Monitoring of Client-Cloud Interaction

  • Harald LampesbergerEmail author
  • Mariam Rady
Part of the Texts & Monographs in Symbolic Computation book series (TEXTSMONOGR)


When a client consumes a cloud service, computational liabilities are transferred to the service provider in accordance to the cloud paradigm, and the client loses some control over software components. One way to raise assurance about correctness and dependability of a consumed service and its software components is monitoring. In particular, a monitor is a system that observes the behavior of another system, and observation points that expose the target system’s state and state changes are required. Due to the cloud paradigm, popular techniques for monitoring such as code instrumentation are often not available to the client because of limited visibility, lack of control, and black-box software components. Based on a literature review, we identify potential observation points in today’s cloud services. Furthermore, we investigate two cloud-specific monitoring applications based on our ongoing research. While service level agreement (SLA) monitoring ensures that agreed-upon conditions between clients and providers are met, language-based anomaly detection monitors the interaction between client and cloud for misuse attempts.


Cloud Computing Cloud Service Transmission Control Protocol Intrusion Detection Anomaly Detection 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We would like to thank the Christian Doppler Society for supporting this research.


  1. 1.
    Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity principles, implementations, and applications. ACM Trans. Inf. Syst. Secur. 13(1), 1–40 (2009)CrossRefGoogle Scholar
  2. 2.
    Aceto, G., Botta, A., de Donato, W., Pescapè, A.: Cloud monitoring: a survey. Comput. Netw. 57(9), 2093–2115 (2013)CrossRefGoogle Scholar
  3. 3.
    Ahonen, H.: Generating grammars for structured documents using grammatical inference methods. Tech. Rep. A-1996-4. Department of Computer Science, University of Helsinki (1996)Google Scholar
  4. 4.
    Alonso, G., Casati, F., Kuno, H.A., Machiraj, V.: Web Services - Concepts, Architectures and Applications. Springer, Heidelberg (2004)zbMATHGoogle Scholar
  5. 5.
    Alpern, B., Schneider, F.B.: Recognizing safety and liveness. Distrib. Comput. 2(3), 117–126 (1987)zbMATHCrossRefGoogle Scholar
  6. 6.
    Alur, R., Madhusudan, P.: Visibly pushdown languages. In: Proceedings of the 36th Annual ACM Symposium on Theory of Computing, STOC’04, pp. 202–211. ACM, New York (2004)Google Scholar
  7. 7.
    Alur, R., Madhusudan, P.: Adding nesting structure to words. J. ACM 56(3), 1–43 (2009)MathSciNetCrossRefGoogle Scholar
  8. 8.
    Amazon Elastic Compute Cloud: GPU instances. (2014). Accessed 09 Sept 2014
  9. 9.
    Amazon Web Services: Amazon web services customer agreement. (2008). Accessed 28 Aug 2013
  10. 10.
    Amazon Web Services: Amazon ec2 service level agreement. (2013). Accessed 20 Nov 2013
  11. 11.
    Android Developers: Sensors overview. (2014). Accessed 09 Sept 2014
  12. 12.
    Apache Commons: BCEL. (2014). Accessed 10 Sept 2014
  13. 13.
    Ariu, D., Tronci, R., Giacinto, G.: Hmmpayl: an intrusion detection system based on hidden markov models. Comput. Secur. 30(4), 221–241 (2011)CrossRefGoogle Scholar
  14. 14.
    Armbrust, M., Fox, A., Griffith, R., Joseph, A.D., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A., Stoica, I., Zaharia, M.: A view of cloud computing. Commun. ACM 53(4), 50–58 (2010)CrossRefGoogle Scholar
  15. 15.
    Avižienis, A., Laprie, J.C.: Dependable computing: from concepts to design diversity. Proc. IEEE 74(5), 629–638 (1986)CrossRefGoogle Scholar
  16. 16.
    Avižienis, A., Laprie, J.C., Randell, B.: Dependability and its threats: a taxonomy. In: Building the Information Society. IFIP International Federation for Information Processing, vol. 156, pp. 91–120. Springer, New York (2004)Google Scholar
  17. 17.
    Avižienis, A., Laprie, J.C., Randell, B., Landwehr, C.: Basic concepts and taxonomy of dependable and secure computing. IEEE Trans. Dependable Secure Comput. 1(1), 11–33 (2004)CrossRefGoogle Scholar
  18. 18.
    Ayad, A., Dippel, U.: Agent-based monitoring of virtual machines. In: International Symposium in Information Technology (ITSim), pp. 1–6. IEEE, Kuala Lumpur (2010)Google Scholar
  19. 19.
    Barford, P., Kline, J., Plonka, D., Ron, A.: A signal analysis of network traffic anomalies. In: Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement, IMW’02, pp. 71–82. ACM, New York (2002)Google Scholar
  20. 20.
    Barreno, M., Nelson, B., Sears, R., Joseph, A.D., Tygar, J.: Can machine learning be secure? In: Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security, ASIACCS’06, pp. 16–25. ACM, New York (2006)Google Scholar
  21. 21.
    Barros, A., Dumas, M., ter Hofstede, A.H.: Service interaction patterns: towards a reference framework for service-based business process interconnection. Tech. Rep. FIT-TR-2005-02. Faculty of IT, Queensland University of Technology (2005)Google Scholar
  22. 22.
    Bellevue Linux Users Group: The linux information project (linfo). (2007). Accessed 19 Oct 2013
  23. 23.
    Bendrath, R., Mueller, M.: The end of the net as we know it? Deep packet inspection and internet governance. New Media Soc. 13(7), 1142–1160 (2011)Google Scholar
  24. 24.
    Bex, G.J., Neven, F., Van den Bussche, J.: Dtds versus xml schema: a practical study. In: Proceedings of the 7th International Workshop on the Web and Databases, WebDB’04, pp. 79–84. ACM, New York (2004)Google Scholar
  25. 25.
