hardware, e.g. by contracting an Infrastructure as a Service (IaaS) provider such as
Amazon's “Elastic Compute Cloud” (EC2) [1, 2]. It is therefore not surprising
that corporations opt to outsource IT-related computing units, such as hosts
or services, to such clouds (cloud-sourcing) and become cloud tenants. Leading
analysts forecast a dramatic increase in cloud services revenue; Gartner, Inc., for
example, forecasts Software as a Service (SaaS) revenue to grow 17.9% from its
2011 level of $12.3 billion.¹ Cloud tenants, though, often have to pay a price.
Increased scalability of resources demands dynamic composition of computing
machinery, which results in design-inherent weaknesses; for instance, tenants share
the same cloud and are potentially allowed to interact by design [3].
This results in potentially hostile machines residing within the corporate network
that has to be secured. Hostile machines on the network tear security holes in
multiple layers of computation. Infrastructure items, such as hosts, can be broken
into by a competing company to obtain confidential information about its users
and other data stored on the machine. This in turn allows workflows to be changed,
e.g. by breaking into a system and patching the code base or the platform itself
[4, 5], or simply by reverse engineering workflows and creating rogue clients. A
workflow changed in this way has semantic consequences for its logic: for instance,
bypassed checks for sufficient funds in a credit card application, or a compromised
XACML (or Kerberos) infrastructure that grants access to restricted entities.
Another problem is that attacks themselves have become stealthier. Attackers use
more advanced techniques and more persistence, eventually masking an attack as an
inside job.² An example is the theft of legitimate service users' credentials,
followed by information being leaked gradually and persistently over a long period.
Such attacks usually manifest in a change of behaviour of the entities involved in
a given activity (e.g. activity during off-key working hours, spiking access to
document data, etc.).
To decrease the chance of successful attacks, security monitoring was introduced
to analyse events emitted by sensors in the corporate network. The analysis of
events usually involves signature-based methods: features extracted from logged
event data are compared to features in attack signatures, which in turn are
provided by experts [6, 7]. Other approaches, e.g. anomaly detection, often make
use of machine learning-based algorithms [8]. An anomaly is an unexpected event
(or a series of unexpected events) that exhibits a significant change in the
behaviour of an entity, for example a user. If anomalous behaviour can be
distinguished from normal behaviour by hard bounds that are known beforehand, then
signature-based approaches can be used to classify attacks immediately. However,
when it is hard to specify all entities and their normal behaviour completely
beforehand, statistical measures have to be used to classify deviations in order
to detect possible attacks.
¹ http://www.gartner.com/it/page.jsp?id=1963815, Accessed: July 30, 2012.
² http://www.schneier.com/blog/archives/2011/11/advanced_persis.html, Accessed: July 30, 2012.
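The two detection styles contrasted above, as an added illustration that is not the paper's code: a signature rule encodes a hard bound known beforehand (night-time activity), while a per-user statistical baseline flags deviations in document-access volume that no fixed rule anticipated. The event records, the `Event` type and the z-score threshold are constructed for this example.

```python
"""Signature vs. statistical-deviation classification of user activity events."""
import math
from collections import defaultdict
from typing import NamedTuple


class Event(NamedTuple):
    user: str           # the entity whose behaviour is monitored
    hour: int           # hour of day the activity occurred (0-23)
    docs_accessed: int  # documents accessed during that activity


# Constructed training events describing one user's normal behaviour.
TRAINING = [Event("alice", h, d) for h, d in
            [(9, 12), (10, 15), (9, 11), (11, 14), (10, 13), (14, 12), (16, 16), (13, 14)]]


def build_profile(events):
    """Per-user baseline: mean and standard deviation of documents accessed."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e.docs_accessed)
    profiles = {}
    for user, xs in by_user.items():
        mean = sum(xs) / len(xs)
        var = sum((x - mean) ** 2 for x in xs) / len(xs)
        # Guard against a zero deviation (constant history) to keep the z-score finite.
        profiles[user] = {"mean": mean, "std": math.sqrt(var) or 1.0}
    return profiles


def signature_match(event):
    """Hard bound known beforehand: activity outside 06:00-22:00 is suspicious."""
    return event.hour < 6 or event.hour >= 22


def anomaly_score(event, profiles):
    """Deviation of the access volume from the user's baseline, in standard deviations."""
    p = profiles.get(event.user)
    if p is None:
        return float("inf")  # an entity never profiled cannot be called normal
    return abs(event.docs_accessed - p["mean"]) / p["std"]


def classify(event, profiles, threshold=3.0):
    """Signature hit first; otherwise statistical deviation above the threshold."""
    if signature_match(event):
        return "signature"
    if anomaly_score(event, profiles) > threshold:
        return "anomaly"
    return "normal"
```

Running `classify(Event("alice", 10, 60), build_profile(TRAINING))` returns `"anomaly"`: the volume is far outside the baseline although the hour itself is unremarkable.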