DOI: 10.1145/3577923.3583639 (ACM CODASPY conference proceedings, research article)

CloudShield: Real-time Anomaly Detection in the Cloud

Published: 24 April 2023

Abstract

In cloud computing, it is desirable that suspicious activities be detected by automatic anomaly detection systems. Although anomaly detection has been investigated in the past, it remains unsolved in cloud computing. The challenges are characterizing the normal behavior of a cloud server, distinguishing between benign anomalies and malicious ones (attacks), and preventing alert fatigue due to false alarms. We propose CloudShield, a practical and generalizable real-time anomaly and attack detection system for cloud computing. CloudShield uses a general deep learning model, pretrained on different cloud workloads, to predict normal behavior, and provides real-time, continuous detection by examining the distributions of the model's reconstruction errors. Once an anomaly is detected, to reduce alert fatigue, CloudShield automatically distinguishes between benign programs, known attacks, and zero-day attacks, again by examining the reconstruction error distributions. We evaluate the proposed CloudShield on representative cloud benchmarks. Our evaluation shows that CloudShield, using model pretraining, applies to a wide scope of cloud workloads. In particular, we observe that CloudShield can detect the recently proposed speculative execution attacks, e.g., Spectre and Meltdown, in milliseconds. Furthermore, we show that CloudShield accurately differentiates and prioritizes known attacks and potential zero-day attacks from benign programs. Thus, it significantly reduces false alarms, by up to 99.0%.
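The detect-then-triage flow the abstract describes, as an added illustration that is not the paper's code: a model of normal behavior yields reconstruction errors, a window is flagged when its error distribution drifts from the normal one, and a flagged window is labelled as a known benign program, a known attack, or a zero-day by comparing its error histogram with stored profiles. The per-phase template model, the total-variation distance, the thresholds and all counter traces are assumptions constructed for this example.

```python
# Added illustration, not the paper's code: flag a window when its reconstruction error
# distribution drifts from the normal one, then triage it as a known benign program, a known
# attack, or a zero-day by comparing its error histogram with stored profiles. A per-phase
# mean template stands in for the pretrained deep model; all counter traces are constructed.
PERIOD, BINS, SCALE = 4, 8, 5.0      # SCALE: error units covered by one histogram bin
def fit_template(normal_trace):
    """Learn the expected counter value for each phase of the period from a normal trace."""
    return [sum(normal_trace[p::PERIOD]) / len(normal_trace[p::PERIOD]) for p in range(PERIOD)]

def error_histogram(template, window):
    """Normalised histogram of |x - reconstruction|; the last bin collects the tail."""
    counts = [0] * BINS
    for i, x in enumerate(window):
        err = abs(x - template[i % PERIOD])
        counts[min(int(err / SCALE), BINS - 1)] += 1
    return [c / len(window) for c in counts]

def tv_distance(h1, h2):
    """Total variation distance between two histograms: 0 = identical, 1 = disjoint."""
    return 0.5 * sum(abs(p - q) for p, q in zip(h1, h2))

def triage(template, window, normal_hist, profiles, detect=0.3, match=0.15):
    """'normal' if near the normal error distribution; else nearest close profile, else 'zero-day'."""
    h = error_histogram(template, window)
    if tv_distance(h, normal_hist) < detect:
        return "normal"
    label, d = min(((n, tv_distance(h, p)) for n, p in profiles.items()), key=lambda t: t[1])
    return label if d < match else "zero-day"

def make_trace(pattern, reps, jitter=(0,)):
    """Constructed periodic counter trace with a small deterministic wobble added."""
    return [pattern[i % PERIOD] + jitter[i % len(jitter)] for i in range(PERIOD * reps)]

NORMAL = make_trace([100, 110, 120, 110], 6, jitter=(-2, 0, 2))   # normal training trace
TEMPLATE = fit_template(NORMAL)
NORMAL_HIST = error_histogram(TEMPLATE, NORMAL)
PROFILES = {   # error histograms recorded offline from labelled (constructed) traces
    "benign:backup-job": error_histogram(TEMPLATE, make_trace([122, 132, 142, 132], 6)),
    "attack:known-side-channel": error_histogram(TEMPLATE, make_trace([135, 140, 145, 140], 6)),
}

def demo():
    """Triage four constructed 20-sample windows; returns their labels in order."""
    windows = [
        make_trace([100, 110, 120, 110], 5, jitter=(2, 0, -2)),        # healthy workload
        make_trace([122, 132, 142, 132], 5, jitter=(2, 0, -2)),        # scheduled backup
        make_trace([135, 140, 145, 140], 5, jitter=(0, 0, 0, 0, -1)),  # known attack
        make_trace([100, 160, 120, 170], 5),                           # never seen before
    ]
    return [triage(TEMPLATE, w, NORMAL_HIST, PROFILES) for w in windows]
```

The `detect` and `match` thresholds would in practice be calibrated on held-out normal and labelled traces; with the constructed data, `demo()` returns `['normal', 'benign:backup-job', 'attack:known-side-channel', 'zero-day']`.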


Cited By

  • Online adaptive anomaly thresholding with confidence sequences. Proceedings of the 41st International Conference on Machine Learning (2024), pp. 47105-47132. DOI 10.5555/3692070.3693987. Online publication date: 21 Jul 2024.
  • T-Smade: A Two-Stage Smart Detector for Evasive Spectre Attacks Under Various Workloads. Electronics 13(20), article 4090 (2024). DOI 10.3390/electronics13204090. Online publication date: 17 Oct 2024.
  • Signature-based Adaptive Cloud Resource Usage Prediction Using Machine Learning and Anomaly Detection. Journal of Grid Computing 22(2) (2024). DOI 10.1007/s10723-024-09764-4. Online publication date: 1 Jun 2024.


    Published In

    CODASPY '23: Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy
    April 2023, 304 pages
    ISBN: 9798400700675
    DOI: 10.1145/3577923
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. anomaly detection
    2. cloud computing
    3. reconstruction error distributions
    4. side-channel attacks

    Qualifiers

    • Research-article

    Funding Sources

    • NSF

    Conference

    CODASPY '23

    Acceptance Rates

    Overall Acceptance Rate 149 of 789 submissions, 19%


    Article Metrics

    • Downloads (last 12 months): 91
    • Downloads (last 6 weeks): 7
    Reflects downloads up to 12 Feb 2025
