A Streaming Intrusion Monitoring and Classification System for IaaS Cloud

To secure IaaS cloud environments, multiple layers of security mechanisms must be deployed and monitored. When a threat is detected, it must be appropriately acted upon. A common problem with monitoring such approaches is the sheer volume of alarms generated. Some alerts may be false positives, others are informational. It is challenging for cloud providers to quickly interpret which events to act upon and the priority of events. Another challenge is the dynamic nature of cloud environments. Tenant instances and security sensors may come and go. Systems that depend on the existence of a particular sensor are less effective in IaaS environments. Our work supports a defense in depth approach by leveraging multiple distributed intrusion detection and security system sensors in an IaaS cloud computing environment. We propose and demonstrate a streaming cloud intrusion monitoring and classification system (SCIMCS) to assist cloud providers with multiple security systems by filtering noisy alert messages and classifying previously recognized attacks. Our approach consists of three steps: Summarize and Score, Detect Anomalies, and Classify Attacks. We demonstrate the effectiveness of our framework in an IaaS cloud environment running Eucalyptus where we execute real attacks with a total alert reduction of 95.9 percent and a zero miss rate for problematic alarms. In addition, we demonstrate a 100 percent classification rate for trained attacks.