DOI: 10.1145/3135974.3135978
Research article

Rectify: black-box intrusion recovery in PaaS clouds

Published: 11 December 2017

ABSTRACT

Web applications hosted on the cloud are exposed to cyberattacks and can be compromised by HTTP requests that exploit vulnerabilities. Platform as a Service (PaaS) offerings often provide a backup service that allows restoring application state after a serious attack, but all valid state changes since the last backup are lost. We propose Rectify, a new approach to recover from intrusions on applications running in a PaaS. Rectify is a service designed to be deployed alongside the application in a PaaS container. It does not require modifications to the software, and the recovery can be performed by a system administrator. Machine learning techniques are used to associate the requests received by the application to the statements issued to the database. Rectify was evaluated using three widely used web applications - WordPress, LimeSurvey and MediaWiki - and the results show that the effects of malicious requests can be removed whilst preserving the valid application data.
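The abstract contrasts two recovery options: restoring a backup, which discards every valid change made since it was taken, and selectively undoing only the database statements caused by malicious requests. The following is an added, constructed illustration of that second option; it is not Rectify's code. It assumes a proxy log of HTTP requests with arrival time and service time, a statement log that records before and after row images, and it replaces the paper's machine-learning association step with a plain time-window rule (an assumption made only to keep the example self-contained). The sample logs are constructed.

```python
"""Selective undo of a request's database effects (constructed toy model).

Not Rectify's implementation. Stand-ins and assumptions:
  - association by service-time window instead of the paper's ML classifier
  - statements logged with before/after row images
  - in-memory dict "database" with one table, "posts"
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Row = Dict[str, str]
Table = Dict[int, Row]
Database = Dict[str, Table]


@dataclass
class Request:
    req_id: str
    ts: float        # arrival time in seconds (constructed)
    duration: float  # service time in seconds (constructed)
    line: str        # request line as a proxy would log it (constructed)


@dataclass
class Statement:
    stmt_id: int
    ts: float
    table: str
    key: int
    before: Optional[Row]  # None for an INSERT
    after: Optional[Row]   # None for a DELETE


def associate(requests: List[Request], statements: List[Statement],
              slack: float = 0.05) -> Dict[int, Optional[str]]:
    """Map each statement to the request whose service window contains it.

    Stand-in for the paper's ML association (assumption). A statement that
    matches zero or several requests stays unassociated (None) so that an
    administrator resolves it instead of it being undone silently.
    """
    mapping: Dict[int, Optional[str]] = {}
    for s in statements:
        hits = [r.req_id for r in requests
                if r.ts <= s.ts <= r.ts + r.duration + slack]
        mapping[s.stmt_id] = hits[0] if len(hits) == 1 else None
    return mapping


def _copy(db: Database) -> Database:
    return {t: {k: dict(r) for k, r in rows.items()} for t, rows in db.items()}


def replay(initial: Database, statements: List[Statement]) -> Database:
    """Replay the statement log in timestamp order on top of a backup image."""
    db = _copy(initial)
    for s in sorted(statements, key=lambda x: x.ts):
        table = db.setdefault(s.table, {})
        if s.after is None:
            table.pop(s.key, None)          # DELETE
        else:
            table[s.key] = dict(s.after)    # INSERT or UPDATE
    return db


def rectify(db: Database, statements: List[Statement],
            mapping: Dict[int, Optional[str]],
            malicious: Set[str]) -> Tuple[Database, List[int]]:
    """Undo, newest first, every statement associated with a malicious request.

    Compensation is built from the logged images: INSERT -> DELETE,
    UPDATE/DELETE -> restore the before-image. If the row no longer matches
    the statement's after-image, a later (possibly valid) request touched it;
    that statement is reported as a conflict rather than undone blindly.
    """
    db = _copy(db)
    conflicts: List[int] = []
    for s in sorted(statements, key=lambda x: x.ts, reverse=True):
        if mapping.get(s.stmt_id) not in malicious:
            continue
        table = db.setdefault(s.table, {})
        if table.get(s.key) != s.after:
            conflicts.append(s.stmt_id)
            continue
        if s.before is None:
            table.pop(s.key, None)
        else:
            table[s.key] = dict(s.before)
    return db, conflicts


# Constructed scenario: A and C are legitimate edits, B is the request to recover from.
BACKUP: Database = {"posts": {1: {"title": "Hello", "body": "welcome"}}}
REQUESTS = [
    Request("A", 1.0, 0.2, "POST /wp-admin/post.php"),
    Request("B", 2.0, 0.3, "POST /index.php?p=1"),
    Request("C", 3.0, 0.2, "POST /wp-admin/post.php"),
]
STATEMENTS = [
    Statement(1, 1.1, "posts", 2, None, {"title": "Draft", "body": "notes"}),
    Statement(2, 2.1, "posts", 1, {"title": "Hello", "body": "welcome"},
              {"title": "Hello", "body": "tampered"}),
    Statement(3, 2.2, "posts", 3, None, {"title": "Unwanted", "body": "injected"}),
    Statement(4, 3.1, "posts", 2, {"title": "Draft", "body": "notes"},
              {"title": "Final", "body": "notes"}),
]


def demo(statements: List[Statement] = STATEMENTS):
    """Return (state before recovery, state after recovery, conflicting statement ids)."""
    current = replay(BACKUP, statements)
    mapping = associate(REQUESTS, statements)
    recovered, conflicts = rectify(current, statements, mapping, {"B"})
    return current, recovered, conflicts


if __name__ == "__main__":
    before, after, conflicts = demo()
    print("backup restore would keep only:", BACKUP["posts"])
    print("selective undo keeps:", after["posts"], "conflicts:", conflicts)
```

Restoring `BACKUP` would drop post 2 entirely, while the selective undo removes post 3, restores post 1 and keeps post 2 with its later legitimate edit. The conflict check is the caveat a practitioner should keep in mind: once a valid request has modified a row after the malicious one, a before-image restore is no longer safe to apply automatically, and that statement is handed back to the administrator.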


Published in

Middleware '17: Proceedings of the 18th ACM/IFIP/USENIX Middleware Conference
December 2017, 268 pages
ISBN: 9781450347204
DOI: 10.1145/3135974

      Copyright © 2017 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States


Acceptance Rates

Middleware '17 paper acceptance rate: 20 of 85 submissions (24%). Overall acceptance rate: 203 of 948 submissions (21%).
