Abstract
Security compliance auditing against standards, regulations or requirements in cloud environments is of increasing importance for building trust between stakeholders. Many automatic security compliance auditing tools have been developed to support the accountability and transparency of a cloud provider towards its tenants in a large-scale, complex cloud. User operations in clouds that may cause security compliance violations have attracted attention, including management operations conducted by insider attackers; the system changes induced by such operations, insofar as they concern security policies, are captured for auditing. However, existing cloud security compliance auditing tools concentrate mainly on verification rather than on the provision of evidence. In this paper, we propose an automatic approach to digging up evidence of security compliance violations caused by user operations, by mining insights into how the system executes those operations from system execution traces. Both known and potentially unknown suspicious user operation requests that may cause security compliance violations, or suspicious changes in system execution behaviour, are recognized automatically. More importantly, evidence related to the detected suspicious requests is presented for further auditing, with the abnormal and the expected snippets marked in the relevant extracted execution traces. We have evaluated our method in OpenStack, a popular open source cloud operating system. The experimental results demonstrate the capability of our approach to detect user operation requests that cause security compliance violations and to present the relevant evidence.
Acknowledgments
This work was supported in part by the National Natural Science Foundation of China under grants No. 61472429, 61070192, 91018008, 61303074 and 61170240, the Beijing Natural Science Foundation under grant No. 4122041, the National High-Tech Research and Development Program of China under grant No. 2007AA01Z414, and the National Science and Technology Major Project of China under grant No. 2012ZX01039-004.
Copyright information
© 2019 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Yuan, Y., Torgonshar, A., Shi, W., Liang, B., Qin, B. (2019). Digging Evidence for Violation of Cloud Security Compliance with Knowledge Learned from Logs. In: Zhang, H., Zhao, B., Yan, F. (eds) Trusted Computing and Information Security. CTCIS 2018. Communications in Computer and Information Science, vol 960. Springer, Singapore. https://doi.org/10.1007/978-981-13-5913-2_20
DOI: https://doi.org/10.1007/978-981-13-5913-2_20
Publisher Name: Springer, Singapore
Print ISBN: 978-981-13-5912-5
Online ISBN: 978-981-13-5913-2
eBook Packages: Computer Science; Computer Science (R0)