TY - JOUR
T1 - DeMETER in clouds
T2 - detection of malicious external thread execution in runtime with machine learning in PaaS clouds
AU - Sandıkkaya, Mehmet Tahir
AU - Yaslan, Yusuf
AU - Özdemir, Cemile Diler
N1 - Publisher Copyright:
© 2019, Springer Science+Business Media, LLC, part of Springer Nature.
PY - 2020/12/1
Y1 - 2020/12/1
N2 - Current state of PaaS allows rapid outsourcing of web applications without noticeable configuration effort. It could be foreseen that a noteworthy security guarantee in this cloud deployment model make organizations adopt PaaS easier. To date, provisioning security-guaranteed PaaS offerings required isolated processes, which is computationally-intensive and therefore expensive for the cloud provider. A novel security mechanism is proposed in this study to protect the PaaS providers against malicious behavior; thereby, their tenants. The mechanism does not strictly isolate tenants, but let them share the resources as in conventional web applications; therefore the computational efficiency is competitive. The novelty lies in classifying the malicious behavior of worker threads of web applications in a privacy-friendly way; where possible, without interfering with the threads. These threads may execute many code snippets in the same process context on behalf of the provider, the tenants or the tenants’ users in a web application server. It is cumbersome and error-prone to isolate each code snippet separately. Instead, classifying thread behavior helps to detect malicious flow of execution. The proposed mechanism is significantly different from intrusion detection systems or virus scanners as it only focuses on the processor usage and critical resource access. Historical web application attacks based on OWASP reports as well as future trends are analyzed and a sample web traffic of 100,000 requests, which includes 1% malicious traffic rooted from the most common attacks, is generated to prove the concept. The generated web traffic is tested on a cloud-based demo application on a live cloud environment. The thread behavior is monitored only based on CPU load and database access to keep the mechanism privacy-friendly for all cloud stakeholders. Even though the executed instructions are not monitored, the collected telemetry forms a vast amount of trace for classification. This privacy-friendly feature set is extracted and evaluated on several classifiers to detect malicious threads. It is observed that the classification accuracy is remarkably successful.
AB - Current state of PaaS allows rapid outsourcing of web applications without noticeable configuration effort. It could be foreseen that a noteworthy security guarantee in this cloud deployment model make organizations adopt PaaS easier. To date, provisioning security-guaranteed PaaS offerings required isolated processes, which is computationally-intensive and therefore expensive for the cloud provider. A novel security mechanism is proposed in this study to protect the PaaS providers against malicious behavior; thereby, their tenants. The mechanism does not strictly isolate tenants, but let them share the resources as in conventional web applications; therefore the computational efficiency is competitive. The novelty lies in classifying the malicious behavior of worker threads of web applications in a privacy-friendly way; where possible, without interfering with the threads. These threads may execute many code snippets in the same process context on behalf of the provider, the tenants or the tenants’ users in a web application server. It is cumbersome and error-prone to isolate each code snippet separately. Instead, classifying thread behavior helps to detect malicious flow of execution. The proposed mechanism is significantly different from intrusion detection systems or virus scanners as it only focuses on the processor usage and critical resource access. Historical web application attacks based on OWASP reports as well as future trends are analyzed and a sample web traffic of 100,000 requests, which includes 1% malicious traffic rooted from the most common attacks, is generated to prove the concept. The generated web traffic is tested on a cloud-based demo application on a live cloud environment. The thread behavior is monitored only based on CPU load and database access to keep the mechanism privacy-friendly for all cloud stakeholders. Even though the executed instructions are not monitored, the collected telemetry forms a vast amount of trace for classification. This privacy-friendly feature set is extracted and evaluated on several classifiers to detect malicious threads. It is observed that the classification accuracy is remarkably successful.
KW - Anomaly detection
KW - Cloud security
KW - Data extraction
KW - Machine learning
KW - Malicious thread execution
KW - Profile-based detection
KW - Request profiling
UR - http://www.scopus.com/inward/record.url?scp=85076836424&partnerID=8YFLogxK
U2 - 10.1007/s10586-019-03027-8
DO - 10.1007/s10586-019-03027-8
M3 - Article
AN - SCOPUS:85076836424
SN - 1386-7857
VL - 23
SP - 2565
EP - 2578
JO - Cluster Computing
JF - Cluster Computing
IS - 4
ER -