Anomaly Detection for Ephemeral Cloud IaaS Virtual Machines. / Alarifi, Suaad; Wolthusen, Stephen D.

Proceedings of the 7th International Conference on Network and System Security (NSS 2013). Springer-Verlag, 2013. p. 321-335.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Published


Harvard

Alarifi, S & Wolthusen, SD 2013, Anomaly Detection for Ephemeral Cloud IaaS Virtual Machines. in Proceedings of the 7th International Conference on Network and System Security (NSS 2013). Springer-Verlag, pp. 321-335. https://doi.org/10.1007/978-3-642-38631-2_24

APA

Alarifi, S., & Wolthusen, S. D. (2013). Anomaly Detection for Ephemeral Cloud IaaS Virtual Machines. In Proceedings of the 7th International Conference on Network and System Security (NSS 2013) (pp. 321-335). Springer-Verlag. https://doi.org/10.1007/978-3-642-38631-2_24

Vancouver

Alarifi S, Wolthusen SD. Anomaly Detection for Ephemeral Cloud IaaS Virtual Machines. In Proceedings of the 7th International Conference on Network and System Security (NSS 2013). Springer-Verlag. 2013. p. 321-335 https://doi.org/10.1007/978-3-642-38631-2_24

Author

Alarifi, Suaad; Wolthusen, Stephen D. / Anomaly Detection for Ephemeral Cloud IaaS Virtual Machines. Proceedings of the 7th International Conference on Network and System Security (NSS 2013). Springer-Verlag, 2013. pp. 321-335

BibTeX

@inproceedings{bea65043026943d79224a56cedd733ea,
title = "Anomaly Detection for Ephemeral Cloud IaaS Virtual Machines",
abstract = "In public Infrastructure-as-a-Service (IaaS), virtual machines (VMs) are sharing the cloud with other VMs from other organisations. Each VM is under the control of its owner and security management is their responsibility. Considering this, providers should deal with the hosted VMs as potential source of attacks against other VMs and/or against the cloud infrastructure. The cloud model is flexible enough to allow consumers to initiate VMs to perform specific tasks for an hour or two, then terminate; so-called short-lived VMs. The provider dilemma here is monitoring these VMs, including short-lived ones, and detecting any change of behaviour on them as a sign of anomaly with a low level of intrusiveness for legal and practical reasons. In this paper, we therefore propose a hypervisor based anomaly detection system that monitors system calls in between a VM and its host kernel. This host intrusion detection system (HIDS), is able to detect change in behaviour in even short-lived VMs without requiring any prior knowledge of them. To achieve this goal, a Hidden Markov Model (HMM) is used to build the classifier and system calls are analysed and grouped to reflect the properties of a VM-based cloud infrastructure. We also report on the experimental validation of our approach.",
author = "Suaad Alarifi and Wolthusen, {Stephen D.}",
year = "2013",
doi = "10.1007/978-3-642-38631-2_24",
language = "English",
pages = "321--335",
booktitle = "Proceedings of the 7th International Conference on Network and System Security (NSS 2013)",
publisher = "Springer-Verlag",

}

RIS

TY - GEN

T1 - Anomaly Detection for Ephemeral Cloud IaaS Virtual Machines

AU - Alarifi, Suaad

AU - Wolthusen, Stephen D.

PY - 2013

Y1 - 2013

N2 - In public Infrastructure-as-a-Service (IaaS), virtual machines (VMs) are sharing the cloud with other VMs from other organisations. Each VM is under the control of its owner and security management is their responsibility. Considering this, providers should deal with the hosted VMs as potential source of attacks against other VMs and/or against the cloud infrastructure. The cloud model is flexible enough to allow consumers to initiate VMs to perform specific tasks for an hour or two, then terminate; so-called short-lived VMs. The provider dilemma here is monitoring these VMs, including short-lived ones, and detecting any change of behaviour on them as a sign of anomaly with a low level of intrusiveness for legal and practical reasons. In this paper, we therefore propose a hypervisor based anomaly detection system that monitors system calls in between a VM and its host kernel. This host intrusion detection system (HIDS), is able to detect change in behaviour in even short-lived VMs without requiring any prior knowledge of them. To achieve this goal, a Hidden Markov Model (HMM) is used to build the classifier and system calls are analysed and grouped to reflect the properties of a VM-based cloud infrastructure. We also report on the experimental validation of our approach.

U2 - 10.1007/978-3-642-38631-2_24

DO - 10.1007/978-3-642-38631-2_24

M3 - Conference contribution

SP - 321

EP - 335

BT - Proceedings of the 7th International Conference on Network and System Security (NSS 2013)

PB - Springer-Verlag

ER -