CIADL: cloud insider attack detector and locator on multi-tenant network isolation: an OpenStack case study

  • Original Research
  • Published in: Journal of Ambient Intelligence and Humanized Computing

Abstract

In cloud networks, edge network virtualization technology is widely adopted to protect tenants with isolated networks, mainly from threats inside the cloud. However, since tenants rely entirely on the cloud service provider's service interface to learn their current network policy, a malicious administrator, alone or in collusion with other tenants, is fully capable of acquiring any target tenant's network data by attacking the corresponding policies stored and enforced on the edge end hosts, without the tenant knowing. Therefore, this paper presents a cloud insider attack detector and locator (CIADL) for multi-tenant network isolation in OpenStack. We propose an insider attack threat model with attack categories. We also propose construction and attack detection methods based on a layered state model, enabling efficient detection of conflicts between the expected policy on the central node and the policy enforced on end hosts, along with a threat locating method at the fine granularity of device policy rules for recovery purposes. We implement a proof-of-concept CIADL system; experiments and analysis show that our method covers all attack types defined in the threat model with low overhead, and scales well as network size, policy size and attack count increase. Compared to an existing work's model with VM–VM state, the CIADL state model with NET–NET state achieves about 8.5% and 92.3% improvement in construction and verification time costs in the most hostile environment (AP = 80%) and at the largest policy scale (PS = 4000), which suggests CIADL is both efficient and scalable.
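As an added illustration of the comparison the abstract describes (this is not the paper's own code): a minimal NET–NET state model in Python that builds the expected allow set from the central node's policies, the enforced allow set from each end host's rules, and reports every conflict together with the host and the rule id that caused it. Network names, host names and rule ids are constructed sample data.

```python
# Added example (not the paper's code): a minimal NET-NET state model that
# compares the expected policy held by the central node with the policy each
# end host actually enforces, then reports conflicts at rule granularity.
# All network names, host names and rule ids below are constructed.

def expected_state(central_policies):
    """Expected allow set: one (src_net, dst_net, proto, port) flow per policy."""
    return {(p["src"], p["dst"], p["proto"], p["port"]) for p in central_policies}

def enforced_state(host_rules):
    """Per-host allow set built from the ACCEPT rules enforced on that host.
    host_rules: {host: [(rule_id, src_net, dst_net, proto, port, action), ...]}
    Returns {host: {flow: rule_id}} so a conflict can be traced to its rule."""
    state = {}
    for host, rules in host_rules.items():
        state[host] = {(s, d, pr, po): rid
                       for rid, s, d, pr, po, act in rules if act == "ACCEPT"}
    return state

def detect_and_locate(expected, enforced, host_nets):
    """Compare expected vs enforced state per host.
    host_nets: {host: set of tenant networks with VMs on that host}.
    Returns (host, kind, flow, rule_id) tuples: 'extra' = an enforced rule allows
    a flow the central policy never granted (isolation broken; rule_id names the
    offending rule), 'missing' = an expected flow for a network on this host
    is not enforced (policy tampered with or dropped)."""
    findings = []
    for host, allowed in enforced.items():
        for flow, rid in allowed.items():
            if flow not in expected:
                findings.append((host, "extra", flow, rid))
        for flow in expected:
            if (flow[0] in host_nets[host] or flow[1] in host_nets[host]) \
                    and flow not in allowed:
                findings.append((host, "missing", flow, None))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2]))

def demo():
    """Constructed scenario: two tenant networks with two expected flows; host1
    carries an injected rule r3, host2 has lost the rule for net_b -> net_a."""
    central = [{"src": "net_a", "dst": "net_b", "proto": "tcp", "port": 443},
               {"src": "net_b", "dst": "net_a", "proto": "tcp", "port": 22}]
    hosts = {"host1": [("r1", "net_a", "net_b", "tcp", 443, "ACCEPT"),
                       ("r2", "net_b", "net_a", "tcp", 22, "ACCEPT"),
                       ("r3", "net_c", "net_a", "tcp", 3306, "ACCEPT")],
             "host2": [("r1", "net_a", "net_b", "tcp", 443, "ACCEPT")]}
    host_nets = {"host1": {"net_a", "net_b"}, "host2": {"net_b", "net_c"}}
    return detect_and_locate(expected_state(central), enforced_state(hosts), host_nets)
```

Running `demo()` reports the injected rule r3 on host1 as an "extra" flow and the dropped net_b to net_a rule on host2 as "missing", which is the host- and rule-level location the abstract says recovery needs.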


Acknowledgements

This work is partially supported by grants from the National Key Research and Development Program of China (Grant no. 2016YFB0800204), the China 863 High-tech Program (Grant no. 2015AA016002).

Contributions

JZ, XF designed the work and revised the paper; JH, YG conducted the experiments and data analysis; XX and QZ did investigation and provided experiment platform.

Corresponding author

Correspondence to Jing Zhan.

Ethics declarations

Conflict of interest

The authors declare no conflict of interest.

Cite this article

Zhan, J., Fan, X., Han, J. et al. CIADL: cloud insider attack detector and locator on multi-tenant network isolation: an OpenStack case study. J Ambient Intell Human Comput 11, 3473–3495 (2020). https://doi.org/10.1007/s12652-019-01471-3
