
2015 | Original Paper | Book chapter

Elite: Automatic Orchestration of Elastic Detection Services to Secure Cloud Hosting

Authors: Yangyi Chen, Vincent Bindschaedler, XiaoFeng Wang, Stefan Berger, Dimitrios Pendarakis

Published in: Research in Attacks, Intrusions, and Defenses

Publisher: Springer International Publishing


Abstract

Intrusion detection on today’s cloud is challenging: a user’s application is automatically deployed through new cloud orchestration tools (e.g., OpenStack Heat, Amazon CloudFormation, etc.), and its computing resources (i.e., virtual machine instances) come and go dynamically during its runtime, depending on its workloads and configurations. Under such a dynamic environment, a centralized detection service needs to keep track of the state of the whole deployment (a cloud stack), size up and down its own computing power and dynamically allocate its existing resources and configure new resources to catch up with what happens in the application. Particularly in the case of anomaly detection, new application instances created at runtime are expected to be protected instantly, without going through conventional profile learning, which disrupts the operations of the application.
To address those challenges, we developed Elite, a new elastic computing framework, to support high-performance detection services on the cloud. Our techniques are designed to be fully integrated into today’s cloud orchestration mechanisms, allowing an ordinary cloud user to request a detection service and specify its parameters conveniently, through the cloud-formation file she submits for deploying her application. Such a detection service is supported by a high-performance stream-processing engine, and optimized for concurrent analysis of a large amount of data streamed from application instances and automatic adaptation to different computing scales. It is linked to the cloud orchestration engine through a communication mechanism, which provides the runtime information of the application (e.g., the types of new instances created) necessary for the service to dynamically configure its resources. To avoid profile learning, we further studied a set of techniques that enable reuse of normal behavior profiles across different instances within one user’s cloud stack, and across different users (in a privacy-preserving way). We evaluated our implementation of Elite on popular web applications deployed over 60 instances. Our study shows that Elite efficiently shares profiles without losing their accuracy and effectively handles dynamic, intensive workloads incurred by these applications.


Footnotes

1. How long the detector needs to stay in “training mode” depends on many factors such as the nature of the service provided by the application instances, the quality of training inputs, and to what extent the cloud user can tolerate the false positives. Precise tuning of the training time and the trade-offs involved is not the focus of this paper.

2. Those calls need to happen on almost all intrusion vectors (as evidenced by our false negative evaluation in Sect. 4.2). Also our design can be easily extended to accommodate other types of calls.

3. An example here is JMeter Script Recorder, which can be provided by the cloud and customized by the user.

4. False positives incurred by such profile sharing can be further adjusted during the system’s online operation.

5. In addition to the contents with wildcards, those profile templates were also specialized according to the ID of the stack.
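As an added illustration (not the paper's code) of the profile-reuse idea in the abstract and footnote 5: a syscall n-gram profile learned on one instance is turned into a template by wildcarding the stack ID in call arguments, then specialized for a new stack so that a freshly created instance is checked without its own training phase. The n-gram length, the "name:argument" trace format, the stack IDs and all traces are assumptions constructed for this sketch.

```python
"""Wildcarded profile templates for sharing anomaly-detection profiles across stacks.

Added example, not the authors' implementation. A profile is a set of syscall n-grams
(after Forrest/Hofmeyr-style sequence profiles); stack-specific argument values are
generalised to a wildcard so one template serves every stack. All traces constructed.
"""
N = 3                  # n-gram window length (assumption, not from the paper)
WILDCARD = "<STACK>"   # placeholder substituted for the stack ID

# Constructed trace from a web-server instance in stack "stack-a1b2".
TRAIN_TRACE = [
    "open:/var/app/stack-a1b2/config.yml", "read", "socket", "accept",
    "read", "write", "close", "open:/var/app/stack-a1b2/static/index.html",
    "read", "write", "close",
]


def ngrams(trace):
    """Sliding window of N consecutive events."""
    return [tuple(trace[i:i + N]) for i in range(len(trace) - N + 1)]


def make_template(trace, stack_id):
    """Learn the n-gram profile of one instance, with its stack ID wildcarded."""
    generic = [ev.replace(stack_id, WILDCARD) for ev in trace]
    return set(ngrams(generic))


def specialize(template, stack_id):
    """Instantiate the shared template for a concrete stack, no retraining needed."""
    return {tuple(ev.replace(WILDCARD, stack_id) for ev in gram) for gram in template}


def mismatches(profile, trace):
    """Anomaly score: number of runtime n-grams absent from the profile."""
    return sum(1 for gram in ngrams(trace) if gram not in profile)


if __name__ == "__main__":
    template = make_template(TRAIN_TRACE, "stack-a1b2")
    # A new instance in another stack, same behaviour but different paths.
    new_trace = [ev.replace("stack-a1b2", "stack-c3d4") for ev in TRAIN_TRACE]
    print("specialized:", mismatches(specialize(template, "stack-c3d4"), new_trace))
    print("unspecialized:", mismatches(specialize(template, "stack-a1b2"), new_trace))
    # An unexpected outbound connection from the web server stands out.
    odd = ["read", "write", "close", "socket", "connect", "write"]
    print("deviating trace:", mismatches(specialize(template, "stack-c3d4"), odd))
```

The unspecialized comparison shows why footnote 5's per-stack specialization matters: without it, every n-gram touching a stack-specific path is flagged on the new instance.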
 
Metadata

Title: Elite: Automatic Orchestration of Elastic Detection Services to Secure Cloud Hosting

Authors: Yangyi Chen, Vincent Bindschaedler, XiaoFeng Wang, Stefan Berger, Dimitrios Pendarakis

Copyright year: 2015

DOI: https://doi.org/10.1007/978-3-319-26362-5_27