Skip to main content

A multi-level proactive security auditing framework for clouds through automated dependency building

CCF Transactions on Networking volume 3pages 112–127 (2020)Cite this article

Abstract

A cloud is very often a subject to diverse security threats directing to its multiple levels (e.g., user, virtual, and physical). Even though there exist several security solutions for a specific cloud level, none of them provides a comprehensive solution that can protect a cloud tenant against the threats rendered from those multiple levels; which is mainly due to the operational complexity and unique nature of each level of cloud (e.g., authentication and access control models in the user level vs. VM migration rules in the virtual level) in a cloud. Furthermore, a simple integration of those existing tools will not be sufficient as all of them are suffering from different practical issues. For instance, most of the existing solutions suffer from slow response time and require significant manual efforts from the cloud tenants. In this paper, we propose a multi-level proactive security auditing framework, which provides a unified platform to plug-in existing security auditing tools for those levels and overcomes their major practical issues. To this end, our main idea is to design a framework to integrate existing auditing solutions and protect the multiple levels of a cloud. Also, we convert those tools (regardless of their original nature, e.g., retroactive and runtime) into a proactive auditing solution by leveraging a predictive model, which captures the dependency relationships between cloud events and helps to predict future events. We integrate our framework with OpenStack, a popular cloud management platform and outline a concrete guideline to adapt our framework to other major cloud platforms, Google GCP, Amazon EC2, and Microsoft Azure. Our experiments using both synthetic and real data show the practicality and effectiveness of this solution (e.g., responding in a few milliseconds to verify each level of the cloud).

This is a preview of subscription content, access via your institution.

Access options

Buy single article

Instant access to the full article PDF.

USD 39.95

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9

Notes

  1. https://pypi.org/project/pgmpy/.

  2. https://github.com/qpwo/python-simple-cycles.

References

  • Aikat, J., Akella, A., Chase, J.S., Juels, A., Reiter, M., Ristenpart, T., Sekar, V., Swift, M.: Rethinking security in the era of cloud computing. IEEE Secur. Privacy 15(3), (2017)

  • Amazon. Amazon virtual private cloud. Available at: https://aws.amazon.com/vpc. Accessed 14 Feb 2018

  • Bellare, M., Yee, B.: Forward integrity for secure audit logs. Technical report, Citeseer (1997)

  • Beschastnikh, I., Brun, Y., Schneider, S., Sloan, M., Ernst, M. D.: Leveraging existing instrumentation to automatically infer invariant-constrained models. In: Proceedings of the 19th ACM SIGSOFT symposium and the 13th European conference on Foundations of software engineering. ACM, (2011)

  • Bleikertz, S., Vogel, C., Groß, T., Mödersheim, S.: Proactive security analysis of changes in virtualized infrastructures. In: ACSAC, (2015)

  • Doelitzscher, F., Fischer, C., Moskal, D., Reich, C., Knahl, M., Clarke, N.: Validating cloud infrastructure changes by cloud audits. In: Services. IEEE, (2012)

  • Elasticsearch: Logstash. Available at: https://www.elastic.co/products/logstash. Accessed on: 14 Feb (2018)

  • Google: Google cloud platform. Available at: https://cloud.google.com. Accessed on: 14 Feb 2018

  • Hämäläinen, W., Nykänen, M.: Efficient discovery of statistically significant association rules. In: ICDM, pp. 203–212. IEEE, (2008)

  • Hong, S., Xu, L., Wang, H., Gu, G.: Poisoning network visibility in software-defined networks: New attacks and countermeasures. In: Proceedings of 2015 Annual Network and Distributed System Security Symposium (NDSS’15), (2015)

  • Kwon, J., Lee, K.M.: A unified framework for event summarization and rare event detection from multiple views. IEEE Trans. Pattern Anal. Mach. Intell. 37(9), 1737–1750 (2015)

    Article  Google Scholar 

  • Li, M., Zang, W., Bai, K., Yu, M., Liu, P.: Mycloud: supporting user-configured privacy protection in cloud computing. In: ACSAC, pp 59–68. ACM, (2013)

