The evolving trends of mobility, cloud computing and collaboration have blurred the perimeter separating corporate networks from the wider world. These new tools and business models enhance productivity and present new opportunities for competitive advantage although they also introduce new risks. Currently, security is one of the most limiting issues for technological development in fields such as Internet of Things or Cyber-physical systems. This work contributes to the cyber security research field with a design that can incorporate advanced scheduling algorithms and predictive models in a parallel and distributed way, in order to improve intrusion detection in the current scenario, where increased demand for global and wireless interconnection has weakened approaches based on protection tasks running only on specific perimeter security devices. The aim of this paper is to provide a framework to properly distribute intrusion detection system (IDS) tasks, considering security requirements and variable availability of computing resources. To accomplish this, we propose a novel approach, which promotes the integration of personal and enterprise computing resources with externally supplied cloud services, in order to handle the security requirements. For example, in a business environment, there is a set information resources that need to be specially protected, including data handled and transmitted by small mobile devices. These devices can execute part of the IDS tasks necessary for self-protection, but other tasks could be derived to other more powerful systems. This integration must be achieved in a dynamic way: cloud resources are used only when necessary, minimizing utility computing costs and security problems posed by cloud, but preserving local resources when those are required for business processes or user experience. In addition to satisfying the main objective, the strengths and benefits of the proposed framework can be explored in future research. This framework provides the integration of different security approaches, including well-known and recent advances in intrusion detection as well as supporting techniques that increase the resilience of the system. The proposed framework consists of: (1) a controller component, which among other functions, decides the source and target hosts for each data flow; and (2) a switching mechanism, allowing tasks to redirect data flows as established by the controller scheduler. The proposed approach has been validated through a number of experiments. First, an experimental DIDS is designed by selecting and combining a number of existing IDS solutions. Then, a prototype implementation of the proposed framework, working as a proof of concept, is built. Finally, singular tests showing the feasibility of our approach and providing a good insight into future work are performed.

Introduction

Over the past decade, IT environments have become increasingly vulnerable. The evolving trends of mobility, cloud computing and collaboration, have blurred the perimeter separating corporate networks from the wider world. 5 While increased mobility may make an organisation and its employees more productive, it also creates layers of complexity for securing the enterprise [1]. In the coming years, cyber attacks will almost certainly intensify. Networking technology vendor Cisco Systems forecasts that by 2020, 50 billion devices will be connected to the Internet, including a large portion of industrial, mili10 tary and aerospace related devices and systems. Each new thing that connects to cyberspace is a potential target for a cyber attack [2]. One of the main approaches to information security and cyber security (see [3] for a discussion about the difference between these two terms) has been the development and deployment of intrusion detection systems (IDS) [4]. An IDS 15 dynamically controls the operations that need to be considered in an environment by monitoring log files, network traffic or other sources. Then, it infers whether these actions indicate an attack or they are usual practices in the environment [5]. Many intrusion detection techniques, frameworks, projects, and products have been developed since the proposal of this approach. Currently, 20 the interest of diverse IDS approaches is growing as shown by the recent works in anomaly detection [6, 7], wireless sensor networks [8], mobile agents [9], new statistical and machine learning techniques [10, 11, 12], smart grids [13], among many others. Taking into account the current scenario, where the network perimeter is 25 increasingly complex, having a number of instances of IDS processes deployed in select interconnection devices and security solutions, has become ineffective. Furthermore, the classical “insiders” vs. “outsiders” distinction when referring to network attackers could be irrelevant, since an outsider computer can become internal without breaking any physical barrier by means of wireless network 30 attacks (other reasons for fighting insider threats can be found in [14]). Ideally, an effective network IDS should be able to examine all the data flows between all computers regardless of its position in relation to corporate firewalls. Figure 1 gives a simplified view of this evolution of the connectivity and the implications on the required security processes.