Abstract
The current state of PaaS allows rapid outsourcing of web applications without noticeable configuration effort. It is foreseeable that a noteworthy security guarantee in this cloud deployment model would make organizations adopt PaaS more readily. To date, provisioning security-guaranteed PaaS offerings has required isolated processes, which is computationally intensive and therefore expensive for the cloud provider. This study proposes a novel security mechanism to protect PaaS providers, and thereby their tenants, against malicious behavior. The mechanism does not strictly isolate tenants but lets them share resources as in conventional web applications; its computational efficiency is therefore competitive. The novelty lies in classifying the malicious behavior of the worker threads of web applications in a privacy-friendly way and, where possible, without interfering with the threads. In a web application server, these threads may execute many code snippets in the same process context on behalf of the provider, the tenants, or the tenants' users. Isolating each code snippet separately is cumbersome and error-prone; classifying thread behavior instead helps to detect malicious flows of execution. The proposed mechanism differs significantly from intrusion detection systems or virus scanners, as it focuses only on processor usage and critical resource access. Historical web application attacks, based on OWASP reports, as well as future trends are analyzed, and a sample web traffic of 100,000 requests, including 1% malicious traffic derived from the most common attacks, is generated as a proof of concept. The generated traffic is tested against a cloud-based demo application in a live cloud environment. Thread behavior is monitored only through CPU load and database access, which keeps the mechanism privacy-friendly for all cloud stakeholders. Even though the executed instructions are not monitored, the collected telemetry forms a vast amount of trace data for classification. This privacy-friendly feature set is extracted and evaluated on several classifiers to detect malicious threads, and the observed classification accuracy is remarkably high.
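The following script is an added example, not the paper's DeMETER implementation, of the idea the abstract describes: each worker thread is described only by privacy-friendly counters (CPU time, number of database statements, rows touched), and a classifier trained on those counters flags malicious threads. The telemetry, the 1% share of malicious requests and the three hypothetical attack profiles are all constructed inline; the classifier is a hand-written Gaussian naive Bayes and the evaluation uses stratified folds that keep the number of malicious requests per fold constant, so the script runs offline without any cloud or database.

```python
"""Classifying worker-thread behaviour from privacy-friendly telemetry (added example)."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreadTrace:
    cpu_ms: float     # CPU time the worker thread spent on one request
    db_queries: int   # database statements the thread issued
    db_rows: int      # rows those statements touched
    malicious: bool   # ground-truth label (constructed, used for training/evaluation only)


def make_traffic(n_requests=2000, malicious_share=0.01, seed=7):
    """Constructed telemetry: 1% of requests come from hypothetical attack threads."""
    rng = random.Random(seed)
    n_mal = int(n_requests * malicious_share)
    traces = []
    for i in range(n_requests):
        if i < n_mal:
            kind = rng.choice(["injection", "cpu_burn", "enumeration"])
            if kind == "injection":      # a query that dumps far more rows than any page needs
                t = ThreadTrace(max(1.0, rng.gauss(12, 3)), rng.randint(1, 3), rng.randint(2000, 20000), True)
            elif kind == "cpu_burn":     # a request that keeps the thread busy on the CPU
                t = ThreadTrace(max(1.0, rng.gauss(400, 80)), rng.randint(0, 2), rng.randint(0, 10), True)
            else:                        # enumeration: unusually many small statements
                t = ThreadTrace(max(1.0, rng.gauss(40, 8)), rng.randint(60, 200), rng.randint(60, 400), True)
        else:                            # ordinary page request
            t = ThreadTrace(max(0.5, rng.gauss(10, 3)), rng.randint(1, 6), rng.randint(1, 40), False)
        traces.append(t)
    rng.shuffle(traces)
    return traces


def features(t):
    """Log-scale the counters so heavy tails do not dominate the Gaussian model."""
    return (math.log1p(t.cpu_ms), math.log1p(t.db_queries), math.log1p(t.db_rows))


class GaussianNB:
    """Minimal Gaussian naive Bayes over the three telemetry features."""

    def fit(self, traces):
        groups = {False: [], True: []}
        for t in traces:
            groups[t.malicious].append(features(t))
        self.params = {}
        for label, rows in groups.items():
            n = len(rows)
            means = [sum(r[j] for r in rows) / n for j in range(3)]
            # population variance with a floor so a degenerate class cannot divide by zero
            variances = [max(sum((r[j] - means[j]) ** 2 for r in rows) / n, 1e-6) for j in range(3)]
            self.params[label] = (math.log(n / len(traces)), means, variances)
        return self

    def predict(self, t):
        x = features(t)
        best, best_score = None, -math.inf
        for label, (log_prior, means, variances) in self.params.items():
            score = log_prior
            for xi, mu, var in zip(x, means, variances):
                score += -0.5 * math.log(2 * math.pi * var) - (xi - mu) ** 2 / (2 * var)
            if score > best_score:
                best, best_score = label, score
        return best


def stratified_folds(traces, k):
    """Split so that every fold holds the same number of malicious requests."""
    mal = [t for t in traces if t.malicious]
    ben = [t for t in traces if not t.malicious]
    return [mal[i::k] + ben[i::k] for i in range(k)]


def cross_validate(traces, k=5):
    """Return (accuracy, malicious recall, false-positive rate) over k stratified folds."""
    folds = stratified_folds(traces, k)
    correct = tp = fp = 0
    n_mal = sum(t.malicious for t in traces)
    n_ben = len(traces) - n_mal
    for i, test in enumerate(folds):
        train = [t for j, f in enumerate(folds) if j != i for t in f]
        model = GaussianNB().fit(train)
        for t in test:
            pred = model.predict(t)
            correct += pred == t.malicious
            tp += pred and t.malicious
            fp += pred and not t.malicious
    return correct / len(traces), tp / n_mal, fp / n_ben


if __name__ == "__main__":
    acc, recall, fpr = cross_validate(make_traffic())
    print(f"accuracy={acc:.4f} malicious_recall={recall:.2f} false_positive_rate={fpr:.4f}")
```

The point of the log transform and of the stratified folds is practical: with only 1% malicious traffic, a plain random split can leave a fold with no positives at all, and raw row counts from a dumped table would otherwise swamp the variance estimate of the normal class. Accuracy alone is also a weak measure at this imbalance (always answering "benign" already scores 99%), which is why the function reports malicious recall and the false-positive rate separately.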
Notes
This is one of the reasons the paper exemplifies a Java [11] implementation. Note, however, that the proposed techniques are independent of the underlying programming language.
Forcefully stopping a thread may cause security vulnerabilities through runtime exceptions in the Java language.
Types and numbers of attacks within the malicious requests are randomly distributed in each fold, yet the total number of malicious requests is preserved.
References
App Engine - Platform as a Service — Google Cloud Platform (n.d.). https://cloud.google.com/appengine/
Heroku | Cloud Application Platform (n.d.). https://www.heroku.com/
Apache Stratos (n.d.). https://stratos.apache.org/
AWS Elastic Beanstalk - Application Management - Platform as a Service (n.d.). https://aws.amazon.com/elasticbeanstalk/
Sandıkkaya, M.T., Ödevci, B., Ovatman, T.: Practical Runtime Security Mechanisms for an aPaaS Cloud. In: IEEE Global Communications Conference (Globecom 2014), pp. 53–58. IEEE Communications Society (2014)
Madnick, S.E., Donovan, J.J.: Application and analysis of the virtual machine approach to information system security and isolation. In: Proceedings of the Workshop on Virtual Computer Systems, pp. 210–224. ACM, New York, NY, USA (1973)
He, S., Guo, L., Guo, Y., Wu, C., Ghanem, M., Han, R.: Elastic application container: a lightweight approach for cloud resource provisioning. In: IEEE 26th International Conference on Advanced Information Networking and Applications (AINA), pp. 15–22 (2012)
Sandıkkaya, M.T., Harmancı, A.E.: A security paradigm for PaaS clouds. Proc. Rom. Acad. Ser. A 16, 345–356 (2015)
Lipp, M., Schwarz, M., Gruss, D., Prescher, T., Haas, W., Fogh, A., Horn, J., Mangard, S., Kocher, P., Genkin, D., Yarom, Y., Hamburg, M.: Meltdown: reading Kernel memory from user space. In: 27th USENIX Security Symposium (USENIX Security 18) (2018)
Kocher, P., Horn, J., Fogh, A., Genkin, D., Gruss, D., Haas, W., Hamburg, M., Lipp, M., Mangard, S., Prescher, T., Schwarz, M., Yarom, Y.: Spectre attacks: exploiting speculative execution. In: 40th IEEE Symposium on Security and Privacy (S&P’19) (2019)
Gosling, J., Joy, B., Steele, G., Bracha, G., Buckley, A.: The Java® Language Specification Java SE 8 Edition. Tech. rep., Oracle Corporation, Redwood City, CA, USA (2010). http://docs.oracle.com/javase/specs/jls/se8/jls8.pdf
Lindholm, T., Yellin, F., Bracha, G., Buckley, A.: The Java® Virtual Machine Specification Java SE 8 Edition. Tech. rep., Oracle Corporation, Redwood City, CA, USA (2010). http://docs.oracle.com/javase/specs/jvms/se8/jvms8.pdf
Bellovin, S.M.: Thinking Security: Stopping Next Year’s Hackers. Addison-Wesley Professional, Boston (2015)
Griffin, K., Schneider, S., Hu, X., Chiueh, T.-c.: Automatic Generation of String Signatures for Malware Detection, pp. 101–120. Springer, Berlin (2009)
Modi, C., Patel, D., Borisaniya, B., Patel, H., Patel, A., Rajarajan, M.: A survey of intrusion detection techniques in Cloud. J. Netw. Comput. Appl. 36(1), 42–57 (2013)
Fan, Y., Ye, Y., Chen, L.: Malicious sequential pattern mining for automatic malware detection. Expert Syst. Appl. 52, 16–25 (2016)
Shabtai, A., Moskovitch, R., Feher, C., Dolev, S., Elovici, Y.: Detecting unknown malicious code by applying classification techniques on OpCode patterns. Secur. Inf. 1(1), 1–22 (2012)
Uppal, D., Sinha, R., Mehra, V., Jain, V.: Malware detection and classification based on extraction of API sequences. In: 2014 International Conference on Advances in Computing, Communications and Informatics (ICACCI), pp. 2337–2342 (2014)
Wu, S.X., Banzhaf, W.: The use of computational intelligence in intrusion detection systems: a review. Appl. Soft Comput. 10(1), 1–35 (2010)
Tsai, C.F., Hsu, Y.F., Lin, C.Y., Lin, W.Y.: Intrusion detection by machine learning: a review. Expert Syst. Appl. 36(10), 11994–12000 (2009)
Rieck, K., Trinius, P., Willems, C., Holz, T.: Automatic analysis of malware behavior using machine learning. J. Comput. Secur. 19(4), 639–668 (2011)
Win, T.Y., Tianfield, H., Mair, Q.: Detection of malware and Kernel-level rootkits in cloud computing environments. In: IEEE 2nd International Conference on Cyber Security and Cloud Computing (CSCloud), pp. 295–300 (2015)
Özdemir, C.D., Sandıkkaya, M.T., Yaslan, Y.: Classifying malicious thread behavior in PaaS Web services. In: Proceedings of the 8th International Conference on Cloud Computing and Services Science, vol. 1, CLOSER, pp. 418–425. INSTICC, SciTePress (2018)
Bazrafshan, Z., Hashemi, H., Fard, S.M.H., Hamzeh, A.: A survey on heuristic malware detection techniques. In: 5th Conference on Information and Knowledge Technology (IKT), pp. 113–120. IEEE (2013)
Pektaş, A., Acarman, T.: Classification of malware families based on runtime behaviors. J. Inf. Secur. Appl. 37, 91–100 (2017)
Pirscoveanu, R.S., Hansen, S.S., Larsen, T.M.T., Stevanovic, M., Pedersen, J.M., Czech, A.: Analysis of malware behavior: type classification using machine learning. In: International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), pp. 1–7. IEEE (2015)
Uppal, D., Sinha, R., Mehra, V., Jain, V.: Malware detection and classification based on extraction of api sequences. In: ICACCI, 2014 International Conference on Advances in Computing, Communications and Informatics, pp. 2337–2342. IEEE (2014)
Shabtai, A., Moskovitch, R., Feher, C., Dolev, S., Elovici, Y.: Detecting unknown malicious code by applying classification techniques on opcode patterns. Secur. Inform. 1(1), 1 (2012)
O’Sullivan, B.: The history of threads (1996). http://www.faqs.org/faqs/os-research/part1/section-10.html
Corbató, F.J., Vyssotsky, V.A.: Introduction and Overview of the Multics System. In: Proceedings of the AFIPS ’65 November 30–December 1, 1965, Fall Joint Computer Conference, Part I, pp. 185–196. ACM, New York, NY, USA (1965)
Demichiel, L., Keith, M.: JSR 220: Enterprise JavaBeans 3.0 (2007). https://jcp.org/en/jsr/detail?id=220
OSGi Core Release 6 Specification (2014). https://osgi.org/download/r6/osgi.core-6.0.0.pdf
Palacz, K.: JSR 121: application isolation API specification (2006). https://jcp.org/en/jsr/detail?id=121
Mordani, R.: JSR 154: Java Servlet 2.4 Specification (2007). https://jcp.org/en/jsr/detail?id=154
Rodero-Merino, L., Vaquero, L.M., Caron, E., Muresan, A., Desprez, F.: Building safe PaaS clouds: a survey on security in multitenant software platforms. Comput. Secur. 31(1), 96–108 (2012)
Gong, L.: Java SE Platform Security Architecture Specification v1.2. Tech. rep., Oracle Corporation, Redwood City, CA, USA (2002). http://docs.oracle.com/javase/8/docs/technotes/guides/security/spec/security-spec.doc.html
Czajkowski, G., Daynés, L.: Multitasking without compromise: a virtual machine evolution. In: Proceedings of the 16th ACM SIGPLAN Conference on Object-oriented Programming, Systems, Languages, and Applications (OOPSLA ’01), pp. 125–138. ACM, New York, NY, USA (2001)
Geoffray, N., Thomas, G., Muller, G., Parrend, P., Frénot, S., Folliot, B.: I-JVM: a Java virtual machine for component isolation in OSGi. In: IEEE/IFIP International Conference on Dependable Systems Networks (DSN ’09), pp. 544–553 (2009)
Back, G., Hsieh, W.C.: The KaffeOS Java runtime system. ACM Trans. Progr. Lang. Syst. 27(4), 583–630 (2005)
Java Management Extensions (JMX) Specification, version 1.4. Santa Clara, CA, USA (2006). http://docs.oracle.com/javase/7/docs/technotes/guides/jmx/JMX_1_4_specification.pdf
Kiczales, G., Lamping, J., Mendhekar, A., Maeda, C., Lopes, C., Loingtier, J.M., Irwin, J.: Aspect-Oriented Programming, pp. 220–242. Springer, Berlin (1997)
Truica, C., Radulescu, F., Boicea, A., Bucur, I.: Performance evaluation for CRUD operations in asynchronously replicated document oriented database. In: 2015 20th International Conference on Control Systems and Computer Science, pp. 191–196 (2015)
Cooper, B.F., Silberstein, A., Tam, E., Ramakrishnan, R., Sears, R.: Benchmarking cloud serving systems with YCSB. In: Proceedings of the 1st ACM Symposium on Cloud Computing, SoCC ’10, pp. 143–154. ACM, New York, NY, USA (2010)
Apache JMeter (n.d.). https://jmeter.apache.org/
McMillan, R.: Up to three percent of internet traffic is malicious, researcher says (2008). www.csoonline.com/article/2122506/up-to-three-percent-of-internet-traffic-is-malicious--researcher-says.html
OWASP Top 10 - 2010 The Ten Most Critical Web Application Security Risks. Tech. rep., The Open Web Application Security Project (2017). https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010.pdf
OWASP Top 10 - 2013 The Ten Most Critical Web Application Security Risks. Tech. rep., The Open Web Application Security Project (2017). https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013.pdf
OWASP Top 10 - 2017 The Ten Most Critical Web Application Security Risks. Tech. rep., The Open Web Application Security Project (2017). https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
Trustwave: 2012 Global Threats and Trends. Tech. rep. (2012)
Application Vulnerability Trends Report: 2014. Tech. rep., Cenzic (2014)
Web Application Threat Trend Report: Trends for 2017. Tech. rep., Penta Security Systems Inc. (2017)
Alpaydın, E.: Introduction to Machine Learning. MIT Press, Cambridge (2014)
Polikar, R.: Ensemble based systems in decision making. IEEE Circ. Syst. Mag. 6(3), 21–45 (2006)
Cite this article
Sandıkkaya, M.T., Yaslan, Y. & Özdemir, C.D. DeMETER in clouds: detection of malicious external thread execution in runtime with machine learning in PaaS clouds. Cluster Comput 23, 2565–2578 (2020). https://doi.org/10.1007/s10586-019-03027-8