Attacks on Cloud Environments and their Mitigation: Host-based Isolated and Coordinated Attacks

Suaad Alarifi

Research output: ThesisDoctoral Thesis

442 Downloads (Pure)


The main goal of this research is to improve the security of large-scale public IaaS (Infrastructure-as-a-Service) cloud computing environments on the provider side. We aim to help providers to be more aware of the cloud’s overall security and to have a sense of control in areas where they actually have no control at all (i.e. the activities inside the hosted Virtual Machines, or VMs).
In an IaaS model, computing infrastructure is delivered as a service. Consumers can deploy and run their VMs in the cloud infrastructure that acts as a hosting environment and offers virtual resources to VMs to consume. Each VM is under the full control of its owner (the client) and contains operating systems, applications, and services.
The hosted VMs are managed off-premises by the clients’ IT teams, which could be security naive, have malicious intentions, or just carelessly ignore security policies and good practices. Insecure VMs hosted in the public cloud share the service with other VMs that belong to different organisations which represent a major security threat.
Providers are trying to manage this threat through contracts and legal obligations. However, finding the source of the threat is a hard task if there are no security monitoring tools. Even though providers have no control over what is happening inside VMs, they are still responsible for protecting the hosted VMs, the infrastructure, keeping VMs from attacking each other, preventing attacks originating from their network, and most importantly being able to find the source of the threat. Therefore, detection systems are needed to monitor each of the hosted VMs without invading their privacy and with the minimum performance overhead.
Providers have to monitor VMs and detect any abnormal activities without requiring any instrumentation inside the VMs. Most of the cloud monitoring tools available today are designed for performance monitoring, not security purposes.
For this research, we developed two detection systems that are able to monitor VMs without any level of intrusiveness; we argue that this level of granularity is sufficient for capturing a number of relevant attack classes. The developed systems were able to detect abnormal activities within VMs and generate strong anomaly signals. The first detection system is based on a very low-demanding statistical method called bag of system calls (BoSC); the second system is based on a more computationally expensive machine learning method called hidden Markov model (HMM). The second system is designed specifically to monitor ephemeral VMs (VMs with a short life) because it requires less training data and less time to be ready.
In this research we also studied different cloud attacks and developed a cloud specific Denial of Service (DoS) class of attacks that work by misusing two of the main features of the cloud: over-commitment and migration. We call this newly developed class of attacks ”Cloud-Internal Denial of Service” attacks, or CIDoS. This attack targets the architecture of the cloud, not the implementation, which makes it harder to defeat. Then we suggested some detection and prevention mechanisms. After that, we developed another attack that instrumented a CIDoS attack with reverse engineered migration algorithms in the cloud to extract parameters that help improve the DoS attack and make it harder to detect and defeat.
Original languageEnglish
Awarding Institution
  • Royal Holloway, University of London
  • Wolthusen, Stephen D., Supervisor
Thesis sponsors
Award date1 Nov 2015
Publication statusUnpublished - 2015


  • IaaS cloud security
  • denial of service attack in the cloud
  • IDS in the cloud
  • Hypervisor-based intrusion detection system in the cloud
  • Cloud specific detection systms

Cite this