  • Lopes, N. P., Bjørner, N., Godefroid, P., Jayaraman, K., Varghese, G.: Checking beliefs in dynamic networks. In: 12th USENIX Symposium on Networked Systems Design and Implementation (NSDI’15), pp 499–512, (2015)

  • Luo, Y., Luo, W., Puyang, T., Shen, Q., Ruan, A., Wu, Z.: OpenStack security modules: a least-invasive access control framework for the cloud. In: CLOUD, (2016)

  • Madi, T., Jarraya, Y., Alimohammadifar, A., Majumdar, S., Wang, Y., Pourzandi, M., Wang, L., Debbabi, M.: ISOTOP: auditing virtual networks isolation across cloud layers in OpenStack. ACM Trans. Privacy Secur. 22(1), 1 (2018)

    Google Scholar 

  • Madi, T., Majumdar, S., Wang, Y., Jarraya, Y., Pourzandi, M., Wang, L.: Auditing security compliance of the virtualized infrastructure in the cloud: application to openstack. In: CODASPY, pp. 195–206. ACM, (2016)

  • Majumdar, S., Jarraya, Y., Madi, T., Alimohammadifar, A., Pourzandi, M., Wang, L., Debbabi, M.: Proactive verification of security compliance for clouds through pre-computation: application to OpenStack. In: ESORICS, (2016)

  • Majumdar, S., Jarraya, Y., Oqaily, M., Alimohammadifar, A., Pourzandi, M., Wang, L., Debbabi, M.: LeaPS: Learning-based proactive security auditing for clouds. In: ESORICS, (2017)

  • Majumdar, S., Madi, T., Wang, Y., Jarraya, Y., Pourzandi, M., Wang, L., Debbabi, M.: Security compliance auditing of identity and access management in the cloud: application to OpenStack. In: CloudCom, pp. 58–65. IEEE, (2015)

  • Majumdar, S., Madi, T., Wang, Y., Jarraya, Y., Pourzandi, M., Wang, L., Debbabi, M.: User-level runtime security auditing for the cloud. IEEE Trans. Inf. Forensics Secur. 13(5), 1185–1199 (2018)

    Article  Google Scholar 

  • Majumdar, S., Tabiban, A., Jarraya, Y., Oqaily, M., Alimohammadifar, A., Pourzandi, M., Wang, L., Debbabi, M.: Learning probabilistic dependencies among events for proactive security auditing in clouds. J. Comput. Secur. 27(2), 165–202 (2019)

    Article  Google Scholar 

  • Majumdar, S., Tabiban, A., Mohammady, M., Oqaily, A., Jarraya, Y., Pourzandi, M., Wang, L., Debbabi, M.: Multi-level proactive security auditing for cloud. In: IEEE Conference on Dependable and Secure Computing (DSC), (2019)

  • Majumdar, S., Tabiban, A., Mohammady, M., Oqaily, A., Jarraya, Y., Pourzandi, M., Wang, L., Debbabi, M.: Proactivizer: Transforming existing verification tools into efficient solutions for runtime security enforcement. In: ESORICS, (2019)

  • Microsoft: Microsoft Azure virtual network. Available at: https://azure.microsoft.com. Accessed on: 14 Feb 2018

  • Murphy, K.: A brief introduction to graphical models and bayesian networks. (1998)

  • OpenStack: Neutron security groups bypass through invalid cidr, 2015. Available at: https://security.openstack.org/ossa/OSSA-2014-014.html. Accessed on: 14 Feb 2018

  • OpenStack: Nova network security group changes are not applied to running instances, 2015. Available at: https://security.openstack.org/ossa/OSSA-2015-021.html, Accessed on: 14 Feb 2018

  • OpenStack: OpenStack Congress, 2015. Available at: https://wiki.openstack.org/wiki/Congress, Accessed on: 14 Feb 2018

  • OpenStack: OpenStack open source cloud computing software, 2015. Available at: http://www.openstack.org, Accessed on: 14 Feb 2018

