Abstract
A hybrid cloud combines a trusted private cloud with a public cloud owned by an untrusted cloud provider. This is problematic: When a hybrid cloud shifts computation from its private to its public part, it must trust the public part to execute the computation as intended. We show how public-cloud providers can use dynamic anomaly detection to increase their clients’ trust in outsourced computations. The client first defines the computation’s reference behavior by running an automated dynamic analysis in the private cloud. The cloud provider then generates an application profile when executing the outsourced computation for its client, persisted in tamper-proof storage. When in doubt, the client checks the profile against the recorded reference behavior. False positives are identified by re-executing the dubious computation in the trusted private cloud, and are used to re-fine the description of the reference behavior. The approach is fully automated. Using 3,000 harmless and 118 malicious inputs to different Java applications, we show that our approach is effective. In particular, different characterizations of behavior can yield anything from low numbers of false positives to low numbers of false negatives, effectively trading trustworthiness for computation cost in the private cloud.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Ammons, G., Ball, T., Larus, J.R.: Exploiting hardware performance counters with flow and context sensitive profiling. In: Proc. of the 10th Conference on Programming Language Design and Implementation (PLDI), pp. 85–96 (1997)
Apache Software Foundation. The Apache Java PDF Library (PDFbox), http://pdfbox.apache.org/
Apache Software Foundation. The Java API for Microsoft Documents (Apache POI), http://poi.apache.org/
Benabbas, S., Gennaro, R., Vahlis, Y.: Verifiable Delegation of Computation over Large Datasets. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 111–131. Springer, Heidelberg (2011)
Bodden, E., Sewe, A., Sinschek, J., Oueslati, H., Mezini, M.: Taming reflection: Aiding static analysis in the presence of reflection and custom class loaders. In: Proc. of the 33rd International Conference on Software Engineering (ICSE), pp. 241–250 (2011)
Bond, M.D., McKinley, K.S.: Probabilistic calling context. In: Proc. of the 22nd Conference on Object-Oriented Programming, Systems, Languages and Applications (OOPSLA), pp. 97–112 (2007)
Ernst, M.D., Cockrell, J., Griswold, W.G., Notkin, D.: Dynamically discovering likely program invariants to support program evolution. In: Proc. of the 21st International Conference on Software Engineering (ICSE), pp. 213–224 (1999)
Feng, H.H., Kolesnikov, O.M., Fogla, P., Lee, W., Gong, W.: Anomaly detection using call stack information. In: Proc. of the 2003 IEEE Symposium on Security and Privacy (S&P), pp. 62–75 (2003)
Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A sense of self for Unix processes. In: Proc. of the 1996 Symposium on Security and Privacy (S&P), pp. 120–128 (1996)
Gamma, E., Helm, R., Johnson, R., Vlissides, J.M.: Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley Professional (1994)
Gao, D., Reiter, M.K., Song, D.: Gray-box extraction of execution graphs for anomaly detection. In: Proc. of the 11th Conference on Computer and Communications Security (CCS), pp. 318–329 (2004)
Gennaro, R., Gentry, C., Parno, B.: Non-interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 465–482. Springer, Heidelberg (2010)
Gruska, N., Wasylkowski, A., Zeller, A.: Learning from 6,000 projects: Lightweight cross-project anomaly detection. In: Proc. of the 19th International Symposium on Software Testing and Analysis (ISSTA), pp. 119–130 (2010)
Gu, L., Cheng, Y., Ding, X., Deng, R.H., Guo, Y., Shao, W.: Remote Attestation on Function Execution (Work-in-Progress). In: Chen, L., Yung, M. (eds.) INTRUST 2009. LNCS, vol. 6163, pp. 60–72. Springer, Heidelberg (2010)
Gu, L., Ding, X., Deng, R.H., Xie, B., Mei, H.: Remote attestation on program execution. In: Proc. of the 3rd Workshop on Scalable Trusted Computing (STC), pp. 11–20 (2008)
Gutzmann, T., Löwe, W.: Custom-made instrumentation based on static analysis. In: Proc. of the 9th International Workshop on Dynamic Analysis, WODA (2011)