    Bex, G.J., Neven, F., Vansummeren, S.: Inferring xml schema definitions from xml data. In: Proceedings of the 33rd International Conference on Very Large Data Bases, VLDB’07, pp. 998–1009. VLDB Endowment, Vienna (2007)Google Scholar
  26. 26.
    Bex, G.J., Gelade, W., Neven, F., Vansummeren, S.: Learning deterministic regular expressions for the inference of schemas from xml data. ACM Trans. Web 4(4), 1–32 (2010)CrossRefGoogle Scholar
  27. 27.
    Bex, G.J., Neven, F., Schwentick, T., Vansummeren, S.: Inference of concise regular expressions and dtds. ACM Trans. Database Syst. 35(2), 1–47 (2010)CrossRefGoogle Scholar
  28. 28.
    Bilge, L., Dumitras, T.: Before we knew it: an empirical study of zero-day attacks in the real world. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS’12, pp. 833–844. ACM, New York (2012)Google Scholar
  29. 29.
    Binder, W., Hulaas, J., Moret, P.: Advanced java bytecode instrumentation. In: Proceedings of the 5th International Symposium on Principles and Practice of Programming in Java, pp. 135–144. ACM, New York (2007)Google Scholar
  30. 30.
    Boggs, N., Hiremagalore, S., Stavrou, A., Stolfo, S.J.: Cross-domain collaborative anomaly detection: so far yet so close. In: Recent Advances in Intrusion Detection – RAID’11. Lecture Notes of Computer Science, vol. 6961, pp. 142–160. Springer, Heidelberg (2011)Google Scholar
  31. 31.
    Bolzoni, D., Etalle, S., Hartel, P., Zambon, E.: Poseidon: a 2-tier anomaly-based network intrusion detection system. In: 4th IEEE International Workshop on Information Assurance, IWIA’06, pp. 144–156. IEEE, London (2006)Google Scholar
  32. 32.
    Börger, E., Stärk, R.: Abstract State Machines: A Method for High-Level System Design and Analysis. Springer, New York (2003)CrossRefGoogle Scholar
  33. 33.
    Bradley, K.A., Lemler, C., Patel, A.C., Lau, R.M.: Time-based monitoring of service level agreements. Cisco Technology, Inc., United States Patent, No. US007082463 B1 (2006)Google Scholar
  34. 34.
    Carpenter, B., Brim, S.: Middleboxes: taxonomy and issues. RFC 3234 (Informational). (2002)
  35. 35.
    Čeleda, P., Krmíček, V.: Flow data collection in large scale networks. In: Advances in IT Early Warning, pp. 30–40. Fraunhofer, Stuttgart (2013)Google Scholar
  36. 36.
    Chan-Tin, E., Heorhiadi, V., Hopper, N., Kim, Y.: The frog-boiling attack: limitations of secure network coordinate systems. ACM Trans. Inf. Syst. Secur. 14(3), 1–23 (2011)CrossRefGoogle Scholar
  37. 37.
    Chandola, V., Banerjee, A., Kumar, V.: Anomaly detection: a survey. ACM Comput. Surv. 41(3), 1–58 (2009)CrossRefGoogle Scholar
  38. 38.
    Chidlovskii, B.: Schema extraction from xml: a grammatical inference approach. In: Proceedings of the 8th International Workshop on Knowledge Representation Meets Databases, KRDB’01 (2001)Google Scholar
  39. 39.
    Choon, M., Lin, C.Y.J., Wang, X.: A scalable monitoring approach for service level agreements validation. In: International Conference on Network Protocols, ICNP’00, pp. 37–48. IEEE, Osaka (2000)Google Scholar
  40. 40.
    Cisco: Netflow. Accessed 18 Oct 2013
  41. 41.
    Comuzzi, M., Kotsokalis, C., Spanoudakis, G., Yahyapour, R.: Establishing and monitoring slas in complex service based systems. In: IEEE International Conference on Web Services, ICWS’09, pp. 783–790. IEEE (2009)Google Scholar
  42. 42.
    Corona, I., Ariu, D., Giacinto, G.: Hmm-web: a framework for the detection of attacks against web applications. In: IEEE International Conference on Communications, ICC’09, pp. 1–6. IEEE, Los Angeles (2009)Google Scholar
  43. 43.
    Criscione, C., Salvaneschi, G., Maggi, F., Zanero, S.: Integrated detection of attacks against browsers, web applications and databases. In: European Conference on Computer Network Defense, EC2ND’09, pp. 37–45. IEEE, Milan (2009)Google Scholar
  44. 44.
    Croll, A., Power, S.: Complete web monitoring: watching your visitors, performance, communities, and competitors. O’Reilly Media, Sebastopol (2009)Google Scholar
  45. 45.
    Curry, E.: Message-oriented middleware. In: Mahmoud, Q.H. (ed.) Middleware for Communications. Wiley, Chichester (2005)Google Scholar
  46. 46.
    Dastjerdi, A.V., Tabatabaei, S.G.H., Buyya, R.: A dependency-aware ontology-based approach for deploying service level agreement monitoring services in cloud. Softw. Pract. Exp. 42(4), 501–518 (2012)CrossRefGoogle Scholar
  47. 47.
    de la Higuera, C.: Grammatical Inference: Learning Automata and Grammars. Cambridge University Press, Cambridge (2010)Google Scholar
  48. 48.
    Debar, H., Dacier, M., Wespi, A.: Towards a taxonomy of intrusion-detection systems. Comput. Netw. 31(8), 805–822 (1999)CrossRefGoogle Scholar
  49. 49.
    Delgado, N., Gates, A., Roach, S.: A taxonomy and catalog of runtime software-fault monitoring tools. IEEE Trans. Softw. Eng. 30(12), 859–872 (2004)CrossRefGoogle Scholar
  50. 50.
