LeaPS: Learning-Based Proactive Security Auditing for Clouds

  • Suryadipta Majumdar
  • Yosr Jarraya
  • Momen Oqaily
  • Amir Alimohammadifar
  • Makan Pourzandi
  • Lingyu Wang
  • Mourad Debbabi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10493)


Cloud security auditing assures the transparency and accountability of a cloud provider to its tenants. However, the high operational complexity implied by the multi-tenancy and self-service nature, coupled with the sheer size of a cloud, implies that security auditing in the cloud can become quite expensive and non-scalable. Therefore, a proactive auditing approach, which starts the auditing ahead of critical events, has recently been proposed as a promising solution for delivering practical response time. However, a key limitation of such approaches is their reliance on manual efforts to extract the dependency relationships among events, which greatly restricts their practicality and adoptability. In this paper, we propose a fully automated approach, namely LeaPS, leveraging learning-based techniques to extract dependency models from runtime events in order to facilitate the proactive security auditing of cloud operations. We integrate LeaPS into OpenStack, a popular cloud platform, and perform extensive experiments in both simulated and real cloud environments that show a practical response time (e.g., 6 ms to audit a cloud of 100,000 VMs) and a significant improvement (e.g., about 50% faster) over existing proactive approaches.


Keywords: Proactive auditing, Security auditing, Cloud security, OpenStack



The authors thank the anonymous reviewers for their valuable comments. We also thank Anandamayee Majumdar for her insightful suggestions. This work is partially supported by the Natural Sciences and Engineering Research Council of Canada and Ericsson Canada under CRD Grant N01566.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Suryadipta Majumdar (1)
  • Yosr Jarraya (2)
  • Momen Oqaily (1)
  • Amir Alimohammadifar (1)
  • Makan Pourzandi (2)
  • Lingyu Wang (1)
  • Mourad Debbabi (1)

  1. CIISE, Concordia University, Montreal, Canada
  2. Ericsson Security Research, Montreal, Canada
