
Elite: Automatic Orchestration of Elastic Detection Services to Secure Cloud Hosting

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9404)

Abstract

Intrusion detection on today’s cloud is challenging: a user’s application is automatically deployed through new cloud orchestration tools (e.g., OpenStack Heat, Amazon CloudFormation, etc.), and its computing resources (i.e., virtual machine instances) come and go dynamically during its runtime, depending on its workloads and configurations. Under such a dynamic environment, a centralized detection service needs to keep track of the state of the whole deployment (a cloud stack), scale its own computing power up and down, and dynamically allocate its existing resources and configure new resources to catch up with what happens in the application. Particularly in the case of anomaly detection, new application instances created at runtime are expected to be protected instantly, without going through conventional profile learning, which disrupts the operations of the application.

To address those challenges, we developed Elite, a new elastic computing framework, to support high-performance detection services on the cloud. Our techniques are designed to be fully integrated into today’s cloud orchestration mechanisms, allowing an ordinary cloud user to request a detection service and specify its parameters conveniently, through the cloud-formation file she submits for deploying her application. Such a detection service is supported by a high-performance stream-processing engine, and optimized for concurrent analysis of a large amount of data streamed from application instances and automatic adaptation to different computing scales. It is linked to the cloud orchestration engine through a communication mechanism, which provides the runtime information of the application (e.g., the types of new instances created) necessary for the service to dynamically configure its resources. To avoid profile learning, we further studied a set of techniques that enable reuse of normal behavior profiles across different instances within one user’s cloud stack, and across different users (in a privacy-preserving way). We evaluated our implementation of Elite on popular web applications deployed over 60 instances. Our study shows that Elite efficiently shares profiles without losing their accuracy and effectively handles dynamic, intensive workloads incurred by these applications.


Notes

  1. How long the detector needs to stay in “training mode” depends on many factors, such as the nature of the service provided by the application instances, the quality of training inputs, and to what extent the cloud user can tolerate the false positives. Precise tuning of the training time and the trade-offs involved is not the focus of this paper.

  2. Those calls need to happen on almost all intrusion vectors (as evidenced by our false negative evaluation in Sect. 4.2). Also, our design can be easily extended to accommodate other types of calls.

  3. An example here is JMeter Script Recorder, which can be provided by the cloud and customized by the user.

  4. False positives incurred by such profile sharing can be further adjusted during the system’s online operation.

  5. In addition to the contents with wildcards, those profile templates were also specialized according to the ID of the stack.
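As an added illustration (not the paper's own code or data), the profile-sharing idea sketched in the abstract and in note 5: a normal-behavior profile learned on one instance as system-call n-grams with stack-specific values replaced by a wildcard, then specialized to another stack's ID so that a freshly created instance can be checked without its own training phase. The n-gram representation, the wildcard token, the stack IDs and the traces are assumptions constructed for this example.

```python
N = 3                      # n-gram length (assumed; classic syscall-sequence IDS setting)
STACK_WILDCARD = "<STACK_ID>"

# Constructed sample traces: (syscall, argument) pairs as a detector might receive
# them from an application instance. The stack ID appears in paths and hostnames,
# so a profile learned on stack "stk-a1" would not match "stk-b2" without wildcarding.
TRAINING_TRACE = [
    ("open", "/srv/stk-a1/app.conf"), ("read", "fd3"), ("close", "fd3"),
    ("socket", "tcp"), ("connect", "db.stk-a1.internal:3306"),
    ("write", "fd4"), ("read", "fd4"), ("close", "fd4"),
]
NEW_STACK_NORMAL = [
    ("open", "/srv/stk-b2/app.conf"), ("read", "fd3"), ("close", "fd3"),
    ("socket", "tcp"), ("connect", "db.stk-b2.internal:3306"),
    ("write", "fd4"), ("read", "fd4"), ("close", "fd4"),
]
NEW_STACK_SUSPICIOUS = [
    ("open", "/srv/stk-b2/app.conf"), ("read", "fd3"), ("close", "fd3"),
    ("socket", "tcp"), ("connect", "198.51.100.7:4444"),   # endpoint never seen in training
    ("execve", "/bin/sh"),                                  # call never seen in training
]

def abstract_event(call, arg, stack_id):
    """Replace the stack's own ID inside an argument with the wildcard token."""
    return f"{call}:{arg.replace(stack_id, STACK_WILDCARD)}"

def learn_template(trace, stack_id, n=N):
    """Learn a profile template: the set of normal n-grams over abstracted events."""
    events = [abstract_event(c, a, stack_id) for c, a in trace]
    return {tuple(events[i:i + n]) for i in range(len(events) - n + 1)}

def specialize(template, stack_id):
    """Specialize a wildcarded template to a concrete stack ID (the idea in note 5)."""
    return {tuple(e.replace(STACK_WILDCARD, stack_id) for e in gram) for gram in template}

def anomalous_grams(trace, profile, n=N):
    """Return the n-grams of a trace that are absent from the given profile."""
    events = [f"{c}:{a}" for c, a in trace]
    grams = [tuple(events[i:i + n]) for i in range(len(events) - n + 1)]
    return [g for g in grams if g not in profile]

if __name__ == "__main__":
    template = learn_template(TRAINING_TRACE, "stk-a1")
    profile_b2 = specialize(template, "stk-b2")
    print("normal trace, unspecialized template:", len(anomalous_grams(NEW_STACK_NORMAL, template)))
    print("normal trace, specialized profile:   ", len(anomalous_grams(NEW_STACK_NORMAL, profile_b2)))
    print("suspicious trace, specialized profile:", anomalous_grams(NEW_STACK_SUSPICIOUS, profile_b2))
```

Without specialization the wildcarded template flags every n-gram that touches a stack-specific path; after specialization the new stack's normal trace produces no alerts, while the suspicious trace still does.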


Acknowledgments

The project is supported in part by National Science Foundation CNS-1117106, 1223477, 1223495, 1223967, 1330491, and 1408944. Yangyi Chen was also supported in part by the IBM internship program. The views and conclusions contained herein are those of the authors only and do not necessarily reflect those of the NSF or IBM.

Author information

Correspondence to Yangyi Chen.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Chen, Y., Bindschaedler, V., Wang, X., Berger, S., Pendarakis, D. (2015). Elite: Automatic Orchestration of Elastic Detection Services to Secure Cloud Hosting. In: Bos, H., Monrose, F., Blanc, G. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2015. Lecture Notes in Computer Science(), vol 9404. Springer, Cham. https://doi.org/10.1007/978-3-319-26362-5_27


  • DOI: https://doi.org/10.1007/978-3-319-26362-5_27


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26361-8

  • Online ISBN: 978-3-319-26362-5

  • eBook Packages: Computer Science (R0)
