Anomaly Detection for Ephemeral Cloud IaaS Virtual Machines

  • Suaad Alarifi
  • Stephen Wolthusen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7873)


In public Infrastructure-as-a-Service (IaaS), virtual machines (VMs) are sharing the cloud with other VMs from other organisations. Each VM is under the control of its owner and security management is their responsibility. Considering this, providers should deal with the hosted VMs as potential source of attacks against other VMs and/or against the cloud infrastructure. The cloud model is flexible enough to allow consumers to initiate VMs to perform specific tasks for an hour or two, then terminate; so call VMs short-lived VMs. The provider dilemma here is monitoring these VMs, including short-lived ones, and detecting any change of behaviour on them as a sign of anomaly with a low level of intrusiveness for legal and practical reasons.

In this paper, we therefore propose a hypervisor based anomaly detection system that monitors system calls in between a VM and its host kernel. This host intrusion detection system (HIDS),is able to detect change in behaviour in even short-lived VMs without requiring any prior knowledge of them. To achieve this goal, a Hidden Markov Model (HMM) is used to build the classifier and system calls are analysed and grouped to reflect the properties of a VM-based cloud infrastructure. We also report on the experimental validation of our approach.


IDS HIDS IaaS security Cloud Computing Security 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Warrender, C., Forrest, S., Pearlmutter, B.: Detecting intrusions using system calls: Alternative data models. In: IEEE Sympsium on Security and Privacy, pp. 133–145. IEEE Computer Society (1999)Google Scholar
  2. 2.
    Shelke, P.K., Sontakke, S., Gawande, A.D.: Intrusion detection system for cloud computing. International Journal of Scientific and Technology Research 1 (2012)Google Scholar
  3. 3.
    Alarifi, S.S., Wolthusen, S.D.: Detecting anomalies in iaas environments through virtual machine host system call analysis. In: 2012 International Conference for Internet Technology and Secured Transactions, pp. 211–218 (December 2012)Google Scholar
  4. 4.
    Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proc. Network and Distributed Systems Security Symposium, pp. 191–206 (2003)Google Scholar
  5. 5.
    Laureano, M., Maziero, C., Jamhour, E.: Intrusion detection in virtual machine environments. In: Proceedings of the 30th EUROMICRO Conference, EUROMICRO 2004, pp. 520–525. IEEE Computer Society, Washington, DC (2004)CrossRefGoogle Scholar
  6. 6.
    Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.: A sense of self for unix processes. In: Proceedings of the 1996 IEEE Symposium on Security and Privacy, pp. 120–128 (May 1996)Google Scholar
  7. 7.
    Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. J. Comput. Secur. 6(3), 151–180 (1998)Google Scholar
  8. 8.
    Vieira, K., Schulter, A., Westphall, C., Westphall, C.: Intrusion detection for grid and cloud computing. IT Professional 12(4), 38–43 (2010)CrossRefGoogle Scholar
  9. 9.
    Gul, I., Hussain, M.: Distributed cloud intrusion detection model. International Journal of Advanced Science and Technology 34 (2011)Google Scholar
  10. 10.
    Hu, J., Yu, X., Qiu, D., Chen, H.H.: A simple and efficient hidden markov model scheme for host- based anomaly intrusion detection. Netwrk. Mag. of Global Internetwkg. 23(1), 42–47 (2009)CrossRefGoogle Scholar
  11. 11.
    Yan Yeung, D., Ding, Y.: Host-based intrusion detection using dynamic and static behavioral models. Pattern Recognition 36, 229–243 (2003)zbMATHCrossRefGoogle Scholar
  12. 12.
    Kang, D.K., Fuller, D., Honavar, V.: Learning classifiers for misuse and anomaly detection using a bag of system calls representation. In: Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop, IAW 2005, pp. 118–125 (June 2005)Google Scholar
  13. 13.
    Warrender, C., Forrest, S., Pearlmutter, B.: Detecting intrusions using system calls: Alternative data models. In: IEEE Symposium on Security and Privacy, pp. 133–145. IEEE Computer Society (1999)Google Scholar
  14. 14.
    Sultana, A., Hamou-Lhadj, A., Couture, M.: An improved hidden markov model for anomaly detection using frequent common patterns. In: ICC, pp. 1113–1117. IEEE (2012)Google Scholar
  15. 15.
    Hu, J.: Host-based anomaly intrusion detection. In: Stavroulakis, P.P., Stamp, M. (eds.) Handbook of Information and Communication Security, pp. 235–255. Springer (2010)Google Scholar
  16. 16.
    Mutz, D., Valeur, F., Vigna, G., Kruegel, C.: Anomalous system call detection. ACM Trans. Inf. Syst. Secur. 9(1), 61–93 (2006)CrossRefGoogle Scholar
  17. 17.
    Bernaschi, M., Gabrielli, E., Mancini, L.V.: Operating system enhancements to prevent the misuse of system calls. In: Proceedings of the 7th ACM Conference on Computer and Communications Security, CCS 2000, pp. 174–183. ACM, New York (2000)Google Scholar
  18. 18.
    Hoang, X., Hu, J.: An efficient hidden markov model training scheme for anomaly intrusion detection of server applications based on system calls. In: Proceedings of the 12th IEEE International Conference on Networks (ICON 2004), vol. 2, pp. 470–474 (November 2004)Google Scholar
  19. 19.
    Khreich, W., Granger, E., Sabourin, R., Miri, A.: Combining hidden markov models for improved anomaly detection. In: IEEE International Conference on Communications, ICC 2009, pp. 1–6 (June 2009)Google Scholar
  20. 20.
    Khreich, W.: Towards Adaptive Anomaly Detection Systems using Boolean Combination of Hidden Markov Models. PhD thesis, Ecole De Technologie Superieure, Université Du Quebec, Canada (2011)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Suaad Alarifi
    • 2
  • Stephen Wolthusen
    • 1
    • 2
  1. 1.Norwegian Information Security Laboratory, Department of Computer ScienceGj(ø)vik University CollegeNorway
  2. 2.Information Security Group, Department of MathematicsRoyal Holloway, University of LondonUK

Personalised recommendations