Security compliance auditing is a viable solution to ensure the accountability and transparency of a cloud provider to its tenants. However, the sheer size of a cloud, coupled with the high operational complexity implied by the multi-tenancy and self-service nature, can easily render existing runtime auditing techniques too expensive and non-scalable. To this end, a proactive approach, which prepares for the auditing ahead of critical events, is a promising solution to reduce the response time to a practical level. However, a key limitation of such approaches is their reliance on manual efforts to extract the dependency relationships among events, which greatly restricts their practicality. What makes things worse is the fact that, as the most important input to security auditing, the logs and configuration databases of a real world cloud platform can be unstructured and not ready to be used for efficient security auditing. In this paper, we first propose a log processing technique, which prepares raw cloud logs for different analysis purposes, and then design a learning-based proactive security auditing system, namely, . To this end, we conduct case studies on current log formats in different real-world OpenStack (a popular cloud platform) deployments, and identify major challenges in log processing. Later, we design a stand-alone log processor for clouds, which may potentially be used for various log analyses. Consequently, we leverage the log processor outputs to extract probabilistic dependencies from runtime events for the dependency models. Finally, through these dependency models, we proactively prepare for security critical events and prevent security violations resulting from those critical events. Furthermore, we integrate to OpenStack and perform extensive experiments in both simulated and real cloud environments that show a practical response time (e.g., 6 ms to audit a cloud of 100,000 VMs) and a significant improvement (e.g., about 50% faster) over existing proactive approaches. In addition, we successfully and efficiently apply our log processor outputs to other learning techniques (e.g., executing sequence pattern mining algorithms within 18 ms for 50,000 events).
R.Agrawal, R.Srikantet al., Fast algorithms for mining association rules, in: Proc. 20th Int. Conf. Very Large Data Bases, VLDB, Vol. 1215, 1994, pp. 487–499.
2.
C.S.Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing, Vol. 3, 2011.
M.Bellare and B.Yee, Forward integrity for secure audit logs, Technical Report, Citeseer, 1997.
7.
S.Bleikertz, T.Groß, M.Schunter and K.Eriksson, Automated information flow analysis of virtualized infrastructures, in: European Symposium on Research in Computer Security (ESORICS), Springer, 2011, pp. 392–415.
8.
S.Bleikertz, C.Vogel and T.Groß, Cloud Radar: Near real-time detection of security failures in dynamic virtualized infrastructures, in: Proceedings of the 30th Annual Computer Security Applications Conference (ACSAC), ACM, 2014, pp. 26–35.
9.
S.Bleikertz, C.Vogel, T.Groß and S.Mödersheim, Proactive security analysis of changes in virtualized infrastructures, in: Proceedings of the 31st Annual Computer Security Applications Conference (ACSAC), ACM, 2015, pp. 51–60.
J.Davies, Specification and Proof in Real Time CSP, Vol. 6, Cambridge University Press, 1993.
15.
A.P.Dempster, N.M.Laird and D.B.Rubin, Maximum likelihood from incomplete data via the EM algorithm, Journal of the Royal Statistical Society. Series B (Methodological) (1977), 1–38. doi:10.1111/j.2517-6161.1977.tb01600.x.
F.Doelitzscher, C.Fischer, D.Moskal, C.Reich, M.Knahl and N.Clarke, Validating cloud infrastructure changes by cloud audits, in: Eighth World Congress on Services (SERVICES), IEEE, 2012, pp. 377–384.
18.
E.Dolzhenko, J.Ligatti and S.Reddy, Modeling runtime enforcement with mandatory results automata, International Journal of Information Security14(1) (2015), 47–60. doi:10.1007/s10207-014-0239-8.
P.Fournier-Viger, C.-W.Wu and V.S.Tseng, Mining maximal sequential patterns without candidate maintenance, in: International Conference on Advanced Data Mining and Applications, Springer, 2013, pp. 169–180. doi:10.1007/978-3-642-53914-5_15.
23.
A.Gomariz, M.Campos, R.Marin and B.Goethals, ClaSP: An efficient algorithm for mining frequent closed sequences, in: Pacific-Asia Conference on Knowledge Discovery and Data Mining, Springer, 2013, pp. 50–61. doi:10.1007/978-3-642-37453-1_5.
