An Anomaly Detection Fabric for Clouds Based on Collaborative VM Communities

Rashid Tahir; Ali Raza; Mazhar Naqvi; Fareed Zaffar; Matthew Caesar

doi:10.1109/CCGRID.2017.61

An Anomaly Detection Fabric for Clouds Based on Collaborative VM Communities

Rashid Tahir, Ali Raza, Mazhar Naqvi, Fareed Zaffar, Matthew Caesar

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The vast attack surface of clouds presents a challenge in deploying scalable and effective defenses. Traditional security mechanisms, which work from inside the VM fail to provide strong protection as attackers can bypass them easily. The only available option is to provide security from the layer below the VM i.e., the hypervisor. Previous works that attempt to secure VMs from 'outside' either incur substantial space or compute overheads making them slow and impractical or require modifications to the OS or the application codebase. To address these issues, we propose an anomaly detection fabric for clouds based on system call monitoring, which compresses the stream of system calls at their source making the system scalable and near real-Time. Our system requires no modifications to the guest OS or the application making it ideal for the data center setting. Additionally, for robust and early detection of threats, we leverage the notion of VM/container communities that share information about attacks in their early stages to provide immunity to the entire deployment. We make certain aspects of the system flexible so that vendors can tune metrics to offer customized protection to clients based on their workload types. Detailed evaluation on a prototype implementation on KVM substantiates our claims.

Original language	English (US)
Title of host publication	Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	431-441
Number of pages	11
ISBN (Electronic)	9781509066100
DOIs	https://doi.org/10.1109/CCGRID.2017.61
State	Published - Jul 10 2017
Event	17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017 - Madrid, Spain Duration: May 14 2017 → May 17 2017

Publication series

Name	Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017

Other

Other	17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017
Country/Territory	Spain
City	Madrid
Period	5/14/17 → 5/17/17

Keywords

Anomaly detection
Behavior profiling
Clouds

ASJC Scopus subject areas

Computer Networks and Communications
Hardware and Architecture

Online availability

10.1109/CCGRID.2017.61

Library availability

Discover UIUC Full Text

Cite this

Tahir, R., Raza, A., Naqvi, M., Zaffar, F., & Caesar, M. (2017). An Anomaly Detection Fabric for Clouds Based on Collaborative VM Communities. In Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017 (pp. 431-441). Article 7973729 (Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/CCGRID.2017.61

An Anomaly Detection Fabric for Clouds Based on Collaborative VM Communities. / Tahir, Rashid; Raza, Ali; Naqvi, Mazhar et al.
Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017. Institute of Electrical and Electronics Engineers Inc., 2017. p. 431-441 7973729 (Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Tahir, R, Raza, A, Naqvi, M, Zaffar, F & Caesar, M 2017, An Anomaly Detection Fabric for Clouds Based on Collaborative VM Communities. in Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017., 7973729, Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017, Institute of Electrical and Electronics Engineers Inc., pp. 431-441, 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017, Madrid, Spain, 5/14/17. https://doi.org/10.1109/CCGRID.2017.61

Tahir R, Raza A, Naqvi M, Zaffar F, Caesar M. An Anomaly Detection Fabric for Clouds Based on Collaborative VM Communities. In Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017. Institute of Electrical and Electronics Engineers Inc. 2017. p. 431-441. 7973729. (Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017). doi: 10.1109/CCGRID.2017.61

Tahir, Rashid ; Raza, Ali ; Naqvi, Mazhar et al. / An Anomaly Detection Fabric for Clouds Based on Collaborative VM Communities. Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017. Institute of Electrical and Electronics Engineers Inc., 2017. pp. 431-441 (Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017).

