Digging Evidence for Violation of Cloud Security Compliance with Knowledge Learned from Logs

  • Yue Yuan
  • Anuhan Torgonshar
  • Wenchang Shi (corresponding author)
  • Bin Liang
  • Bo Qin
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 960)


Security compliance auditing against standards, regulations or requirements in cloud environments is of increasing importance to boost trust between stakeholders. Many automatic security compliance auditing tools have been developed to facilitate accountability and transparency of a cloud provider to its tenants in a large-scale and complex cloud. User operations in clouds that may cause security compliance violations have attracted attention, including some management operations conducted by insider attackers. System changes induced by operations concerning security policies are captured for auditing. However, existing cloud security compliance auditing tools mainly concentrate on verification rather than on evidence provision. In this paper, we propose an automatic approach to digging evidence for security compliance violations of user operations, by mining the insights of system execution for those operations from system execution traces. Both known and potentially unknown suspicious user operation requests that may cause security compliance violations, or suspect system execution behavior changes, are automatically recognized. More importantly, evidence related to the detected suspicious requests is presented for further auditing, where the abnormal and expected snippets are marked in the relevant extracted execution traces. We have evaluated our method in OpenStack, a popular open source cloud operating system. The experimental results demonstrate the capability of our approach to detect user operation requests causing security compliance violations and to present relevant evidence.
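The abstract does not describe the learning method itself, so the following is an added illustration rather than the paper's code: a minimal trace model that learns, from constructed compliant execution traces, which events occur, which events may open or close a trace, and which adjacent transitions have been observed, then annotates a new trace by marking each event as expected or abnormal so that the abnormal snippet can be shown as evidence. All event names and traces are constructed for the example; they are not real OpenStack log templates.

```python
from collections import namedtuple

# Constructed sample traces (hypothetical event templates, not real OpenStack log
# lines): each list is the event sequence one compliant "create server" request
# produced across the API, policy, quota, scheduler and compute services.
COMPLIANT_TRACES = [
    ["api.request_received", "policy.authorize", "quota.check",
     "scheduler.select_host", "compute.spawn", "api.response_202"],
    ["api.request_received", "policy.authorize", "quota.check",
     "scheduler.select_host", "scheduler.retry", "compute.spawn",
     "api.response_202"],
]

# One annotation per trace position: the evidence shown to the auditor.
Mark = namedtuple("Mark", "index event label reason")


class TraceModel:
    """Knowledge learned from compliant traces: the set of known events, the
    events that may start or end a trace, and the observed adjacent transitions."""

    def __init__(self):
        self.events, self.starts, self.ends, self.transitions = set(), set(), set(), set()

    def fit(self, traces):
        for trace in traces:
            self.events.update(trace)
            self.starts.add(trace[0])
            self.ends.add(trace[-1])
            self.transitions.update(zip(trace, trace[1:]))
        return self

    def annotate(self, trace):
        """Return one Mark per event, labelled 'expected' or 'abnormal', plus a
        final Mark when the trace stops before any known completion event."""
        marks, prev = [], None
        for i, ev in enumerate(trace):
            if ev not in self.events:
                reason = "event never seen in compliant traces"
            elif prev is None and ev not in self.starts:
                reason = "trace does not start with a known entry event"
            elif prev is not None and (prev, ev) not in self.transitions:
                reason = f"transition {prev} -> {ev} never seen (step skipped or reordered?)"
            else:
                reason = None
            marks.append(Mark(i, ev, "abnormal" if reason else "expected", reason))
            prev = ev
        if prev not in self.ends:
            marks.append(Mark(len(trace), "<end>", "abnormal",
                              "trace ends before a known completion event"))
        return marks

    def is_suspicious(self, trace):
        return any(m.label == "abnormal" for m in self.annotate(trace))


def abnormal_events(model, trace):
    """Only the abnormal event names, i.e. the snippet an auditor would inspect."""
    return [m.event for m in model.annotate(trace) if m.label == "abnormal"]


if __name__ == "__main__":
    model = TraceModel().fit(COMPLIANT_TRACES)
    # Constructed suspicious trace: the policy authorization step is missing.
    suspect = ["api.request_received", "quota.check", "scheduler.select_host",
               "compute.spawn", "api.response_202"]
    for m in model.annotate(suspect):
        print(f"{m.index:2d} {m.label:8s} {m.event:24s} {m.reason or ''}")
```

The model deliberately flags only the first event of a deviation (here `quota.check`, because the transition from `api.request_received` straight to it was never observed), which is what makes the marked snippet useful as evidence: it points at where the execution diverged from compliant behaviour rather than at every event that followed. A real deployment would learn per-request-type models from far more traces and would need to handle interleaved requests, which this toy omits.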


Keywords: Security compliance, Cloud security, Auditing, IaaS, User operations, OpenStack



This work was supported in part by the National Natural Science Foundation of China under grants No. 61472429, 61070192, 91018008, 61303074 and 61170240, the Beijing Natural Science Foundation under grant No. 4122041, the National High-Tech Research Development Program of China under grant No. 2007AA01Z414, and the National Science and Technology Major Project of China under grant No. 2012ZX01039-004.



Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  • Yue Yuan, Anuhan Torgonshar, Wenchang Shi (corresponding author), Bin Liang, Bo Qin
  • School of Information, Renmin University of China, Beijing, China