing the rate of attacks in the monitored network traffic; however, the value of the base rate is unknown at the time of SLA definition. To address this contradiction, we propose a model building method, and the resulting model is used in the SLA definition to estimate the expected performance depending on the base rate. Fourth, since there is a large number of vulnerabilities among all software products possibly used by tenants, defining an SLA requires many performance evaluation tests, which makes the process impractical. To address this, we propose a method based on rule clustering which builds a knowledge base of NIDS performance for a large number of vulnerabilities. Finally, we present experiments showing the feasibility of our methods on performance estimation and clustering of NIDS rules. We also present an analysis of the shortcomings of the proposed method.
Amir Teshome Wonjiga, Louis Rilling, Christine Morin. Defining Security Monitoring SLAs in IaaS Clouds: the Example of a Network IDS. [Research Report] RR-9263, Inria Rennes Bretagne Atlantique. 2019, pp.1-37. ⟨hal-02079860v2⟩