Ji-Ming Chen,Shi Chen,Xiang Wang,Lin,Li Wang

DOI: https://doi.org/10.1155/2021/2729949

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:With the rapid development of Internet of Things technology, a large amount of user information needs to be uploaded to the cloud server for computing and storage. Side-channel attacks steal the private information of other virtual machines by coresident virtual machines to bring huge security threats to edge computing. Virtual machine migration technology is currently the main way to defend against side-channel attacks. VM migration can effectively prevent attackers from realizing coresident virtual machines, thereby ensuring data security and privacy protection of edge computing based on the Internet of Things. This paper considers the relevance between application services and proposes a VM migration strategy based on service correlation. This strategy defines service relevance factors to quantify the degree of service relevance, build VM migration groups through service relevance factors, and effectively reduce communication overhead between servers during migration, design and implement the VM memory migration based on the post-copy method, effectively reduce the occurrence of page fault interruption, and improve the efficiency of VM migration.

Jie Lin,Chuanyi Liu,Binxing Fang

DOI: https://doi.org/10.1145/2660267.2662377

2014-01-01

Abstract:Building a trustworthy cloud is critical for its practical use. Most current researches usually take integrity measurements using trusted computing to address trust issue, such as integrity measurement architecture (IMA) implemented in Linux kernel. However, some runtime attacks intrude the system while not tampering with the programs, which cannot be detected by integrity mechanism. We call them non-tampering attacks. This paper presents TraceVirt, a framework for detecting these non-tampering attacks, which combines the strong isolation and event-driven capacity to log runtime information. The logging data is processed by remote intrusion analysis cluster to analyze potential attacks. The experimental results show that TraceVirt can detect the real world non-tampering attacks and the performance overhead is acceptable.

Rui Yang,Xiao Fu,Xiaojiang Du,Bin Luo

DOI: https://doi.org/10.4108/eai.18-6-2016.2264107

2016-01-01

Abstract:In IaaS (such as Amazon EC2 and Microsoft Azure), several VM (virtual-machine) instances usually run in one physical machine so as to improve resource utilization. However this also caused more attack opportunities. A typical example is a cross-VM timing channel. Recent studies show that this kind of covert channel can successfully steal private information (e.g. private key) from the co-resident VM instances. It brought great challenges to the security of the cloud and has absorbed more and more attention in recent years. But to our knowledge, there is still little work on detecting and investigating such covert channel. Therefore, we propose a behavior-based method to automatically detect and investigate the timing channel. First, in order to record the behavior of this covert channel, a page-level memory monitoring method is designed. Second, an automatic identification algorithm is proposed based on some memory activity signatures. Finally, in order to confirm the result, the memory dump will be obtained and the binary code of the suspicious process will be analyzed. We have implemented a prototype on Xen, and the experimental results show that all of these kinds of attacks can be detected even under the disturbance from normal processes.

Weijie Liu,Ximeng Liu,Zhi Li,Bin Liu,Rongwei Yu,Lina Wang

DOI: https://doi.org/10.1109/tifs.2022.3183409

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Cloud attack provenance is a well-established industrial practice for assuring transparency and accountability for a service provider to tenants. However, the multi-tenancy and self-service nature coupled with the sheer size of a cloud implies many unique challenges to cloud forensics. Although Virtual Machine Introspection (VMI) is a powerful tool for attack provenance due to the privilege isolation, the stealthiness of state-of-the-art attacks and the lack of precise information make existing attack provenance solutions difficult to fulfill real-time forensics when tracking enormous suspicious behaviors. To this end, we propose an instruction-level tracing framework for inspecting the presence of attacks by dynamically tracking shared processor hardware event patterns and analyzing the attack traces. To overcome the challenges of real-time detection and provenance, we advocate Last Branch Record (LBR) profiling, to extract the suspicious execution flows. With the hardware assistance and software-based virtualization introspection, we show that the framework can provide an effective response to threats in different cases, thereby enabling a quick attack provenance with high fidelity. The evaluation shows that our prototype introduces negligible performance penalties.

