RESEARCH, Open Access

If you want to know about a hunter, study his prey: detection of network based attacks on KVM based cloud environments

Nikolaos Pitropakis1*, Dimitra Anastasopoulou1, Aggelos Pikrakis2 and Costas Lambrinoudakis1

Abstract
Computational systems are gradually moving towards Cloud Computing Infrastructures, using the several advantages they have to offer and especially the economic advantages in the era of an economic crisis. In addition to this revolution, several security matters emerged and especially the confrontation of malicious insiders. This paper proposes a methodology for detecting the co-residency and network stressing attacks in the kernel layer of a KVM-based cloud environment, using an implementation of the Smith-Waterman genetic algorithm. The proposed approach has been explored in a test bed environment, producing results that verify its effectiveness.

Keywords: Cloud computing; Security; Co-residency; Network stressing; Malicious insider; KVM; System calls; Smith-Waterman

*Correspondence: npitrop@unipi.gr
1 Department of Digital Systems, University of Piraeus, Piraeus, Greece
Full list of author information is available at the end of the article
© 2014 Pitropakis et al.; licensee Springer. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly credited.
Pitropakis et al. Journal of Cloud Computing: Advances, Systems and Applications 2014, 3:20. http://www.journalofcloudcomputing.com/content/3/1/20

Introduction
Distributed systems have made a huge renovation in Information Technology (IT) infrastructures. Their continuation is Cloud Computing. Despite being a modern trend and a new economic model, Cloud Computing has made its statement, turning into the technological model employed by the majority of large companies and organizations for facilitating their everyday needs. It is well known, however, that every novelty, despite offering a lot of advantages, also brings several disadvantages. The latter usually remain hidden until a horror story appears. We refer to the security threats that the new technology has raised. They can be classified as related to the service provider, to the infrastructure, or to the host of the Cloud System. Several of them are well known from conventional IT infrastructures: Distributed Denial of Service [1] came with distributed systems and still draws the attention of security experts, while social engineering attacks [2], malware and Trojan horses [3] are also popular for their impact on modern IT infrastructures. Despite the inherited threats, there are newly generated risks that need confrontation. The most important of them are loss of governance [4], data interception [3] and replay attacks [3].

Our work focuses on the oldest and most unpredictable threat, one that existed before IT systems were born: the human factor. We refer to malicious insiders [4,5] of a Cloud Computing Infrastructure. Their activities can harm the confidentiality, integrity and availability of the data and services of a cloud system. The commonest role that a malicious insider has in a cloud infrastructure is that of the administrator; either the administrator of the host or one of the administrators of the virtual machines (VM). The privileges of an administrator allow several kinds of attacks to be launched. However, our work focuses on the network attacks and especially the stressing of the host network and the co-residency attack [6]. To be specific, the stressing of the network is the basic component of DOS and DDOS attacks [7], where packets are continuously sent to the target in order to stop it from behaving properly and eventually deny its services to others. In the case of the co-residency attack [6], we talk about the detection of neighbouring VMs and the retrieval of information about them, such as their operating system. The leakage of such important information can seriously harm the cloud infrastructure.

There have been numerous attempts to counter network stressing attacks [7,8] in their DOS and DDOS form. There are also attempts aiming to handle the activities of a malicious insider through the implementation of several different IDSs, connected through an event gatherer [9]. However, none of these attempts has managed to successfully prevent the actions of malicious insiders. This paper presents a novel method for identifying network based attacks in a cloud infrastructure. To this respect, a KVM-based [10] system has been employed, with its host OS (Dom0) having direct access to all I/O functions of the system. This access is materialized by monitoring the system calls made by the kernel of the Dom0 operating system. The proposed method has utilized the Smith-Waterman algorithm [11] to prove that, by monitoring the system calls, the malicious actions of a potential cloud insider can be detected.

The rest of the paper is organised as follows: Section "Related work and network attacks" briefly describes the co-residency and the network stressing attacks. Section "Detection method" provides background information about the Smith-Waterman algorithm and a detailed description of the proposed method. Section "Test-bed environment and results of the experiments" presents the test-bed environment, the applied automation methodology and the results of the tests conducted. Section "Discussion" contains annotations about the results, while section "Conclusion and future work" draws the conclusions, giving some pointers to future work.
Related work and network attacks
There are several approaches attempting to track, disable or even eliminate the malicious insider threat. Some of them focus on a specific aspect of the cloud, such as the employees or the network, while others try to present a global solution. Few of them are able to differentiate themselves from existing solutions inherited from conventional information systems.

Spring suggests that a firewall at the cloud border that blocks troublesome packets can limit, but cannot eliminate, access to known malicious entities [12]. Alzain, Pardede, Soh and Thom suggest that moving from single cloud to multi-clouds will greatly reduce the malicious insiders threat, as the information is spread among the interclouds and can't be retrieved from a single Cloud Infrastructure [13]. Another effort focuses on employing logistic regression models to estimate false positives/negatives in intrusion detection and identification of malicious insiders. Furthermore, it insists on developing new protocols that cope with denial of service and insider attacks and ensure predictable delivery of mission critical data [14]. Magklaras, Furnell and Papadaki [15] suggest an audit engine for logging user actions in relational mode (LUARM) that attempts to solve two fundamental problems of the insider IT misuse domain. The first is the lack of insider misuse case data repositories that could be used by post-case forensic examiners to aid incident investigations and, the second, how information security researchers can enhance their ability to accurately specify insider threats at system level. Tripathi and Mishra [16] insist that cloud providers should provide controls to customers which can detect and prevent malicious insider threats. They add that malicious insider threats can be mitigated by specifying human resources requirements as part of legal contracts and conducting a comprehensive supplier assessment. This procedure would lead to reporting and determining security breach notification processes.

Fog computing [17] suggests an approach totally different from the others. The access operations of each cloud user are monitored, realising a sort of profiling for each user. This profiling facilitates the detection of abnormal behaviour. When unauthorized access is suspected and then verified, the method uses disinformation attacks by returning large amounts of decoy information to the malicious insiders, keeping this way the privacy of the real user's data. An approach which is totally different from the latter is that of Cuong Hoang H. Lee [18], which achieves security in a Xen based hypervisor [19] by trapping hypercalls, as they are fewer than system calls. The hypercalls are checked before their execution and thus malicious ones can be detected. A combination of the two latter methods takes advantage of the system calls, collecting them and classifying them into normal and abnormal through a binary weighted cosine metric and a k nearest neighbour classifier [20]. Paying special attention to access control mechanisms, Kollam and Sunnyvale [21] present a mechanism that generates immutable security policies for a client, and propagates and enforces them at the provider's infrastructure. This is one of the few methods aiming directly at malicious insiders and especially system administrators.

The reference to co-residence (or co-tenancy) implies that multiple independent customers share the same physical infrastructure [22]. This fact results in a scheme where Virtual Machines owned by different customers may be placed in the same physical machine. There are several methods that can achieve the discovery of neighbouring Virtual Machines in a Cloud infrastructure. There are also other methods that wish to counter this specific attack. Adam Bates [23] claims that co-residency detection is also possible through network flow watermarking. To be specific, this is a type of network covert timing channel, capable of breaking anonymity by tracing the path of the network flow. It can also perform a variety of traffic analysis tasks. However, many drawbacks exist in this method, with the most important one being the introduction of a considerable delay in the network. Ristenpart [6] presents the co-residency potential attacks on Amazon EC2, one of the largest Cloud Infrastructures. In his methodology he includes network tools such as nmap [24], hping [25] and wget [26], which are utilized in order to create network probes that will acquire the addresses of the potential targets. Additionally, the addresses are used to make a hypothetical map of the cloud network that will be tested in the third step. In the manifestation of the method he explores whether two instances are co-resident or not through a series of checks that depend on: 1. matching Dom0 IP address, 2. small packet round-trip times, or 3. numerically close internal IP address.

Project Silverline [27] aims to achieve both data and network isolation. Pseudorandomly-allocated IP addresses are used for each VM, hiding the actual IP addresses provided by the cloud provider. Then, in each Dom0, SilverLine replaces the pseudo IP addresses by the actual addresses before packets leave the machine. Since IP addresses are also discovered through DNS requests, SilverLine also rewrites DNS responses to appropriate pseudo addresses. Another approach, namely HomeAlone [28], allows the verification of the physical isolation of a Virtual Machine through the same tool that can launch co-residency attacks, performed through side channels that usually offer vulnerabilities. The L2 memory cache is a popular way to reach the data of another VM. However, in the latter scenario L2 memory is silenced for the period of time needed by the system, with the ultimate purpose that the residence information is not acquired by another physical machine. In practice this is rather difficult, as the L2 memory in a virtualized environment is never quiet and in most cases there is no physical isolation among the Virtual Machines.

There are numerous attempts to protect Cloud Infrastructures, not only from the co-residency attack but from other network stressing attacks too, by employing Intrusion Detection Systems (IDS). Most of them make use of multiple agents that are installed in different Virtual Machines and collect the data into a centralized point. The disadvantage is that they introduce considerable overhead to the Cloud infrastructure, since they consume a significant amount of resources [29-34]. An interesting approach is that of Bakshi and Yogesh [7], who transfer the targeted applications to VMs hosted in another data center when they pick up a grossly abnormal spike in inbound traffic.

It can be deduced that the majority of attacks that can be launched by insiders for detecting neighbouring virtual machines or just stressing the network of a Cloud Infrastructure are based on simple network attacks. In a similar fashion, the attacks that have been utilized in this paper for demonstrating the proposed detection method are very simple. Before explaining the attacks it should be stated that, in order to launch them, the attacker should know the IP address of the virtual machine. In our scenario the attacker is the administrator of a virtual machine with the Kali Linux Operating System [35], the ancestor of the Backtrack Operating System [36], which offers to our hypothetical malicious insider a variety of tools.

In the case of the co-residency attack, the attacker, after obtaining the IP address of his virtual machine, works on finding the Domain Name System (DNS) address. This can be easily retrieved through the command nslookup followed by the IP address of the Virtual Machine (VM). This command, executed in the Kali Linux kernel, will return the DNS address. After obtaining the DNS address, the attacker can use the nmap command to acquire the IP addresses of all virtual machines (including the host) utilising the specific DNS. Specifically, the command executed is "nmap -sP DNS_Address/24". Having the IP addresses of all virtual machines that use the same DNS, the attacker can identify the Operating System of either the Host or of the other Virtual Machines, by executing the command "nmap -v -O Ip_address". Through the aforementioned three distinct steps, all co-residents can be identified along with additional information about their operating systems, something that can allow the attacker to launch further attacks harming the Cloud Infrastructure.

Network stress is executed by launching a smurf attack [37] on a specially configured virtual network. In order to perform a smurf attack, the attacker needs the IPv6 address of the victim. The victim can be the Host or any other Virtual Machine on the same network. Its IPv6 address can be obtained using two methods. The first one is via the ifconfig command, which can be executed on the Host. The second method is detecting IPv6-active hosts on the same network via the ping6 command [38]. The attacker can easily ping the link-local all-node multicast address ff02::1 from any virtual machine by executing the command "ping6 -I ff02::1". After obtaining the IPv6 address, the attacker can use the smurf6 tool to perform the attack, executing the command "smurf6 victim_ipv6_address". Through this method the attacker VM (or the Host) will flood the Virtual Network with spoofed ICMPv6 echo request packets, the source address of which is the IPv6 address of the victim machine and the destination address is the link-local all-node multicast address ff02::1. Then the remaining machines on the same network will flood the victim with ICMPv6 echo replies, thus stressing the virtual network even more.
Detection method
Algorithm
The proposed detection scheme has adopted the standard Smith-Waterman algorithm, which was originally introduced in the context of molecular sequence analysis [9]. This was possible because the data streams under study consist of symbols drawn from a finite discrete alphabet. A minor modification introduced has to do with two parameters which refer to the number of horizontal and vertical predecessors which are allowed to be scanned in order to determine the accumulated cost at each node of the similarity grid. In other words, these two parameters define the maximum allowable gap length, both horizontally and vertically. This type of minor modification causes a significant improvement in response times and it is also in accordance with the nature of the data that are processed. The values of these two parameters, along with the gap penalty, have been the result of extensive experimentation. Next, the adopted Smith-Waterman algorithm is presented.

First of all, the pairwise (local) similarity between the individual elements of the two symbol sequences must be defined. To this end, let A and B be the two symbol sequences and A(i), i = 1, ..., M, B(j), j = 1, ..., N, be the i-th symbol of A and the j-th symbol of B, respectively. The local similarity, S(i,j), between A(i) and B(j) is then defined as

$$S(i,j) = 1, \ \text{if } A(i) = B(j) \qquad \text{and} \qquad S(i,j) = -G_p, \ \text{if } A(i) \neq B(j),$$

where G_p is the penalty for dissimilarity (a parameter to our method).

Initialization
Then a similarity grid, H, is created with its first row and column being initialized to zeros, i.e.,

$$H(0,j) = 0, \ j = 0, \ldots, N \qquad \text{and} \qquad H(i,0) = 0, \ i = 0, \ldots, M.$$

As a result, the dimensions of the similarity grid are (M+1) x (N+1), its rows are indexed 0, ..., M and its columns are indexed 0, ..., N.

Iteration
For each node, (i,j), i >= 1, j >= 1, of the grid, the accumulated similarity cost is computed according to the equation:

$$H(i,j) = \max\left\{\begin{array}{l} 0; \\ H(i-1,j-1) + S(i,j); \\ H(i-k,j) - (1+k)\,G_p, \quad k = 1, \ldots, P_v; \\ H(i,j-l) - (1+l)\,G_p, \quad l = 1, \ldots, P_h \end{array}\right\}, \qquad i = 1, \ldots, M; \ j = 1, \ldots, N,$$

where P_v and P_h are the maximum allowable vertical and horizontal gaps (measured in number of symbols) respectively and G_p is the previously introduced dissimilarity penalty (which in this case also serves as a gap penalty). The above equation is repeated for all nodes of the grid, starting from the lowest row (i = 1) and moving from left to right (increasing index j). It can be seen that vertical and horizontal transitions (third and fourth branch of the equation) introduce a gap penalty, i.e., reduce the accumulated similarity by an amount which is proportional to the number of nodes that are being skipped (length of the gap). In addition, if the accumulated similarity, H(i,j), is negative, then it is set to zero (first branch of the equation) and the fictitious node (0,0) becomes the predecessor of (i,j). If, on the other hand, the accumulated similarity is positive, the predecessor of (i,j) is the node which maximizes H(i,j). The coordinates of the best predecessor of each node are stored in a separate matrix. Concerning the first row and first column of the grid, the predecessor is always the fictitious node (0,0).

Backtracking
After the accumulated cost has been computed for all nodes, the node which corresponds to the maximum detected value is selected and the chain of predecessors is followed until a (0,0) node is encountered. This procedure is known as backtracking and the resulting chain of nodes is the best (optimal alignment) path. In the experiments performed, different values of the parameters P_v, P_h and G_p have been used and finally the values that provided the most satisfactory performance have been selected.
Proposed method
Fictional character David Rossi, inspired by John E. Douglas, one of the creators of the criminal profiling program, once said "If you want to know about a hunter, study his prey" [39]. The proposed methodology has been inspired by the above quote. The work of a malicious insider on a KVM-based cloud system is performed with system calls of the host operating system. In order to investigate the type and sequence of system calls employed, the Linux Audit [40] tool has been used for capturing them. The procedure that has been followed is the following:

- The system calls engaged during the execution of the nslookup command (first step of the co-residency attack), the "nmap -sP DNS_Address/24" command (second step of the co-residency attack), "nmap -v -O Ip_address" (third step of the co-residency attack) and "smurf6 victim_ipv6_address" (smurf attack) are captured.
- The system calls engaged during the same time period of normal system operation (no attack is being launched) are captured.
- The above log files have been processed with the use of regular expressions and the "sed" command [41], leaving only the ID of each system call.
- Finally, the Smith-Waterman algorithm has been employed to compare the logs (every system call ID is being used by the algorithm as a DNA element).

Initially, the similarity between multiple executions of each attack step, at different time periods, was calculated with the use of an automated system that reduced the errors due to human responsiveness. Then the similarity between an attack step and the respective time period of normal operation was derived. Ideally, this approach would facilitate the identification of specific system call patterns that will form the attack signature.
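As an added example (it is not the authors' Matlab implementation nor any code from the paper), the Python below carries the two technical steps of the method through on constructed data: it reduces Linux Audit records to the sequence of system call IDs, as the regex/sed step of this section does, and then aligns two such sequences with the modified Smith-Waterman algorithm of section "Algorithm", with the bounded gaps P_v and P_h, the penalty G_p and the backtracking. The audit lines, the syscall numbers and the ATTACK_RUN_2/NORMAL_RUN sequences are constructed for the example (the line layout follows the Linux Audit SYSCALL record format); the function names are my own.

```python
import re
from typing import List, Sequence, Tuple

Node = Tuple[int, int]

# Constructed sample in the record layout of the Linux Audit system (not
# captured on the paper's test bed). Only the syscall=<id> field of
# type=SYSCALL records carries the symbol the method uses; CWD/PATH records
# belonging to the same event are dropped.
ATTACK_RUN_1 = """\
type=SYSCALL msg=audit(1408000000.101:1): arch=c000003e syscall=59 success=yes exit=0 comm="nslookup"
type=CWD msg=audit(1408000000.101:1): cwd="/root"
type=SYSCALL msg=audit(1408000000.102:2): arch=c000003e syscall=12 success=yes exit=0 comm="nslookup"
type=SYSCALL msg=audit(1408000000.103:3): arch=c000003e syscall=41 success=yes exit=3 comm="nslookup"
type=PATH msg=audit(1408000000.103:3): item=0 name="/etc/resolv.conf"
type=SYSCALL msg=audit(1408000000.104:4): arch=c000003e syscall=44 success=yes exit=40 comm="nslookup"
type=SYSCALL msg=audit(1408000000.105:5): arch=c000003e syscall=45 success=yes exit=120 comm="nslookup"
type=SYSCALL msg=audit(1408000000.106:6): arch=c000003e syscall=3 success=yes exit=0 comm="nslookup"
"""

# A second, already reduced run of the same step (constructed): the same calls
# with one extra call in the middle, as a repeated execution might show.
ATTACK_RUN_2 = [59, 12, 41, 16, 44, 45, 3]
# Constructed "normal operation" sequence sharing no syscall ID with the runs.
NORMAL_RUN = [1, 1, 7, 7, 1, 7]

SYSCALL_RE = re.compile(r"^type=SYSCALL\b.*\bsyscall=(\d+)\b")


def syscall_ids(log_text: str) -> List[int]:
    """Keep only the ID of each system call (the paper's regex/sed reduction)."""
    ids: List[int] = []
    for line in log_text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            ids.append(int(m.group(1)))
    return ids


def local_similarity(x: int, y: int, gp: float) -> float:
    """S(i,j): 1 for identical symbols, -Gp for dissimilar ones."""
    return 1.0 if x == y else -gp


def smith_waterman(a: Sequence[int], b: Sequence[int], gp: float,
                   pv: int, ph: int) -> Tuple[float, List[Node]]:
    """Modified Smith-Waterman: vertical gaps up to Pv, horizontal gaps up to Ph.

    Returns the maximum accumulated similarity and the optimal alignment path
    (grid nodes in sequence order) obtained by backtracking.
    """
    m, n = len(a), len(b)
    # (M+1) x (N+1) grid; row 0 and column 0 stay zero (initialization step).
    h = [[0.0] * (n + 1) for _ in range(m + 1)]
    # Best predecessor of each node; the fictitious (0,0) for row 0 / column 0.
    pred: List[List[Node]] = [[(0, 0)] * (n + 1) for _ in range(m + 1)]
    best, best_node = 0.0, (0, 0)
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            # First branch first: when nothing is positive, (0,0) wins the tie.
            cands = [(0.0, (0, 0)),
                     (h[i-1][j-1] + local_similarity(a[i-1], b[j-1], gp), (i-1, j-1))]
            for k in range(1, min(pv, i) + 1):          # vertical gap of k symbols
                cands.append((h[i-k][j] - (1 + k) * gp, (i-k, j)))
            for l in range(1, min(ph, j) + 1):          # horizontal gap of l symbols
                cands.append((h[i][j-l] - (1 + l) * gp, (i, j-l)))
            h[i][j], pred[i][j] = max(cands, key=lambda c: c[0])
            if h[i][j] > best:
                best, best_node = h[i][j], (i, j)
    # Backtracking: follow predecessors from the maximum until (0,0).
    path: List[Node] = []
    node = best_node
    while node != (0, 0):
        path.append(node)
        node = pred[node[0]][node[1]]
    path.reverse()
    return best, path


def compare_runs(gp: float = 1 / 3, pv: int = 5, ph: int = 5) -> Tuple[float, float]:
    """Similarity of attack run 1 against run 2 and against normal operation."""
    run1 = syscall_ids(ATTACK_RUN_1)
    attack_vs_attack, _ = smith_waterman(run1, ATTACK_RUN_2, gp, pv, ph)
    attack_vs_normal, _ = smith_waterman(run1, NORMAL_RUN, gp, pv, ph)
    return attack_vs_attack, attack_vs_normal


if __name__ == "__main__":
    print(compare_runs())
```

With G_p = 1/3 and P_v = P_h = 5 (the paper's settings), the two attack runs align along the diagonal with one horizontal gap over the inserted call, while the constructed normal run, which shares no ID, scores zero; the same ordering is what Tables 1 to 8 report for the real logs. The first candidate in `cands` is the zero branch, so Python's `max` keeps the fictitious (0,0) predecessor whenever no branch is positive, matching the rule in section "Iteration".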
Test-bed environment and results of the experiments
Setup the environment
In order to launch the attack and monitor the system logs, a minimal Cloud Infrastructure was built using one Dell PowerEdge T410 server with the following configuration: Intel Xeon E5607 as Central Processing Unit, 8 Gigabytes of memory running at 1333 MHz and a 300 Gigabytes SAS HDD at 10000 rpm. The server was running OpenSuse Linux 12.1 [42]. Also the Linux audit [40] tool was installed; this tool has a configuration file that stores a list of rules that specify which type of system calls will be logged. To avoid losing valuable information during our experiments, all system calls were captured. Specifically, the rule used was "-a entry,always -S all". Finally, two VMs with Kali Linux [35], containing the majority of the tools used for penetration testing and attacks, were set up on the server (see Figure 1).

[Figure 1: Test-bed environment.]

Automating the attack and system calls auditing procedure
During our effort to automate the attack and the system call auditing procedure, a script was written in Expect [43]. Expect is an extension to the Tcl scripting language and it is used to automate interactions with programs that expose a text terminal interface. This feature can be installed through the expect package. Our script focuses on waiting for expected output with the use of the "expect" command, sending proper input with the use of the "send" command and eventually executing the necessary bash commands with the use of the "system" command. Initially, a directory in which the system calls are going to be saved was created. Next, the "spawn" command to open the Virsh console [44] and connect to the virtual machine via a configured serial console was executed. Virsh is a command line interface tool used for the management of guests and the hypervisor. Then the Linux auditing system was enabled and the attack command to be executed was sent to the virtual machine. Knowledge about when the attack is finished is acquired by waiting for a specific output with the expect command. Finally, the Linux auditing system is disabled and the saved system calls are extracted.

Launching the attack
Having set up the environment, each one of the three steps of the co-residency attack (nslookup, nmap and "nmap -v -O Ip_address" commands; see section "Proposed method") and the step of the smurf attack ("smurf6 victim_ipv6_address") were executed six times, each time capturing the system calls engaged. After every single execution of a command (attack step), the system was left working in normal state for a time period equal to the execution time of the command, capturing again all the system calls engaged during that period. The time periods for the attack and the respective normal state periods are depicted in Figures 2 and 3. Then, by employing the Smith-Waterman implementation (see Section "Algorithm") in Matlab, using G_p equal to 1/3 and 1/5, and P_v and P_h equal to 5, the following log sets were compared between them:

- The six log files (one for each execution round) of the first attack step; nslookup command.
- The six log files (one for each execution round) of the second attack step; "nmap -sP DNS_address/24" command.
- The six log files (one for each execution round) of the third attack step; "nmap -v -O Ip_address" command.
- The six log files (one for each execution round) of the smurf attack step.
- The twenty-four log files of the attack (six log files for all executions of each attack step and the smurf attack) with the respective log files for normal system operation.

[Figure 2: Time periods for the execution of the three attack steps and the respective time periods that the system was kept in normal state.]
[Figure 3: Time periods for the execution of the smurf attack and the respective time periods that the system was kept in normal state.]

As demonstrated in the next section, the results met our initial hypothesis. Greater similarity was found between the log files corresponding to the attack steps than between the attack logs and the logs of a normal system state.
Results
The results of the log file comparisons are presented in the following Tables 1, 2, 3, 4, 5, 6, 7, 8 and 9. As illustrated in Figure 2 and Figure 3, the logs of the first attack step are referred to as firststep, the logs of the second attack step as secondstep, the logs of the third one as thirdstep and the logs of the smurf attack as smurfstep. Furthermore, the logs corresponding to normal system operation for a time period equal to that of the first attack step are referred to as fnormal, of the second attack step as snormal, of the third attack step as tnormal and of the smurf attack as smnormal. The estimated similarity numbers that appear in the G_p columns represent the longest subseries of system calls that were found similar using the Smith-Waterman algorithm. It is expected from the training procedure that the similarity values will be larger when comparing the logs of the attack steps, and smaller when comparing the logs of an attack step and the respective log of normal system operation; i.e. it is expected that, for the same G_p, firststep1-2 will have a larger similarity than firststep1-fnormal1. This assumption is strengthened by the results of our last Table 9, where we compare the logs of the execution of each step of the attack with the logs of a system that performs a large amount of network operations that greatly increase the number of system calls. All results are visualized in Figure 4.

Table 1 Comparison of the six log files (one for each execution round) of the first attack step for Gp equal to 1/3 and 1/5
Log file comparison   Gp = 1/3       Gp = 1/5
firststep1-2          1697.000000    1783.800000
firststep2-3          2065.000000    2160.600000
firststep3-4          2116.333333    2212.600000
firststep4-5          1825.000000    1939.400000
firststep5-6          1805.333333    1898.600000

Table 2 Comparison of the six log files (one for each execution round) of the first attack step for Gp equal to 1/3 and 1/5
Log file comparison   Gp = 1/3       Gp = 1/5
firststep1-fnormal1    571.333333     630.800000
firststep2-fnormal2   1180.666667    1261.400000
firststep3-fnormal3   1162.666667    1227.800000
firststep4-fnormal4   1107.666667    1189.000000
firststep5-fnormal5   1198.000000    1261.200000
firststep6-fnormal6    144.000000     247.000000

Table 3 Comparison of the six log files (one for each execution round) of the second attack step for Gp equal to 1/3 and 1/5
Log file comparison   Gp = 1/3       Gp = 1/5
secondstep1-2         2419.333333    3103.000000
secondstep2-3         1870.666667    2662.200000
secondstep3-4         1907.666667    2816.600000
secondstep4-5         2477.333333    3276.600000
secondstep5-6         1668.000000    2351.200000

Table 4 Comparison of the six log files (one for each execution round) of the second attack step for Gp equal to 1/3 and 1/5
Log file comparison   Gp = 1/3       Gp = 1/5
secondstep1-snormal1   171.333333     174.400000
secondstep2-snormal2   452.333333     889.200000
secondstep3-snormal3  1004.666667    1343.800000
secondstep4-snormal4   562.000000     977.600000
secondstep5-snormal5   787.000000    1123.400000
secondstep6-snormal6   595.000000    1051.800000

Table 5 Comparison of the six log files (one for each execution round) of the third attack step for Gp equal to 1/3 and 1/5
Log file comparison   Gp = 1/3       Gp = 1/5
thirdstep1-2          2024.000000    2776.000000
thirdstep2-3          2739.666667    3691.000000
thirdstep3-4          2486.666667    3447.000000
thirdstep4-5          3226.000000    4222.800000
thirdstep5-6          3129.333333    4140.600000

Table 6 Comparison of the six log files (one for each execution round) of the third attack step for Gp equal to 1/3 and 1/5
Log file comparison   Gp = 1/3       Gp = 1/5
thirdstep1-tnormal1    536.666667     559.200000
thirdstep2-tnormal2    573.666667    1042.400000
thirdstep3-tnormal3    688.666667    1269.000000
thirdstep4-tnormal4    478.666667     970.600000
thirdstep5-tnormal5    878.000000    1323.400000
thirdstep6-tnormal6    562.333333     973.200000

Table 7 Comparison of the six log files (one for each execution round) of the smurf attack step for Gp equal to 1/3 and 1/5
Log file comparison   Gp = 1/3       Gp = 1/5
smurfstep1-2          3155.333333    3277.000000
smurfstep2-3          2758.333333    2891.400000
smurfstep3-4          3093.333333    3179.800000
smurfstep4-5          3230.666667    3304.800000
smurfstep5-6          2712.666667    2838.400000

Table 8 Comparison of the six log files (one for each execution round) of the smurf attack step for Gp equal to 1/3 and 1/5
Log file comparison   Gp = 1/3       Gp = 1/5
smurfstep1-smnormal1   217.000000     443.600000
smurfstep2-smnormal2   176.666667     403.400000
smurfstep3-smnormal3   641.333333     791.600000
smurfstep4-smnormal4   695.666667     922.400000
smurfstep5-smnormal5   106.000000     265.000000
smurfstep6-smnormal6   738.333333    1052.800000

Table 9 Comparison of the two log files for each attack step with normal execution with a large amount of network operations for Gp equal to 1/3
Log file comparison    Gp = 1/3
firststep1-fnormal1     422.000000
firststep2-fnormal2     449.000000
secondstep1-snormal1    529.666667
secondstep2-snormal2    556.333333
thirdstep1-snormal1     218.666667
thirdstep2-snormal2     259.666667
smurfstep1-smnormal1    126.333333
smurfstep2-smnormal2    211.666667

[Figure 4: Graph depicting similarity between attacks and between attacks and normal system state for Gp 1/3 and 1/5 respectively. Lower Gp offers greater similarity.]

Discussion
Recalling our main objective, it was to identify the existence of an attack through the sequences of the system calls. The results, which were presented in the previous section, have indeed verified that approach, since the comparison of the system calls triggered during the attack steps exhibits a much larger similarity than that produced when comparing the logs from some attack step and the respective logs for normal system operation. This assumption came true for all three steps of the co-residence attack and the smurf attack.

It would be a common query whether the results are accurate or not, and how we can verify their correctness. This question can be easily answered through the error parameter, G_p, which was used. To be specific, G_p is a variable that offers flexibility to the algorithm and defines how tolerant the algorithm will be during the comparison of the data sets. If we use the error value of 1/3, we have a less tolerant algorithm than when we use the value 1/5. This assumption leads to greater similarity figures being produced with a G_p of 1/5 than with a G_p of 1/3. Of course this is proved with our results, which were presented in the previous section. In addition to that, we have to pay attention to the fact that the more tolerant the algorithm is, the better the similarity that we get among the logs of the attack steps. However, this is not the case for the comparison of logs produced during an attack step and the respective normal operation; specifically, even though the similarity is better for bigger values of G_p, the scaling is not the same.

Another important issue that should be considered is the workload of the system. During our experimentations we used three Virtual Machines and none of them had any permanent jobs other than those corresponding to the attack steps. In a real time environment, which has extra load on the virtual machines, the number of system calls would be much larger, with consequences for the time required for processing the log files (as described earlier in the paper). Furthermore, the tracking of the attack in this workload would be more difficult, as the algorithm compares identities without being able to recognize whether or not a specific element is useful. Nevertheless, an initial set of experiments performed with increased workload indicates that the accuracy and effectiveness of the proposed detection method remain unaltered.

Conclusion and future work
In this paper a practical method for detecting malicious insider attacks from the system calls of the Host Operating System of a KVM based Cloud Infrastructure has been proposed. The approach has been evaluated by comparing the list of system calls produced during the different steps of the attack, not only with other executions of the same attack steps, but also with the normal system state during the same time the attack took place. The results have confirmed the initial assumption that the system calls can be utilized for the detection of an insider attack. The focus of our current research work is the construction of system call patterns that will be used as 'attack signatures'. The latter will help us build an IDS mechanism, which will be used for the generation of alerts and the prevention of many malicious actions.
Competing interests
The authors declare that they have no competing interests.

Authors' contributions
AP was the one who proposed the utilization of the Smith-Waterman algorithm, worked on its configuration and the specific implementation, and wrote the section about the Smith-Waterman algorithm. DA was responsible for setting up the smurf attack and for conducting the experiments together with NP. She wrote the appropriate sections about the smurf attack and the KVM hypervisor. NP was responsible for all technical issues and for setting up the test bed environment and the system calls recovery method. He also wrote the remaining sections of the paper. CL supervised the whole effort, providing advice and guidelines on scientific issues, on the experimental methods adopted and on the writing process. All authors read and approved the final manuscript.

Acknowledgements
We sincerely thank all the researchers of the Systems Security Laboratory at the University of Piraeus for the inspiration they provide and their useful comments throughout our research.

Author details
1 Department of Digital Systems, University of Piraeus, Piraeus, Greece.
2 Department of Informatics, University of Piraeus, Piraeus, Greece.
Received: 9 August 2014 Accepted: 21 November 2014

Pitropakis et al. Journal of Cloud Computing: Advances, Systems and Applications 2014, 3:20 Page 9 of 10 http://www.journalofcloudcomputing.com/content/3/1/20

doi:10.1186/s13677-014-0020-6
Cite this article as: Pitropakis et al.: If you want to know about a hunter, study his prey: detection of network based attacks on KVM based cloud environments. Journal of Cloud Computing: Advances, Systems and Applications 2014 3:20.