International Journal of Computer Applications (0975-8887)
Volume 41, No. 1, March 2012

Managing Intrusion Detection as a Service in Cloud Networks

Hatem Hamad
The Islamic University of Gaza
Gaza, Palestine

Mahmoud Al-Hoby
The Islamic University of Gaza
Gaza, Palestine

ABSTRACT
Cloud computing is frequently used to eliminate the need for local information resources. In this paper, we address the problem of intrusion detection in cloud environments and the possibility of providing intrusion detection to clients as a service. The paper describes the Cloud Intrusion Detection Service (CIDS), which is intended to function as an intrusion detection web service offered to cloud clients in a service-based manner. CIDS utilizes the "Snort" open source intrusion detection system. The operating logic and user access web pages were developed using J2EE. We implemented a proof-of-concept prototype to evaluate its performance. CIDS proved to be very friendly to resource allocation. Additionally, CIDS gave better attack detection rates and attack detection times than other solutions. These improvements can benefit cloud providers and cloud subscribers alike.

General Terms
Cloud Computing, Intrusion Detection Management

Keywords
Cloud Computing; CRE; Intrusion Detection; SaaS

1. INTRODUCTION
Cloud computing is a large-scale distributed computing paradigm driven by economies of scale, in which a pool of abstracted, virtualized, dynamically scalable, managed computing power, storage, platforms, and services is delivered on demand to external customers over the Internet [1]. The cloud computing paradigm is usually linked to the SaaS, or Software as a Service, model [2]. This service model works by providing applications to end users in a service-based manner. A recent addition to cloud services is security-related services, in what is termed Security-as-a-Service [3].
Different systems have been made available to provide security products to end users in a service-based manner. These include many product services and types such as Remote Vulnerability Scanning [4], Webroot's Email and Web Security SaaS [5], and Panda's Managed Office Protection [6].

In this paper, we design and implement a security-related cloud service. More specifically, we design the Cloud Intrusion Detection Service (CIDS). CIDS is intended to be used as a service-based intrusion detection system to which cloud clients can subscribe.

The remainder of this paper is organized as follows. In section 2, we define the main problem addressed by this paper. In section 3, we describe some of the currently published papers that are specific to cloud intrusion detection solutions. In section 4, we introduce CIDS and describe our approach to the solution. In section 5, we test and evaluate the different performance measures of this system. We conclude in section 6.

2. PROBLEM DEFINITION
Intrusion detection systems are commonly used by network administrators to monitor the traffic exchanged between different network segments. When traditional local server-based network environments are replaced with cloud-based network infrastructure, system administrators need to purchase additional services from the cloud provider in order to deploy their own network intrusion detection systems.

This paper discusses the effective design of an intrusion detection system that can be integrated with the services available in cloud networks. The main idea is to provide intrusion detection as a service for cloud users. This in turn enables clients to choose the protection settings they wish to use through a simple and easy-to-use web interface. Currently, multiple research activities have been introduced to address the issue of intrusion detection within cloud computing environments.
These activities can be classified into those that detect intrusions against the cloud itself and those that detect attacks targeting individual machines inside the cloud. Our study addresses the latter type. More specifically, it covers service-based or subscription-based intrusion detection, a field that has not received as much attention as classical intrusion detection activities.

The required intrusion detection framework has several desired criteria, which are needed to comply with the traditional SaaS service models. These include the ability of users to subscribe to or unsubscribe from the service, to change subscription requirements (i.e. protection requirements), to pay according to the size and complexity of the subscription database, and for the service to be easy to use.

3. CURRENT STATUS
Multiple research activities have been introduced to address the issue of intrusion detection within cloud computing environments. Dastjerdi et al. [7] applied an agent-based IDS as a security solution for the cloud. The model they proposed was an enhancement of DIDMA [8]. The system is mainly designed to protect the network's resources and cannot be customized as a service.

Bakshi et al. [9] proposed another cloud intrusion detection solution. Its main concern was protecting the cloud from DDoS attacks. The model installs an intrusion detection system on the virtual switch to detect DDoS attacks. Despite being reported as effective, the model helps to protect the cloud itself, not the cloud clients, who in turn have no authority over the intrusion detection system being used. Another recent