    Denning, D.E.: An intrusion-detection model. IEEE Trans. Softw. Eng. SE-13(2), 222–232 (1987)CrossRefGoogle Scholar
  51. 51.
    Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard). (2008). Updated by RFCs 5746, 5878, 6176
  52. 52.
    Dolan-Gavitt, B., Leek, T., Zhivich, M., Giffin, J., Lee, W.: Virtuoso: narrowing the semantic gap in virtual machine introspection. In: IEEE Symposium on Security and Privacy, S&P’11, pp. 297–312. IEEE, Washington (2011)Google Scholar
  53. 53.
    Düssel, P., Gehl, C., Laskov, P., Rieck, K.: Incorporation of application layer protocol syntax into anomaly detection. In: Information Systems Security – ICISS’08. Lecture Notes of Computer Science, vol. 5352, pp. 188–202. Springer, Heidelberg (2008)Google Scholar
  54. 54.
    Egele, M., Scholte, T., Kirda, E., Kruegel, C.: A survey on automated dynamic malware-analysis techniques and tools. ACM Comput. Surv. 44(2), 1–42 (2012)CrossRefGoogle Scholar
  55. 55.
    Emeakaroha, V.C., Brandic, I., Maurer, M., Dustdar, S.: Low level metrics to high level slas-lom2his framework: bridging the gap between monitored metrics and sla parameters in cloud environments. In: International Conference on High Performance Computing and Simulation, HPCS’10, pp. 48–54. IEEE, Caen (2010)Google Scholar
  56. 56.
    Emeakaroha, V.C., Netto, M.A.S., Calheiros, R.N., Brandic, I., Buyya, R., De Rose, C.A.: Towards autonomic detection of sla violations in cloud infrastructures. Futur. Gener. Comput. Syst. 28(7), 1017–1029 (2012)CrossRefGoogle Scholar
  57. 57.
    Endres-Niggemeyer, B.: The mashup ecosystem. In: Semantic Mashups, pp. 1–51. Springer, Heidelberg (2013)Google Scholar
  58. 58.
    Falkenberg, A., Jensen, M., Schwenk, J.: Welcome to (2011). Accessed 05 Feb 2013
  59. 59.
    Feng, H.H., Kolesnikov, O.M., Fogla, P., Lee, W., Gong, W.: Anomaly detection using call stack information. In: IEEE Symposium on Security and Privacy, S&P’03, pp. 62–75. IEEE, Washington (2003)Google Scholar
  60. 60.
    Fernau, H.: Learning xml grammars. In: Machine Learning and Data Mining in Pattern Recognition – MLDM’01. Lecture Notes of Computer Science, vol. 2123, pp. 73–87. Springer, Heidelberg (2001)Google Scholar
  61. 61.
    Fernau, H.: Identification of function distinguishable languages. Theor. Comput. Sci. 290(3), 1679–1711 (2003)zbMATHMathSciNetCrossRefGoogle Scholar
  62. 62.
    Fielding, R.T.: Rest: architectural styles and the design of network-based software architectures. Ph.D. thesis, University of California (2000)Google Scholar
  63. 63.
    Forrest, S., Hofmeyr, S., Somayaji, A., Longstaff, T.: A sense of self for unix processes. In: IEEE Symposium on Security and Privacy, S&P’96, pp. 120–128. IEEE, Washington (1996)Google Scholar
  64. 64.
    Freier, A., Karlton, P., Kocher, P.: The Secure Sockets Layer (SSL) Protocol Version 3.0. RFC 6101 (Historic) (2011).
  65. 65.
    Frossi, A., Maggi, F., Rizzo, G., Zanero, S.: Selecting and improving system call models for anomaly detection. In: Detection of Intrusions and Malware, and Vulnerability Assessment – DIMVA’09. Lecture Notes in Computer Science, vol. 5587, pp. 206–223. Springer, Heidelberg (2009)Google Scholar
  66. 66.
    Garfinkel, T.: Traps and pitfalls: practical problems in system call interposition based security tools. In: Proceedings of the Network and Distributed Systems Security Symposium, NDSS’03, pp. 163–176 (2003)Google Scholar
  67. 67.
    Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proceedings of the Network and Distributed System Security Symposium, NDSS’03 (2003)Google Scholar
  68. 68.
    Garofalakis, M., Gionis, A., Rastogi, R., Seshadri, S., Shim, K.: Xtract: learning document type descriptors from xml document collections. Data Min. Knowl. Discov. 7(1), 23–56 (2003)MathSciNetCrossRefGoogle Scholar
  69. 69.
    Garrett, J.J.: Ajax. (2005). Accessed 27 March 2013
  70. 70.
    Geraci, A., Katki, F., McMonegal, L., Meyer, B., Lane, J., Wilson, P., Radatz, J., Yee, M., Porteous, H., Springsteel, F.: IEEE Standard Computer Dictionary: Compilation of IEEE Standard Computer Glossaries. IEEE, Piscataway (1991)Google Scholar
  71. 71.
    Gerhards, R.: The Syslog Protocol. RFC 5424 (Proposed Standard) (2009).
  72. 72.
    Goodloe, A., Pike, L.: Monitoring distributed real-time systems: a survey and future directions. Tech. Rep. NASA/CR-2010-216724. NASA Langley Research Center (2010)Google Scholar
  73. 73.
    Google Developers: Geolocation. (2014). Accessed 09 Sept 2014
  74. 74.
    Görnitz, N., Kloft, M., Rieck, K., Brefeld, U.: Active learning for network intrusion detection. In: Proceedings of the 2nd ACM Workshop on Security and Artificial Intelligence, AISec’09, pp. 47–54. ACM, New York (2009)Google Scholar
  75. 75.
