Biblio
Network Function Virtualization (NFV) is an implementation of cloud computing that leverages virtualization technology to provide on-demand network functions such as firewalls, domain name servers, etc., as software services. One of the methods that help us understand the design and implementation process of such a new system in an abstract way is architectural modeling. Architectural modeling can be presented through UML diagrams to show the interaction between different components and its stakeholders. Also, it can be used to analyze the security threats and the possible countermeasures to mitigate the threats. In this paper, we show some of the possible threats that may jeopardize the security of NFV. We use misuse patterns to analyze misuses based on privilege escalation and VM escape threats. The misuse patterns are part of an ongoing catalog, which is the first step toward building a security reference architecture for NFV.
We recently see a real digital revolution where all companies prefer to use cloud computing because of its capability to offer a simplest way to deploy the needed services. However, this digital transformation has generated different security challenges as the privacy vulnerability against cyber-attacks. In this work we will present a new architecture of a hybrid Intrusion detection System, IDS for virtual private clouds, this architecture combines both network-based and host-based intrusion detection system to overcome the limitation of each other, in case the intruder bypassed the Network-based IDS and gained access to a host, in intend to enhance security in private cloud environments. We propose to use a non-traditional mechanism in the conception of the IDS (the detection engine). Machine learning, ML algorithms will can be used to build the IDS in both parts, to detect malicious traffic in the Network-based part as an additional layer for network security, and also detect anomalies in the Host-based part to provide more privacy and confidentiality in the virtual machine. It's not in our scope to train an Artificial Neural Network ”ANN”, but just to propose a new scheme for IDS based ANN, In our future work we will present all the details related to the architecture and parameters of the ANN, as well as the results of some real experiments.
Monitoring kernel object modification of virtual machine is widely used by virtual-machine-introspection-based security monitors to protect virtual machines in cloud computing, such as monitoring dentry objects to intercept file operations, etc. However, most of the current virtual machine monitors, such as KVM and Xen, only support page-level monitoring, because the Intel EPT technology can only monitor page privilege. If the out-of-virtual-machine security tools want to monitor some kernel objects, they need to intercept the operation of the whole memory page. Since there are some other objects stored in the monitored pages, the modification of them will also trigger the monitor. Therefore, page-level memory monitor usually introduces overhead to related kernel services of the target virtual machine. In this paper, we propose a low-overhead kernel object monitoring approach to reduce the overhead caused by page-level monitor. The core idea is to migrate the target kernel objects to a protected memory area and then to monitor the corresponding new memory pages. Since the new pages only contain the kernel objects to be monitored, other kernel objects will not trigger our monitor. Therefore, our monitor will not introduce runtime overhead to the related kernel service. The experimental results show that our system can monitor target kernel objects effectively only with very low overhead.
The failure prediction method of virtual machines (VM) guarantees reliability to cloud platforms. However, the uncertainty of VM security state will affect the reliability and task processing capabilities of the entire cloud platform. In this study, a failure prediction method of VM based on AdaBoost-Hidden Markov Model was proposed to improve the reliability of VMs and overall performance of cloud platforms. This method analyzed the deep relationship between the observation state and the hidden state of the VM through the hidden Markov model, proved the influence of the AdaBoost algorithm on the hidden Markov model (HMM), and realized the prediction of the VM failure state. Results show that the proposed method adapts to the complex dynamic cloud platform environment, can effectively predict the failure state of VMs, and improve the predictive ability of VM security state.
With the ever so growing boundaries for security in the cloud, it is necessary to develop ways to prevent from total cloud server failure. In this paper, we try to design a Game Strategy Block that sets up rules for security based on a tower defence game to secure the hypervisor from potential threats. We also try to define a utility function named the Virtual Machine Vitality Measure (VMVM) that could enlighten on the status of the virtual machines on the virtual environment.
Cloud Computing as of large is evolving at a faster pace with an ever changing set of cloud services. The amenities in the cloud are all enabled with respect to the public cloud services in their own enormous domain aspects commercially, which tend to be more insecure. These cloud services should be thus protected and secured which is very vital to the cloud infrastructures. Therefore, in this research work, we have identified security features with a self-heal approach that could be rendered on the infrastructure as a service (IaaS) in a private cloud environment. We have investigated the attack model from the virtual machine snapshots and have analyzed based on the supervised machine learning techniques. The virtual machines memory snapshots API call sequences are considered as input for the supervised and unsupervised machine learning algorithms to classify the attacked and the un-attacked virtual machine memory snapshots. The obtained set of the attacked virtual machine memory snapshots are given as input to the self-heal algorithm which is enabled to retrieve back the functionality of the virtual machines. Our method of detecting the malware attains about 93% of accuracy with respect to the virtual machine snapshots.
