Anomaly detection for ephemeral cloud IaaS virtual machines

Abstract

In public Infrastructure-as-a-Service (IaaS), virtual machines (VMs) are sharing the cloud with other VMs from other organisations. Each VM is under the control of its owner and security management is their responsibility. Considering this, providers should deal with the hosted VMs as potential source of attacks against other VMs and/or against the cloud infrastructure. The cloud model is flexible enough to allow consumers to initiate VMs to perform specific tasks for an hour or two, then terminate; so call VMs short-lived VMs. The provider dilemma here is monitoring these VMs, including short-lived ones, and detecting any change of behaviour on them as a sign of anomaly with a low level of intrusiveness for legal and practical reasons. In this paper, we therefore propose a hypervisor based anomaly detection system that monitors system calls in between a VM and its host kernel. This host intrusion detection system (HIDS),is able to detect change in behaviour in even short-lived VMs without requiring any prior knowledge of them. To achieve this goal, a Hidden Markov Model (HMM) is used to build the classifier and system calls are analysed and grouped to reflect the properties of a VM-based cloud infrastructure. We also report on the experimental validation of our approach. © 2013 Springer-Verlag.