Ye X, Chen X, Wang H, et al. An Anomalous Behavior Detection Model in Cloud Computing. Tsinghua Science and Technology, 2016, 21(3): 322-332. https://doi.org/10.1109/TST.2016.7488743
College of Computer Science, Cybersecurity Research Institute, Sichuan University, Chengdu 610065, China.
Abstract
This paper proposes an anomalous behavior detection model based on cloud computing. Virtual Machines (VMs) are one of the key components of cloud Infrastructure as a Service (IaaS). The security of such VMs is critical to IaaS security. Many studies have been done on cloud computing security issues, but research into VM security issues, especially regarding VM network traffic anomalous behavior detection, remains inadequate. More and more studies show that communication among internal nodes exhibits complex patterns. Communication among VMs in cloud computing is invisible. Researchers find such issues challenging, and few solutions have been proposed—leaving cloud computing vulnerable to network attacks. This paper proposes a model that uses Software-Defined Networks (SDN) to implement traffic redirection. Our model can capture inter-VM traffic, detect known and unknown anomalous network behaviors, adopt hybrid techniques to analyze VM network behaviors, and control network systems. The experimental results indicate that the effectiveness of our approach is greater than 90%, and prove the feasibility of the model.
This work was supported by the National Natural Science Foundation of China (No. 61272447) and the National Key Technologies Research and Development Program of China (No. 2012BAH18B05).