CloRExPa: Cloud resilience via execution path analysis

Despite the increasing interest around cloud concepts, current cloud technologies and services related to security are not mature enough to enable a more widespread industrial acceptance of cloud systems. Providing an adequate level of resilience to cloud services is a challenging problem due to the complexity of the environment as well as the need for efficient solutions that could preserve cloud benefits over other solutions. In this paper we provide the architectural design, implementation details, and performance results for a customizable resilience service solution for cloud guests. This solution leverages execution path analysis. In particular, we propose an architecture that can trace, analyze and control live virtual machine activity as well as intervening code and data modifications, possibly due to either malicious attacks or software faults. Execution path analysis allows the virtual machine manager (VMM) to trace the VM state and to prevent such a guest from reaching faulty states. We evaluated the effectiveness and performance trade-off of our prototype on a real cloud test bed. Experimental results support the viability of the proposed solution.