S.Guha, Attack detection for cyber systems and probabilistic state estimation in partially observable cyber environments, PhD thesis, Arizona State University, 2016.
27.
S.Hagen, M.Seibold and A.Kemper, Efficient verification of IT change operations or: How we could have prevented Amazon’s cloud outage, in: Network Operations and Management Symposium (NOMS), IEEE, 2012, pp. 368–376.
28.
D.Heckerman, A tutorial on learning with Bayesian networks, in: Learning in Graphical Models, Springer, 1998, pp. 301–354. doi:10.1007/978-94-011-5014-9_11.
29.
R.A.Hemmat and A.Hafid, SLA violation prediction in cloud computing: A machine learning perspective, Technical Report, Université de Montréal, 2016.
30.
H.Holm, K.Shahzad, M.Buschle and M.Ekstedt, CySeMoL: Predictive, probabilistic cyber security modeling language, IEEE Transactions on Dependable and Secure Computing12(6) (2015), 626–639. doi:10.1109/TDSC.2014.2382574.
31.
A.S.Ibrahim, J.Hamlyn-Harris, J.Grundy and M.Almorsy, CloudSec: A security monitoring appliance for virtual machines in the IaaS cloud model, in: 5th International Conference on Network and System Security (NSS), IEEE, 2011, pp. 113–120.
32.
Z.Ismail, C.Kiennert, J.Leneutre and L.Chen, Auditing a cloud provider’s compliance with data backup requirements: A game theoretical analysis, IEEE Transactions on Information Forensics and Security11(8) (2016), 1685–1699. doi:10.1109/TIFS.2016.2549002.
33.
ISO Std IEC, ISO 27017, Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services (DRAFT) (2012), Available at: http://www.iso27001security.com/html/27017.html.
34.
ISO Std IEC, ISO 27002: 2005, Information technology-security techniques – Code of practice for information security management. ISO (2005).
35.
Y.Jiang, E.Z.Zhang, K.Tian, F.Mao, M.Gethers, X.Shen and Y.Gao, Exploiting statistical correlations for proactive prediction of program behaviors, in: Proceedings of the 8th Annual IEEE/ACM International Symposium on Code Generation and Optimization, ACM, 2010, pp. 248–256.
36.
H.Kai, H.Chuanhe, W.Jinhai, Z.Hao, C.Xi, L.Yilong, Z.Lianzhen and W.Bin, An efficient public batch auditing protocol for data security in multi-cloud storage, in: 8th ChinaGrid Annual Conference (ChinaGrid), IEEE, 2013, pp. 51–56.
37.
P.Kazemian, M.Chang, H.Zeng, G.Varghese, N.McKeown and S.Whyte, Real time network policy checking using header space analysis, in: Proceedings of the 10th USENIX Symposium on Networked Systems Design and Implementation (NSDI), 2013.
38.
A.Khurshid, W.Zhou, M.Caesar and P.Godfrey, Veriflow: Verifying network-wide invariants in real time, in: Proceedings of the 10th USENIX Symposium on Networked Systems Design and Implementation (NSDI), 2013.
39.
S.Kikuchi and K.Hiraishi, Improving reliability in management of cloud computing infrastructure by formal methods, in: Network Operations and Management Symposium (NOMS), IEEE, 2014, pp. 1–7.
40.
L.Lamport, Time, clocks, and the ordering of events in a distributed system, Communications of the ACM21(7) (1978), 558–565. doi:10.1145/359545.359563.
41.
S.L.Lauritzen, The EM algorithm for graphical association models with missing data, Computational Statistics & Data Analysis19(2) (1995), 191–201. doi:10.1016/0167-9473(93)E0056-A.
42.
M.Li, W.Zang, K.Bai, M.Yu and P.Liu, MyCloud: Supporting user-configured privacy protection in cloud computing, in: Proceedings of the 29th Annual Computer Security Applications Conference (ACSAC), ACM, 2013, pp. 59–68. doi:10.1145/2523649.2523680.
43.
