Skip to main content
SpringerLink
Log in
Book cover

International Conference on Information Security

ISC 2012: Information Security pp 168–187Cite as

Dynamic Anomaly Detection for More Trustworthy Outsourced Computation

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7483))

Abstract

A hybrid cloud combines a trusted private cloud with a public cloud owned by an untrusted cloud provider. This is problematic: When a hybrid cloud shifts computation from its private to its public part, it must trust the public part to execute the computation as intended. We show how public-cloud providers can use dynamic anomaly detection to increase their clients’ trust in outsourced computations. The client first defines the computation’s reference behavior by running an automated dynamic analysis in the private cloud. The cloud provider then generates an application profile when executing the outsourced computation for its client, persisted in tamper-proof storage. When in doubt, the client checks the profile against the recorded reference behavior. False positives are identified by re-executing the dubious computation in the trusted private cloud, and are used to re-fine the description of the reference behavior. The approach is fully automated. Using 3,000 harmless and 118 malicious inputs to different Java applications, we show that our approach is effective. In particular, different characterizations of behavior can yield anything from low numbers of false positives to low numbers of false negatives, effectively trading trustworthiness for computation cost in the private cloud.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Ammons, G., Ball, T., Larus, J.R.: Exploiting hardware performance counters with flow and context sensitive profiling. In: Proc. of the 10th Conference on Programming Language Design and Implementation (PLDI), pp. 85–96 (1997)

    Google Scholar 

  2. Apache Software Foundation. The Apache Java PDF Library (PDFbox), http://pdfbox.apache.org/

  3. Apache Software Foundation. The Java API for Microsoft Documents (Apache POI), http://poi.apache.org/

  4. Benabbas, S., Gennaro, R., Vahlis, Y.: Verifiable Delegation of Computation over Large Datasets. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 111–131. Springer, Heidelberg (2011)

    Google Scholar 

  5. Bodden, E., Sewe, A., Sinschek, J., Oueslati, H., Mezini, M.: Taming reflection: Aiding static analysis in the presence of reflection and custom class loaders. In: Proc. of the 33rd International Conference on Software Engineering (ICSE), pp. 241–250 (2011)

    Google Scholar 

  6. Bond, M.D., McKinley, K.S.: Probabilistic calling context. In: Proc. of the 22nd Conference on Object-Oriented Programming, Systems, Languages and Applications (OOPSLA), pp. 97–112 (2007)

    Google Scholar 

  7. Ernst, M.D., Cockrell, J., Griswold, W.G., Notkin, D.: Dynamically discovering likely program invariants to support program evolution. In: Proc. of the 21st International Conference on Software Engineering (ICSE), pp. 213–224 (1999)

    Google Scholar 

  8. Feng, H.H., Kolesnikov, O.M., Fogla, P., Lee, W., Gong, W.: Anomaly detection using call stack information. In: Proc. of the 2003 IEEE Symposium on Security and Privacy (S&P), pp. 62–75 (2003)

    Google Scholar 

  9. Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A sense of self for Unix processes. In: Proc. of the 1996 Symposium on Security and Privacy (S&P), pp. 120–128 (1996)

    Google Scholar 

  10. Gamma, E., Helm, R., Johnson, R., Vlissides, J.M.: Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley Professional (1994)

    Google Scholar 

  11. Gao, D., Reiter, M.K., Song, D.: Gray-box extraction of execution graphs for anomaly detection. In: Proc. of the 11th Conference on Computer and Communications Security (CCS), pp. 318–329 (2004)

    Google Scholar 

  12. Gennaro, R., Gentry, C., Parno, B.: Non-interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 465–482. Springer, Heidelberg (2010)

    Google Scholar 

  13. Gruska, N., Wasylkowski, A., Zeller, A.: Learning from 6,000 projects: Lightweight cross-project anomaly detection. In: Proc. of the 19th International Symposium on Software Testing and Analysis (ISSTA), pp. 119–130 (2010)

    Google Scholar 

  14. Gu, L., Cheng, Y., Ding, X., Deng, R.H., Guo, Y., Shao, W.: Remote Attestation on Function Execution (Work-in-Progress). In: Chen, L., Yung, M. (eds.) INTRUST 2009. LNCS, vol. 6163, pp. 60–72. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  15. Gu, L., Ding, X., Deng, R.H., Xie, B., Mei, H.: Remote attestation on program execution. In: Proc. of the 3rd Workshop on Scalable Trusted Computing (STC), pp. 11–20 (2008)

    Google Scholar 

  16. Gutzmann, T., Löwe, W.: Custom-made instrumentation based on static analysis. In: Proc. of the 9th International Workshop on Dynamic Analysis, WODA (2011)

    Google Scholar 

  17. Haldar, V., Chandra, D., Franz, M.: Semantic remote attestation: a virtual machine directed approach to trusted computing. In: Proc. of the 3rd Conference on Virtual Machine Research and Technology Symposium, pp. 3–20 (2004)

    Google Scholar 

  18. Hangal, S., Lam, M.S.: Tracking down software bugs using automatic anomaly detection. In: Proc. of the 24th International Conference on Software Engineering (ICSE), pp. 291–301 (2002)

    Google Scholar 

  19. Inoue, H., Forrest, S.: Anomaly intrusion detection in dynamic execution environments. In: Proc. of the 2002 Workshop on New Security Paradigms (NSPW), pp. 52–60 (2002)

