Trustworthy services built on event-based probing for layered defense

Read Sprabery, Zachary J. Estrada, Zbigniew Kalbarczyk, Ravishankar Iyer, Rakesh B. Bobba, Roy Campbell

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Numerous event-based probing methods exist for cloud computing environments that allow a hypervisor to gain insight into guest activities. Such event-based probing has been shown to be useful for detecting attacks, for detecting system hangs through watchdogs, and for inserting exploit detectors before a system can be patched, among other uses. Here, we illustrate how to use such probing for trustworthy logging and highlight some of the challenges that existing event-based probing mechanisms do not address. Challenges include ensuring that a probe inserted at a given address is trustworthy despite the lack of attestation available for probes that have been inserted dynamically. We show how probes can be inserted to ensure proper logging of every invocation of a probed instruction. When combined with attested boot of the hypervisor and guest machines, we can ensure that the output stream of monitored events is trustworthy. Using these techniques we build a trustworthy log of certain guest-system-call events. The log powers a cloud-tuned Intrusion Detection System (IDS). New event types are identified that must be added to existing probing systems to ensure that attempts to circumvent probes within the guest appear in the log. We highlight the overhead penalties paid by guests to increase guarantees of log completeness when faced with attacks on the guest kernel. Promising results (less than 10% overhead for guests) are shown when a guest relaxes the trade-off between log completeness and overhead. Our demonstrative IDS detects common attack scenarios with simple policies built using our guest behavior recording system.

Original language: English (US)
Title of host publication: Proceedings - 2017 IEEE International Conference on Cloud Engineering, IC2E 2017
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 215-225
Number of pages: 11
ISBN (Electronic): 9781509058174
DOIs: https://doi.org/10.1109/IC2E.2017.36
State: Published - May 9 2017
Event: 2017 IEEE International Conference on Cloud Engineering, IC2E 2017 - Vancouver, Canada
Duration: Apr 4 2017 to Apr 7 2017

Publication series

Name: Proceedings - 2017 IEEE International Conference on Cloud Engineering, IC2E 2017

Other

Other: 2017 IEEE International Conference on Cloud Engineering, IC2E 2017
Country: Canada
City: Vancouver
Period: 4/4/17 to 4/7/17

Keywords

  • VMI
  • defense-in-depth
  • intrusion detection
  • virtual appliance

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Hardware and Architecture
  • Information Systems and Management

Cite this

Sprabery, R., Estrada, Z. J., Kalbarczyk, Z., Iyer, R., Bobba, R. B., & Campbell, R. (2017). Trustworthy services built on event-based probing for layered defense. In Proceedings - 2017 IEEE International Conference on Cloud Engineering, IC2E 2017 (pp. 215-225). [7923805] (Proceedings - 2017 IEEE International Conference on Cloud Engineering, IC2E 2017). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/IC2E.2017.36