Network virtualization is a fundamental technology for datacenters and upcoming wireless communications (e.g., 5G). It takes advantage of software-defined networking (SDN) that provides efficient network management by converting networking fabrics into SDN-capable devices. Moreover, white-box switches, which provide flexible and fast packet processing, are broadly deployed in commercial datacenters. A white-box switch requires a specific and restricted packet processing pipeline; however, to date, there has been no SDN-based network hypervisor that can support the pipeline of white-box switches. Therefore, in this paper, we propose WhiteVisor: a network hypervisor which can support the physical network composed of white-box switches. WhiteVisor converts a flow rule from the virtual network into a packet processing pipeline compatible with the white-box switch. We implement the prototype herein and show its feasibility and effectiveness with pipeline conversion and overhead.
Computer security has gained more and more attention in a public over the last years, since computer systems are suffering from significant and increasing security threats that cause security breaches by exploiting software vulnerabilities. The most efficient way to ensure the system security is to patch the vulnerable system before a malicious attack occurs. Besides the commonly-used push-type patch management, the pull-type patch management is also adopted. The main issues in the pull-type patch management are two-fold; when to check the vulnerability information and when to apply a patch? This paper considers the security patch management for a virtual machine (VM) based intrusion tolerant system (ITS), where the system undergoes the patch management with a periodic vulnerability checking strategy, and evaluates the system security from the availability aspect. A composite stochastic reward net (SRN) model is applied to capture the attack behavior of adversary and the defense behaviors of system. Two availability measures; interval availability and point-wise availability are formulated to quantify the system security via phase expansion. The proposed approach and metrics not only enable us to quantitatively assess the system security, but also provide insights on the patch management. In numerical experiments, we evaluate effects of the intrusion rate and the number of vulnerability checking on the system security.
Computer networks are overwhelmed by self propagating malware (worms, viruses, trojans). Although the number of security vulnerabilities grows every day, not the same thing can be said about the number of defense methods. But the most delicate problem in the information security domain remains detecting unknown attacks known as zero-day attacks. This paper presents methods for isolating the malicious traffic by using a honeypot system and analyzing it in order to automatically generate attack signatures for the Snort intrusion detection/prevention system. The honeypot is deployed as a virtual machine and its job is to log as much information as it can about the attacks. Then, using a protected machine, the logs are collected remotely, through a safe connection, for analysis. The challenge is to mitigate the risk we are exposed to and at the same time search for unknown attacks.
Distributed denial of service (DDoS) attacks is a serious cyberattack that exhausts target machine's processing capacity by sending a huge number of packets from hijacked machines. To minimize resource consumption caused by DDoS attacks, filtering attack packets at source machines is the best approach. Although many studies have explored the detection of DDoS attacks, few studies have proposed DDoS attack prevention schemes that work at source machines. We propose a reliable, lightweight, transparent, and flexible DDoS attack prevention scheme that works at source machines. In this scheme, we employ a hypervisor with a packet filtering mechanism on each managed machine to allow the administrator to easily and reliably suppress packet transmissions. To make the proposed scheme lightweight and transparent, we exploit a thin hypervisor that allows pass-through access to hardware (except for network devices) from the operating system, thereby reducing virtualization overhead and avoiding compromising user experience. To make the proposed scheme flexible, we exploit a configurable packet filtering mechanism with a guaranteed safe code execution mechanism that allows the administrator to provide a filtering policy as executable code. In this study, we implemented the proposed scheme using BitVisor and the Berkeley Packet Filter. Experimental results show that the proposed scheme can suppress arbitrary packet transmissions with negligible latency and throughput overhead compared to a bare metal system without filtering mechanisms.
Advances in our understanding of the nature of cognition in its myriad forms (Embodied, Embedded, Extended, and Enactive) displayed in all living beings (cellular organisms, animals, plants, and humans) and new theories of information, info-computation and knowledge are throwing light on how we should build software systems in the digital universe which mimic and interact with intelligent, sentient and resilient beings in the physical universe. Recent attempts to infuse cognition into computing systems to push the boundaries of Church-Turing thesis have led to new computing models that mimic biological systems in encoding knowledge structures using both algorithms executed in stored program control machines and neural networks. This paper presents a new model and implements an application as hierarchical named network composed of microservices to create a managed process workflow by enabling dynamic configuration and reconfiguration of the microservice network. We demonstrate the resiliency, efficiency and scaling of the named microservice network using a novel edge cloud platform by Platina Systems. The platform eliminates the need for Virtual Machine overlay and provides high performance and low-latency with L3 based 100 GbE network and SSD support with RDMA and NVMeoE. The hierarchical named microservice network using Kubernetes provisioning stack provides all the cloud features such as elasticity, autoscaling, self-repair and live-migration without reboot. The model is derived from a recent theoretical framework for unification of different models of computation using "Structural Machines.'' They are shown to simulate Turing machines, inductive Turing machines and also are proved to be more efficient than Turing machines. The structural machine framework with a hierarchy of controllers managing the named service connections provides dynamic reconfiguration of the service network from browsers to database to address rapid fluctuations in the demand for or the availability of resources without having to reconfigure IP address base networks.