J.Ligatti, L.Bauer and D.Walker, Run-time enforcement of nonsafety policies, ACM Transactions on Information and System Security (TISSEC)12(3) (2009), 19. doi:10.1145/1455526.1455532.
44.
J.Ligatti and S.Reddy, A theory of runtime enforcement, with results, in: European Symposium on Research in Computer Security (ESORICS), Springer, 2010, pp. 87–100.
45.
X.Lin, P.Wang and B.Wu, Log analysis in cloud computing environment with Hadoop and Spark, in: 5th IEEE International Conference on Broadband Network & Multimedia Technology (IC-BNMT), IEEE, 2013, pp. 273–276.
46.
T.Madi, S.Majumdar, Y.Wang, Y.Jarraya, M.Pourzandi and L.Wang, Auditing security compliance of the virtualized infrastructure in the cloud: Application to openstack, in: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy (CODASPY), ACM, 2016, pp. 195–206.
47.
S.Majumdar, Y.Jarraya, T.Madi, A.Alimohammadifar, M.Pourzandi, L.Wang and M.Debbabi, Proactive verification of security compliance for clouds through pre-computation: Application to OpenStack, in: European Symposium on Research in Computer Security (ESORICS), Springer, 2016, pp. 47–66.
48.
S.Majumdar, Y.Jarraya, M.Oqaily, A.Alimohammadifar, M.Pourzandi, L.Wang and M.Debbabi, LeaPS: Learning-based proactive security auditing for clouds, in: European Symposium on Research in Computer Security (ESORICS), Springer, 2017, pp. 265–285.
49.
S.Majumdar, T.Madi, Y.Wang, Y.Jarraya, M.Pourzandi, L.Wang and M.Debbabi, Security compliance auditing of identity and access management in the cloud: Application to OpenStack, in: 7th International Conference on Cloud Computing Technology and Science (CloudCom), IEEE, 2015, pp. 58–65.
50.
A.Maña, A.Muñoz and J.González, Dynamic security monitoring for virtualized environments in cloud computing, in: 1st International Workshop on Securing Services on the Cloud (IWSSC), IEEE, 2011, pp. 1–6.
51.
S.Mehnaz and E.Bertino, Ghostbuster: A fine-grained approach for anomaly detection in file system accesses, in: Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy (CODASPY), ACM, 2017, pp. 3–14.
R.Mitchell and R.Chen, Behavior rule specification-based intrusion detection for safety critical medical cyber physical systems, IEEE Transactions on Dependable and Secure Computing12(1) (2015), 16–30. doi:10.1109/TDSC.2014.2312327.
55.
K.Murphy, A Brief Introduction to Graphical Models and Bayesian Networks, 1998.
56.
S.Narain, Network configuration management via model finding, in: Proceedings of the 19th Conference on Large Installation System Administration Conference (LISA), 2005, pp. 15.
57.
NIST, SP 800-53, Recommended security controls for federal information systems, 2003.
B.D.Payne, M.Carbone, M.Sharif and W.Lee, Lares: An architecture for secure active monitoring using virtualization, in: IEEE Symposium on Security and Privacy (SP), IEEE, 2008, pp. 233–247.
67.
J.Pearl, Causality: Models, Reasoning and Inference, Cambridge University Press, 2000.
68.
J.Pei, J.Han, B.Mortazavi-Asl, J.Wang, H.Pinto, Q.Chen, U.Dayal and M.-C.Hsu, Mining sequential patterns by pattern-growth: The prefixspan approach, IEEE Transactions on knowledge and data engineering16(11) (2004), 1424–1440. doi:10.1109/TKDE.2004.77.
69.
D.Petcu and C.Craciun, Towards a security SLA-based cloud monitoring service, in: Proceedings of the 4th International Conference on Cloud Computing and Services Science (CLOSER), 2014, pp. 598–603.
70.
S.Pinisetty, V.Preoteasa, S.Tripakis, T.Jéron, Y.Falcone and H.Marchand, Predictive runtime enforcement, Formal Methods in System Design51(1) (2017), 154–199. doi:10.1007/s10703-017-0271-1.
71.