Meng Liu,Wanchun Dou,Shui Yu

DOI: https://doi.org/10.1504/ijaacs.2017.082734

2017-01-01

Abstract:Cloud computing has become a hot spot in both industry and academia due to its rapid elasticity and on demand service. However, with outsourcing the data and business applications to a third party, security and privacy issues have become a critical concern. To decrease cloud availability, which is one of the most representative security attributes, DDoS attacks can be launched. In this paper, we try to show how a hacker can launch a DDoS attack based on virtual machine (VM) co-residence to deny the service of cloud data centre in a private infrastructure-as-a-service (IaaS) cloud. We first introduce how to launch this attack. Then we build a Markov-chain model to simulate this attack and analyse performance of cloud data centre. Finally, we also conduct several experiments to show how VM co-residence has impact on performance of physical machines (PMs).

Mansaf Alam,Shuchi Sethi

DOI: https://doi.org/10.48550/arXiv.1504.03539

2015-04-14

Distributed, Parallel, and Cluster Computing

Abstract:Recent research shows that colluded malware in different VMs sharing a single physical host may use a resource as a channel to leak critical information. Covert channels employ time or storage characteristics to transmit confidential information to attackers leaving no trail.These channels were not meant for communication and hence control mechanisms do not exist. This means these remain undetected by traditional security measures employed in firewalls etc in a network. The comprehensive survey to address the issue highlights that accurate methods for fast detection in cloud are very expensive in terms of storage and processing. The proposed framework builds signature by extracting features which accurately classify the regular from covert traffic in cloud and estimates difference in distribution of data under analysis by means of scores. It then adds context to the signature and finally using machine learning (Support Vector Machines),a model is built and trained for deploying in cloud. The results show that the framework proposed is high in accuracy while being low cost and robust as it is tested after adding noise which is likely to exist in public cloud environments.

Yao Wang,Yaqiang Mao,Yuan Luo

DOI: https://doi.org/10.1109/ICCT.2012.6511306

2012-01-01

Abstract:As we know, the biggest challenge for SaaS (software as a service) cloud computing systems is guaranteeing user-level security. For this end, some approaches and systems have been proposed for virtual machine in cloud platform. However, the integrity measurement methods used in virtual machine, cannot detect dynamic attacks, such as measuring applications periodically or statically (measuring before execution). This paper first presents an In-Out-VM dynamic measurement architecture (IODMA) especially for Xen virtual machine (VM), which aims at user's running applications rather than static executable files. By comparison, it has advantages in three aspects. Firstly, it detects dynamic attacks and has a better performance than the static ones. Secondly, the measurements are done at any time on demand rather than at specific time. Thirdly, it supports fine-grained protection such as measuring the code segment and the argument segment separately. In addition, it is implemented by a hybrid of In-VM method and Out-of-VM method. The In-VM part of the hybrid effectively reduces the switching overheads between privileged virtual machine and guest virtual machines, while the Out-of-VM part improves the security. Finally, an implementation of IODMA is given equipped with the Trusted Platform Module (TPM), which achieves above goals with good performance.

Yu Si,Gui Xiaolin,Lin Jiancai,Zhang Xuejun,Wang Junfei

DOI: https://doi.org/10.5755/j01.eee.19.5.2422

2013-01-01

Elektronika ir Elektrotechnika

Abstract:Virtual machine technology enables the cloud to offer large scale and flexible computing ability. However, it also introduces a range of new vulnerabilities. Malicious users can extract sensitive information from other users covertly via side channel attacks, which breaks the isolation between the virtual machines (VMs). In this paper, we investigate such a security threat and propose the VMs Co-residency Detection Scheme via cache-based side channel attacks (VCDS) to get the location of the specified VM. Using load pre-processor based on cubic spline interpolation, VCDS makes the raw measurements more smoothing and relevant. With the load predictor based on linear regression model, VCDS probes cache load changes produced by the victim VM more accurately. Based on the normal cloud model, VCDS computes the co-residency probability to describe VMs co-residency quantitatively. The experimental results show that VCDS improves the true detection rate even with the interference of the co-resident noisy VM compared to the existing schemes.