    Gottschalk, K., Graham, S., Kreger, H., Snell, J.: Introduction to web services architecture. IBM Syst. J. 41(2), 170–177 (2002)CrossRefGoogle Scholar
  76. 76.
    Grijzenhout, S., Marx, M.: The quality of the xml web. In: Proceedings of the 20th ACM International Conference on Information and Knowledge Management, CIKM’11, pp. 1719–1724. ACM, New York (2011)Google Scholar
  77. 77.
    Hadžiosmanović, D., Simionato, L., Bolzoni, D., Zambon, E., Etalle, S.: N-gram against the machine: on the feasibility of the n-gram network analysis for binary protocols. In: Research in Attacks, Intrusions, and Defenses – RAID’12. Lecture Notes in Computer Science, vol. 7462, pp. 354–373. Springer, Heidelberg (2012)Google Scholar
  78. 78.
    Handley, M., Paxson, V., Kreibich, C.: Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics. In: Proceedings of the USENIX Security Symposium, SECURITY’01. USENIX Association (2001)Google Scholar
  79. 79.
    Harrington, D., Presuhn, R., Wijnen, B.: An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks. RFC 3411 (INTERNET STANDARD). (2002). Updated by RFCs 5343, 5590
  80. 80.
    Hauck, R., Reiser, H.: Monitoring of service level agreements with exible and extensible agents. In: Workshop of the OpenView University Association, OVUA’99. Citeseer (1999)Google Scholar
  81. 81.
    Hegewald, J., Naumann, F., Weis, M.: Xstruct: efficient schema extraction from multiple and large xml documents. In: 22nd International Conference on Data Engineering Workshops, ICDEW’06, pp. 81–81. IEEE, Atlanta (2006)Google Scholar
  82. 82.
    Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. J. Comput. Secur. 6(3), 151–180 (1998)Google Scholar
  83. 83.
    Hofstede, R., Drago, I., Sperotto, A., Pras, A.: Flow monitoring experiences at the ethernet-layer. In: Energy-Aware Communications – EUNICE’11. Lecture Notes in Computer Science, vol. 6955, pp. 134–145. Springer, Heidelberg (2011)Google Scholar
  84. 84.
    Huang, L., Joseph, A.D., Nelson, B., Rubinstein, B.I., Tygar, J.D.: Adversarial machine learning. In: Proceedings of the 4th ACM Workshop on Security and Artificial Intelligence, AISec’11, pp. 43–58. ACM, New York (2011)Google Scholar
  85. 85.
    Ingham, K.L., Somayaji, A., Burge, J., Forrest, S.: Learning dfa representations of http for protecting web applications. Comput. Netw. 51(5), 1239–1255 (2007)zbMATHCrossRefGoogle Scholar
  86. 86.
    Internet Explorer Dev Center: Introduction to the Geolocation API. (2014). Accessed 09 Sept 2014
  87. 87.
    iOS Developer Library: CMMotionManager Class Reference. (2013). Accessed 09 Sept 2014
  88. 88.
    Jaakkola, H., Thalheim, B.: Exception-aware (information) systems. In: Information Modelling and Knowledge Bases XXIV. Frontiers in Artificial Intelligence and Applications, vol. 251, pp. 300–313. IOS Press, Amsterdam (2013)Google Scholar
  89. 89.
    Jayashree, K., Anand, S.: Web service diagnoser model for managing faults in web services. Comput. Stand. Interfaces 36(1), 154–164 (2013)CrossRefGoogle Scholar
  90. 90.
    Jensen, M., Gruschka, N., Herkenhöner, R.: A survey of attacks on web services. Comput. Sci. Res. Dev. 24(4), 185–197 (2009)CrossRefGoogle Scholar
  91. 91.
    Joshi, K.R., Bunker, G., Jahanian, F., van Moorsel, A., Weinman, J.: Dependability in the cloud: challenges and opportunities. In: IEEE/IFIP International Conference on Dependable Systems & Networks, 2009, DSN’09, pp. 103–104. IEEE, Lisbon (2009)Google Scholar
  92. 92.
    Keller, A., Ludwig, H.: IBM research report the WSLA framework: specifying and monitoring service level agreements for web services the WSLA framework: specifying and monitoring. J. Netw. Syst. Manag. 11(1), 57–81 (2003)CrossRefGoogle Scholar
  93. 93.
    Kirchner, M.: A framework for detecting anomalies in http traffic using instance-based learning and k-nearest neighbor classification. In: 2nd International Workshop on Security and Communication Networks, IWSCN’10, pp. 1–8. IEEE, Karlstad (2010)Google Scholar
  94. 94.
    Ko, C., Fink, G., Levitt, K.: Automated detection of vulnerabilities in privileged programs by execution monitoring. In: 10th Annual Computer Security Applications Conference, ACSAC’94, pp. 134–144. IEEE, Orlando (1994)Google Scholar
  95. 95.
    Ko, C., Ruschitzka, M., Levitt, K.: Execution monitoring of security-critical programs in distributed systems: a specification-based approach. In: IEEE Symposium on Security and Privacy, S&P’97, pp. 175–187. IEEE, Oakland (1997)Google Scholar
  96. 96.
    Kosala, R., Blockeel, H., Bruynooghe, M., Van den Bussche, J.: Information extraction from structured documents using k-testable tree automaton inference. Data Knowl. Eng. 58(2), 129–158 (2006)CrossRefGoogle Scholar
  97. 97.
    Kruegel, C., Vigna, G.: Anomaly detection of web-based attacks. In: Proceedings of the 10th ACM Conference on Computer and Communication Security, CCS’03, pp. 251–261. ACM, New York (2003)Google Scholar
  98. 98.
    Krüger, T., Gehl, C., Rieck, K., Laskov, P.: Tokdoc: a self-healing web application firewall. In: Proceedings of the 2010 ACM Symposium on Applied Computing, SAC’10, pp. 1846–1853. ACM, New York (2010)Google Scholar
  99. 99.
