Catching Falling Dominoes: Cloud Management-Level Provenance Analysis with Application to OpenStack

The dynamic nature and complexity of clouds make automated root cause analysis essential for explaining what may have caused a security incident. Most existing work focuses either on locating malfunctioning cloud components, e.g., switches, or on tracing changes at lower abstraction levels, e.g., system calls. A management-level solution, in contrast, can give a big-picture view of the root cause in a more scalable manner. In this paper, we propose DOMINOCATCHER, a novel provenance-based solution that explains the root cause of security incidents in terms of cloud management operations. Specifically, we first define a provenance model that captures the interdependencies between cloud management operations, virtual resources and operation inputs. Based on this model, we design a framework that intercepts cloud management operations and extracts and prunes provenance metadata. We implement DOMINOCATCHER on the OpenStack platform as an attached middleware and validate its effectiveness using security incidents based on real-world attacks. We also evaluate its performance through experiments on our testbed; the results show that DOMINOCATCHER incurs negligible overhead and scales to cloud-sized deployments.