Learning probabilistic dependencies among events for proactive security auditing in clouds

Security compliance auditing is a viable way to ensure the accountability and transparency of a cloud provider to its tenants. However, the sheer size of a cloud, coupled with the high operational complexity implied by its multi-tenant and self-service nature, can easily render existing runtime auditing techniques too expensive and non-scalable. A proactive approach, which prepares for the auditing ahead of critical events, is a promising way to reduce the response time to a practical level. A key limitation of existing proactive approaches, however, is their reliance on manual effort to extract the dependency relationships among events, which greatly restricts their practicality. Worse, the logs and configuration databases of a real-world cloud platform, the most important inputs to security auditing, are often unstructured and not ready to be used for efficient security auditing. In this paper, we first propose a log processing technique that prepares raw cloud logs for different analysis purposes, and then design a learning-based proactive security auditing system, LeaPS. We conduct case studies of the current log formats in different real-world OpenStack (a popular cloud platform) deployments and identify the major challenges in log processing. We then design a stand-alone log processor for clouds, which may be reused for various other log analyses. Building on the log processor outputs, we extract probabilistic dependencies among runtime events and use them to build dependency models. Finally, through these dependency models, we prepare in advance for security-critical events and prevent the security violations that could result from them.
Furthermore, we integrate LeaPS with OpenStack and perform extensive experiments in both simulated and real cloud environments, which show a practical response time (e.g., 6 ms to audit a cloud of 100,000 VMs) and a significant improvement (e.g., about 50% faster) over existing proactive approaches. In addition, we successfully and efficiently apply the log processor outputs to other learning techniques (e.g., running sequence pattern mining algorithms within 18 ms for 50,000 events).
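The pipeline sketched above (a log processor that structures raw lines, a learning step that extracts probabilistic dependencies among events, and a rule that decides which observed events should trigger pre-computation for a security-critical event) can be illustrated with a small stand-in model. The code below is an added example, not LeaPS or any code from the paper: the log line format is constructed (loosely styled after OpenStack notification records, with `tenant=` and `event=` fields), the dependency model is a simple per-tenant "critical event occurs within the next k events" co-occurrence estimate rather than the paper's dependency models, and the `horizon` and `threshold` parameters are assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (assumed format, not taken from any real deployment).
# One line is deliberately unstructured to show the log processor skipping it.
SAMPLE_LOG = """\
2017-05-02T10:00:01 tenant=alpha event=create_network
2017-05-02T10:00:05 tenant=alpha event=create_subnet
2017-05-02T10:00:09 tenant=alpha event=create_port
2017-05-02T10:00:20 tenant=alpha event=create_vm
2017-05-02T10:01:00 tenant=beta event=create_port
2017-05-02T10:01:04 tenant=beta event=create_vm
2017-05-02T10:02:00 tenant=alpha event=delete_vm
2017-05-02T10:02:30 nova-compute[1234]: INFO free-form message, not an event record
2017-05-02T10:03:00 tenant=gamma event=create_network
2017-05-02T10:03:02 tenant=gamma event=create_subnet
2017-05-02T10:03:07 tenant=gamma event=create_port
2017-05-02T10:03:15 tenant=gamma event=create_vm
2017-05-02T10:04:00 tenant=beta event=create_port
2017-05-02T10:04:30 tenant=beta event=update_port
"""

# Assumed record layout: ISO timestamp, tenant field, event field.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+tenant=(?P<tenant>\S+)\s+event=(?P<event>\S+)$")


def parse_log(text):
    """Log-processor step: raw lines -> sorted (timestamp, tenant, event) tuples.
    Lines that do not match the assumed structured format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        events.append((ts, m.group("tenant"), m.group("event")))
    events.sort()
    return events


def learn_dependencies(events, horizon=1):
    """Learning step: for each event type A, estimate P(B occurs within the next
    `horizon` events of the same tenant | A occurred), from observed sequences.
    Sequences are split per tenant so one tenant's activity does not look like
    a successor of another tenant's."""
    occurrences = Counter()
    followed = defaultdict(Counter)
    per_tenant = defaultdict(list)
    for _, tenant, ev in events:
        per_tenant[tenant].append(ev)
    for seq in per_tenant.values():
        for i, a in enumerate(seq):
            occurrences[a] += 1
            # count each successor type at most once per occurrence of `a`
            for b in set(seq[i + 1:i + 1 + horizon]):
                followed[a][b] += 1
    return {a: {b: c / occurrences[a] for b, c in nxt.items()}
            for a, nxt in followed.items()}


def prediction_probability(probs, event, critical):
    """Estimated probability that `critical` follows `event` within the horizon."""
    return probs.get(event, {}).get(critical, 0.0)


def predecessors_to_watch(probs, critical, threshold):
    """Proactive step: event types whose observation at runtime should trigger
    pre-computation for `critical`, i.e. those predicting it with probability
    at or above `threshold` (assumed cut-off)."""
    return sorted(e for e in probs
                  if prediction_probability(probs, e, critical) >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for h in (1, 3):
        model = learn_dependencies(evs, horizon=h)
        print(f"horizon={h}: watch {predecessors_to_watch(model, 'create_vm', 0.7)}"
              f" before create_vm")
```

Running it with `horizon=1` flags only `create_port` as a predictor of `create_vm`; widening the window to three events also flags `create_network` and `create_subnet`, which is the practical point of learning dependencies rather than hard-coding immediate predecessors: an earlier, still reliable trigger gives the auditor more lead time to pre-compute before the critical event arrives.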
