Rogue Virtual Machine Identification in DaISy Clouds

Lead Research Organisation: Imperial College London
Department Name: Computing

Abstract

Our work in this proposal focuses primarily on the safe and secure cloud computing challenge of the EPSRC DaISy call. It also closely addresses issues relevant to the extracting meaningful information challenge, specifically extracting meaning from large-scale monitoring information collected in a cloud computing environment, and to the ensuring confidence in collaborative working challenge, by developing metadata and methods that enable users to monitor how their digital assets are being used in shared environments.

The proposal builds on the investigators' expertise in building secure cloud computing systems (especially the IC-Cloud system), developing large-scale data analysis systems and developing algorithms and methods for the security analysis of program behaviour, in order to develop and evaluate novel methods to detect subtle attacks by adversaries who have already gained access to a VM within a secure cloud system.

Our general methodology for this 1-year project is based on:
1) Building on the existing IC-Cloud platform as a test-bed for our research. The use of the in-house infrastructure based on the popular Xen hypervisor enables us to rapidly develop and evaluate monitoring tools, to develop and test different attack scenarios and to collect log data from real applications.
2) Building on our in-house repertoire of data mining and analysis tools developed over the years for classification, clustering and association analysis, and on our recent expertise in real-time data mining methods and Bayesian analysis frameworks for modelling and analysing anomalies in large-scale sensor data for environmental and security applications.
3) Close collaboration with partners and collaborators of the Institute for Security Science and Technology to receive ongoing feedback on our methodology, results and methods as we develop them.

Planned Impact

Improved security and trust in Cloud computing
 
Description Through the research funded by this grant, we have achieved three significant results:
1. We present a novel cloud security monitoring and intrusion detection framework based on applying statistical anomaly detection techniques to data that monitor the behaviour of applications and VMs in a cloud environment. The framework allows such monitoring data to be collected either from inside a VM instance (In-VM monitoring) or from outside it (Out-VM monitoring). By enabling the use of a mix of In-VM and Out-VM methods, the behaviour of a wide variety of applications and VMs can be monitored effectively.
2. To validate the framework, we investigate three types of potential attacks in a cloud environment: (1) Data Asset Attack, (2) Network Application Attack and (3) Cache Memory Side-channel Attack. For each case study, we investigate the data that need to be monitored, choose the most suitable data for detecting the attack, and investigate the specific anomaly detection tools that can be used for each attack.
3. To evaluate our approach we present evaluation studies conducted using synthetic and real data sets. One such real data set was collected in a special workshop during the Urban Prototyping London crackathon event in April 2013. Our experimental evaluation on both the real and synthetic cases shows that our tools work well in practical situations.
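As an added illustration of the statistical anomaly detection approach outlined in items 1 and 2 (example code written for this page, not the project's own framework or any IC-Cloud code), the following Python detector learns a per-metric baseline from a training window assumed to be attack-free and flags monitored intervals whose z-score exceeds a threshold. The three metrics, their In-VM/Out-VM classification, the telemetry values and the three planted bursts are all constructed assumptions chosen to mirror the three case studies; the project's actual monitored data and detection tools are not described on this page.

```python
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Vantage point of each metric (assumed classification, not the project's).
# "in-vm" metrics need an agent inside the guest; "out-vm" metrics can be read
# from the hypervisor side (e.g. dom0 on Xen) without the guest's cooperation.
METRIC_SOURCE: Dict[str, str] = {
    "file_reads": "in-vm",     # files read by the tenant application per interval
    "egress_pps": "out-vm",    # egress packets/s on the VM's virtual NIC
    "llc_misses_k": "out-vm",  # last-level-cache misses (thousands) from PMU counters
}

# Constructed telemetry (not real measurements): one tuple per 10 s interval as
# (file_reads, egress_pps, llc_misses_k). Intervals 1-16 form the clean
# baseline; 17-24 are the monitored period, with three planted bursts that
# stand in for the three case studies:
#   t=18 file-read burst   -> data asset attack (bulk read of tenant data)
#   t=20 egress flood      -> network application attack
#   t=22 cache-miss burst  -> cache memory side-channel probing
_BASELINE = [
    (40, 120, 15), (42, 118, 17), (38, 125, 14), (41, 122, 16),
    (39, 119, 15), (43, 121, 18), (40, 124, 16), (37, 117, 15),
    (41, 123, 17), (42, 120, 14), (39, 122, 16), (40, 119, 15),
    (38, 121, 17), (44, 125, 16), (41, 118, 15), (40, 120, 16),
]
_MONITORED = [
    (41, 121, 16), (400, 124, 17), (39, 119, 15), (43, 900, 16),
    (40, 122, 17), (41, 120, 95), (42, 121, 16), (40, 123, 15),
]
RECORDS: List[Dict[str, float]] = [
    {"t": i + 1, "file_reads": f, "egress_pps": e, "llc_misses_k": c}
    for i, (f, e, c) in enumerate(_BASELINE + _MONITORED)
]
TRAIN_UNTIL = 16  # last interval of the window assumed to be attack-free


def build_baseline(records, metrics, train_until=TRAIN_UNTIL):
    """Per-metric (mean, population std) over the training window only.

    Only the window believed to be clean is used: if the adversary is already
    active while the baseline is learned, their behaviour becomes 'normal'.
    """
    baseline: Dict[str, Tuple[float, float]] = {}
    for m in metrics:
        vals = [r[m] for r in records if r["t"] <= train_until]
        # floor the std so a constant metric cannot cause division by zero
        baseline[m] = (mean(vals), max(pstdev(vals), 1e-6))
    return baseline


def zscores(record, baseline):
    """Standardised deviation of each metric in one interval from its baseline."""
    return {m: (record[m] - mu) / sd for m, (mu, sd) in baseline.items()}


def detect(records, baseline, threshold=3.0, start=TRAIN_UNTIL + 1):
    """Return (t, metric, source, z) for every metric exceeding the threshold."""
    alerts = []
    for r in records:
        if r["t"] < start:
            continue
        for m, z in zscores(r, baseline).items():
            if abs(z) > threshold:
                alerts.append((r["t"], m, METRIC_SOURCE[m], round(z, 1)))
    return alerts


if __name__ == "__main__":
    base = build_baseline(RECORDS, list(METRIC_SOURCE))
    for t, m, src, z in detect(RECORDS, base):
        print(f"t={t:2d}  {m:<13s} [{src}]  z={z}")
```

Two points a practitioner would check before relying on such a detector. First, a per-interval z-score catches bursts but not slow drift: an adversary who spreads a bulk read over many intervals stays under the threshold, which is why the abstract's "subtle attacks" motivate windowed or cumulative methods rather than point scoring. Second, the Out-VM metrics here are what make the approach robust to a compromised guest: an In-VM agent can be tampered with by an adversary who already holds access to the VM, whereas hypervisor-side counters cannot be silenced from inside the guest.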
Exploitation Route Our research outcome can be taken forward as follows:

Academic route:
In future work, we plan to make our framework available in other cloud computing environments. Our investigations were conducted on the IC-Cloud infrastructure, but they are easily portable to other cloud computing environments because the data collected by our monitors is independent of the cloud system itself. Our approach and methods are applicable to a wide variety of applications beyond cloud computing where anomalies in user behaviour or in messages received by a system can be detected by analysing access logs in real time. In addition, different types of anomaly detection techniques will be applied to evaluate the framework. Machine learning approaches can be applied in future studies.

Non-academic route:
The intrusion detection framework can be integrated with existing cloud infrastructure, such as OpenStack.
Sectors Aerospace, Defence and Marine; Digital/Communication/Information Technologies (including Software); Security and Diplomacy

 
Description The findings have been used in four different ways.
1. The real-time data collected from the crackathon has been used to publish a conference paper. Collecting real data and real user behaviour using the system is helpful for future research and development of the intrusion detection framework, because machine learning algorithms can then be used to learn real user behaviour patterns, which can improve the efficiency of the intrusion detection framework.
2. The intrusion detection framework has been integrated into IC-Cloud. We are constantly working on integrating the framework with different cloud systems, so that those cloud systems can then be protected by the framework.
3. The code and the data obtained from experiments have been sent to the Ministry of Defence for further investigation. They will use the code and the data to develop their own cloud systems.
4. The intrusion detection framework is open source, which allows developers to modify and improve its functionality. This can enable the intrusion detection framework to be developed and improved at an unprecedented pace.
In terms of social impact, this intrusion detection framework plays a role in detecting intrusion behaviour in order to protect the data privacy of users in the cloud environment. In terms of economic impact, cloud security has been highlighted as a concern for a number of years, and the framework can reduce the possibility of economic loss from intrusion.
Sector Education
Impact Types Societal