
Anomaly Detection for Ephemeral Cloud IaaS Virtual Machines

  • Conference paper
Network and System Security (NSS 2013)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7873))


Abstract

In public Infrastructure-as-a-Service (IaaS), virtual machines (VMs) share the cloud with VMs belonging to other organisations. Each VM is under the control of its owner, and security management is the owner's responsibility. Considering this, providers should treat the hosted VMs as a potential source of attacks against other VMs and/or against the cloud infrastructure. The cloud model is flexible enough to allow consumers to start VMs that perform specific tasks for an hour or two and are then terminated; we call such VMs short-lived VMs. The provider's dilemma is monitoring these VMs, including short-lived ones, and detecting any change in their behaviour as a sign of anomaly, with a low level of intrusiveness for legal and practical reasons.

In this paper, we therefore propose a hypervisor-based anomaly detection system that monitors the system calls passing between a VM and its host kernel. This host intrusion detection system (HIDS) is able to detect changes in behaviour even in short-lived VMs without requiring any prior knowledge of them. To achieve this goal, a Hidden Markov Model (HMM) is used to build the classifier, and system calls are analysed and grouped to reflect the properties of a VM-based cloud infrastructure. We also report on the experimental validation of our approach.
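As an added illustration of the approach described in the abstract (example code, not the paper's own): raw system calls are mapped to coarse groups, each window of a VM's syscall trace is scored with a discrete HMM via the forward algorithm, and a window whose per-call log-likelihood falls well below the baseline is flagged as a behaviour change. The grouping table, the two-state model parameters, the window size and the traces are constructed assumptions; the paper's actual grouping, model size and training procedure are not on this page.

```python
import math

# Constructed syscall -> group table (assumption: the paper's own grouping is not on this page).
GROUPS = {"read": 0, "write": 0, "openat": 1, "fstat": 1, "close": 1,
          "mmap": 2, "mprotect": 2, "brk": 2,
          "clone": 3, "execve": 3, "ptrace": 3, "kill": 3,
          "socket": 4, "connect": 4, "sendto": 4, "recvfrom": 4}
OTHER = 5  # catch-all group for calls not in the table

def to_groups(trace):
    """Map a trace of syscall names to group ids."""
    return [GROUPS.get(name, OTHER) for name in trace]

def logsumexp(xs):
    xs = list(xs)
    m = max(xs)
    return m + math.log(sum(math.exp(x - m) for x in xs))

class SyscallHMM:
    """Discrete HMM scored with the forward algorithm in log space."""
    def __init__(self, pi, a, b):
        self.pi, self.a, self.b = pi, a, b  # start, transition and emission probabilities

    def log_likelihood(self, obs):
        n = len(self.pi)
        alpha = [math.log(self.pi[s] * self.b[s][obs[0]]) for s in range(n)]
        for o in obs[1:]:
            alpha = [logsumexp(alpha[p] + math.log(self.a[p][s]) for p in range(n))
                     + math.log(self.b[s][o]) for s in range(n)]
        return logsumexp(alpha)

def window_scores(hmm, trace, w):
    """Average log-likelihood per syscall for each non-overlapping window of w calls."""
    g = to_groups(trace)
    return [hmm.log_likelihood(g[i:i + w]) / w for i in range(0, len(g) - w + 1, w)]

def anomalous_windows(hmm, trace, baseline, w, margin=1.0):
    """Indices of windows scoring more than `margin` nats/call below the worst baseline window."""
    threshold = min(window_scores(hmm, baseline, w)) - margin
    return [i for i, s in enumerate(window_scores(hmm, trace, w)) if s < threshold]

# Constructed 2-state model: state 0 ~ file serving, state 1 ~ network serving (assumed, not fitted).
HMM = SyscallHMM(pi=[0.7, 0.3], a=[[0.9, 0.1], [0.2, 0.8]],
                 b=[[0.45, 0.35, 0.10, 0.02, 0.05, 0.03],
                    [0.25, 0.10, 0.05, 0.02, 0.55, 0.03]])
FILE_OPS = ["openat", "fstat", "read", "read", "write", "close"]
NET_OPS = ["socket", "connect", "sendto", "recvfrom", "close", "read"]
BASELINE = FILE_OPS * 3 + NET_OPS * 3  # constructed "normal" trace of the VM
SUSPECT = FILE_OPS + ["execve", "ptrace", "clone", "kill", "execve", "ptrace"] + NET_OPS
```

`anomalous_windows(HMM, SUSPECT, BASELINE, 6)` flags only the middle window, whose burst of process-control calls is improbable under both hidden states.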



Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Alarifi, S., Wolthusen, S. (2013). Anomaly Detection for Ephemeral Cloud IaaS Virtual Machines. In: Lopez, J., Huang, X., Sandhu, R. (eds) Network and System Security. NSS 2013. Lecture Notes in Computer Science, vol 7873. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38631-2_24


  • DOI: https://doi.org/10.1007/978-3-642-38631-2_24

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-38630-5

  • Online ISBN: 978-3-642-38631-2

  • eBook Packages: Computer Science (R0)
