Biblio

Runtime cloud security auditing plays a vital role in mitigating security concerns in a cloud. However, there currently does not exist a comprehensive solution that can protect a cloud tenant against the threats rendered from the multiple levels (e.g., user, virtual, and physical) of the cloud design. Furthermore, most of the existing solutions suffer from slow response time and require significant manual efforts. Therefore, a simple integration of the existing solutions for different levels is not a practical solution. In this paper, we propose a multilevel proactive security auditing system, which overcomes all the above-mentioned limitations. To this end, our main idea is to automatically build a predictive model based on the dependency relationships between cloud events, proactively verify the security policies related to different levels of a cloud by leveraging this model, and finally enforce those policies on the cloud based on the verification results. Our experiments using both synthetic and real data show the practicality and effectiveness of this solution (e.g., responding in a few milliseconds to verify each level of the cloud).

Security auditing allows cloud tenants to verify the compliance of cloud infrastructure with respect to desirable security properties, e.g., whether a tenant's virtual network is properly isolated from other tenants' networks. However, the input to such an auditing task, such as the detailed topology of the underlying cloud infrastructure, typically contains sensitive information which a cloud provider may be reluctant to hand over to a third party auditor. Additionally, auditing results intended for one tenant may inadvertently reveal private information about other tenants, e.g., another tenant's VM is reachable due to a misconfiguration. How to anonymize both the input data and the auditing results in order to prevent such information leakage is a novel challenge that has received little attention. Directly applying most of the existing anonymization techniques to such a context would either lead to insufficient protection or render the data unsuitable for auditing. In this paper, we propose SegGuard, a novel anonymization approach that prevents cross-tenant information leakage through per-tenant encryption, and prevents information leakage to auditors through hiding real input segments among fake ones; in addition, applying property-preserving encryption in an innovative way enables SegGuard to preserve the data utility for auditing while mitigating semantic attacks. We implement SegGuard based on OpenStack, and evaluate its effectiveness and overhead using both synthetic and real data. Our experimental results demonstrate that SegGuard can reduce the information leakage to a negligible level (e.g., less than 1% for an adversary with 50% pre-knowledge) with a practical response time (e.g., 62 seconds to anonymize a cloud infrastructure with 25,000 virtual machines).

As network security monitoring grows more sophisticated, there is an increasing need for outsourcing such tasks to third-party analysts. However, organizations are usually reluctant to share their network traces due to privacy concerns over sensitive information, e.g., network and system configuration, which may potentially be exploited for attacks. In cases where data owners are convinced to share their network traces, the data are typically subjected to certain anonymization techniques, e.g., CryptoPAn, which replaces real IP addresses with prefix-preserving pseudonyms. However, most such techniques either are vulnerable to adversaries with prior knowledge about some network flows in the traces, or require heavy data sanitization or perturbation, both of which may result in a significant loss of data utility. In this paper, we aim to preserve both privacy and utility through shifting the trade-off from between privacy and utility to between privacy and computational cost. The key idea is for the analysts to generate and analyze multiple anonymized views of the original network traces; those views are designed to be sufficiently indistinguishable even to adversaries armed with prior knowledge, which preserves the privacy, whereas one of the views will yield true analysis results privately retrieved by the data owner, which preserves the utility. We formally analyze the privacy of our solution and experimentally evaluate it using real network traces provided by a major ISP. The results show that our approach can significantly reduce the level of information leakage (e.g., less than 1% of the information leaked by CryptoPAn) with comparable utility.