    Krüger, T., Krämer, N., Rieck, K.: Asap: automatic semantics-aware analysis of network payloads. In: Privacy and Security Issues in Data Mining and Machine Learning – PSDML’10. Lecture Notes of Computer Science, vol. 6549, pp. 50–63. Springer, Heidelberg (2011)Google Scholar
  100. 100.
    Kumar, V., Madhusudan, P., Viswanathan, M.: Minimization, learning, and conformance testing of boolean programs. In: CONCUR 2006 – Concurrency Theory. Lecture Notes of Computer Science, vol. 4137, pp. 203–217. Springer, Heidelberg (2006)Google Scholar
  101. 101.
    Kumar, V., Madhusudan, P., Viswanathan, M.: Visibly pushdown automata for streaming xml. In: Proceedings of the 16th International Conference on World Wide Web, WWW’07, pp. 1053–1062. ACM, New York (2007)Google Scholar
  102. 102.
    Lamanna, D.D., Skene, J., Emmerich, W.: Slang: a language for service level agreements. In: Proceedings of the 9th IEEE Workshop on Future Trends of Distributed Computing Systems, FTDCS’03, pp. 100–106. IEEE, Washington (2003)Google Scholar
  103. 103.
    Lampesberger, H.: A grammatical inference approach to language-based anomaly detection in xml. In: 2013 International Conference on Availability, Reliability and Security, ECTCM’13 Workshop, pp. 685–693. IEEE, Washington (2013)Google Scholar
  104. 104.
    Lampesberger, H.: Technologies for Web and cloud service interaction: a survey. Serv. Oriented Comput. Appl. (2015) doi:  10.1007/s11761-015-0174-12015 Google Scholar
  105. 105.
    Lampesberger, H., Winter, P., Zeilinger, M., Hermann, E.: An on-line learning statistical model to detect malicious web requests. In: Security and Privacy in Communication Networks. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol. 96, pp. 19–38. Springer, Heidelberg (2012)Google Scholar
  106. 106.
    Lampesberger, H., Zeilinger, M., Hermann, E.: Statistical modeling of web requests for anomaly detection in web applications. In: Advances in IT Early Warning, pp. 91–101. Fraunhofer AISEC, Garching (2013)Google Scholar
  107. 107.
    Lamport, L.: Proving the correctness of multiprocess programs. IEEE Trans. Softw. Eng. SE-3(2), 125–143 (1977)MathSciNetCrossRefGoogle Scholar
  108. 108.
    Lazarevic, A., Kumar, V., Srivastava, J.: Intrusion detection: a survey. In: Managing Cyber Threats. Massive Computing, vol. 5, pp. 19–78. Springer, New York (2005)Google Scholar
  109. 109.
    ldv_alt: Project page: strace. Online. Accessed 18 Oct 2013
  110. 110.
    Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., Jones, L.: SOCKS Protocol Version 5. RFC 1928 (Proposed Standard) (1996).
  111. 111.
    Leucker, M., Schallhart, C.: A brief account of runtime verification. J. Logic Algebraic Program. 78(5), 293–303 (2009)zbMATHCrossRefGoogle Scholar
  112. 112.
    Ludwig, H., Keller, A., Dan, A., King, R.P., Franck, R.: Web Service Level Agreement WSLA Language Specification. IBM Corporation, pp. 815–824 (2003)Google Scholar
  113. 113.
    Lynch, N.A.: Distributed Algorithms. Morgan Kaufmann, San Francisco (1996)zbMATHGoogle Scholar
  114. 114.
    Magazinius, J., Russo, A., Sabelfeld, A.: On-the-fly inlining of dynamic security monitors. Comput. Secur. 31(7), 827–843 (2012)CrossRefGoogle Scholar
  115. 115.
    Magazinius, J., Hedlin, D., Sabelfeld, A.: Architectures for inlining security monitors in web applications. In: International Symposium on Engineering Secure Software and Systems, ESSoS’14. Springer, Heidelberg (2014)Google Scholar
  116. 116.
    Maggi, F., Robertson, W., Kruegel, C., Vigna, G.: Protecting a moving target: addressing web application concept drift. In: Recent Advances in Intrusion Detection – RAID’09. Lecture Notes of Computer Science, vol. 5758, pp. 21–40. Springer, Heidelberg (2009)Google Scholar
  117. 117.
    Maggi, F., Matteucci, M., Zanero, S.: Detecting intrusions through system call sequence and argument analysis. IEEE Trans. Dependable Secure Comput. 7(4), 381–395 (2010)CrossRefGoogle Scholar
  118. 118.
    Maggi, F., Zanero, S.: Is the future web more insecure? Distractions and solutions of new-old security issues and measures. In: 2nd Worldwide Cybersecurity Summit, WCS’11, pp. 1–9. IEEE, London (2011)Google Scholar
  119. 119.
    Mahoney, M.V.: Network traffic anomaly detection based on packet bytes. In: Proceedings of the 2003 ACM Symposium on Applied computing, SAC’03, pp. 346–350. ACM, New York (2003)Google Scholar
  120. 120.
    Mahoney, M.V., Chan, P.K.: Learning nonstationary models of normal network traffic for detecting novel attacks. In: Proceedings of the 8th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, KDD’02, pp. 376–385. ACM, New York (2002)Google Scholar
  121. 121.
    Martens, W., Neven, F., Schwentick, T., Bex, G.J.: Expressiveness and complexity of XML schema. ACM Trans. Database Syst. 31(3), 770–813 (2006)CrossRefGoogle Scholar
  122. 122.
    Michael, C.C., Ghosh, A.: Simple, state-based approaches to program-based anomaly detection. ACM Trans. Inf. Syst. Secur. 5(3), 203–237 (2002)CrossRefGoogle Scholar
  123. 123.