Pengze Guo,Yongkai Zhou,Zhi Xue,Xinxing Yin,Liang Pang,Yan Zhu,Xiao Chen,Fangbiao Li

2014-01-01

Abstract:The past decade has witnessed the rapid development of cloud computing. Virtualization, which is the basis of delivering Infrastructure as a Service (IaaS), has led to an explosive growth in the cloud computing industry. Meanwhile, new threats are also introduced. This paper explores different aspects of cloud virtualization security, including security threats of virtualization infrastructure and attacks that can be launched on virtual cloud. The research mainly focuses on hypervisor security, vSwitch security and virtual machine security. The paper also discusses state-of-the-art solutions to those threats, which are beneficial for implementing effective protection methods for virtual cloud environment.

Ziqi Wang,Rui Yang,Xiao Fu,Xiaojiang Du,Bin Luo

DOI: https://doi.org/10.1109/INFCOMW.2016.7562068

2016-01-01

Abstract:Cloud providers usually use virtualization to maximize the utilization of their computing resources, e.g. many virtual machines (VMs) run on a shared physical infrastructure. However co-residency with other VMs will cause high security risks, such as side channel attacks. This kind of attack is difficult to detect and prevent, so it's necessary to study it deeply. Recent research has shown attackers can build up cross-VM side channels to obtain sensitive information. However, due to the features of shared resources (e.g. CPU cache), the sensitive information obtained is usually limited and coarse-grained. In this paper, we present a novel side channel, which is based on shared physical memory and exploits the vulnerabilities of balloon driver. Balloon driver is a very popular mechanism used by current virtual machine managers (VMMs) to balance physical memory among several VMs. Because it is widely used in IaaS cloud, our side channel attack can achieve a high success rate. And compared with current cross-VM side channels, it can transmit more fine-grained data. Using Xen as a case study, we explore how to transmit data by this side channel.

Mohammad Bazm,Rida Khatoun,Youcef Begriche,Lyes Khoukhi,Xiuzhen Chen,Ahmed Serhrouchni

DOI: https://doi.org/10.1109/cloudtech.2015.7336986

2015-01-01

Abstract:Cloud computing aims to provide enormous resources and services, parallel processing and reliable access for users on the networks. The flexible resources of clouds could be used by malicious actors to attack other infrastructures. Cloud can be used as a platform to perform these attacks, a virtual machine(VM) in the Cloud can play the role of a malicious VM belonging to a Botnet and sends a heavy traffic to the victim. For cloud service providers, preventing their infrastructure from being turned into an attack platform is very challenging since it requires detecting attacks at the source, in a highly dynamic and heterogeneous environment. In this paper, an approach to detect these malicious behaviors in the Cloud based on the analysis of network parameters is proposed. This approach is a source-based attack detection, which applies both Entropy and clustering methods on network parameters. The environment of Cloud is simulated on Cloudsim. The data clustering allows achieving high performance, with a high percentage of correctly clustered VMs.

Li Lin,Huanzeng Yang,Jing Zhan,Xuhui Lv

DOI: https://doi.org/10.1155/2022/1242576

IF: 1.968

2022-04-16

Security and Communication Networks

Abstract:Edge-assisted Internet of things applications often need to use cloud virtual network services to transmit data. However, the internal threats such as illegal management and configuration to cloud platform intentionally or unintentionally will lead to virtual network security problems such as malicious changes of user network and hijacked data flow. It will eventually affect edge-assisted Internet of things applications. We propose a virtual network internal threat detection method called VNGuarder in a cloud computing environment, which can effectively monitor whether the virtual network configuration of legitimate users under the IaaS cloud platform has been maliciously changed or destroyed by insiders. First, based on the life cycle of cloud virtual network services, we summarized two types of internal attacks involving illegal use of virtualization management tools and illegal invocation of virtual network-related processes. Second, based on normal behavior of tenants, a hierarchical trusted call correlation scheme is proposed to provide a basis for discovering that insiders illegally call virtualized management tools and virtual network-related processes on the controller node of the cloud platform or the network node and compute node. Third, a trace-enable mechanism combining real-time monitoring and log analysis is introduced. By collecting and recording the complete call process of virtual network management and configuration in the cloud platform, and comparing it with the result of the hierarchical trusted call correlation, abnormal operations can be reported to the tenants in time. Comprehensive simulation experiments on the Openstack platform show that VNGuarder can effectively detect illegal management and configuration of virtual networks by insiders without significantly affecting the creation time of tenant networks and the utilization of CPU and memory.

