Eagle: An Agile Approach to Automaton Updating in Cloud Security Services

Automaton-based pattern matching methods have been widely used in security services for traffic inspection and filtering. However, a large scale of patterns may be updated frequently in a multi-tenant cloud, which poses new challenges to avoid attacks while updating new patterns. This paper presents an agile approach named Eagle for "on-the-fly" updating automaton in cloud security services. The approach provides three algorithms on AC and SBOM, adding, deleting and updating operation, to update state and links of automaton in high-speed online cloud traffic. Theoretical analysis shows that Eagle lowers the computational complexity of updating patterns from O (n2) to O (n). The effectiveness of this agile approach is verified when applied to a real cloud gateway. It turns out that 68% - 89% of the time can be saved and the throughput of cloud traffic filtering proves no reduction during and after the pattern update.

[1]  Jianxin Li,et al.  ShutterRoller: Preserving Social Network Privacy towards High-Speed Domain Gateway , 2015, 2015 IEEE International Conference on Computer and Information Technology; Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and Computing.

[2]  Toby Velte,et al.  Cloud Computing, A Practical Approach , 2009 .

[3]  Casimer M. DeCusatis,et al.  Communication within clouds: open standards and proprietary protocols for data center networking , 2012, IEEE Communications Magazine.

[4]  Hossein Shirazi,et al.  Increasing Overall Network Security by Integrating Signature-Based NIDS with Packet Filtering Firewall , 2009, 2009 International Joint Conference on Artificial Intelligence.

[5]  A. Behl,et al.  An analysis of cloud computing security issues , 2012, 2012 World Congress on Information and Communication Technologies.

[6]  Jianxin Li,et al.  Shutter: Preventing Information Leakage Based on Domain Gateway for Social Networks , 2014, 2014 IEEE 11th Intl Conf on Ubiquitous Intelligence and Computing and 2014 IEEE 11th Intl Conf on Autonomic and Trusted Computing and 2014 IEEE 14th Intl Conf on Scalable Computing and Communications and Its Associated Workshops.

[7]  Tsern-Huei Lee,et al.  An Efficient and Scalable Pattern Matching Scheme for Network Security Applications , 2008, 2008 Proceedings of 17th International Conference on Computer Communications and Networks.

[8]  Vijay Kumar,et al.  High Speed Pattern Matching for Network IDS/IPS , 2006, Proceedings of the 2006 IEEE International Conference on Network Protocols.

[9]  Masami Shishibori,et al.  A compact and fast structure for trie retrieval algorithms , 1996, 1996 IEEE International Conference on Systems, Man and Cybernetics. Information Intelligence and Systems (Cat. No.96CH35929).

[10]  Li Guo,et al.  A factor-searching-based multiple string matching algorithm for intrusion detection , 2014, 2014 IEEE International Conference on Communications (ICC).

[11]  Zhen Chen,et al.  AC-Suffix-Tree: Buffer Free String Matching on Out-of-Sequence Packets , 2011, 2011 ACM/IEEE Seventh Symposium on Architectures for Networking and Communications Systems.

[12]  Amani S. Ibrahim,et al.  Collaboration-Based Cloud Computing Security Management Framework , 2011, 2011 IEEE 4th International Conference on Cloud Computing.

[13]  Binxing Fang,et al.  Comparison of stringmatching algorithms: an aid to information content security , 2003, Proceedings of the 2003 International Conference on Machine Learning and Cybernetics (IEEE Cat. No.03EX693).

[14]  Naruemon Wattanapongsakorn,et al.  A Practical Network-Based Intrusion Detection and Prevention System , 2012, 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications.

[15]  Baoming Shan,et al.  Application of Improved KMP Algorithm in Tire Disfigurement Recognition , 2009, 2009 Second International Workshop on Computer Science and Engineering.

[16]  Xufei Zheng,et al.  An AIS-based cloud security model , 2010, 2010 International Conference on Intelligent Control and Information Processing.

[17]  Konstantinos G. Margaritis,et al.  A Performance Evaluation of the Preprocessing Phase of Multiple Keyword Matching Algorithms , 2011, 2011 15th Panhellenic Conference on Informatics.

[18]  Danilo Ardagna,et al.  Cloud and Multi-cloud Computing: Current Challenges and Future Applications , 2015, 2015 IEEE/ACM 7th International Workshop on Principles of Engineering Service-Oriented and Cloud Systems.