    Mlýnková, I.: An analysis of approaches to XML schema inference. In: IEEE International Conference on Signal Image Technology and Internet Based Systems, SITIS’08, pp. 16–23. IEEE, Bali (2008)Google Scholar
  124. 124.
    Mlýnková, I., Nečaský, M.: Towards inference of more realistic xsds. In: Proceedings of the 2009 ACM Symposium on Applied Computing, SAC’09, pp. 639–646. ACM, New York (2009)Google Scholar
  125. 125.
    Molina-Jimenez, C., Shrivastava, S., Crowcroft, J., Gevros, P.: On the monitoring of contractual service level agreements. In: 1st IEEE International Workshop on Electronic Contracting, WEC’04, pp. 1–8. IEEE, San Diego (2004)Google Scholar
  126. 126.
    Mooney, J.D.: Bringing portability to the software process. Department of Statistics and Computer Science, West Virginia University, Morgantown (1997)Google Scholar
  127. 127.
    Murata, M.: Relax ng. (2013). Accessed 01 Feb 2013
  128. 128.
    Murata, M., Lee, D., Mani, M., Kawaguchi, K.: Taxonomy of xml schema languages using formal language theory. ACM Trans. Internet Technol. 5(4), 660–704 (2005)CrossRefGoogle Scholar
  129. 129.
    Mutz, D., Valeur, F., Vigna, G., Kruegel, C.: Anomalous system call detection. ACM Trans. Inf. Syst. Secur. 9(1), 61–93 (2006)CrossRefGoogle Scholar
  130. 130.
    Nance, K., Bishop, M., Hay, B.: Virtual machine introspection: observation or interference? IEEE Secur. Privacy Mag. 6(5), 32–37 (2008)CrossRefGoogle Scholar
  131. 131.
    Necula, G.C., McPeak, S., Rahul, S., Weimer, W.: Cil: Intermediate language and tools for analysis and transformation of c programs. In: Compiler Construction. Lecture Notes in Computer Science, vol. 2304, pp. 213–228. Springer, Heidelberg (2002)Google Scholar
  132. 132.
    Nethercote, N., Seward, J.: Valgrind: a framework for heavyweight dynamic binary instrumentation. SIGPLAN Not. 42(6), 89–100 (2007)CrossRefGoogle Scholar
  133. 133.
    Niemi, O.P., Levomäki, A., Manner, J.: Dismantling intrusion prevention systems. ACM SIGCOMM Comput. Commun. Rev. 42(4), 285–286 (2012)CrossRefGoogle Scholar
  134. 134.
    Nusayr, A., Cook, J.: Extending AOP to support broad runtime monitoring needs. In: Conference on Software Engineering and Knowledge Engineering, pp. 438–441 (2009)Google Scholar
  135. 135.
    Nusayr, A., Cook, J.: Using aop for detailed runtime monitoring instrumentation. In: Proceedings of the Seventh International Workshop on Dynamic Analysis, WODA’09, pp. 8–14. ACM, New York (2009)Google Scholar
  136. 136.
    OpenSuSe Documentation: Understanding linux audit. Accessed 18 Oct 2013
  137. 137.
    Oracle: Solaris dynamic tracing guide. Accessed 18 Oct 2013
  138. 138.
    Parameswaran, A., Chaddha, A.: Cloud interoperability and standardization. SETLabs Brief. 7(7), 19–26 (2009)Google Scholar
  139. 139.
    Pautasso, C., Zimmermann, O., Leymann, F.: Restful web services vs. “big”’ web services: making the right architectural decision. In: Proceedings of the 17th International Conference on World Wide Web, WWW’08, pp. 805–814. ACM, New York (2008)Google Scholar
  140. 140.
    Paxson, V.: Bro: A system for detecting network intruders in real-time. Comput. Netw. 31(23–24), 2435–2463 (1999)CrossRefGoogle Scholar
  141. 141.
    Perdisci, R., Ariu, D., Fogla, P., Giacinto, G., Lee, W.: Mcpad: a multiple classifier system for accurate payload-based anomaly detection. Comput. Netw. 53(6), 864–881 (2009)zbMATHCrossRefGoogle Scholar
  142. 142.
    Picalausa, F., Servais, F., Zimányi, E.: Xevolve: an XML schema evolution framework. In: Proceedings of the 2011 ACM Symposium on Applied Computing, SAC’11, pp. 1645–1650. ACM, New York (2011)Google Scholar
  143. 143.
    Plattner, B., Nievergelt, J.: Monitoring program execution: a survey. Computer 14(11), 76–93 (1981)CrossRefGoogle Scholar
  144. 144.
    Ptacek, T.H., Newsham, T.N.: Insertion, evasion, and denial of service: eluding network intrusion detection. Tech. rep., Secure Networks, Inc. (1998). Accessed 13 Oct 2013
  145. 145.
    Rady, M.: Parameters for service level agreements generation in cloud computing a client-centric vision. In: Advances in Conceptual Modeling – CMS’12. Lecture Notes of Computer Science, vol. 7518, pp. 13–22. Springer, Heidelberg (2012)Google Scholar
  146. 146.
    Rady, M.: Generating an excerpt of a service level agreement from a formal definition of non-functional aspects using owl. J. Univers. Comput. Sci. 20(3), 366–384 (2014)MathSciNetGoogle Scholar
  147. 147.
    Raeymaekers, S., Bruynooghe, M., den Bussche, J.: Learning (k, l)-contextual tree languages for information extraction from web pages. Mach. Learn. 71(2), 155–183 (2008)CrossRefGoogle Scholar
  148. 148.
    Rescorla, E., Modadugu, N.: Datagram Transport Layer Security Version 1.2. RFC 6347 (Proposed Standard). (2012)
  149. 149.
    Richters, M., Gogolla, M.: Aspect-oriented monitoring of uml and ocl constraints. In: AOSD Modeling With UML Workshop, 6th International Conference on the Unified Modeling Language (UML) (2003)Google Scholar
  150. 150.
