Anomaly Detection for Ephemeral Cloud IaaS Virtual Machines
In public Infrastructure-as-a-Service (IaaS), virtual machines (VMs) share the cloud with VMs belonging to other organisations. Each VM is under the control of its owner, and security management is the owner's responsibility. Providers should therefore treat hosted VMs as a potential source of attacks against other VMs and/or against the cloud infrastructure. The cloud model is flexible enough to let consumers start VMs to perform specific tasks for an hour or two and then terminate them; we call these short-lived VMs. The provider's dilemma is to monitor these VMs, including short-lived ones, and to detect any change in their behaviour as a sign of anomaly, with a low level of intrusiveness for legal and practical reasons.
In this paper, we therefore propose a hypervisor-based anomaly detection system that monitors system calls between a VM and its host kernel. This host intrusion detection system (HIDS) is able to detect changes in behaviour even in short-lived VMs without requiring any prior knowledge of them. To achieve this goal, a Hidden Markov Model (HMM) is used to build the classifier, and system calls are analysed and grouped to reflect the properties of a VM-based cloud infrastructure. We also report on the experimental validation of our approach.
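As an added illustration (not code from the paper), a minimal version of the scoring step: system calls are grouped into coarse classes and a window of a VM's trace is scored with the forward algorithm of a small HMM, flagging the window when its normalised log-likelihood drops below a threshold. The grouping, the HMM parameters, the threshold and the two traces are constructed assumptions; in the approach described above the model would be learned from the VM's own trace.

```python
"""Score a VM's system-call trace against an HMM of its normal behaviour."""
import math
from typing import Dict, List

# Coarse syscall grouping; the assignment is an assumption made for this example.
SYSCALL_GROUPS: Dict[str, str] = {
    "open": "file", "read": "file", "write": "file", "close": "file",
    "socket": "net", "connect": "net", "sendto": "net", "recvfrom": "net",
    "fork": "proc", "execve": "proc", "wait4": "proc",
    "mmap": "mem", "brk": "mem",
}
# Hypothetical HMM: two hidden states (0 = steady I/O, 1 = process/network setup).
# In practice these parameters are learned from the VM's own early trace.
START = [0.9, 0.1]
TRANS = [[0.95, 0.05], [0.30, 0.70]]
EMIT = [
    {"file": 0.6, "mem": 0.25, "proc": 0.05, "net": 0.05, "other": 0.05},
    {"file": 0.2, "mem": 0.10, "proc": 0.35, "net": 0.30, "other": 0.05},
]

def group_trace(trace: List[str]) -> List[str]:
    """Map raw syscall names to their group; unknown names become 'other'."""
    return [SYSCALL_GROUPS.get(name, "other") for name in trace]

def _logsumexp(xs: List[float]) -> float:
    m = max(xs)
    return m + math.log(sum(math.exp(x - m) for x in xs))

def per_symbol_loglik(trace: List[str]) -> float:
    """Forward algorithm in log space; returns log P(trace | HMM) / len(trace)."""
    obs = group_trace(trace)
    n = len(START)
    alpha = [math.log(START[i]) + math.log(EMIT[i][obs[0]]) for i in range(n)]
    for o in obs[1:]:
        alpha = [
            _logsumexp([alpha[j] + math.log(TRANS[j][i]) for j in range(n)])
            + math.log(EMIT[i][o])
            for i in range(n)
        ]
    return _logsumexp(alpha) / len(obs)

def is_anomalous(trace: List[str], threshold: float = -1.2) -> bool:
    """Flag a window whose normalised log-likelihood falls below the threshold."""
    return per_symbol_loglik(trace) < threshold

# Constructed traces: steady file I/O versus an unexpected burst of process
# creation and network activity from the same VM.
NORMAL_WINDOW = ["open", "read", "read", "write", "close", "mmap", "open", "read", "close", "brk"]
SUSPECT_WINDOW = ["fork", "execve", "socket", "connect", "sendto", "fork", "execve", "socket", "connect", "recvfrom"]
```

Calling `is_anomalous(NORMAL_WINDOW)` returns False and `is_anomalous(SUSPECT_WINDOW)` returns True; the per-symbol normalisation is what lets windows of different length share one threshold.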
Keywords: IDS, HIDS, IaaS security, Cloud Computing Security