M.Qiu, K.Gai, B.Thuraisingham, L.Tao and H.Zhao, Proactive user-centric secure data scheme using attribute-based semantic access controls for mobile clouds in financial industry, Future Generation Computer Systems80 (2018), 421–429. doi:10.1016/j.future.2016.01.006.
K.Ren, C.Wang and Q.Wang, Security challenges for the public cloud, IEEE Internet Computing16(1) (2012), 69–73. doi:10.1109/MIC.2012.14.
74.
R.S.Sandhu, E.J.Coyne, H.L.Feinstein and C.E.Youman, Role-based access control models, Computer29(2) (1996), 38–47. doi:10.1109/2.485845.
75.
F.B.Schneider, Enforceable security policies, Transactions on Information and System Security (TISSEC)3(1) (2000), 30–50. doi:10.1145/353323.353382.
76.
S.A.Schneider, Security properties and CSP, in: Proceedings of the 1996 IEEE Symposium on Security and Privacy, 1996, pp. 174–187. doi:10.1109/SECPRI.1996.502680.
77.
M.Solanas, J.Hernandez-Castro and D.Dutta, Detecting fraudulent activity in a cloud using privacy-friendly data aggregates, 2014, Technical Report, arXiv preprint.
78.
N.Tamura and M.Banbara, Sugar: A CSP to SAT translator based on order encoding, in: Proceedings of the Second International CSP Solver Competition, 2008, pp. 65–69.
79.
B.Tang and R.Sandhu, Extending OpenStack access control with domain trust, in: Network and System Security, Springer, 2014, pp. 54–69.
80.
K.W.Ullah, A.S.Ahmed and J.Ylitalo, Towards building an automated security compliance tool for the cloud, in: 12th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), IEEE, 2013, pp. 1587–1593.
81.
K.K.Venkatasubramanian, T.Mukherjee and S.K.Gupta, CAAC – an adaptive and proactive access control approach for emergencies in smart infrastructures, ACM Transactions on Autonomous and Adaptive Systems (TAAS)8(4) (2014), 20.
C.Wang, S.S.Chow, Q.Wang, K.Ren and W.Lou, Privacy-preserving public auditing for secure cloud storage, IEEE transactions on computers62(2) (2013), 362–375. doi:10.1109/TC.2011.245.
84.
Y.Wang, Q.Wu, B.Qin, W.Shi, R.H.Deng and J.Hu, Identity-based data outsourcing with comprehensive auditing in clouds, IEEE Transactions on Information Forensics and Security12(4) (2017), 940–952. doi:10.1109/TIFS.2016.2646913.
85.
Y.Wang, Q.Wu, B.Qin, W.Shi, R.H.Deng and J.Hu, Identity-based data outsourcing with comprehensive auditing in clouds, IEEE Transactions on Information Forensics and Security12(4) (2017), 940–952. doi:10.1109/TIFS.2016.2646913.
S.S.Yau, A.B.Buduru and V.Nagaraja, Protecting critical cloud infrastructures with predictive capability, in: 8th International Conference on Cloud Computing (CLOUD), IEEE, 2015, pp. 1119–1124.
88.
H.Yu and D.Wang, Mass log data processing and mining based on Hadoop and cloud computing, in: 7th International Conference on Computer Science & Education (ICCSE), IEEE, 2012, pp. 197–202.
89.
H.Zeng, S.Zhang, F.Ye, V.Jeyakumar, M.Ju, J.Liu, N.McKeown and A.Vahdat, Libra: Divide and conquer to verify forwarding tables in huge networks, in: Proceedings of the 11th USENIX Symposium on Networked Systems Design and Implementation (NSDI), Vol. 14, 2014, pp. 87–99.
90.
T.Zhang and R.B.Lee, CloudMonatt: An architecture for security health monitoring and attestation of virtual machines in cloud computing, in: 42nd Annual International Symposium on Computer Architecture (ISCA), IEEE, 2015, pp. 362–374.
91.
X.Zhu, S.Song, J.Wang, S.Y.Philip and J.Sun, Matching heterogeneous events with patterns, in: 30th International Conference on Data Engineering (ICDE), IEEE, 2014, pp. 376–387.