    Rieck, K.: Machine learning for application-layer intrusion detection. Ph.D. thesis, Berlin Institute of Technology, TU Berlin (2009)Google Scholar
  151. 151.
    Robertson, W., Vigna, G., Kruegel, C., Kemmerer, R.: Using generalization and characterization techniques in the anomaly-based detection of web attacks. In: Proceedings of the Network and Distributed System Security Symposium, NDSS’06 (2006)Google Scholar
  152. 152.
    Robertson, W., Maggi, F., Kruegel, C., Vigna, G.: Effective anomaly detection with scarce training data. In: Proceedings of the Network and Distributed System Security Symposium, NDSS’10 (2010)Google Scholar
  153. 153.
    Roesch, M.: Snort - lightweight intrusion detection for networks. In: Proceedings of the 13th USENIX Conference on System Administration, LISA’99, pp. 229–238. USENIX Association, Seattle (1999)Google Scholar
  154. 154.
    Romano, L., De Mari, D., Jerzak, Z., Fetzer, C.: A novel approach to qos monitoring in the cloud. In: 1st International Conference on Data Compression, Communications and Processing, CCP’11, pp. 45–51. IEEE, Palinuro (2011)Google Scholar
  155. 155.
    Rosenberg, F., Platzer, C., Dustdar, S.: Bootstrapping performance and dependability attributes of web services. In: International Conference on Web Services, ICWS’06, pp. 205–212. IEEE, Chicago (2006)Google Scholar
  156. 156.
    Rubinstein, B.I., Nelson, B., Huang, L., Joseph, A.D., Lau, S.h., Rao, S., Taft, N., Tygar, J.D.: Antidote: understanding and defending against poisoning of anomaly detectors. In: Proceedings of the 9th ACM SIGCOMM Conference on Internet Measurement, IMC’09, pp. 1–14. ACM, New York (2009)Google Scholar
  157. 157.
    Sabelfeld, A., Myers, A.: Language-based information-flow security. IEEE J. Select. Areas Commun. 21(1), 5–19 (2003)CrossRefGoogle Scholar
  158. 158.
    Sahai, A., Machiraju, V., Sayal, M., Moorsel, A., Casati, F.: Automated sla monitoring for web services. In: Management Technologies for E-Commerce and E-Business Applications – DSOM’02. Lecture Notes in Computer Science, vol. 2506, pp. 28–41. Springer, Heidelberg (2002)Google Scholar
  159. 159.
    Salfner, F., Lenk, M., Malek, M.: A survey of online failure prediction methods. ACM Comput. Surv. 42(3), 1–42 (2010)CrossRefGoogle Scholar
  160. 160.
    Sandhu, R., Samarati, P.: Access control: principle and practice. IEEE Commun. Mag. 32(9), 40–48 (1994)CrossRefGoogle Scholar
  161. 161.
    SAP: Message Flow Monitoring. (2011). Accessed 11 Sept 2014
  162. 162.
    Sassaman, L., Patterson, M., Bratus, S., Locasto, M.: Security applications of formal language theory. IEEE Syst. J. 7(3), 489–500 (2013)CrossRefGoogle Scholar
  163. 163.
    Schewe, K.D., Bósa, K., Lampesberger, H., Ma, J., Rady, M., Vleju, M.B.: Challenges in cloud computing. Scalable Comput. Pract. Exp. 12(4), 385–390 (2011)Google Scholar
  164. 164.
    Schewe, K.D., Thalheim, B., Wang, Q.: Updates, schema updates and validation of xml documents - using abstract state machines with automata-defined states. J. Univers. Comput. Sci. 15(10), 2028–2057 (2009)zbMATHMathSciNetGoogle Scholar
  165. 165.
    Schneider, F.B.: Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3(1), 30–50 (2000)CrossRefGoogle Scholar
  166. 166.
    Schroeder, B.: On-line monitoring: a tutorial. Computer 28(6), 72–78 (1995)CrossRefGoogle Scholar
  167. 167.
    Segoufin, L., Vianu, V.: Validating streaming XML documents. In: Proceedings of the 21st ACM Symposium on Principles of Database Systems, PODS’02, pp. 53–64. ACM, New York (2002)Google Scholar
  168. 168.
    Sekar, R., Bendre, M., Dhurjati, D., Bollineni, P.: A fast automaton-based method for detecting anomalous program behaviors. In: IEEE Symposium on Security and Privacy, S&P’01, pp. 144–155. IEEE, Washington (2001)Google Scholar
  169. 169.
    Shackel, B.: Usability-context, framework, definition, design and evaluation. In: Human Factors for Informatics Usability, pp. 21–37. Cambridge University Press, Cambridge (1991)Google Scholar
  170. 170.
    Somayaji, A., Forrest, S.: Automated response using system-call delays. In: Proceedings of the 9th USENIX Security Symposium, SECURITY’00 (2000)Google Scholar
  171. 171.
    Sommer, R., Paxson, V.: Outside the closed world: on using machine learning for network intrusion detection. In: IEEE Symposium on Security and Privacy, pp. 305–316 (2010)Google Scholar
  172. 172.
    Song, Y., Locasto, M.E., Stavrou, A., Keromytis, A.D., Stolfo, S.J.: On the infeasibility of modeling polymorphic shellcode. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS’07, pp. 541–551. ACM, New York (2007)Google Scholar
  173. 173.
    Song, Y., Keromytis, A., Stolfo, S.J.: Spectrogram: a mixture-of-markov-chains model for anomaly detection in web traffic. In: Proceedings of the Network and Distributed System Security Symposium, NDSS’09 (2009)Google Scholar
  174. 174.