computer science, information systems,telecommunications

Jian-wei Tian,Hong-yu Zhu,Xi Li,Zhen Tian

DOI: https://doi.org/10.1109/icsess.2018.8663848

2018-01-01

Abstract:Web attacks are increases both magnitude and complexity. It is difficult but important to detect the attack from massive web log. This paper proposes a real-time online detection method to detect the Web attack on flow data analysis. Firstly, the study constructs the framework of attack detection and hash method to cache log data. Then attack detecting method with multi-pattern matching algorithm based flow data analysis is presented. This paper also conducts application to evaluate effectiveness of the techniques.

Si Yu,Xiaolin Gui,Jiancai Lin,Feng Tian,Jianqiang Zhao,Min Dai

DOI: https://doi.org/10.1155/2014/805923

2014-01-01

The Scientific World JOURNAL

Abstract:Cloud computing gets increasing attention for its capacity to leverage developers from infrastructure management tasks. However, recent works reveal that side channel attacks can lead to privacy leakage in the cloud. Enhancing isolation between users is an effective solution to eliminate the attack. In this paper, to eliminate side channel attacks, we investigate the isolation enhancement scheme from the aspect of virtual machine (VM) management. The security-awareness VMs management scheme (SVMS), a VMs isolation enhancement scheme to defend against side channel attacks, is proposed. First, we use the aggressive conflict of interest relation (ACIR) and aggressive in ally with relation (AIAR) to describe user constraint relations. Second, based on the Chinese wall policy, we put forward four isolation rules. Third, the VMs placement and migration algorithms are designed to enforce VMs isolation between the conflict users. Finally, based on the normal distribution, we conduct a series of experiments to evaluate SVMS. The experimental results show that SVMS is efficient in guaranteeing isolation between VMs owned by conflict users, while the resource utilization rate decreases but not by much.

Xin LIANG,Xiao-Lin GUI,Hui-Jun DAI,Chen ZHANG

DOI: https://doi.org/10.11897/SP.J.1016.2017.00317

2017-01-01

Chinese Journal of Computers

Abstract:In cloud-computing,virtual machines(VMs)of different tenants might be scheduled to run on the same physical machine,namely VMs co-residency.Co-resident VMs would share the underlying computing resources of the physical machine,relying on the virtual machine monitor to allocate and schedule system resources.Cross-domain sharing of underlying computing resources,albeit improving the utilization efficiency of available resources extremely,poses a serious threat to users' privacy concerns.A malicious VM could break the isolation mechanism and extract private information from other co-resident VMs,simply by probing the responses of shared resources and establishing a special leakage model.This attack pattern described above is usually called side-channel attacks.This paper deeply studied the mechanism and implementation of cross-VM cache side-channel attacks,and summarized its research status and advances.First,the essential cause of cache-based side-channel information leakage is analyzed and summarized.Next,the origin and research progress of cross-VM cache side-channel attacks are reviewed,the differences and relations between classic cache side-channel attacks and cross-VM cache side-channel attacks are discussed,followed by presentation of the universal model of access-driven cross-VM cache side-channel attacks.Then,the related issues of VMs co-residency and the latest mainstream methods for cross-VM cache-based side-channel information probing are categorized and expounded in detail.Finally,the current problems existing in the research and the future research directions of this field are presented.