The concept of Virtualized Network Functions (VNFs) aims to move Network Functions (NFs) out of dedicated hardware devices into software that runs on commodity hardware. A single NF consists of multiple VNF instances, usually running on virtual machines in a cloud infrastructure. The elastic management of an NF refers to load management across the VNF instances and the autonomic scaling of the number of VNF instances as the load on the NF changes. In this paper, we present EL-SEC, an autonomic framework to elastically manage security NFs on a virtualized infrastructure. As a use case, we deploy the Snort Intrusion Detection System as the NF on the GENI testbed. Concepts from control theory are used to create an Elastic Manager, which implements various controllers - in this paper, Proportional Integral (PI) and Proportional Integral Derivative (PID) - to direct traffic across the VNF Snort instances by monitoring the current load. RINA (a clean-slate Recursive InterNetwork Architecture) is used to build a distributed application that monitors load and collects Snort alerts, which are processed by the Elastic Manager and an Attack Analyzer, respectively. Software Defined Networking (SDN) is used to steer traffic through the VNF instances, and to block attack traffic. Our results show that virtualized security NFs can be easily deployed using our EL-SEC framework. With the help of real-time graphs, we show that PI and PID controllers can be used to easily scale the system, which leads to quicker detection of attacks.
This paper presents CapeVM, a sensor node virtual machine aimed at delivering both high performance and a sandboxed execution environment that ensures malicious code cannot corrupt the VM's internal state or perform actions not allowed by the VM. CapeVM uses Ahead-of-Time compilation and introduces a range of optimisations to eliminate most of the overhead present in previous work on sensor node AOT compilers. A sandboxed execution environment is guaranteed by a set of checks. The structured nature of the VM's instruction set allows the VM to perform most checks at load time, reducing the need for expensive run-time checks compared to native code approaches. While some overhead from using a VM and adding sandbox checks cannot be avoided, CapeVM's optimisations reduce this overhead dramatically. We evaluate CapeVM using a set of IoT applications and show this results in a performance just 2.1x slower than unsandboxed native code. Thus, CapeVM combines the desirable properties ofexisting work on both sandboxed execution and virtual machines for sensor nodes, with significantly improved performance.
Infrastructure-as-a-Service clouds provide out-of-band remote management for users to access their virtual machines (VMs). Out-of-band remote management is a method for indirectly accessing VMs via their virtual devices. While virtual devices running in the virtualized system are managed by cloud operators, not all cloud operators are always trusted in clouds. To prevent information leakage from virtual devices and tampering with their I/O data, several systems have been proposed by trusting the hypervisor in the virtualized system. However, they have various issues on security and management. This paper proposes VSBypass, which enables secure out-of-band remote management outside the virtualized system using a technique called transparent passthrough. VSBypass runs the entire virtualized system in an outer VM using nested virtualization. Then it intercepts I/O requests of out-of-band remote management and processes those requests in shadow devices, which run outside the virtualized system. We have implemented VSBypass in Xen for the virtual serial console and GUI remote access. We confirmed that information leakage was prevented and that the performance was comparable to that in traditional out-of-band remote management.
The diagnosis of performance issues in cloud environments is a challenging problem, due to the different levels of virtualization, the diversity of applications and their interactions on the same physical host. Moreover, because of privacy, security, ease of deployment and execution overhead, an agent-less method, which limits its data collection to the physical host level, is often the only acceptable solution. In this paper, a precise host-based method, to recover wait state for the processes inside a given Virtual Machine (VM), is proposed. The virtual Process State Detection (vPSD) algorithm computes the state of processes through host kernel tracing. The state of a virtual Process (vProcess) is displayed in an interactive trace viewer (Trace Compass) for further inspection. Our proposed VM trace analysis algorithm has been open-sourced for further enhancements and for the benefit of other developers. Experimental evaluations were conducted using a mix of workload types (CPU, Disk, and Network), with different applications like Hadoop, MySQL, and Apache. vPSD, being based on host hypervisor tracing, brings a lower overhead (around 0.03%) as compared to other approaches.
