Detecting Virtual Machine Co-Residency in Cloud Computing With Active Traffic Analysis September 4, 2015 James A. Savage Tennessee State University Computer and Information Systems Engineering Advisor: Dr. Sachin Shetty AFRL Research Presentation


Agenda

Virtualization and Cloud Computing

Virtual Machines and Co-Residency

Virtual Machine Side-Channel Vulnerability

Watermarking network traffic

Attempts to Reproduce Published Research Results

Implications for Production Environments

What is Virtualization?

A virtual machine is an instance of an operating system that runs in a software container providing all of the hardware-related components the operating system expects, executing the machine's instruction set either through software emulation or, on modern processors, with hardware-assisted virtualization.

Virtual machine technology allows a single computer to host multiple virtual machines, each potentially running a different operating system.

The hypervisor, or virtual machine monitor (VMM), is the only software running in the most privileged mode; it presents each virtual machine with its own virtual copy of the physical hardware (CPU, memory, disk, NIC) while sharing the real devices among all guests.

The operating system running in a virtual machine is called a guest operating system.

What is Virtualization?

Image: http://software.intel.com/en-us/articles/creating-a-virtual-machine-on-vmware-tutorial

Virtualization is the Foundation of Cloud Computing

Image: http://modelschoolscnyric.pbworks.com/w/page/39729119/Cloud%20Computing

Virtual Infrastructure in the Cloud

Image: http://www.cisco.com/

HA: High Availability (a form of redundancy)

DRS: Distributed Resource Scheduler

Virtual Machine Co-Residency

Image: http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/ucs-m81kr-virtual-interface-card/white_paper_c11-618838.html

Problem: Side-Channel Attack

Image: http://docs.openstack.org/security-guide/content/ch052_devices.html

References

Detecting Co-Residency paper:

A. Bates, B. Mood, J. Pletcher, H. Pruse, M. Valafar, and K. Butler, "Detecting Co-Residency with Active Traffic Analysis Techniques," in CCSW12 (Cloud Computing Security Workshop), October 19, 2012, Raleigh, North Carolina, USA.

Adam Bates, PhD student, and colleagues at the CIS Dept., University of Oregon

Co-Residency Attack Model

Two colluding hosts:

Client (e.g., a browser on the Internet)

Flooder (injects UDP packets)

A victim: Web Server

Capture the network flow from the web server to client

UDP: User Datagram Protocol

TCP: Transmission Control Protocol

Co-Residency Attack Model

Client contacts server (e.g., web server)

Requests web page (HTTP request)

Server responds (HTTP response)

Flooder injects UDP packets into network flow

Network packet arrivals are captured and analyzed for co-location

Image: http://www.oracle.com/technetwork/java/tutorial-138750.html

Co-Residency Attack Model

Server and Flooder reside on the same virtual host and network

Active traffic analysis

Network Interface Card (NIC)

Packet Arrivals at the Client

Network Traffic Analysis

Injected UDP packets from the co-resident Flooder contend for the shared NIC and create an intermittent delay in the Server's network traffic flow

Delay creates an intermittent pattern resulting in two distinct packet distributions

Distinct packet distributions act like a beacon to test for co-location

Flooding Creates Watermark

Distinctive network traffic pattern from flooding creates a type of watermark to easily identify co-residency

A two-sample hypothesis test can be applied to identify the flooding pattern (the Kolmogorov-Smirnov test, KS test), comparing the distribution of packet inter-arrival times observed at the Client against a baseline captured without flooding

Co-residency is detected when the KS test rejects the null hypothesis that the two samples come from the same distribution, i.e., when the watermark is present in the Server's flow

Packet Arrivals at the Client

Figures: packet arrival distributions at the Client, No Flooding (i.e., Normal Traffic) versus With Flooding (i.e., Co-Resident Traffic)
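The detection step described on the preceding slides, written out as an added example (this is not code from the presentation or from Bates et al.): a pure-Python two-sample Kolmogorov-Smirnov test applied to packet inter-arrival gaps. The gap samples are constructed, not measured; the assumption is that a co-resident flooder toggling on and off roughly doubles the Server's inter-arrival gap while it is on, which is the bimodal "watermark" the slides show. The asymptotic KS critical values and the function names are this example's own.

```python
import bisect
import math
import random


def interarrivals(timestamps):
    """Inter-arrival gaps from a sorted list of packet arrival times (e.g. pcap timestamps)."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def ks_statistic(sample_a, sample_b):
    """Two-sample Kolmogorov-Smirnov statistic D = max_x |F_a(x) - F_b(x)|,
    where F_a and F_b are the empirical distribution functions of the two samples."""
    a, b = sorted(sample_a), sorted(sample_b)
    n, m = len(a), len(b)
    d = 0.0
    for x in a + b:
        f_a = bisect.bisect_right(a, x) / n
        f_b = bisect.bisect_right(b, x) / m
        d = max(d, abs(f_a - f_b))
    return d


def ks_critical(n, m, alpha=0.05):
    """Asymptotic two-sample KS critical value c(alpha) * sqrt((n + m) / (n * m))."""
    c_alpha = {0.10: 1.224, 0.05: 1.358, 0.01: 1.628}[alpha]
    return c_alpha * math.sqrt((n + m) / (n * m))


def detect_coresidency(baseline_gaps, observed_gaps, alpha=0.05):
    """Compare the observed flow's gaps with a baseline captured without flooding.
    Rejecting 'same distribution' means the flooder's watermark is in the flow,
    i.e. the Server and the Flooder share a host."""
    d = ks_statistic(baseline_gaps, observed_gaps)
    crit = ks_critical(len(baseline_gaps), len(observed_gaps), alpha)
    return {"D": d, "critical": crit, "co_resident": d > crit}


def simulate_interarrivals(n_packets, flooding, seed):
    """Constructed inter-arrival gaps in milliseconds (assumed model, not measured data).
    Without flooding the Server's packets arrive about 1 ms apart.  With a co-resident
    Flooder that toggles every 50 packets, the 'on' phases contend for the shared NIC and
    roughly double the gap, so the gap distribution becomes bimodal."""
    rng = random.Random(seed)
    gaps = []
    for i in range(n_packets):
        flooder_on = flooding and (i // 50) % 2 == 1
        mu, sigma = (2.0, 0.2) if flooder_on else (1.0, 0.1)
        gaps.append(max(0.05, rng.gauss(mu, sigma)))
    return gaps


if __name__ == "__main__":
    baseline = simulate_interarrivals(1000, flooding=False, seed=1)
    flooded = simulate_interarrivals(1000, flooding=True, seed=2)
    print(detect_coresidency(baseline, flooded))
```

In practice the baseline comes from a capture of the same Server taken while the Flooder is silent, and the observed sample from a capture taken while it floods; the test does not need the absolute delay to be large, only the shape of the gap distribution to change, which is why a modest intermittent delay is enough to act as a beacon.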

Experimental Configuration

VMware Workstation 9.0 host environment:

Apache 2 httpd server VM (Server)

Ubuntu 14.04 VM (Flooder), using Packit network injection

Web application uses AJAX and JSON to request and return data from a large file to the client

Windows 7 Professional on a physical machine, not a VM (Client)

.NET 4.5 C# Forms application (Client application)

Perl (Flooder socket application) and C (Flooder flooding application)

All nodes are on the same network (subnet)

Why Weren't Bates' Results Reproduced?

Network Interface Card (NIC) capacity: greater capacity (1000 Mbps) may leave enough headroom that the UDP flood does not measurably delay the Server's flow

All machines on the same subnet (network): locating the client on a different subnet may increase latency and change the arrival pattern

Hypervisor differences: Xen versus VMware versus Hyper-V schedule and switch guest network I/O differently

Dynamic nature of TCP/IP network traffic: the congestion control algorithm reshapes the flow during the capture

Congestion Algorithm

TCP congestion control dynamically manages the network traffic flow

Graph (not reproduced): data transferred per iteration

Traffic flow changes with the congestion window and the receive windows advertised by client and server, so the packet spacing seen at the client is not fixed

Traditional Packet Management in Virtual Environment

Image: PCI-SIG SR-IOV Primer (Intel)

Single Root I/O Virtualization (SR-IOV)

With SR-IOV each virtual machine is assigned a virtual function on the physical NIC and bypasses the hypervisor's software switch, which changes how a co-resident flooder's traffic contends with the Server's flow

Image: PCI-SIG SR-IOV Primer (Intel)

Benefits of Research

Explore feasibility of simple co-residency detection techniques

Demonstrate relative ease of attack deployment

Demonstrate simplicity of co-residency detection technique

Deployment in physical and cloud environments (data centers)

Implications for Production Environments

Attack detection internal and external environments

Co-residency snooping from inside the organization may be the largest threat

Simple reconnaissance tool

Detection of potential side-channel attack victims

Attack Detection

Firewall detection of outbound UDP packet flooding (e.g., for a cloud-based web server)

Intrusion Prevention Systems (IPS) to detect UDP packet floods in data center traffic

Machine learning to sample network traffic for pattern identification (similar to email spam detection)

Network sniffing of data center traffic to detect UDP packets with the same data payload (a flooder could randomize the payload to evade this check)
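As an added example, not part of the presentation, the two simplest of these detections run over a constructed set of packet records: a per-source UDP packet-rate check (the firewall/IPS idea) and a repeated-payload check (the sniffing idea). The records, IP addresses, and thresholds are made up for the example. It includes a flooder that randomizes its payload to show the caveat above: the payload check misses it, while the rate check still fires.

```python
import hashlib
import random
from collections import Counter, defaultdict


def make_sample_packets():
    """Constructed packet records (not a real capture):
    (timestamp_s, src_ip, dst_ip, proto, payload_bytes)."""
    pkts = []
    # Benign host 10.0.0.5: one small UDP datagram every 100 ms, payload changes each time.
    for i in range(50):
        pkts.append((i * 0.100, "10.0.0.5", "10.0.0.53", "UDP", b"query-%d" % i))
    # Flooder A at 10.0.0.9: 2000 pkt/s in 200 ms bursts with 200 ms gaps, identical payload.
    # Flooder B at 10.0.0.10: same burst pattern, but every payload is randomized.
    rng = random.Random(7)
    for i in range(2000):
        t_us = i * 500                      # one packet every 500 us while "on"
        if (t_us // 200_000) % 2 == 0:      # on for 200 ms, off for 200 ms
            pkts.append((t_us / 1e6, "10.0.0.9", "10.0.0.77", "UDP", b"\x00" * 64))
            noise = bytes(rng.getrandbits(8) for _ in range(64))
            pkts.append((t_us / 1e6, "10.0.0.10", "10.0.0.77", "UDP", noise))
    pkts.sort(key=lambda p: p[0])
    return pkts


def udp_rate_alerts(pkts, window_s=0.100, threshold_pps=500):
    """Count UDP packets per source in fixed time windows; a source whose peak
    window exceeds threshold_pps is flagged.  Returns {src: peak_pps}."""
    counts = Counter()
    for ts, src, _dst, proto, _payload in pkts:
        if proto == "UDP":
            counts[(src, int(ts // window_s))] += 1
    limit = threshold_pps * window_s
    alerts = {}
    for (src, _win), n in counts.items():
        if n > limit:
            alerts[src] = max(alerts.get(src, 0.0), n / window_s)
    return alerts


def repeated_payload_alerts(pkts, min_repeats=100):
    """Flag sources that send one identical UDP payload at least min_repeats times.
    Only a hash of each payload is kept, so the detector does not store traffic."""
    seen = defaultdict(Counter)
    for _ts, src, _dst, proto, payload in pkts:
        if proto == "UDP":
            seen[src][hashlib.sha256(payload).hexdigest()] += 1
    return {src: max(c.values()) for src, c in seen.items() if max(c.values()) >= min_repeats}


if __name__ == "__main__":
    packets = make_sample_packets()
    print("rate alerts:", udp_rate_alerts(packets))
    print("payload alerts:", repeated_payload_alerts(packets))
```

The rate check is the more robust of the two because the watermark only works if the flooder actually loads the shared NIC, so a rate high enough to be useful to the attacker is also high enough to stand out against a host's normal UDP profile; the payload check is cheap but, as the slide notes, trivially evaded.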

Future Work

Introduce one or more subnets to separate the client from the server/flooder virtual machines (introduce router latency)

Migrate the system to different virtual platforms (i.e., rule out hypervisor differences as the cause)

Analyze the network flow for other statistical distribution characteristics that may support Bates' results

Questions