Intrusion Detection Techniques for Infrastructure as a Service Cloud

Udaya Tupakula, Vijay Varadharajan, Naveen Akku
Information & Networked Systems Security Research, Department of Computing, Faculty of Science, Macquarie University, Sydney, Australia
{udaya, vijay, naveen}@ics.mq.edu.au

Abstract— Today, cloud computing is one of the increasingly popular technologies, where the customer can use the resources of cloud service providers to perform their tasks and pay only for the resources they use. The customer virtual machines in the cloud are vulnerable to different types of attacks. In this paper we propose techniques for securing customer virtual machines from different types of attacks in the Infrastructure as a Service cloud and describe how this can be achieved in practice. Our model makes it possible to differentiate attack traffic originating from each virtual machine even if multiple virtual machines on a VMM share a single IP address.

Keywords – IaaS, Cloud Security, Virtual machine based Security, Intrusion detection

I. INTRODUCTION

Today, cloud computing [1-4] is one of the increasingly popular technologies, where cloud service providers supply computing resources to customers to host their data or perform their computing tasks. Cloud computing can be categorized [2] into different services such as Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). In this paper we consider techniques for securing customer virtual machines in the IaaS cloud environment. Virtualisation is one of the key technologies for the IaaS cloud. Since customers can be running different operating systems and applications in their virtual machines, it is a difficult task for the cloud service provider to secure their customers' virtual machines.

Furthermore, due to the extremely large size of operating systems and inherent weaknesses in the TCP/IP stack, an attacker can easily exploit these weaknesses and generate different types of attacks on the customer virtual machines. Also, several new (zero-day) attacks appear on a daily basis, and techniques such as polymorphism and metamorphism make it extremely difficult to detect and prevent the attacks. Furthermore, it has been shown [5] that it is not a difficult task for the attacker to obtain information regarding the victim machine in the IaaS cloud and perform an attack by co-locating a malicious virtual machine with the victim virtual machine.

Although there are specific tools such as intrusion detection systems, honeypots, antivirus and anti-malware, such tools have limitations in detecting and preventing these attacks. Host-based tools have good visibility of the internal state of the monitored system and can efficiently detect attacks. However, since the tools are implemented on the monitored system itself, they are themselves vulnerable to attack. Network-based tools detect attacks by monitoring the incoming and outgoing traffic of the monitored machines. They have poor visibility into the state of the monitored machines but offer high attack resistance. Hence, for efficient detection of attacks, it is desirable to have good visibility of the monitored system while at the same time the tool offers high resistance to attacks.

The limitations of the existing tools can be overcome by implementing the security tools [6, 7] using Virtual Machine Monitors [8]. A VMM [8] is an additional software layer which has complete control over the physical resources and enables multiple operating systems to run on a scalable computer. Since the VMM has complete control over the resources, has good visibility into the internal state of the virtual machines, and is isolated from the virtual machines, it can be used [7] to improve the attack detection/prevention efficiency of the security tools.

In this paper, we consider the design choices for comprehensive attack detection and propose a novel architecture based on the virtual machine monitor to efficiently deal with attacks on customer virtual machines in the IaaS cloud. We discuss techniques to capture the dynamic updates to the operating systems and applications in virtual machines, thereby helping to reduce the semantic gap. We also develop techniques to identify each virtual machine separately and efficiently deal with the attacks.

The paper is organized as follows. Section II presents some of the related work. In Section III, we consider the design choices for comprehensive attack detection and propose techniques for securing customer virtual machines in the IaaS cloud environment. Section IV presents the analysis of our model and Section V concludes.

II. RELATED WORK

In this section, we present some of the important techniques that are related to our proposed architecture. Dunlap et al. [6] proposed the ReVirt architecture for secure logging by placing the logging tool inside the VMM. ReVirt claims to log enough information, such as the real-time clock, keyboard and mouse events, user inputs and system calls, to enable the administrator to replay the execution of a virtual machine. Since the logs are isolated from the virtual machine, they can be used to replay the logged information and analyse the attacks in case the virtual machine is compromised.
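The visibility/attack-resistance trade-off discussed in the introduction, and the abstract's claim that attack traffic can be attributed to an individual virtual machine even when several VMs behind one VMM share a single IP address, can be illustrated with the following toy model. This is an added example, not code from the paper or its authors. It assumes a hypervisor-side tap that observes each frame on a VM's virtual interface (here named vif1.0, vif2.0, vif3.0, a hypothetical naming) before NAT rewrites the source address; the VIF_TO_VM mapping, the packets and the SYN-rate threshold are all constructed for the illustration.

```python
"""Toy model of VMM-level traffic attribution for VMs sharing one public IP.

Added illustration, not code from the paper: it assumes a hypervisor-side tap
that sees each frame on the guest's virtual interface (vif) *before* NAT, so a
per-VM record survives even though the network only ever sees one public IP.
All packets and identifiers below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass

SHARED_PUBLIC_IP = "203.0.113.10"   # documentation-range address (constructed)

# Hypothetical vif-to-VM mapping held by the VMM (assumption, not from the paper)
VIF_TO_VM = {"vif1.0": "vm-a", "vif2.0": "vm-b", "vif3.0": "vm-c"}


@dataclass(frozen=True)
class Packet:
    vif: str          # virtual interface the frame arrived on (visible only to the VMM)
    src_ip: str       # private guest address as seen before NAT
    dst_ip: str
    dst_port: int
    syn: bool = True  # TCP SYN flag, used by the simple rate heuristic below


def nat(pkt: Packet) -> Packet:
    """Model the NAT step: afterwards every VM appears as SHARED_PUBLIC_IP."""
    return Packet(pkt.vif, SHARED_PUBLIC_IP, pkt.dst_ip, pkt.dst_port, pkt.syn)


def network_view(packets):
    """What a network-based IDS downstream of NAT can attribute: one public IP."""
    return Counter(nat(p).src_ip for p in packets if p.syn)


def vmm_view(packets):
    """What a VMM-level monitor can attribute: SYN count per VM, keyed on the vif."""
    counts = Counter()
    for p in packets:
        if p.syn:
            counts[VIF_TO_VM.get(p.vif, "unknown-vif")] += 1
    return counts


def flag_syn_flooders(packets, threshold):
    """Return the VMs whose SYN count exceeds the threshold (a simple rate heuristic)."""
    return sorted(vm for vm, n in vmm_view(packets).items() if n > threshold)


def sample_traffic():
    """Constructed sample: vm-b emits many SYNs to one target; vm-a and vm-c are quiet."""
    pkts = []
    pkts += [Packet("vif1.0", "10.0.0.11", "198.51.100.5", 443) for _ in range(3)]
    pkts += [Packet("vif2.0", "10.0.0.12", "198.51.100.7", 80) for _ in range(50)]
    pkts += [Packet("vif3.0", "10.0.0.13", "198.51.100.9", 22) for _ in range(2)]
    return pkts


if __name__ == "__main__":
    traffic = sample_traffic()
    print("network view:", dict(network_view(traffic)))        # {'203.0.113.10': 55}
    print("VMM view:", dict(vmm_view(traffic)))                # {'vm-a': 3, 'vm-b': 50, 'vm-c': 2}
    print("flagged:", flag_syn_flooders(traffic, threshold=20))  # ['vm-b']
```

The network view collapses all 55 SYNs onto the shared address, so a downstream IDS could at best blame the whole host; the VMM view keeps the per-vif identity and isolates vm-b as the only VM over the threshold, while the monitor itself runs outside the guests and is not exposed to a compromise of vm-b.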
2011 Ninth IEEE International Conference on Dependable, Autonomic and Secure Computing 978-0-7695-4612-4/11 $26.00 © 2011 IEEE DOI 10.1109/DASC.2011.128 745