Security intelligence for cloud management infrastructures

S. Berger, S. Garion, Y. Moatti, D. Naor, D. Pendarakis, A. Shulman-Peleg, J. R. Rao, E. Valdez, Y. Weinsberg

In this paper, we address the problem of protecting cloud infrastructures and customer workloads via smart auditing and logging, satisfying regulatory and compliance requirements. We observe that traditional approaches of logging and auditing events in cloud-scale infrastructures will not be effective without taking into account other controls. We introduce the concept of Cloud Security Intelligence (CSI), a new systematic approach for collecting, aggregating, correlating, and analyzing data from the management, control, and data planes of cloud infrastructures, using a closed-loop architecture. Our approach cross-correlates control and data plane events, automatically deriving rules for monitoring and audits. Specifically, it sets dynamic rules concerning what and how to audit, adapting the logging accordingly, while comparing the data access patterns and configurations with the desired privileges and specifications. We have implemented CSI on two OpenStack-based systems: a closed-loop network protection scheme and a cloud storage audit and risk analysis scheme for monitoring data access. In order to make cloud security approaches effective and scalable, we suggest that it is essential to use an intelligent approach such as correlating cloud logic from multiple cloud layers and components, e.g., IaaS (Infrastructure as a Service) or PaaS (Platform as a Service), providing workload context that is maintained by cloud management systems, and using analytics on historical logs.
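As an added illustration of the cross-correlation step (example code, not the paper's implementation): control-plane grant and revoke events are replayed to reconstruct the privileges in force at each moment, every data-plane access is checked against them, and containers with mismatched accesses have their audit level raised, closing the loop. The event formats, principal names, container names and timestamps are constructed assumptions.

```python
from datetime import datetime

# Constructed control-plane events (assumed format, not the paper's):
# privilege grants/revocations issued through the cloud management API.
CONTROL_EVENTS = [
    {"ts": "2024-01-01T09:00:00", "op": "grant", "container": "c1", "principal": "alice"},
    {"ts": "2024-01-01T09:05:00", "op": "grant", "container": "c2", "principal": "bob"},
    {"ts": "2024-01-01T09:10:00", "op": "grant", "container": "c3", "principal": "carol"},
    {"ts": "2024-01-01T10:00:00", "op": "revoke", "container": "c1", "principal": "alice"},
]
# Constructed data-plane access records from the storage service.
ACCESS_EVENTS = [
    {"ts": "2024-01-01T09:30:00", "container": "c1", "principal": "alice", "op": "GET"},
    {"ts": "2024-01-01T09:40:00", "container": "c2", "principal": "alice", "op": "GET"},
    {"ts": "2024-01-01T09:50:00", "container": "c2", "principal": "bob", "op": "GET"},
    {"ts": "2024-01-01T09:55:00", "container": "c3", "principal": "carol", "op": "PUT"},
    {"ts": "2024-01-01T10:30:00", "container": "c1", "principal": "alice", "op": "PUT"},
]

def privileges_at(control_events, when):
    """Replay grants/revocations up to `when` (ISO timestamp) to get the intended rights."""
    cutoff = datetime.fromisoformat(when)
    allowed = {}
    for ev in sorted(control_events, key=lambda e: e["ts"]):
        if datetime.fromisoformat(ev["ts"]) > cutoff:
            break
        principals = allowed.setdefault(ev["container"], set())
        if ev["op"] == "grant":
            principals.add(ev["principal"])
        else:  # revoke
            principals.discard(ev["principal"])
    return allowed

def correlate(control_events, access_events):
    """Flag accesses whose principal held no grant on that container at access time."""
    findings = []
    for acc in access_events:
        allowed = privileges_at(control_events, acc["ts"])
        if acc["principal"] not in allowed.get(acc["container"], set()):
            findings.append((acc["ts"], acc["principal"], acc["container"], acc["op"]))
    return findings

def audit_rules(control_events, access_events, default="summary"):
    """Closed loop: containers with mismatches get full request logging, others keep the default."""
    containers = {e["container"] for e in control_events + access_events}
    rules = dict.fromkeys(containers, default)
    for _, _, container, _ in correlate(control_events, access_events):
        rules[container] = "full"
    return rules
```

With the constructed input, the access to c2 by a principal never granted rights and the access to c1 after its grant was revoked are the two mismatches, so those containers move to full logging while c3 stays at summary level.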