A Multilevel Approach Towards Challenge Detection in Cloud Computing
Noorulhassan Shirazi, Michael R. Watson, Angelos K. Marnerides, Andreas Mauthe and David Hutchison
School of Computing and Communications, Lancaster University, Lancaster, UK, LA1 4WA
{n.shirazi,m.watson,a.marnerides2,a.mauthe,d.hutchison}@lancs.ac.uk
1 Introduction and Motivation
Cloud computing is considered an ideal solution for unified mission-critical ICT systems and infrastructures because of its elasticity and the computing flexibility that derive from its distributed nature. However, critical infrastructure imposes much stronger requirements for security and resilience on a cloud computing environment. In this paper we illustrate a methodology that exploits the hypervisor level of the cloud nodes. In particular, we consider how anomaly detection can be distributed to each node and coordinated with system level detection for overall cloud resilience, building on previous work [1].
2 Methodology
Anomaly detection in cloud computing has been the subject of extensive research over the last few years, as it presents several challenging problems. In general, anomaly detection techniques rest on specific assumptions about the data, for example the statistical distribution of events. If these assumptions do not match reality, the outcome can be unacceptable rates of false negatives and false positives [2]. In this work we aim to devise an anomaly detection methodology that is sufficiently robust to the elasticity of cloud service provisioning environments.
We intend to incorporate statistical anomaly detection techniques in our framework because of their strength in detecting unknown attacks. We derive a model of the normal behaviour of a network or system and detect divergence from that normal profile, which allows both known and unknown challenges to be detected. The normal pattern will be derived from payload byte patterns in the traffic, or from volume and entropy information computed over the traffic in the whole sample. Both parametric and non-parametric techniques could be applied; however, since non-parametric techniques do not generally assume knowledge of the underlying distributions [3], they are our preferred candidate. For simplicity, non-parametric techniques for probability density estimation could be employed, which involve using kernel functions to estimate the probability density functions (pdf) for the normal instances.
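The following is an added illustration of the non-parametric normal profile described above; it is example code written for this page, not the authors' scripts. It builds a Gaussian kernel density estimate of one per-interval feature, such as packets per second (Section 3.2) or per-process virtual memory size (Section 3.3), using Silverman's bandwidth rule, and flags an observation when its estimated density falls below a threshold taken from the densities of the training points. The training series and the quantile-based threshold rule are constructed assumptions of this example, not choices made in the paper.

```python
"""Kernel density estimate (KDE) of a normal profile for one per-interval
feature, and a density-based anomaly test against it.  Added example,
not the authors' code.  The training series below is constructed to
resemble the packets-per-second trace of Fig. 2 (values around 4.0)."""
import math
import statistics


def silverman_bandwidth(samples):
    """Silverman's rule of thumb for a Gaussian kernel: h = 1.06 * sigma * n^(-1/5)."""
    sigma = statistics.pstdev(samples)
    if sigma == 0.0:
        raise ValueError("training data is constant; no spread to estimate a density from")
    return 1.06 * sigma * len(samples) ** (-0.2)


def kde_pdf(samples, x, h):
    """Gaussian-kernel estimate of the probability density at x."""
    n = len(samples)
    kernel_sum = sum(math.exp(-0.5 * ((x - s) / h) ** 2) for s in samples)
    return kernel_sum / (n * h * math.sqrt(2.0 * math.pi))


class KdeProfile:
    """Normal profile: the KDE built from training observations plus a density threshold.

    Threshold choice (an assumption of this example, not from the paper): the
    q-quantile of the densities the KDE assigns to its own training points, so
    an observation is flagged when it lies in a region less dense than
    (almost) every training observation."""

    def __init__(self, training, quantile=0.01):
        if len(training) < 2:
            raise ValueError("need at least two training observations")
        self.samples = [float(v) for v in training]
        self.h = silverman_bandwidth(self.samples)
        densities = sorted(kde_pdf(self.samples, s, self.h) for s in self.samples)
        self.threshold = densities[int(quantile * (len(densities) - 1))]

    def score(self, x):
        return kde_pdf(self.samples, x, self.h)

    def is_anomalous(self, x):
        return self.score(x) < self.threshold


def constructed_training_rates(n=60):
    """Constructed 'normal' packets/sec samples: a slow oscillation around 4.0
    with small deterministic jitter (no randomness, so results are reproducible)."""
    return [4.0 + 0.15 * math.sin(i / 3.0) + ((i * 7) % 5 - 2) * 0.01 for i in range(n)]


def build_profile():
    return KdeProfile(constructed_training_rates())


def flag_anomalies(profile, observations):
    """Return (value, density, anomalous) for each observed interval."""
    return [(x, profile.score(x), profile.is_anomalous(x)) for x in observations]


if __name__ == "__main__":
    profile = build_profile()
    print(f"bandwidth h={profile.h:.4f}, density threshold={profile.threshold:.4f}")
    # 4.1 sits inside the normal band; 12.5 is a burst; 0.0 is a traffic outage.
    for value, density, anomalous in flag_anomalies(profile, [4.1, 12.5, 0.0]):
        print(f"{value:6.2f} pkt/s  density={density:8.4f}  anomalous={anomalous}")
```

Both the bandwidth and the threshold quantile set the false-positive rate, so they need to be tuned against a held-out normal trace rather than fixed once. Because the profile is learned from a window of past observations, legitimate elastic scaling shifts the normal band: the profile has to be re-estimated (or built over a sliding window) when provisioning changes, or a scale-out event will be flagged alongside a genuine challenge.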
3 Framework

3.1 Architecture

The overall architecture can be seen in Figure 1, with A representing a single hardware node in the cloud. Detection under various challenges, such as a malicious attack scenario, has to happen at various levels throughout the cloud infrastructure, and hence the observation instances need to coordinate on any observed anomalies.

Fig. 1. Architecture overview

Each node has a hypervisor, a host VM and a number of guest VMs. Within the host VM of each node there are software components which perform network level analysis and system level analysis. We also incorporate a resilience component which provides protection and remediation actions based on the output from the network and system level analysis. Such actions include destroying an infected VM or blocking information destined to a vulnerable VM; however, this paper is not concerned with the resilience component.

3.2 Network level analysis

The purpose of the network level analysis is to categorise normal traffic travelling to and from a cloud node and subsequently to identify anomalous traffic, such as that produced by malware. This is achieved by capturing packets from the network interfaces of each VM and applying feature extraction and offline analysis. The goal is to work towards online feature extraction and analysis, which would enable real-time anomaly detection. A correlation of layer anomalies at this stage will increase the effectiveness of later correlation with system level data.
The network level analysis component comprises various software scripts that allow automated post-processing by calling tcpdump filtering routines alongside several precompiled tools that are integrated within CAIDA's CoralReef toolbox¹. These scripts perform feature extraction from the outputs of the CoralReef tools and span several post-processing stages that convert STDIN input into various normalised statistical properties on a per-packet basis (e.g. inter-arrival times) and a per-flow basis (e.g. counts of packets/bytes per flow, average packet size, etc.). The scripts also have an interface with MATLAB for further analysis. The output from these scripts is shown in Fig. 2 below. The malware sample (Kelihos) was injected into the test bed for sixty minutes and custom scripts were used to analyse the network features (packet and flow rate) over the sixty minutes of recording.

Fig. 2. Packets (left) and flows (right) per second over sixty minutes of Kelihos injection
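As an added example of the per-packet and per-flow feature extraction this section describes (written for this page; it is not the authors' tcpdump/CoralReef scripts), the block below takes packet records of the kind a capture post-processor emits and computes packets per second, new flows per second, inter-arrival times, per-flow packet and byte counts, average packet size and a min-max normalised series. The packet records, the unidirectional 5-tuple flow definition and the one-second bucketing are constructed assumptions of the example.

```python
"""Per-packet and per-flow feature extraction of the kind Section 3.2
describes (packet rate, flow rate, inter-arrival times, per-flow
packet/byte counts, average packet size, normalised series).  Added
example, not the authors' scripts; the packet records are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed capture: (timestamp_s, src, sport, dst, dport, proto, length_bytes),
# the per-packet fields a tcpdump/CoralReef post-processor would hand on.
PACKETS = [
    (0.00, "10.0.0.5", 40001, "10.0.0.9", 80, "tcp", 74),
    (0.01, "10.0.0.9", 80, "10.0.0.5", 40001, "tcp", 74),
    (0.02, "10.0.0.5", 40001, "10.0.0.9", 80, "tcp", 66),
    (0.50, "10.0.0.5", 53021, "10.0.0.2", 53, "udp", 85),
    (0.51, "10.0.0.2", 53, "10.0.0.5", 53021, "udp", 149),
    (1.10, "10.0.0.5", 40001, "10.0.0.9", 80, "tcp", 1514),
    (1.20, "10.0.0.5", 40001, "10.0.0.9", 80, "tcp", 1514),
    (1.25, "10.0.0.9", 80, "10.0.0.5", 40001, "tcp", 66),
    (2.00, "10.0.0.5", 40002, "10.0.0.7", 443, "tcp", 74),
    (2.05, "10.0.0.7", 443, "10.0.0.5", 40002, "tcp", 74),
]


@dataclass
class FlowStats:
    packets: int = 0
    bytes: int = 0
    first_ts: float = 0.0
    last_ts: float = 0.0

    def avg_packet_size(self):
        return self.bytes / self.packets


def flow_key(rec):
    """Unidirectional 5-tuple: each direction of a connection is its own flow."""
    _, src, sport, dst, dport, proto, _ = rec
    return (src, sport, dst, dport, proto)


def extract_flows(records):
    """Aggregate packets into flows with packet/byte counts and first/last times."""
    flows = {}
    for rec in sorted(records, key=lambda r: r[0]):
        key = flow_key(rec)
        if key not in flows:
            flows[key] = FlowStats(first_ts=rec[0])
        st = flows[key]
        st.packets += 1
        st.bytes += rec[6]
        st.last_ts = rec[0]
    return flows


def per_second_series(timestamps, t0, length):
    """Events per one-second bucket relative to t0, empty buckets included."""
    buckets = defaultdict(int)
    for ts in timestamps:
        buckets[int(ts - t0)] += 1
    return [buckets[s] for s in range(length)]


def capture_window(records):
    """Start time and number of whole seconds covered by the capture."""
    t0 = min(r[0] for r in records)
    length = int(max(r[0] for r in records) - t0) + 1
    return t0, length


def packet_rate(records):
    t0, length = capture_window(records)
    return per_second_series([r[0] for r in records], t0, length)


def flow_rate(records):
    """New flows per second, i.e. flows counted in the second of their first packet."""
    t0, length = capture_window(records)
    starts = [st.first_ts for st in extract_flows(records).values()]
    return per_second_series(starts, t0, length)


def inter_arrival_times(records):
    ts = sorted(r[0] for r in records)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def min_max_normalize(values):
    """Scale a series to [0, 1] so features with different units can be compared."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0.0 for _ in values]
    return [(v - lo) / (hi - lo) for v in values]


if __name__ == "__main__":
    print("packets/s:", packet_rate(PACKETS))
    print("flows/s:  ", flow_rate(PACKETS))
    print("norm pkt/s:", [round(v, 3) for v in min_max_normalize(packet_rate(PACKETS))])
    for key, st in extract_flows(PACKETS).items():
        print(key, st.packets, "pkts", st.bytes, "bytes", f"avg {st.avg_packet_size():.1f}")
```

On a real trace the flow table needs an idle timeout (CoralReef's flow tools expire flows after a configurable interval), otherwise a long capture with many short-lived flows grows the table without bound; the example omits it because the constructed capture is a few seconds long.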
3.3 System level analysis
The system level detection of anomalies is achieved through the observation of VM memory from the hypervisor using virtual machine introspection, such as that provided by the libVMI introspection library. The approach is similar to that applied at the network level, but applied to system level information: we first try to understand the normal behaviour with respect to the operation of processes, after which anomalous behaviour can be identified.
The system level component also comprises various scripts which invoke a custom plug-in for feature extraction and provide an interface with MATLAB for visual analysis. As Fig. 3 shows, the virtual size of memory in bytes was recorded during injection of the test sample (Kelihos) into the test bed for sixty minutes.

[Fig. 2 axis residue: time in seconds (0 to 4000) against packets/sec (3.85 to 4.25) and flows/sec (0 to 4)]

¹ CoralReef: http://www.caida.org/tools/measurement/coralreef/more_information.xml

Fig. 3. Virtual size of memory in bytes over sixty minutes of Kelihos injection
4 Summary

Critical infrastructure imposes much stronger requirements for security and resilience on a cloud computing environment. Therefore, these challenges need to be addressed through a layered approach, i.e., coordinated analysis of both system and network-level properties towards overall resilience of the cloud infrastructure.

Acknowledgements

This work is sponsored by EU FP7 Project 'SECCRIT' (Secure Cloud Computing for Critical Infrastructure IT), grant agreement no. 312758, and the UK-EPSRC funded IU-ATC project, grant agreement no. EP/J016675/1.
References

1. A. K. Marnerides, D. P. Pezaros and D. Hutchison. Detection and mitigation of abnormal traffic behaviour in autonomic networked environments. In Proceedings of the ACM SIGCOMM CoNEXT Conference, 2008.
2. P. Angelov, P. Sadeghi-Tehran and R. Ramezani. A real time approach to autonomous novelty detection and object tracking in video streams. International Journal of Intelligent Systems, vol. 26(3), 189-205, 2011.
3. V. Chandola, A. Banerjee and V. Kumar. Anomaly detection: A survey. ACM Computing Surveys, September 2009.