Haldar, V., Chandra, D., Franz, M.: Semantic remote attestation: a virtual machine directed approach to trusted computing. In: Proc. of the 3rd Conference on Virtual Machine Research and Technology Symposium, pp. 3–20 (2004)
Hangal, S., Lam, M.S.: Tracking down software bugs using automatic anomaly detection. In: Proc. of the 24th International Conference on Software Engineering (ICSE), pp. 291–301 (2002)
Inoue, H., Forrest, S.: Anomaly intrusion detection in dynamic execution environments. In: Proc. of the 2002 Workshop on New Security Paradigms (NSPW), pp. 52–60 (2002)
Karabulut, Y., Kerschbaum, F., Massacci, F., Robinson, P., Yautsiukhin, A.: Security and trust in IT business outsourcing: a manifesto. ENTCS 179, 47–58 (2007)
Kohavi, R.: A study of cross-validation and bootstrap for accuracy estimation and model selection. In: Proc. of the International Joint Conference on Artificial Intelligence (IJCAI), pp. 1137–1143 (1995)
Lacity, M.C., Khan, S.A., Willcocks, L.P.: A review of the IT outsourcing literature: Insights for practice. The Journal of Strategic Information Systems 18(3), 130–146 (2009)
Liang, S., Bracha, G.: Dynamic class loading in the java virtual machine. In: Proc. of the 13th Conference on Object-Oriented Programming, Systems, Languages and Applications (OOPSLA), pp. 36–44 (1998)
Pradel, M., Gross, T.R.: Automatic generation of object usage specifications from large method traces. In: Proc. of the 24th International Conference on Automated Software Engineering (ASE), pp. 371–382 (2009)
Sailer, R., Zhang, X., Jaeger, T., van Doorn, L.: Design and implementation of a TCG-based integrity measurement architecture. In: Proc. of the 13th USENIX Security Symposium, pp. 1–16 (2004)
Sarimbekov, A., Sewe, A., Binder, W., Moret, P., Mezini, M.: JP2: Call-site aware calling context profiling for the Java Virtual Machine. Science of Computer Programming (2012), doi:10.1016/j.scico.2011.11.003
Sarimbekov, A., Sewe, A., Binder, W., Moret, P., Schöberl, M., Mezini, M.: Portable and accurate collection of calling-context-sensitive bytecode metrics for the Java Virtual Machine. In: Proc. of the 9th Conference on the Principles and Practice of Programming in Java (PPPJ), pp. 11–20 (2011)
Scarlata, V., Rozas, C., Wiseman, M., Grawrock, D., Vishik, C.: Tpm virtualization: Building a general framework. In: Pohlmann, N., Reimer, H. (eds.) Trusted Computing, pp. 43–56. Vieweg+Teubner (2008)
Strasser, M., Stamer, H.: A Software-Based Trusted Platform Module Emulator. In: Lipp, P., Sadeghi, A.-R., Koch, K.-M. (eds.) Trust 2008. LNCS, vol. 4968, pp. 33–47. Springer, Heidelberg (2008)
Tan, K., McHugh, J., Killourhy, K.: Hiding Intrusions: From the Abnormal to the Normal and Beyond. In: Petitcolas, F.A.P. (ed.) IH 2002. LNCS, vol. 2578, pp. 1–17. Springer, Heidelberg (2003)
Thummalapenta, S., Xie, T.: Alattin: Mining alternative patterns for detecting neglected conditions. In: Proc. of the 24th International Conference on Automated Software Engineering (ASE), pp. 283–294 (2009)
Thummalapenta, S., Xie, T.: Mining exception-handling rules as sequence association rules. In: Proc. of the 31st International Conference on Software Engineering (ICSE), pp. 496–506 (2009)
The tpm4java library, http://sourceforge.net/projects/tpm4java/
Trusted Computing Group, Inc. TPM Main Specification Level 2 Version 1.2, Revision 116 (March 2011)
The TrustedGRUB extension to the GRUB bootloader, http://sourceforge.net/projects/trustedgrub/
Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: Proc. of the 9th Conference on Computer and Communications Security (CCS), pp. 255–264 (2002)
Zhang, X., Seifert, J.-P., Sandhu, R.: Security enforcement model for distributed usage control. In: Proc. of the Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing (SUTC), pp. 10–18 (2008)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Alsouri, S., Sinschek, J., Sewe, A., Bodden, E., Mezini, M., Katzenbeisser, S. (2012). Dynamic Anomaly Detection for More Trustworthy Outsourced Computation. In: Gollmann, D., Freiling, F.C. (eds) Information Security. ISC 2012. Lecture Notes in Computer Science, vol 7483. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33383-5_11
Download citation
DOI: https://doi.org/10.1007/978-3-642-33383-5_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33382-8
Online ISBN: 978-3-642-33383-5
eBook Packages: Computer ScienceComputer Science (R0)