Now a days, Cloud computing has brought a unbelievable change in companies, organizations, firm and institutions etc. IT industries is advantage with low investment in infrastructure and maintenance with the growth of cloud computing. The Virtualization technique is examine as the big thing in cloud computing. Even though, cloud computing has more benefits; the disadvantage of the cloud computing environment is ensuring security. Security means, the Cloud Service Provider to ensure the basic integrity, availability, privacy, confidentiality, authentication and authorization in data storage, virtual machine security etc. In this paper, we presented a Local outlier factors mechanism, which may be helpful for the detection of Distributed Denial of Service attack in a cloud computing environment. As DDoS attack becomes strong with the passing of time, and then the attack may be reduced, if it is detected at first. So we fully focused on detecting DDoS attack to secure the cloud environment. In addition, our scheme is able to identify their possible sources, giving important clues for cloud computing administrators to spot the outliers. By using WEKA (Waikato Environment for Knowledge Analysis) we have analyzed our scheme with other clustering algorithm on the basis of higher detection rates and lower false alarm rate. DR-LOF would serve as a better DDoS detection tool, which helps to improve security framework in cloud computing.
Data privacy and security is a leading concern for providers and customers of cloud computing, where Virtual Machines (VMs) can co-reside within the same underlying physical machine. Side channel attacks within multi-tenant virtualized cloud environments are an established problem, where attackers are able to monitor and exfiltrate data from co-resident VMs. Virtualization services have attempted to mitigate such attacks by preventing VM-to-VM interference on shared hardware by providing logical resource isolation between co-located VMs via an internal virtual network. However, such approaches are also insecure, with attackers capable of performing network channel attacks which bypass mitigation strategies using vectors such as ARP Spoofing, TCP/IP steganography, and DNS poisoning. In this paper we identify a new vulnerability within the internal cloud virtual network, showing that through a combination of TAP impersonation and mirroring, a malicious VM can successfully redirect and monitor network traffic of VMs co-located within the same physical machine. We demonstrate the feasibility of this attack in a prominent cloud platform - OpenStack - under various security requirements and system conditions, and propose countermeasures for mitigation.
ARM devices (mobile phone, IoT devices) are getting more popular in our daily life due to the low power consumption and cost. These devices carry a huge number of user's private information, which attracts attackers' attention and increase the security risk. The operating systems (e.g., Android, Linux) works out many memory data protection strategies on user's private information. However, the monolithic OS may contain security vulnerabilities that are exploited by the attacker to get root or even kernel privilege. Once the kernel privilege is obtained by the attacker, all data protection strategies will be gone and user's private information can be taken away. In this paper, we propose a hardened memory data protection framework called H-Securebox to defeat kernel-level memory data stolen attacks. H-Securebox leverages ARM hardware virtualization technique to protect the data on the memory with hypervisor privilege. We designed three types H-Securebox for programing developers to use. Although the attacker may have kernel privilege, she can not touch private data inside H-Securebox, since hypervisor privilege is higher than kernel privilege. With the implementation of H-Securebox system assisting by a tiny hypervisor on Raspberry Pi2 development board, we measure the performance overhead of our system and do the security evaluations. The results positively show that the overhead is negligible and the malicious application with root or kernel privilege can not access the private data protected by our system.
This is very true for the Windows operating system (OS) used by government and private organizations. With Windows, the closed source nature of the operating system has unfortunately meant that hidden security issues are discovered very late and the fixes are not found in real time. There needs to be a reexamination of current static methods of malware detection. This paper presents an integrated system for automated and real-time monitoring and prediction of rootkit and malware threats for the Windows OS. We propose to host the target Windows machines on the widely used Xen hypervisor, and collect process behavior using virtual memory introspection (VMI). The collected data will be analyzed using state of the art machine learning techniques to quickly isolate malicious process behavior and alert system administrators about potential cyber breaches. This research has two focus areas: identifying memory data structures and developing prediction tools to detect malware. The first part of research focuses on identifying memory data structures affected by malware. This includes extracting the kernel data structures with VMI that are frequently targeted by rootkits/malware. The second part of the research will involve development of a prediction tool using machine learning techniques.
With the extensive application of cloud computing technology developing, security is of paramount importance in Cloud Computing. In the cloud computing environment, surveys have been provided on several intrusion detection techniques for detecting intrusions. We will summarize some literature surveys of various attack taxonomy, which might cause various threats in cloud environment. Such as attacks in virtual machines, attacks on virtual machine monitor, and attacks in tenant network. Besides, we review massive existing solutions proposed in the literature, such as misuse detection techniques, behavior analysis of network traffic, behavior analysis of programs, virtual machine introspection (VMI) techniques, etc. In addition, we have summarized some innovations in the field of cloud security, such as CloudVMI, data mining techniques, artificial intelligence, and block chain technology, etc. At the same time, our team designed and implemented the prototype system of CloudI (Cloud Introspection). CloudI has characteristics of high security, high performance, high expandability and multiple functions.