Volume 21, Issue 3




An Anomalous Behavior Detection Model in Cloud Computing

Xiaoming Ye, Xingshu Chen, Haizhou Wang, Xuemei Zeng, Guolin Shao, Xueyuan Yin, Chun Xu
College of Computer Science, Cybersecurity Research Institute, Sichuan University, Chengdu 610065, China.

Abstract

This paper proposes an anomalous behavior detection model for cloud computing. Virtual Machines (VMs) are one of the key components of cloud Infrastructure as a Service (IaaS), and the security of such VMs is critical to IaaS security. Many studies have addressed cloud computing security issues, but research into VM security, especially anomalous behavior detection in VM network traffic, remains inadequate. A growing body of work shows that communication among internal nodes exhibits complex patterns, and communication among VMs in cloud computing is invisible to the surrounding network. Researchers find these issues challenging, and few solutions have been proposed, leaving cloud computing exposed to network attacks. This paper proposes a model that uses Software-Defined Networking (SDN) to implement traffic redirection. The model can capture inter-VM traffic, detect known and unknown anomalous network behaviors, apply hybrid techniques to analyze VM network behavior, and control the network system. The experimental results indicate that the effectiveness of the approach exceeds 90% and demonstrate the feasibility of the model.

Keywords: cloud computing, virtual machine, network behavior, anomaly detection


Publication history

Received: 09 January 2016
Accepted: 07 March 2016
Published: 13 June 2016
Issue date: June 2016

Copyright

© The author(s) 2016

Acknowledgements

This work was supported by the National Natural Science Foundation of China (No. 61272447) and the National Key Technologies Research and Development Program of China (No. 2012BAH18B05).