    Google Scholar 

  20. Karabulut, Y., Kerschbaum, F., Massacci, F., Robinson, P., Yautsiukhin, A.: Security and trust in IT business outsourcing: a manifesto. ENTCS 179, 47–58 (2007)

    Google Scholar 

  21. Kohavi, R.: A study of cross-validation and bootstrap for accuracy estimation and model selection. In: Proc. of the International Joint Conference on Artificial Intelligence (IJCAI), pp. 1137–1143 (1995)

    Google Scholar 

  22. Lacity, M.C., Khan, S.A., Willcocks, L.P.: A review of the IT outsourcing literature: Insights for practice. The Journal of Strategic Information Systems 18(3), 130–146 (2009)

    Article  Google Scholar 

  23. Liang, S., Bracha, G.: Dynamic class loading in the java virtual machine. In: Proc. of the 13th Conference on Object-Oriented Programming, Systems, Languages and Applications (OOPSLA), pp. 36–44 (1998)

    Google Scholar 

  24. Pradel, M., Gross, T.R.: Automatic generation of object usage specifications from large method traces. In: Proc. of the 24th International Conference on Automated Software Engineering (ASE), pp. 371–382 (2009)

    Google Scholar 

  25. Sailer, R., Zhang, X., Jaeger, T., van Doorn, L.: Design and implementation of a TCG-based integrity measurement architecture. In: Proc. of the 13th USENIX Security Symposium, pp. 1–16 (2004)

    Google Scholar 

  26. Sarimbekov, A., Sewe, A., Binder, W., Moret, P., Mezini, M.: JP2: Call-site aware calling context profiling for the Java Virtual Machine. Science of Computer Programming (2012), doi:10.1016/j.scico.2011.11.003

    Google Scholar 

  27. Sarimbekov, A., Sewe, A., Binder, W., Moret, P., Schöberl, M., Mezini, M.: Portable and accurate collection of calling-context-sensitive bytecode metrics for the Java Virtual Machine. In: Proc. of the 9th Conference on the Principles and Practice of Programming in Java (PPPJ), pp. 11–20 (2011)

    Google Scholar 

  28. Scarlata, V., Rozas, C., Wiseman, M., Grawrock, D., Vishik, C.: Tpm virtualization: Building a general framework. In: Pohlmann, N., Reimer, H. (eds.) Trusted Computing, pp. 43–56. Vieweg+Teubner (2008)

    Google Scholar 

  29. Strasser, M., Stamer, H.: A Software-Based Trusted Platform Module Emulator. In: Lipp, P., Sadeghi, A.-R., Koch, K.-M. (eds.) Trust 2008. LNCS, vol. 4968, pp. 33–47. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  30. Tan, K., McHugh, J., Killourhy, K.: Hiding Intrusions: From the Abnormal to the Normal and Beyond. In: Petitcolas, F.A.P. (ed.) IH 2002. LNCS, vol. 2578, pp. 1–17. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  31. Thummalapenta, S., Xie, T.: Alattin: Mining alternative patterns for detecting neglected conditions. In: Proc. of the 24th International Conference on Automated Software Engineering (ASE), pp. 283–294 (2009)

    Google Scholar 

  32. Thummalapenta, S., Xie, T.: Mining exception-handling rules as sequence association rules. In: Proc. of the 31st International Conference on Software Engineering (ICSE), pp. 496–506 (2009)

    Google Scholar 

  33. The tpm4java library, http://sourceforge.net/projects/tpm4java/

  34. Trusted Computing Group, Inc. TPM Main Specification Level 2 Version 1.2, Revision 116 (March 2011)

    Google Scholar 

  35. The TrustedGRUB extension to the GRUB bootloader, http://sourceforge.net/projects/trustedgrub/

  36. Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: Proc. of the 9th Conference on Computer and Communications Security (CCS), pp. 255–264 (2002)

    Google Scholar 

  37. Zhang, X., Seifert, J.-P., Sandhu, R.: Security enforcement model for distributed usage control. In: Proc. of the Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing (SUTC), pp. 10–18 (2008)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Center for Advanced Security Research Darmstadt - CASED, Technische Universität Darmstadt, Mornewegstraße 32, 64293, Darmstadt, Germany

    Sami Alsouri, Jan Sinschek, Andreas Sewe, Eric Bodden, Mira Mezini & Stefan Katzenbeisser

Authors
  1. Sami Alsouri
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jan Sinschek
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Andreas Sewe
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Eric Bodden
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Mira Mezini
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Stefan Katzenbeisser
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Institute of Security in Distributed Applications, University of Technology, Harburger Schlossstrasse 20, 21073, Hamburg, Germany

    Dieter Gollmann

  2. Department of Computer Science, University of Erlangen-Nürnberg, Am Wolfsmantel 46, 91058, Erlangen, Germany

    Felix C. Freiling

Rights and permissions

Reprints and permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Alsouri, S., Sinschek, J., Sewe, A., Bodden, E., Mezini, M., Katzenbeisser, S. (2012). Dynamic Anomaly Detection for More Trustworthy Outsourced Computation. In: Gollmann, D., Freiling, F.C. (eds) Information Security. ISC 2012. Lecture Notes in Computer Science, vol 7483. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33383-5_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-33383-5_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33382-8

  • Online ISBN: 978-3-642-33383-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation