Cloud Resource Monitoring for Intrusion Detection

2013 IEEE International Conference on Cloud Computing Technology and Science

Sijin He (1), Moustafa Ghanem (2), Li Guo (3), Yike Guo (1)

(1) Department of Computing, Imperial College London, London, UK
(2) School of Science and Technology, Middlesex University, London, UK
(3) University of Central Lancashire

Abstract — We present a novel security monitoring framework for intrusion detection in IaaS cloud infrastructures. The framework applies statistical anomaly detection techniques to data monitored both inside and outside each virtual machine (VM) instance. We present the architecture of the monitoring framework and describe the implementation of the real-time monitors and detectors. We then show how the framework is applied to three attack scenarios; for each, we explain how the attack works, what data is monitored, and how detection is carried out with anomaly detection methods. We also present an evaluation of the detection using synthetic and real data sets. Across all three scenarios, the experimental evaluation shows that our tools perform well in practical situations and indicate a promising direction for future research.

Keywords — Cloud Computing, Security, Anomaly Detection

I. INTRODUCTION

Driven by the rapid growth in demand for efficient and economical computational power, cloud computing [1] has led the world into a new era. However, cloud computing also introduces new risks that are a direct result of the outsourcing model. The first risk is an increased potential for insider attacks: to what extent should users trust the cloud provider (or its employees), and can they be certain that no malicious insider will access their confidential data? The second risk is that of side-channel attacks, a consequence of many people and organisations now being served by the same large physical infrastructure of the cloud provider. Although hardware and software mechanisms exist to isolate users from one another, all users still share the same physical resources in the cloud. Such sharing increases the potential for malicious users who are legitimately using the cloud to gain access, directly or indirectly, to data belonging to other users via side channels that exist in the context of virtualization.

Virtualization is one of the key technologies enabling cloud computing. A VM is a software implementation of the functionality of a physical machine (PM), allowing it to execute programs like the physical machine itself. By using VMs, cloud providers can create isolated instances that are allocated to different users to deliver computational resources [2, 3], such as processing power, storage space and network, in such a way that users consume them over the Internet as services, anywhere and at any time. Although virtualization technologies are designed to provide full isolation between different users, various side channels and backdoors still exist because the physical infrastructure is shared. For example, VMs executing on the same PM in most cases share the cache memory, and all VMs executing on the same network share the network itself. In such cases, one VM can infer information about another VM by monitoring the performance of the shared resource.

We depart from attempting to close the side channels themselves, or the back doors by which intruders gain access to a system (e.g. by stealing passwords). We assume that the attacker is already inside the system and exploiting such channels, and we investigate how to detect the attacker by monitoring the behaviour of users, applications and virtual machines. We present a novel security monitoring framework for intrusion detection in cloud infrastructures based on monitoring the behaviour of applications and VMs, and summarise our contributions as follows:

1) Novel Cloud Security Monitoring Framework: We present a novel cloud security monitoring framework that applies statistical anomaly detection techniques to data describing the behaviour of applications and VMs in a cloud environment. The framework allows such data to be collected either from inside a VM instance (In-VM monitoring) or from outside it (Out-VM monitoring). By enabling a mix of In-VM and Out-VM methods, the behaviour of a wide variety of applications and VMs can be monitored effectively. The proposed framework is generic and easily implementable in various cloud systems. It has been developed and hosted on the IC Cloud system [4], an IaaS cloud platform developed at Imperial College London to provide a set of generic, scalable and resource-efficient services for science.

2) Validation Case Studies: To validate the framework, we investigate three types of potential attack in a cloud environment: the Data Asset Attack, the Network Application Attack and the Cache Memory Side-channel Attack. For each case study, we investigate the data that needs to be monitored, choose the data most suitable for detecting the attack, and investigate the specific anomaly detection tools that can be used.

3) Evaluation using synthetic and real data sets: To evaluate the approach we present evaluation studies conducted with synthetic and real data sets. One real data set was collected in a special workshop during the Urban Prototyping London crackathon event in April 2013. Our experimental evaluation on both the real and synthetic cases shows that our tools work well in practical situations.

978-0-7695-5095-4/13 $31.00 © 2013 IEEE. DOI 10.1109/CloudCom.2013.148


II. MONITORING FRAMEWORK

Our approach is based on two types of monitors: In-VM monitors, which execute inside a user's own virtual machine, and Out-VM monitors, which execute on the physical machines themselves. The monitors collect information about various properties of virtual machine execution in the IC Cloud and about the PMs used; they also collect information about database properties and network request properties. Using In-VM monitors, each VM can monitor its own information as seen from inside the VM itself. Such monitors are designed to be lightweight, for use by users of the cloud system. In contrast, Out-VM monitors are designed for use by the cloud infrastructure provider and collect information on the VMs as seen from outside. In Fig. 1, the Virtual Machine Monitor (VMM) uses Out-VM monitoring installed in a PM to log the activities of its hosted VMs when they access the physical resources. Note that the behaviour logs kept at a VM and at the VMM are typically at different granularities, and that there is a semantic gap between them. All monitors operate by measuring values over a given time period, the sampling period. Such values include processor and memory load, timing information, usage information, message counts and sizes, etc. (TABLE I).
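The following is an added example (not code from the paper or from the IC Cloud) of what a lightweight In-VM monitor has to do to produce the two "VM Properties" of Table I for one sampling period: VM CPU % usage is the share of non-idle jiffies between two /proc/stat snapshots taken one period apart, and VM memory usage is derived from /proc/meminfo. The snapshots embedded at the bottom are constructed so that the module runs offline; sample_live() shows the same functions applied to a real Linux guest.

```python
"""In-VM sampler for the VM Properties of Table I: VM CPU % and VM memory usage.

Added example; this is not code from the paper or the IC Cloud. CPU % is the
share of non-idle jiffies between two /proc/stat snapshots taken one sampling
period apart; memory % comes from /proc/meminfo. The snapshots at the bottom
are constructed so the module runs offline.
"""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class CpuTimes:
    idle: int   # idle + iowait jiffies
    total: int  # user + nice + system + idle + iowait + irq + softirq + steal


def parse_proc_stat_cpu(text: str) -> CpuTimes:
    """Read the aggregate 'cpu' line of a /proc/stat snapshot."""
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "cpu":
            values = [int(v) for v in fields[1:9]]  # guest/guest_nice are already counted in user/nice
            values += [0] * (8 - len(values))       # older kernels omit trailing columns
            return CpuTimes(idle=values[3] + values[4], total=sum(values))
    raise ValueError("no aggregate 'cpu' line in /proc/stat snapshot")


def cpu_percent(before: CpuTimes, after: CpuTimes) -> float:
    """Average CPU % usage over the period between two snapshots."""
    total_delta = after.total - before.total
    if total_delta <= 0:
        return 0.0  # no jiffies elapsed (or counter reset): report idle, never divide by zero
    busy_delta = total_delta - (after.idle - before.idle)
    return 100.0 * busy_delta / total_delta


def parse_meminfo_percent(text: str) -> float:
    """Memory % in use from a /proc/meminfo snapshot."""
    kib = {}
    for line in text.splitlines():
        if ":" in line:
            key, rest = line.split(":", 1)
            kib[key.strip()] = int(rest.split()[0])
    total = kib["MemTotal"]
    # MemAvailable exists since Linux 3.14; older guests need the classic approximation.
    available = kib.get("MemAvailable")
    if available is None:
        available = kib["MemFree"] + kib.get("Buffers", 0) + kib.get("Cached", 0)
    return 100.0 * (total - available) / total


def sample_vm_properties(stat_before: str, stat_after: str, meminfo: str) -> dict:
    """One record for the sampling period, as the In-VM monitor would log it."""
    cpu = cpu_percent(parse_proc_stat_cpu(stat_before), parse_proc_stat_cpu(stat_after))
    return {"vm_cpu_percent": round(cpu, 2),
            "vm_mem_percent": round(parse_meminfo_percent(meminfo), 2)}


def sample_live(period_seconds: float = 5.0) -> dict:
    """Take a real sample on a Linux guest (not used by the offline demo below)."""
    with open("/proc/stat") as f:
        before = f.read()
    time.sleep(period_seconds)
    with open("/proc/stat") as f:
        after = f.read()
    with open("/proc/meminfo") as f:
        meminfo = f.read()
    return sample_vm_properties(before, after, meminfo)


# Constructed snapshots (not real measurements): 1000 jiffies elapse, 300 of them busy.
STAT_BEFORE = "cpu  1000 0 500 8000 100 0 0 0 0 0\ncpu0 1000 0 500 8000 100 0 0 0 0 0\n"
STAT_AFTER = "cpu  1200 0 600 8650 150 0 0 0 0 0\ncpu0 1200 0 600 8650 150 0 0 0 0 0\n"
MEMINFO = "MemTotal:        4096000 kB\nMemFree:          512000 kB\nMemAvailable:    1024000 kB\n"

if __name__ == "__main__":
    print(sample_vm_properties(STAT_BEFORE, STAT_AFTER, MEMINFO))
```

The Out-VM counterpart (PM CPU % and PM memory usage) reads the same counters on the host, where they aggregate over every hosted VM; that difference in granularity is the semantic gap mentioned above.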

Fig. 1. The Monitoring Framework

TABLE I. PROPERTIES USED IN THE MONITORING FRAMEWORK

Group                       | Monitor         | Property             | Meaning
----------------------------|-----------------|----------------------|--------------------------------------------------------------
PM Properties               | Out-VM          | PM CPU % usage       | Average PM CPU % usage for a period
PM Properties               | Out-VM          | PM memory usage      | Average PM memory usage for a period
PM Properties               | Out-VM / In-VM  | Cache read time      | Time taken for reading values from the PM memory cache
VM Properties               | In-VM           | VM CPU % usage       | Average VM CPU % usage for a period
VM Properties               | In-VM           | VM memory usage      | Average VM memory usage for a period
DB System Properties        | In-VM           | DB CPU % usage       | Average DB CPU % usage for a period
DB System Properties        | In-VM           | DB memory % usage    | Average DB memory usage for a period
DB Query Properties         | In-VM           | Query pattern        | Pattern generated from a database query
DB Query Properties         | Out-VM / In-VM  | Query response time  | Time taken for a database query to complete
DB Query Properties         | Out-VM / In-VM  | Query packet size    | Size of the data that a database query generates
DB Query Properties         | Out-VM / In-VM  | Query frequency      | Time interval between two consecutive DB queries from the same user or IP
Network Request Properties  | Out-VM / In-VM  | Request frequency    | Time interval between two consecutive HTTP requests from the same user or IP
Network Request Properties  | In-VM           | Request content      | The data attached to the HTTP request

We note that in many cases both In-VM and Out-VM monitors capture similar, but slightly different, information. For example, an Out-VM monitor keeps track of PM resource usage, including PM CPU time, memory, network packets, IO operations, and any other property the monitor can capture. The In-VM monitor captures similar information about the VM and its individual processes, such as CPU time, memory, network packets and IO operations. It is important to note that In-VM monitors capture more information than Out-VM monitors, and that we can usually attach semantics to such information. For example, in the case of queries sent to a database, an In-VM monitor has access to context or semantic information. Such information is typically not available to the Out-VM monitor, which either "should" not see such content (for legal reasons) or cannot see it (e.g. if the data is encrypted). While the monitoring framework keeps track of behaviour inside and outside VMs, it also performs online analysis of the collected data using anomaly detection techniques and detects possible attacks in the cloud environment.

A. Data Asset Attack

The Data Asset Attack scenario is a simple attack based on unauthorised access to a user's cloud storage space or database. The attacker has already compromised the system by acquiring the user's credentials. Our aim is to detect their activities by collecting monitoring information on their database usage and comparing it with normal user behaviour. The architecture of the monitor for the Data Asset Attack is shown in Fig. 2. The monitors observe properties in the cloud and can be placed inside the VM, outside the VM, or both. The properties that can be monitored by Out-VM monitors for the Data Asset Attack are PM Properties and Network Request Properties. Monitored data is stored in the Monitored Data Database. The detector is used to decide whether there is an attack. It can be located anywhere, for example inside the VM, outside the VM, or even on the user's local machine, as long as the Monitored Data Database is accessible.

Fig. 2. Architecture of the Data Asset Attack monitor

The properties that can be monitored by the In-VM monitor are Database Properties, VM Properties, Request Properties and Database (DB) Query Properties. Note that the Query pattern is extracted from a database query using the method stated in [5], which transforms the query into a vector. Aggregating the vectors extracted from the query pattern data set of a normal user forms a profile of that user. This normal profile can then be compared with any incoming query from the same user account using the MAD test [5]. Among these monitored properties, not all show significance when detecting abnormality: for example, when a database query is neither CPU nor


memory intensive, it is difficult to tell when the database is under attack, as neither CPU nor memory usage changes significantly. Therefore, we ran three different sets of synthetic database queries against the IC Cloud VM management database and used anomaly detection to find the most suitable properties for detection:

1) Normal User workload is a set of 10 queries comprising the most frequently used queries in the IC Cloud. This represents the query activity of a normal user browsing the IC Cloud database.
2) Attacker 1 workload is a set of queries that is completely different from the Normal User set. This represents the query activity of an attacker.
3) Attacker 2 workload is a subset of the Normal User workload, simulating an attacker who tries to follow the query pattern of normal users and obtain information without being detected.

Each workload was taken as input and sent by a query dispatcher at random intervals to the target database. All monitored properties for this attack were logged. A t-test [6] was applied to differentiate the Normal User workload from the Attacker 1 and Attacker 2 workloads (confidence level 90%). Different anomaly detection techniques can be applied to select suitable properties for detection.
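As an added example (not the paper's code), the detector below shows the two Data Asset checks side by side: a query-pattern profile built from the normal user's vectorised queries, which catches Attacker 1 (tables the user never touches), and a median-absolute-deviation test on Query Frequency, which is what separates Attacker 2 (the user's own queries, but scripted) from the normal user. The query-to-vector step is a deliberately simple stand-in for the transform of [5] (SQL command plus the set of schema tables a statement touches), the MAD test is the standard modified z-score, and all queries, timestamps and constants are constructed for the example rather than taken from the IC Cloud.

```python
"""Data Asset Attack detector: query-pattern profile plus a MAD test on Query Frequency.

Added example, not the paper's code. The query-to-vector step is a simple
stand-in for the transform of [5]; the frequency check is the usual modified
z-score built on the median absolute deviation. All data is constructed.
"""
import re
import statistics
from collections import Counter

_TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_]\w*)", re.IGNORECASE)


def query_pattern(sql: str, schema_tables: tuple) -> tuple:
    """Vectorise one statement as (command, table_1_touched, ..., table_n_touched)."""
    words = sql.strip().split(None, 1)
    command = words[0].upper() if words else ""
    touched = {t.lower() for t in _TABLE_RE.findall(sql)}
    return (command,) + tuple(int(t in touched) for t in schema_tables)


def build_profile(normal_queries, schema_tables) -> Counter:
    """Aggregate the normal user's pattern vectors into a frequency profile."""
    return Counter(query_pattern(q, schema_tables) for q in normal_queries)


def pattern_is_anomalous(sql: str, profile: Counter, schema_tables: tuple) -> bool:
    """A pattern the normal user never produced is anomalous (the Attacker 1 case)."""
    return query_pattern(sql, schema_tables) not in profile


def intervals(timestamps):
    """Query Frequency as defined in Table I: gaps between consecutive queries."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def mad_test(baseline, samples, threshold: float = 3.5):
    """Modified z-score outlier test of each sample against the baseline intervals.

    0.6745 rescales the MAD to a normal standard deviation and 3.5 is the common
    Iglewicz-Hoaglin cut-off; both are this example's choice, not the paper's.
    """
    med = statistics.median(baseline)
    mad = statistics.median(abs(x - med) for x in baseline)
    if mad == 0:  # degenerate baseline: treat any deviation as an outlier
        return [x != med for x in samples]
    return [abs(0.6745 * (x - med) / mad) > threshold for x in samples]


def detect(session_queries, session_times, profile, baseline_intervals, schema_tables) -> dict:
    """Per-property verdicts plus the paper's OR rule: alarm if any property is abnormal."""
    bad_pattern = any(pattern_is_anomalous(q, profile, schema_tables) for q in session_queries)
    bad_frequency = any(mad_test(baseline_intervals, intervals(session_times)))
    return {"pattern": bad_pattern, "frequency": bad_frequency, "alarm": bad_pattern or bad_frequency}


# Constructed data. Normal user: browsing queries roughly every 10 s.
SCHEMA = ("vms", "pms", "users", "credentials")
NORMAL_QUERIES = [
    "SELECT id, status FROM vms WHERE owner_id = 7",
    "SELECT vms.id, pms.hostname FROM vms JOIN pms ON vms.pm_id = pms.id",
    "UPDATE vms SET status = 'running' WHERE id = 42",
    "SELECT id, status FROM vms WHERE owner_id = 7",
]
NORMAL_TIMES = [0, 10, 19, 30, 41, 51, 62, 72, 83, 93]  # seconds
# Attacker 1: tables the user never touches. Attacker 2: the user's own query, scripted every second.
ATTACKER1_QUERIES = ["SELECT username, password_hash FROM credentials", "SELECT * FROM users"]
ATTACKER1_TIMES = [0, 10, 20]
ATTACKER2_QUERIES = ["SELECT id, status FROM vms WHERE owner_id = 7"] * 4
ATTACKER2_TIMES = [0, 1, 2, 3]

PROFILE = build_profile(NORMAL_QUERIES, SCHEMA)
BASELINE = intervals(NORMAL_TIMES)

if __name__ == "__main__":
    for name, qs, ts in (("normal", NORMAL_QUERIES[:3], [0, 9, 20]),
                         ("attacker 1", ATTACKER1_QUERIES, ATTACKER1_TIMES),
                         ("attacker 2", ATTACKER2_QUERIES, ATTACKER2_TIMES)):
        print(name, detect(qs, ts, PROFILE, BASELINE, SCHEMA))
```

The example also shows the weakness the crackathon exposed: the regex-based vectoriser only sees table names in the positions it expects, so query syntax hidden in SQL comments would need a real parser before the pattern check could see it.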

Fig. 3. Comparison of Query Response Time for the three query workloads: Normal (left), Attacker 1 (middle), Attacker 2 (right)

Fig. 3 shows the Query Response Time of each workload. The Attacker 1 workload is clearly different from the Normal User workload and can therefore be detected by the t-test. However, the Attacker 2 workload is similar to (in fact a subset of) the normal workload, so detecting the attack using only Query Response Time is not sufficient; more properties are required to determine the anomaly.

Fig. 4. Query Frequency: Normal User (left) and Attacker 2 (right)

In Fig. 4, the distributions of Query Frequency for the Normal User and Attacker 2 are significantly different, and the anomaly can be detected. Therefore, the properties we chose for the final monitor framework for this attack are those that can differentiate the synthetic workloads. For the final monitored properties used for detection, we use only Request Properties for the In-VM and Out-VM monitors, and Query Pattern for the In-VM monitor. Since multiple properties are taken as inputs to anomaly detection, the detector raises an alarm if one or more properties have been detected as abnormal.

To evaluate the framework, we first evaluated the monitoring framework for this attack using synthetic workloads, and then using a realistic workload in the crackathon event. For the synthetic workload, we used the same workloads described earlier (Normal User workload with random Query Frequency between 0 and 20 seconds, Attacker 1 workload with random Query Frequency between 0 and 10 seconds, Attacker 2 workload with random Query Frequency between 0 and 30 seconds). One of the three workloads was chosen at random and run in a query dispatcher for 5 minutes. We conducted the experiment 10 times. The monitor framework tracks the selected properties and detects abnormality. The evaluation of the synthetic workloads over 10 trials produced only one false positive; that alarm was raised by an anomaly in Query Frequency, because the Query Frequency ranges of the Attacker 1 and Attacker 2 workloads overlap the Query Frequency range of the Normal User workload. The accuracy of this anomaly detection is 90% and the precision is 87.5%.

The realistic workload evaluation was conducted in a public crackathon event held in conjunction with UP London 2013 (Urban Prototyping event) at Imperial College London in April 2013. The contestants were provided with tools that facilitate conducting the Data Asset Attack and the Network Application Attack, and were also given a high-level description of how the monitoring framework works. Five teams participated in the Data Asset Attack, two of which were able to circumvent the monitoring framework, highlighting certain weaknesses in the implementation of the monitors rather than in the approach. One attacker decompiled the tools provided to the contestants to help in the attack and acquired information that was used to attack the monitor first; we are currently working on securing the monitor implementation. The second contestant hid the syntax of the query in comments in the SQL code; we are currently modifying our parsers to detect this way of hiding query syntax. Each team was given five user accounts with which to perform attacks, so a total of 25 user accounts could be detected. The accuracy is 84% and the precision is 92.3%.

B. Network Application Side-channel Attack

In the Network Application Side-channel Attack, the attacker simulates a normal user and monitors network traffic. The attacker's aim is to match the packet size of a request to the keystrokes of the normal user. To do so, the attacker first has to train a tool to match network packet sizes to keyboard strokes.

Fig. 5. Architecture of the Network Application Side-channel Attack monitor

The monitoring framework attempts to detect the attacker at training time, through anomalies in their access patterns, e.g. abnormal keystrokes being sent to the system. The architecture of the monitor for the Network Application Side-channel Attack is shown in Fig. 5. The properties that can be monitored from Out-VM monitors for this attack are PM Properties and Request Properties; the properties that can be monitored from In-VM monitors are PM Properties and Request Properties. We have evaluated the use of the In-VM and Out-VM properties across many synthetic HTTP workloads using the t-test. For the final monitoring framework, Request Frequency for the In-VM and Out-VM monitors, and Request Content for the In-VM monitor, are used.

For the synthetic workload, we define a normal request workload with a random Request Frequency. We then define an attacker who tries to mimic the normal user's behaviour to avoid detection while, at the same time, developing the mapping table in the training phase. The attacker workload is therefore a mixture of normal input and other data input, with a random Request Frequency. One of the two workloads was chosen at random and run in a request dispatcher for 5 minutes. We conducted the experiment 10 times. The monitor framework tracks the selected properties and detects abnormality. The accuracy and precision of this anomaly detection are both 100%.

The realistic workload evaluation of this attack was conducted in the public crackathon event. Three teams participated in the Network Application Side-channel Attack, but none was able to circumvent the monitors. We have, however, documented the strategies used by the attackers in order to investigate whether they could lead to vulnerabilities. Teams 1 and 2 performed attacks. Team 3 only tried to use network monitoring tools to sniff network traffic without attacking, and failed. The result shows 100% accuracy and precision.

C. Memory Cache Side-channel Attack

In this attack, an attacker places a VM on the same PM as the user's VM and monitors cache performance (the time to read memory): whenever this time is high, the user's VM is active. The attacker creates a VM that must be on the same PM as the target VM, and then creates a program that loads a large chunk of data into the memory cache and records its execution time. The program keeps reading the same chunk of data from memory and records the execution time of every read. The execution time varies whenever the target VM accesses the memory cache, so the attacker is able to infer the workload of the target VM.

The aim of the monitor is to detect the presence of the attacker VM. The architecture of the monitor for the Memory Cache Side-channel Attack is shown in Fig. 6. The monitor and detector work by stopping the user's own VMs and listening to see whether an attacker is present, i.e. using the same approach as the attacker: listening for unexpected cache usage. The monitoring framework uses a technique similar to the attacker's (listening to cache activity) to detect whether any other VM is active on the same PM. The user first halts all of their own VMs on the PM for random time intervals, and the cache read time is then measured. If an attacker is performing an attack, the cache read time will be greater than normal. The results gathered during the periods of halted VMs are collected and analysed by the anomaly detection at random intervals. In order to avoid this type of threat, many providers restrict the co-location of VMs from multiple users on the same PM. For our final monitor we decided to use only Cache Read Time, for both the In-VM and Out-VM monitors.

Fig. 6. Architecture of the Memory Cache Side-channel Attack monitor

For the synthetic workload, we define a normal cache access pattern and then an attacker whose cache access pattern differs from the normal one. For each trial, the normal cache access pattern is always running. Every 5 minutes, we randomly decide whether or not to run the attack cache access pattern for 5 minutes. We conducted the experiment 10 times. The monitor framework tracks the selected properties and detects abnormality. The result shows 100% accuracy and precision. We also conducted an internal evaluation similar to the crackathon event, in which five internal teams from Imperial College London were invited to conduct the attack and test the monitoring framework. The result is 100% accuracy and precision.

III. CONCLUSION

Our work in this paper has highlighted various threats that are enabled by vulnerabilities in a cloud computing environment. We have also presented a framework based on In-VM and Out-VM monitoring and anomaly detection techniques to capture such attacks. We have developed prototypes of the monitoring framework and anomaly detection techniques for three attack scenarios. For each of the three scenarios presented, we compared the use of In-VM and Out-VM monitoring information. We have evaluated our approach using synthetic and real workloads. Our initial evaluation indicates that the approach is promising, with high accuracy and precision. The current shortcomings were due to the prototypical implementation rather than to any inadequacy of the methods used.


REFERENCES

[1] S. He, L. Guo, Y. Guo, C. Wu, M. Ghanem, and R. Han, "Elastic Application Container: A Lightweight Approach for Cloud Resource Provisioning," in Advanced Information Networking and Applications (AINA), 2012 IEEE 26th International Conference on, 2012, pp. 15-22.
[2] S. He, L. Guo, and Y. Guo, "Real time elastic cloud management for limited resources," in Cloud Computing (CLOUD), 2011 IEEE International Conference on, 2011, pp. 622-629.
[3] S. He, L. Guo, M. Ghanem, and Y. Guo, "Improving Resource Utilisation in the Cloud Environment using Multivariate Probabilistic Models," in Cloud Computing (CLOUD), 2012 IEEE 5th International Conference on, 2012, pp. 574-581.
[4] L. Guo, Y. Guo, and X. Tian, "IC cloud: a design space for composable cloud computing," in Cloud Computing (CLOUD), 2010 IEEE 3rd International Conference on, 2010, pp. 394-401.
[5] A. Kamra, E. Terzi, and E. Bertino, "Detecting anomalous access patterns in relational databases," VLDB Journal, vol. 17, pp. 1063-1077, Aug 2008.
[6] V. Chandola, A. Banerjee, and V. Kumar, "Anomaly Detection: A Survey," ACM Computing Surveys, vol. 41, 2009.