@inproceedings{ad2af287ebf34b558f8d1877916a3018,

title = "An Anomaly Detection Fabric for Clouds Based on Collaborative VM Communities",

abstract = "The vast attack surface of clouds presents a challenge in deploying scalable and effective defenses. Traditional security mechanisms, which work from inside the VM fail to provide strong protection as attackers can bypass them easily. The only available option is to provide security from the layer below the VM i.e., the hypervisor. Previous works that attempt to secure VMs from 'outside' either incur substantial space or compute overheads making them slow and impractical or require modifications to the OS or the application codebase. To address these issues, we propose an anomaly detection fabric for clouds based on system call monitoring, which compresses the stream of system calls at their source making the system scalable and near real-Time. Our system requires no modifications to the guest OS or the application making it ideal for the data center setting. Additionally, for robust and early detection of threats, we leverage the notion of VM/container communities that share information about attacks in their early stages to provide immunity to the entire deployment. We make certain aspects of the system flexible so that vendors can tune metrics to offer customized protection to clients based on their workload types. Detailed evaluation on a prototype implementation on KVM substantiates our claims.",

keywords = "Anomaly detection, Behavior profiling, Clouds",

author = "Rashid Tahir and Ali Raza and Mazhar Naqvi and Fareed Zaffar and Matthew Caesar",

note = "Funding Information: One of us (VB) acknowledges the Brazilian agencies FAPESP, CAPES, CNPq, and Banco Santander for partial financial support. Publisher Copyright: {\textcopyright} 2017 IEEE.; 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017 ; Conference date: 14-05-2017 Through 17-05-2017",

year = "2017",

month = jul,

day = "10",

doi = "10.1109/CCGRID.2017.61",

language = "English (US)",

series = "Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "431--441",

booktitle = "Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017",

address = "United States",

}

TY - GEN

T1 - An Anomaly Detection Fabric for Clouds Based on Collaborative VM Communities

AU - Tahir, Rashid

AU - Raza, Ali

AU - Naqvi, Mazhar

AU - Zaffar, Fareed

AU - Caesar, Matthew

PY - 2017/7/10

Y1 - 2017/7/10

N2 - The vast attack surface of clouds presents a challenge in deploying scalable and effective defenses. Traditional security mechanisms, which work from inside the VM fail to provide strong protection as attackers can bypass them easily. The only available option is to provide security from the layer below the VM i.e., the hypervisor. Previous works that attempt to secure VMs from 'outside' either incur substantial space or compute overheads making them slow and impractical or require modifications to the OS or the application codebase. To address these issues, we propose an anomaly detection fabric for clouds based on system call monitoring, which compresses the stream of system calls at their source making the system scalable and near real-Time. Our system requires no modifications to the guest OS or the application making it ideal for the data center setting. Additionally, for robust and early detection of threats, we leverage the notion of VM/container communities that share information about attacks in their early stages to provide immunity to the entire deployment. We make certain aspects of the system flexible so that vendors can tune metrics to offer customized protection to clients based on their workload types. Detailed evaluation on a prototype implementation on KVM substantiates our claims.

AB - The vast attack surface of clouds presents a challenge in deploying scalable and effective defenses. Traditional security mechanisms, which work from inside the VM fail to provide strong protection as attackers can bypass them easily. The only available option is to provide security from the layer below the VM i.e., the hypervisor. Previous works that attempt to secure VMs from 'outside' either incur substantial space or compute overheads making them slow and impractical or require modifications to the OS or the application codebase. To address these issues, we propose an anomaly detection fabric for clouds based on system call monitoring, which compresses the stream of system calls at their source making the system scalable and near real-Time. Our system requires no modifications to the guest OS or the application making it ideal for the data center setting. Additionally, for robust and early detection of threats, we leverage the notion of VM/container communities that share information about attacks in their early stages to provide immunity to the entire deployment. We make certain aspects of the system flexible so that vendors can tune metrics to offer customized protection to clients based on their workload types. Detailed evaluation on a prototype implementation on KVM substantiates our claims.

KW - Anomaly detection

KW - Behavior profiling

KW - Clouds

UR - http://www.scopus.com/inward/record.url?scp=85027461143&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85027461143&partnerID=8YFLogxK

U2 - 10.1109/CCGRID.2017.61

DO - 10.1109/CCGRID.2017.61

M3 - Conference contribution

AN - SCOPUS:85027461143

T3 - Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017

SP - 431

EP - 441

BT - Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017

Y2 - 14 May 2017 through 17 May 2017

ER -

An Anomaly Detection Fabric for Clouds Based on Collaborative VM Communities

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this