    Soylu, A., Mödritscher, F., Wild, F., Causmaecker, P.D., Desmet, P.: Mashups by orchestration and widget-based personal environments: key challenges, solution strategies, and an application. Program Electron. Libr. Inf. Syst. 46(4), 383–428 (2012)CrossRefGoogle Scholar
  175. 175.
    Spring, J.: Monitoring cloud computing by layer, part 1. IEEE Secur. Privacy Mag. 9(2), 66–68 (2011)CrossRefGoogle Scholar
  176. 176.
    Spring, J.: Monitoring cloud computing by layer, part 2. IEEE Secur. Privacy Mag. 9(3), 52–55 (2011)CrossRefGoogle Scholar
  177. 177.
    Stevens, W.R.: TCP/IP Illustrated: The Protocols, vol. 1. Addison-Wesley, Boston (1993)zbMATHGoogle Scholar
  178. 178.
    Thalheim, B.: Towards a theory of conceptual modelling. J. Univers. Comput. Sci. 16(20), 3102–3137 (2010)zbMATHGoogle Scholar
  179. 179.
    The Apache Software Foundation: Apache module mod_proxy. (2013). Accessed 18 Nov 2013
  180. 180.
    The Network Encyclopedia: Circuit level gateway. (2013). Accessed 15 Sept 2014
  181. 181.
    The SAX Project: Simple api for xml (sax). (2004). Accessed 24 Jan 2013
  182. 182.
    Thottan, M., Ji, C.: Anomaly detection in ip networks. IEEE Trans. Signal Process. 51(8), 2191–2204 (2003)CrossRefGoogle Scholar
  183. 183.
    TrustedBSD Project: Openbsm: Open source basic security module (bsm) audit implementation. Accessed 18 Oct 2013
  184. 184.
    Valdes, A., Skinner, K.: Adaptive, model-based monitoring for cyber attack detection. In: Recent Advances in Intrusion Detection – RAID’00. Lecture Notes in Computer Science, vol. 1907, pp. 80–93. Springer, Heidelberg (2000)Google Scholar
  185. 185.
    W3C: Web Services Addressing (WS-Addressing). (2004). Accessed 03 March 2014
  186. 186.
    W3C: Document object model (dom). (2005). Accessed 24 Jan 2013
  187. 187.
    W3C: SOAP Version 1.2 Part 1: Messaging Framework, 2nd edn. (2007). Accessed 20 Feb 2014
  188. 188.
    W3C: XML Schema. (2010). Accessed 11 Feb 2013
  189. 189.
    W3C: XML Schema Part 2: Datatypes, 2nd edn. (2012). Accessed 22 March 2013
  190. 190.
    Wagner, D., Dean, R.: Intrusion detection via static analysis. In: IEEE Symposium on Security and Privacy, S&P’01, pp. 156–168. IEEE, Washington (2001)Google Scholar
  191. 191.
    Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS’02, pp. 255–264. ACM, New York (2002)Google Scholar
  192. 192.
    Wang, J., Bigham, J.: Anomaly detection in the case of message oriented middleware. In: Proceedings of the 2008 Workshop on Middleware Security, MidSec’08, pp. 40–42. ACM, New York (2008)Google Scholar
  193. 193.
    Wang, K., Stolfo, S.J.: Anomalous payload-based network intrusion detection. In: Recent Advances in Intrusion Detection – RAID’04. Lecture Notes of Computer Science, vol. 3224, pp. 203–222. Springer, Heidelberg (2004)Google Scholar
  194. 194.
    Wang, K., Parekh, J., Stolfo, S.J.: Anagram: A content anomaly detector resistant to mimicry attack. In: Recent Advances in Intrusion Detection – RAID’06. Lecture Notes of Computer Science, vol. 4219, pp. 226–248. Springer, Heidelberg (2006)Google Scholar
  195. 195.
    Wang, C., Ren, K., Lou, W., Li, J.: Toward publicly auditable secure cloud data storage services. IEEE Netw. 24(4), 19–24 (2010)CrossRefGoogle Scholar
  196. 196.
    WebSphere Software: Introduction to Oracle Fusion Middleware Audit Framework. (2011). Accessed 11 Sept 2014
  197. 197.
  198. 198.
    Wieder, P., Butler, J.M., Theilmann, W., Yahyapour, R.: Service Level Agreements for Cloud Computing. Springer, New York (2011)CrossRefGoogle Scholar
  199. 199.
    Winter, P., Lampesberger, H., Zeilinger, M., Hermann, E.: On detecting abrupt changes in network entropy time series. In: Communications and Multimedia Security – CMS’11. Lecture Notes of Computer Science, vol. 7025, pp. 194–205. Springer, Heidelberg (2011)Google Scholar
  200. 200.
    Wojtczuk, R.: Libnids. (2010). Accessed 01 Nov 2013
  201. 201.
    Xie, Y., Yu, S.Z.: A dynamic anomaly detection model for web user behavior based on hsmm. In: 10th International Conference on Computer Supported Cooperative Work in Design, CSCWD’06, pp. 1–6. IEEE, Nanjing (2006)Google Scholar
  202. 202.
    Xie, Y., Yu, S.Z.: A large-scale hidden semi-markov model for anomaly detection on user browsing behaviors. IEEE/ACM Trans. Netw. 17(1), 54–65 (2009)CrossRefGoogle Scholar
  203. 203.
    Zanero, S., Savaresi, S.M.: Unsupervised learning techniques for an intrusion detection system. In: Proceedings of the 2004 ACM Symposium on Applied Computing, SAC’04, pp. 412–419. ACM, New York (2004)Google Scholar
  204. 204.
    Zhou, J., Gollman, D.: A fair non-repudiation protocol. In: IEEE Symposium on Security and Privacy, S&P’96, pp. 55–61. IEEE, Washington (1996)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Christian Doppler Laboratory for Client-Centric Cloud ComputingJohannes Kepler University LinzHagenbergAustria

Personalised recommendations