In order to resolve huge amount of anomaly information generated by Intrusion Detection System (IDS), this paper presents and evaluates a log analysis system for IDS based on Cloud Computing technique, named IDS Cloud Analysis System (ICAS). To achieve this, there are two basic components have to be designed. First is the regular parser, which normalizes the raw log files. The other is the Analysis Procedure, which contains Data Mapper and Data Reducer. The Data Mapper is designed to anatomize alert messages and the Data Reducer is used to aggregates and merges. As a result, this paper will show that the performance of ICAS is suitable for analyzing and reducing large alerts.

1. Building a Cloud Computing Analysis System for Intrusion Detection System DATE:4/14/09 Wei-Yu Chen, Yao-Tsung Wang National Center for High-Performance Computing, Taiwan {waue,jazz}@nchc.org.tw

2. Taiwan Introduction

3. NCHC Introduction The NCHC is responsible for Taiwan’s cyberinfrasructure, R&D in HPC and networking applications 3 Business Units located in science parks to support local high tech industry The NCHC integrates information, engineering and scientific disciplines The NCHC provides computing, networking and storage services National Center for High-performance Computing

10. System Architecture ICAS Overview

15. Program Procedure

16. Alert Integration Procedure

17. Key - Values The victim IP addresses A unique ID used to identify attack method in Snort rules The time when the attack was launghed TCP/IP protocol Attack was lunched from this port Victim ports The IP address where malicious one launghed attack

18. Alert Merge Example 6007,6008 5002 4077,5002 T5 T4 T1,T2,T3 53 443 80,443 tcp, udp tcp tcp Sip3,Sip4,Sip5 ,Sip6 D.D.O.S. Host_3 Sip1 Trojan Host_2 Sip1,Sip2 Trojan Host_1 Values Key T5 tcp 6008 53 Sip6 D.D.O.S Host_3 T5 udp 6007 53 Sip5 D.D.O.S Host_3 T5 tcp 6008 53 Sip4 D.D.O.S Host_3 T5 udp 6007 53 Sip3 D.D.O.S Host_3 T4 tcp 5002 443 Sip1 Trojan Host_2 T3 tcp 5002 443 Sip1 Trojan Host_1 T2 tcp 4077 80 Sip2 Trojan Host_1 T1 tcp 4077 80 Sip1 Trojan Host_1 Timestamp Packet Protocol Source Port Destination Port Source IP Attack Signature Destination IP

20. Experimental Result The Consuming Time of Each Number of Data Sets

21. Experimental Result Throughput Data Overall

24. Thank You ! & Question ? DATE:4/14/09