  • OpenStack: OpenStack user survey, 2016. Available at: https://www.openstack.org/assets/survey/October2016SurveyReport.pdf. Accessed on: 14 Feb 14 2018

  • OpenStack: OpenStack logging, 2018. Available at: https://docs.openstack.org/operations-guide/ops-logging.html. Accessed on: 07 April 2020

  • Peng, W., Perng, C., Li, T., Wang, H.: Event summarization for system management. In: Proceedings of the 13th ACM SIGKDD international conference on Knowledge discovery and data mining. ACM, (2007)

  • Priestley, M. B.: Spectral analysis and time series. (1981)

  • Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: CCS. ACM, (2009)

  • Schear, N., Cable II, P. T., Moyer, T. M., Richard, B., Rudd, R.: Bootstrapping and maintaining trust in the cloud. In: ACSAC, (2016)

  • Skowyra, R., Xu, L., Gu, G., Hobson, T., Dedhia, V., Landry, J., Okhravi, H.: Effective topology tampering attacks and defenses in software-defined networks. In: Proceedings of the 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN’15), (2018)

  • Tabiban, A., Majumdar, S., Wang, L., Debbabi, M.: Permon: An openstack middleware for runtime security policy enforcement in clouds. In: SPC, (2018)

  • Tamura, N., Banbara, M.: Sugar: A CSP to SAT translator based on order encoding. In: Proceedings of the Second International CSP Solver Competition, pp. 65–69 (2008)

  • Ullah, K. W., Ahmed, A. S., Ylitalo, J.: Towards building an automated security compliance tool for the cloud. In: TrustCom, pp. 1587–1593. IEEE, (2013)

  • Varadarajan, V., Kooburat, T., Farley, B., Ristenpart, T., Swift, M. M.: Resource-freeing attacks: improve your cloud performance (at your neighbor’s expense). In: CCS. ACM, (2012)

  • VMware: VMware vCloud Director. Available at: https://www.vmware.com. Accessed on: 14 Feb 2018

  • Wang, C., Chow, S.S., Wang, Q., Ren, K., Lou, W.: Privacy-preserving public auditing for secure cloud storage. IEEE Trans. Comput. 62(2), 362–375 (2013)

    Article  MathSciNet  Google Scholar 

  • Wang, Y., Wu, Q., Qin, B., Shi, W., Deng, R.H., Hu, J.: Identity-based data outsourcing with comprehensive auditing in clouds. IEEE Trans. Inf. Forensics Secur. 12(4), 940–952 (2017)

    Article  Google Scholar 

  • WSGI: Middleware and libraries for WSGI, 2016. Available at: http://wsgi.readthedocs.io/en/latest/libraries.html. Accessed on: 15 Feb 2018

  • Xu, Z., Wang, H., Wu, Z.: A measurement study on co-residence threat inside the cloud. In: USENIX Security (2015)

  • Yau, S. S., Buduru, A. B., Nagaraja, V.: Protecting critical cloud infrastructures with predictive capability. In: CLOUD, pp. 1119–1124. IEEE, (2015)

  • Zhang, Y., Juels, A., Reiter, M. K., Ristenpart, T.: Cross-VM side channels and their use to extract private keys. In: CCS. ACM, (2012)

  • Zhang, Y., Juels, A., Reiter, M. K., Ristenpart, T.: Cross-tenant side-channel attacks in PaaS clouds. In: CCS. ACM, (2014)

Download references

Acknowledgements

This research was supported by University at Albany (Grant Startup).

Author information

Authors and Affiliations

  1. Information Security and Digital Forensics, University at Albany, Albany, USA

    Suryadipta Majumdar

Authors
  1. Suryadipta Majumdar
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Suryadipta Majumdar.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Majumdar, S. A multi-level proactive security auditing framework for clouds through automated dependency building. CCF Trans. Netw. 3, 112–127 (2020). https://doi.org/10.1007/s42045-020-00028-9

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s42045-020-00028-9

Keywords

  • Cloud security
  • Security auditing
  • Proactive security
  • Multi-level security