DeMETER in clouds: detection of malicious external thread execution in runtime with machine learning in PaaS clouds

Published in Cluster Computing

Abstract

The current state of PaaS allows rapid outsourcing of web applications without noticeable configuration effort. A noteworthy security guarantee in this cloud deployment model would foreseeably make organizations adopt PaaS more readily. To date, provisioning security-guaranteed PaaS offerings has required isolated processes, which is computationally intensive and therefore expensive for the cloud provider. This study proposes a novel security mechanism that protects PaaS providers, and thereby their tenants, against malicious behavior. The mechanism does not strictly isolate tenants but lets them share resources as in conventional web applications, so its computational efficiency is competitive. The novelty lies in classifying the malicious behavior of the worker threads of web applications in a privacy-friendly way and, where possible, without interfering with the threads. In a web application server, these threads may execute many code snippets in the same process context on behalf of the provider, the tenants or the tenants' users. Isolating each code snippet separately is cumbersome and error-prone; instead, classifying thread behavior helps to detect a malicious flow of execution. The proposed mechanism differs significantly from intrusion detection systems and virus scanners in that it focuses only on processor usage and critical resource access. Historical web application attacks reported by OWASP as well as future trends are analyzed, and a sample web traffic of 100,000 requests, including 1% malicious traffic derived from the most common attacks, is generated as a proof of concept. The generated traffic is run against a cloud-based demo application in a live cloud environment. Thread behavior is monitored only through CPU load and database access, which keeps the mechanism privacy-friendly for all cloud stakeholders. Even though the executed instructions are not monitored, the collected telemetry forms a vast amount of trace data for classification. This privacy-friendly feature set is extracted and evaluated on several classifiers to detect malicious threads. The observed classification accuracy is remarkably high.
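The pipeline the abstract describes (per-thread CPU and database telemetry, a privacy-friendly feature vector, a classifier, and an evaluation over folds that keep the number of malicious samples constant, as Note 3 describes) is sketched below as an added, self-contained Python example. It is not the paper's code: the trace record format, the five features, the k-nearest-neighbour classifier, the "sensitive table" tag and the synthetic traces are all assumptions made for the illustration, and the malicious share is scaled up from the paper's 1% so the toy data set stays small.

```python
"""Added illustration (not the paper's code): per-thread CPU/DB telemetry
-> privacy-friendly feature vector -> classifier, evaluated with stratified
folds that keep the number of malicious samples per fold constant."""
import random
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class ThreadTrace:
    """One worker thread's telemetry for one request (constructed format)."""
    thread_id: str
    cpu_ms_samples: list   # CPU time (ms) observed per sampling interval
    db_queries: int        # statements issued through the data-access layer
    sensitive_rows: int    # rows touched in tables tagged sensitive (assumed tag)
    label: int             # ground truth: 1 = malicious, 0 = benign


def extract_features(trace):
    """Five numeric features; no instruction-level data is used."""
    samples = trace.cpu_ms_samples or [0]
    total = float(sum(samples))
    return [total, float(max(samples)), total / len(samples),
            float(trace.db_queries), float(trace.sensitive_rows)]


class KNN:
    """k-nearest-neighbour classifier on z-scored features (an assumption;
    the paper evaluates several classifiers, this is one simple choice)."""
    def __init__(self, k=3):
        self.k = k

    def fit(self, X, y):
        cols = list(zip(*X))
        self.mu = [mean(c) for c in cols]
        self.sd = [pstdev(c) or 1.0 for c in cols]   # guard constant columns
        self.train = [(self._z(x), lab) for x, lab in zip(X, y)]
        return self

    def _z(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sd)]

    def predict(self, x):
        z = self._z(x)
        nearest = sorted(self.train,
                         key=lambda t: sum((a - b) ** 2 for a, b in zip(z, t[0])))[:self.k]
        votes = sum(lab for _, lab in nearest)
        return 1 if votes * 2 > self.k else 0


def stratified_folds(traces, k, seed=0):
    """Round-robin split per class, so every fold holds the same number of
    malicious traces while the attack types inside them stay randomly mixed."""
    rng = random.Random(seed)
    folds = [[] for _ in range(k)]
    for cls in (0, 1):
        members = [t for t in traces if t.label == cls]
        rng.shuffle(members)
        for i, t in enumerate(members):
            folds[i % k].append(t)
    return folds


def cross_validate(traces, k=5, seed=0):
    """Return overall accuracy across k stratified folds."""
    folds = stratified_folds(traces, k, seed)
    correct = 0
    for i, test in enumerate(folds):
        train = [t for j, f in enumerate(folds) if j != i for t in f]
        clf = KNN().fit([extract_features(t) for t in train],
                        [t.label for t in train])
        correct += sum(clf.predict(extract_features(t)) == t.label for t in test)
    return correct / len(traces)


def constructed_dataset(n_benign=500, n_malicious=50, seed=42):
    """Synthetic traces (constructed). Benign: light CPU use, a handful of
    queries. Malicious, two crude shapes: requests that hog the CPU and
    requests that sweep far more sensitive rows than any normal page does."""
    rng = random.Random(seed)
    traces = []
    for i in range(n_benign):
        samples = [rng.randint(1, 6) for _ in range(rng.randint(3, 8))]
        traces.append(ThreadTrace(f"b{i}", samples, rng.randint(1, 5),
                                  rng.randint(0, 2), 0))
    for i in range(n_malicious):
        if i % 2 == 0:   # CPU-heavy shape
            samples = [rng.randint(30, 60) for _ in range(rng.randint(10, 15))]
            traces.append(ThreadTrace(f"m{i}", samples, rng.randint(1, 5),
                                      rng.randint(0, 2), 1))
        else:            # data-sweeping shape
            samples = [rng.randint(2, 8) for _ in range(rng.randint(3, 8))]
            traces.append(ThreadTrace(f"m{i}", samples, rng.randint(40, 80),
                                      rng.randint(200, 500), 1))
    return traces


if __name__ == "__main__":
    data = constructed_dataset()
    print(f"5-fold accuracy on constructed data: {cross_validate(data):.3f}")
```

The point of the sketch is the shape of the feature set: nothing about the executed instructions or request payloads enters the classifier, only CPU consumption and database access counts, which is what makes the approach privacy-friendly toward tenants. Real telemetry would come from the application server's thread and data-access instrumentation, and the feature thresholds would have to be learned from that server's own baseline rather than from the constructed numbers used here.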

Notes

  1. This is one of the reasons the paper uses a Java [11] implementation as its example. However, note that the proposed techniques are independent of the underlying programming language.

  2. Forcefully stopping a thread may cause security vulnerabilities through runtime exceptions in the Java language.

  3. The types and numbers of attacks within the malicious requests are randomly distributed in each fold, yet the total number of malicious requests is preserved.

References

  1. App Engine - Platform as a Service — Google Cloud Platform (n.d.). https://cloud.google.com/appengine/

  2. Heroku | Cloud Application Platform (n.d.). https://www.heroku.com/

  3. Apache Stratos (n.d.). https://stratos.apache.org/

  4. AWS Elastic Beanstalk - Application Management - Platform as a Service (n.d.). https://aws.amazon.com/elasticbeanstalk/

  5. Sandıkkaya, M.T., Ödevci, B., Ovatman, T.: Practical Runtime Security Mechanisms for an aPaaS Cloud. In: IEEE Global Communications Conference (Globecom 2014), pp. 53–58. IEEE Communications Society (2014)

  6. Madnick, S.E., Donovan, J.J.: Application and analysis of the virtual machine approach to information system security and isolation. In: Proceedings of the Workshop on Virtual Computer Systems, pp. 210–224. ACM, New York, NY, USA (1973)

  7. He, S., Guo, L., Guo, Y., Wu, C., Ghanem, M., Han, R.: Elastic application container: a lightweight approach for cloud resource provisioning. In: IEEE 26th International Conference on Advanced Information Networking and Applications (AINA), pp. 15–22 (2012)

  8. Sandıkkaya, M.T., Harmancı, A.E.: A security paradigm for PaaS clouds. Proc. Rom. Acad. Ser. A 16, 345–356 (2015)

  9. Lipp, M., Schwarz, M., Gruss, D., Prescher, T., Haas, W., Fogh, A., Horn, J., Mangard, S., Kocher, P., Genkin, D., Yarom, Y., Hamburg, M.: Meltdown: reading Kernel memory from user space. In: 27th USENIX Security Symposium (USENIX Security 18) (2018)

  10. Kocher, P., Horn, J., Fogh, A., Genkin, D., Gruss, D., Haas, W., Hamburg, M., Lipp, M., Mangard, S., Prescher, T., Schwarz, M., Yarom, Y.: Spectre attacks: exploiting speculative execution. In: 40th IEEE Symposium on Security and Privacy (S&P’19) (2019)

  11. Gosling, J., Joy, B., Steele, G., Bracha, G., Buckley, A.: The Java® Language Specification, Java SE 8 Edition. Tech. rep., Oracle Corporation, Redwood City, CA, USA (2010). http://docs.oracle.com/javase/specs/jls/se8/jls8.pdf

  12. Lindholm, T., Yellin, F., Bracha, G., Buckley, A.: The Java® Virtual Machine Specification, Java SE 8 Edition. Tech. rep., Oracle Corporation, Redwood City, CA, USA (2010). http://docs.oracle.com/javase/specs/jvms/se8/jvms8.pdf

  13. Bellovin, S.M.: Thinking Security: Stopping Next Year’s Hackers. Addison-Wesley Professional, Boston (2015)

  14. Griffin, K., Schneider, S., Hu, X., Chiueh, Tc: Automatic Generation of String Signatures for Malware Detection, pp. 101–120. Springer, Berlin (2009)

  15. Modi, C., Patel, D., Borisaniya, B., Patel, H., Patel, A., Rajarajan, M.: A survey of intrusion detection techniques in Cloud. J. Netw. Comput. Appl. 36(1), 42–57 (2013)

  16. Fan, Y., Ye, Y., Chen, L.: Malicious sequential pattern mining for automatic malware detection. Expert Syst. Appl. 52, 16–25 (2016)

  17. Shabtai, A., Moskovitch, R., Feher, C., Dolev, S., Elovici, Y.: Detecting unknown malicious code by applying classification techniques on OpCode patterns. Secur. Inf. 1(1), 1–22 (2012)

  18. Uppal, D., Sinha, R., Mehra, V., Jain, V.: Malware detection and classification based on extraction of API sequences. In: 2014 International Conference on Advances in Computing, Communications and Informatics (ICACCI), pp. 2337–2342 (2014)

  19. Wu, S.X., Banzhaf, W.: The use of computational intelligence in intrusion detection systems: a review. Appl. Soft Comput. 10(1), 1–35 (2010)

  20. Tsai, C.F., Hsu, Y.F., Lin, C.Y., Lin, W.Y.: Intrusion detection by machine learning: a review. Expert Syst. Appl. 36(10), 11994–12000 (2009)

  21. Rieck, K., Trinius, P., Willems, C., Holz, T.: Automatic analysis of malware behavior using machine learning. J. Comput. Secur. 19(4), 639–668 (2011)

  22. Win, T.Y., Tianfield, H., Mair, Q.: Detection of malware and Kernel-level rootkits in cloud computing environments. In: IEEE 2nd International Conference on Cyber Security and Cloud Computing (CSCloud), pp. 295–300 (2015)

  23. Özdemir, C.D., Sandıkkaya, M.T., Yaslan, Y.: Classifying malicious thread behavior in PaaS Web services. In: Proceedings of the 8th International Conference on Cloud Computing and Services Science, vol. 1, CLOSER, pp. 418–425. INSTICC, SciTePress (2018)

  24. Bazrafshan, Z., Hashemi, H., Fard, S.M.H., Hamzeh, A.: A survey on heuristic malware detection techniques. In: 5th Conference on Information and Knowledge Technology (IKT), pp. 113–120. IEEE (2013)

  25. Pektaş, A., Acarman, T.: Classification of malware families based on runtime behaviors. J. Inf. Secur. Appl. 37, 91–100 (2017)

  26. Pirscoveanu, R.S., Hansen, S.S., Larsen, T.M.T., Stevanovic, M., Pedersen, J.M., Czech, A.: Analysis of malware behavior: type classification using machine learning. In: International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), pp. 1–7. IEEE (2015)

  27. Uppal, D., Sinha, R., Mehra, V., Jain, V.: Malware detection and classification based on extraction of API sequences. In: ICACCI, 2014 International Conference on Advances in Computing, Communications and Informatics, pp. 2337–2342. IEEE (2014)

  28. Shabtai, A., Moskovitch, R., Feher, C., Dolev, S., Elovici, Y.: Detecting unknown malicious code by applying classification techniques on opcode patterns. Secur. Inform. 1(1), 1 (2012)

  29. O’Sullivan, B.: The history of threads (1996). http://www.faqs.org/faqs/os-research/part1/section-10.html

  30. Corbató, F.J., Vyssotsky, V.A.: Introduction and Overview of the Multics System. In: Proceedings of the AFIPS ’65 November 30–December 1, 1965, Fall Joint Computer Conference, Part I, pp. 185–196. ACM, New York, NY, USA (1965)

  31. Demichiel, L., Keith, M.: JSR 220: Enterprise JavaBeans 3.0 (2007). https://jcp.org/en/jsr/detail?id=220

  32. OSGi Core Release 6 Specification (2014). https://osgi.org/download/r6/osgi.core-6.0.0.pdf

  33. Palacz, K.: JSR 121: application isolation API specification (2006). https://jcp.org/en/jsr/detail?id=121

  34. Mordani, R.: JSR 154: Java Servlet 2.4 Specification (2007). https://jcp.org/en/jsr/detail?id=154

  35. Rodero-Merino, L., Vaquero, L.M., Caron, E., Muresan, A., Desprez, F.: Building safe PaaS clouds: a survey on security in multitenant software platforms. Comput. Secur. 31(1), 96–108 (2012)

  36. Gong, L.: Java SE Platform Security Architecture Specification v1.2. Tech. rep., Oracle Corporation, Redwood City, CA, USA (2002). http://docs.oracle.com/javase/8/docs/technotes/guides/security/spec/security-spec.doc.html

  37. Czajkowski, G., Daynés, L.: Multitasking without compromise: a virtual machine evolution. In: Proceedings of the 16th ACM SIGPLAN Conference on Object-oriented Programming, Systems, Languages, and Applications (OOPSLA ’01), pp. 125–138. ACM, New York, NY, USA (2001)

  38. Geoffray, N., Thomas, G., Muller, G., Parrend, P., Frénot, S., Folliot, B.: I-JVM: a Java virtual machine for component isolation in OSGi. In: IEEE/IFIP International Conference on Dependable Systems Networks (DSN ’09), pp. 544–553 (2009)

  39. Back, G., Hsieh, W.C.: The KaffeOS Java runtime system. ACM Trans. Progr. Lang. Syst. 27(4), 583–630 (2005)

  40. Java Management Extensions (JMX) Specification, version 1.4. Santa Clara, CA, USA (2006). http://docs.oracle.com/javase/7/docs/technotes/guides/jmx/JMX_1_4_specification.pdf

  41. Kiczales, G., Lamping, J., Mendhekar, A., Maeda, C., Lopes, C., Loingtier, J.M., Irwin, J.: Aspect-Oriented Programming, pp. 220–242. Springer, Berlin (1997)

  42. Truica, C., Radulescu, F., Boicea, A., Bucur, I.: Performance evaluation for CRUD operations in asynchronously replicated document oriented database. In: 2015 20th International Conference on Control Systems and Computer Science, pp. 191–196 (2015)

  43. Cooper, B.F., Silberstein, A., Tam, E., Ramakrishnan, R., Sears, R.: Benchmarking cloud serving systems with YCSB. In: Proceedings of the 1st ACM Symposium on Cloud Computing, SoCC ’10, pp. 143–154. ACM, New York, NY, USA (2010)

  44. Apache JMeter (n.d.). https://jmeter.apache.org/

  45. McMillan, R.: Up to three percent of internet traffic is malicious, researcher says (2008). www.csoonline.com/article/2122506/up-to-three-percent-of-internet-traffic-is-malicious--researcher-says.html

  46. OWASP Top 10 - 2010 The Ten Most Critical Web Application Security Risks. Tech. rep., The Open Web Application Security Project (2017). https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010.pdf

  47. OWASP Top 10 - 2013 The Ten Most Critical Web Application Security Risks. Tech. rep., The Open Web Application Security Project (2017). https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013.pdf

  48. OWASP Top 10 - 2017 The Ten Most Critical Web Application Security Risks. Tech. rep., The Open Web Application Security Project (2017). https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

  49. Trustwave: 2012 Global Threats and Trends. Tech. rep. (2012)

  50. Application Vulnerability Trends Report: 2014. Tech. rep., Cenzic (2014)

  51. Web Application Threat Trend Report: Trends for 2017. Tech. rep., Penta Security Systems Inc. (2017)

  52. Alpaydın, E.: Introduction to Machine Learning. MIT Press, Cambridge (2014)

  53. Polikar, R.: Ensemble based systems in decision making. IEEE Circ. Syst. Mag. 6(3), 21–45 (2006)

Author information

Corresponding author

Correspondence to Mehmet Tahir Sandıkkaya.

Cite this article

Sandıkkaya, M.T., Yaslan, Y. & Özdemir, C.D. DeMETER in clouds: detection of malicious external thread execution in runtime with machine learning in PaaS clouds. Cluster Comput 23, 2565–2578 (2020). https://doi.org/10.1007/s10586-019-03027-8