Qian Liu,Chuliang Weng,Minglu Li,Yuan Luo

DOI: https://doi.org/10.1109/MSP.2010.143

IF: 3.105

2010-01-01

IEEE Security & Privacy

Abstract:Cloud computing relies heavily on virtualization. Virtualization technology has developed rapidly because of the rapid decrease in hardware cost and concurrent increase in hardware computing power. A virtual machine monitor (VMM, also called a hγpervisor) between the hardware and the OS enables multiple virtual machines (VMs) to run on top of a single physical machine. The VMM manages scheduling and dispatching the physical resources to the individual VMs as needed, and the VMs appear to users as separate computers. Widely used virtualization technologies include VMWare, Xen, Denali, and the Kernel-Based Virtual Machine (KVM). In this framework, a module measures executables running in virtual machines (VMs) and transfers the values to a trusted VM. Comparing those values to a reference table containing the trusted measurement values of running executables verifies the executable/s status.

Lin Jie,Liu Chuanyi,Fang Binxing

DOI: https://doi.org/10.19682/j.cnki.1005-8885.2020.0037

2020-01-01

The Journal of China Universities of Posts and Telecommunications

Abstract:The harm caused by malware in cloud computing environment is more and more serious. Traditional anti-virus software is in danger of being attacked when it is deployed in virtual machine on a large scale, and it tends not to be accepted by tenants in terms of performance. In this paper, a method of scanning malicious programs outside the virtual machine is proposed, and the prototype is implemented. This method transforms the memory of the virtual machine to the host machine so that the latter can access it. The user space and kernel space of virtual machine memory are analyzed via semantics, and suspicious processes are scanned by signature database. Experimental results show that malicious programs can be effectively scanned outside the virtual machine, and the performance impact on the virtual machine is low, meeting the needs of tenants.

CHEN Zhu-Hong,CUI Chao-Yuan,WANG Ru-Jing,ZHOU Ji-Dong

DOI: https://doi.org/10.3969/j.issn.1003-3254.2013.07.015

2013-01-01

Abstract:As the foundation of cloud computing,virtualization technology’s security problems are gained more and more attention of the specialists with the development of cloud computing.This paper presents a virtual machine system kernel intrusion detection system,which use the introspection technology provided by Xen hypervisor to get internal states of kernel of the virtual machine.To achieve the goal of monitoring the kernel and preventing it from being compromised.This system can effectively defend the case of attack that dynamically modifies the kernel code and kernel unchanged data structure.

Liz Izhikevich,Manda Tran,Michalis Kallitsis,Aurore Fass,Zakir Durumeric

DOI: https://doi.org/10.1145/3618257.3624818

2023-09-29

Abstract:Cloud computing has dramatically changed service deployment patterns. In this work, we analyze how attackers identify and target cloud services in contrast to traditional enterprise networks and network telescopes. Using a diverse set of cloud honeypots in 5~providers and 23~countries as well as 2~educational networks and 1~network telescope, we analyze how IP address assignment, geography, network, and service-port selection, influence what services are targeted in the cloud. We find that scanners that target cloud compute are selective: they avoid scanning networks without legitimate services and they discriminate between geographic regions. Further, attackers mine Internet-service search engines to find exploitable services and, in some cases, they avoid targeting IANA-assigned protocols, causing researchers to misclassify at least 15\% of traffic on select ports. Based on our results, we derive recommendations for researchers and operators.

Cryptography and Security,Networking and Internet Architecture

Luo Liang,Liudong Xing,Gregory Levitin

DOI: https://doi.org/10.1016/j.ress.2018.09.014

2019-01-01

Abstract:Utilizing the virtualization technology, multiple virtual machines (VMs) can be created on a single physical server for different tasks, enabling cost-effective resource sharing in cloud computing systems. However, this co-resident VM architecture can be exploited by malicious attackers, posing unique survivability and security risks for cloud users. This paper addresses one of such risks called co-residence attacks, where a malicious attacker can steal or corrupt a user's sensitive information through co-residing the attacker's VM with the target user's VM on the same physical server. We model users’ data protection policy in which sensitive data are replicated and stored on different VMs to enhance data survivability. Both user's and attacker's VMs are distributed among cloud servers at random. The arrival of attacker's requests for creating VMs is modeled by a Poisson stochastic process. We propose a probabilistic model to obtain dynamic data survivability and security indices. Based on the suggested evaluation model, dynamic data replication policies are analyzed and optimized. Numerical examples are presented to demonstrate impacts of different model parameters on the dynamic data survivability and security.