Detecting anomalies in IaaS environments through virtual machine host system call analysis

Providers and consumers of Infrastructure-as-a-Service (IaaS) virtual machine resources may be the subject of a number of attacks, particularly in public cloud environments. Detecting anomalies is hence critical both to protect against misuse and attacks, but is subject to constraints. These include...

Detailed description

Bibliographic details
Main authors: Alarifi, S. S., Wolthusen, S. D.
Format: Conference proceeding
Language: eng
container_end_page 218
container_issue
container_start_page 211
container_title
container_volume
creator Alarifi, S. S.
Wolthusen, S. D.
description Providers and consumers of Infrastructure-as-a-Service (IaaS) virtual machine resources may be the subject of a number of attacks, particularly in public cloud environments. Detecting anomalies is hence critical both to protect against misuse and attacks, but is subject to constraints. These include primarily efficiency, but also legal and contractual restrictions limiting the depth of intrusiveness, which can be achieved by an intrusion detection system. In many cases, the IaaS provider will also have very limited insights into the actual workloads used by clients. In this paper we therefore propose to monitor system calls at the VM host level without requiring any instrumentation within VMs and argue that this level of granularity is sufficient to capture a number of relevant attack classes. This, together with the efficiency and efficacy of the approach is shown through experiments and statistical analysis in a Linux KVM-based reference scenario. The proposed system, unlike other systems such as VM Introspection (VMI), does not require any knowledge about VMs from inside nor requiring any OS or hypervisor modifications.
format Conference Proceeding
identifier ISBN: 9781467353250
ispartof 2012 International Conference for Internet Technology and Secured Transactions, 2012, p.211-218
issn
language eng
recordid cdi_ieee_primary_6470945
source IEEE Electronic Library (IEL) Conference Proceedings
subjects Cloud Computing Security
Hidden Markov models
Host-Based Anomaly Detection
IaaS Security
IDS
Internet
Linux
Monitoring
Security
System Calls Monitoring
Virtual Machine Monitoring
Virtual machining
title Detecting anomalies in IaaS environments through virtual machine host system call analysis
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-07T22%3A41%3A35IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-ieee_6IE&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=Detecting%20anomalies%20in%20IaaS%20environments%20through%20virtual%20machine%20host%20system%20call%20analysis&rft.btitle=2012%20International%20Conference%20for%20Internet%20Technology%20and%20Secured%20Transactions&rft.au=Alarifi,%20S.%20S.&rft.date=2012-12&rft.spage=211&rft.epage=218&rft.pages=211-218&rft.isbn=9781467353250&rft.isbn_list=1467353256&rft_id=info:doi/&rft_dat=%3Cieee_6IE%3E6470945%3C/ieee_6IE%3E%3Curl%3E%3C/url%3E&rft.eisbn=1908320087&rft.eisbn_list=9781908320087&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=6470945&rfr_iscdi=true