  • 7/27/2019 A Framework for Intrusion Tolerance in Cloud Computing


    A Framework for Intrusion Tolerance in Cloud Computing

    Vishal M. Karande and Alwyn R. Pais

    Information Security Lab, Dept. of Computer Science and Engineering, National Institute of Technology Karnataka, Surathkal, India - 575025

    {vishalmkarande,alwyn.pais}@gmail.com

    Abstract. Cloud Computing has been envisioned as the next generation architecture and one of the fastest growing segments of the IT enterprise. No matter how much investment is made in cloud intrusion detection and prevention, cloud infrastructure remains vulnerable to attacks. Intrusion Tolerance in Cloud Computing is a fault tolerant design approach to defend cloud infrastructure against malicious attacks. Thus, to ensure dependability, we present a framework obtained by mapping the existing Malicious and Accidental Fault Tolerance for Internet Applications (MAFTIA) intrusion tolerance framework, with its dependability attributes of availability, authenticity, reliability, integrity, maintainability and safety, onto the new Cloud Computing environment. The proposed framework has been validated by integrating the Intrusion Tolerance via Threshold Cryptography (ITTC) mechanism in a simulated cloud environment. A performance analysis of the proposed framework is also given.

    Keywords: Cloud Computing, Framework, Intrusion Tolerance, Security, Threshold Cryptography.

    1 Introduction

    Experience shows that attacks may never be completely prevented or detected accurately and on time. Thus Intrusion Tolerance, combining the aspects of protection, detection and reaction, is currently considered to be the optimal way to address information security challenges [1]. However, the architecture of intrusion-tolerant systems, integrating multiple layers of defenses, redundancy and diversity, is often considered too costly and heavyweight to provision dynamically. At the same time, the information technology landscape has been evolving continuously with the introduction of a new software technology, Cloud Computing.

    Cloud computing provides simple, on-demand access to pools of highly elastic computing resources. Cloud Computing delivers software, platform and infrastructure as subscription-based services to its users in a pay-as-you-go model. These services are referred to as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), wherein resources are provided as a service over a network. Corporations and individuals are concerned about how security and compliance integrity can be maintained in this new, rapidly evolving cloud computing environment. Even more concerning are the corporations that jump to cloud computing while oblivious to the implications of putting critical applications and data in the cloud. The cloud computing environment must therefore be secure enough to maintain the trust of cloud users, since even a small intrusion can cause a huge loss to both cloud users and cloud service providers [10]. Because cloud computing is new and evolving rapidly, intrusions that damage its functional and operational units should be addressed in the early stages of its development.

    A. Abraham et al. (Eds.): ACC 2011, Part IV, CCIS 193, pp. 386-395, 2011. © Springer-Verlag Berlin Heidelberg 2011

    In this paper we present a framework for intrusion tolerance in the cloud computing environment which summarizes how a number of defenses and security techniques, especially those providing availability, integrity and confidentiality, can be integrated in the cloud or within its services. We have studied the MAFTIA intrusion tolerance framework. This existing framework for intrusion tolerance does not account for essential characteristics of cloud computing such as scalability, elasticity, ubiquitous access, virtualization, relative consistency, commodity and reliability. The new framework is obtained by mapping the available intrusion tolerance framework, with its dependability attributes of availability, authenticity, reliability, integrity, maintainability and safety, onto the new cloud computing environment, wherein for each component we provide the requirement, a design description (architecture, specification), and reasoning and evidence (why the description meets the requirement under the stated assumptions). The framework serves as a platform for making cloud services intrusion tolerant. To test the feasibility of the proposed framework, a Cloud Computing environment is simulated using the CloudSim [12] toolkit, and the cloud's Infrastructure as a Service (IaaS) is made intrusion tolerant using the Intrusion Tolerance via Threshold Cryptography (ITTC) [7] mechanism. Performance of the new simulated service model is measured using metrics such as total execution time, intrusion detection time, recovery time and number of cloudlets.

    The rest of the paper is structured as follows. Section 2 provides a brief summary of related work in this area. In Section 3 we propose our framework. Section 4 gives the validation of the proposed framework, and the paper concludes in Section 5.

    2 Related Work

    A dependable system is defined as one that is able to deliver a service that can justifiably be trusted [1]. Attributes of dependability include availability (readiness for correct service), reliability (continuity of correct service), confidentiality (prevention of unauthorized disclosure of information), and integrity (the absence of improper system state alterations). An intrusion-tolerant system is a system that is capable of self-diagnosis, repair, and reconfiguration while continuing to provide a correct service to legitimate users in the presence of intrusions.


    The MAFTIA Project, funded by the European Union, systematically investigated the tolerance paradigm for security in order to propose an integrated architecture built on this paradigm and to realize a concrete design that can be used to support the dependability of many applications [4]. MAFTIA was the first project that uniformly applied the tolerance paradigm to the dependability of complete large-scale applications in a hostile environment and not just to single components of such systems. Its major innovation was a comprehensive approach for tolerating both accidental faults and malicious attacks in large-scale distributed systems, including attacks by external hackers and by corrupt insiders. The framework proposed here is strongly inspired by the MAFTIA framework, but we have applied it to the emerging Cloud Computing environment.

    The Component-Based Framework for Intrusion Tolerance (CoBFIT) [5] provides a platform for building and testing a variety of intrusion-tolerant distributed systems. The CoBFIT framework, by virtue of its design and implementation principles, can serve as a convenient base for building components that implement intrusion-tolerant protocols and for combining these components in an efficient manner to provide a number of services for dependability. This framework was studied to identify the possible components of the proposed framework.

    The Intrusion Tolerance by Unpredictable Adaptation (ITUA) project proposes to develop a middleware-based intrusion-tolerant solution that helps applications survive certain kinds of attacks. The main goal of ITUA is to add intrusion tolerance to the CORBA architecture by modifying the middleware itself and an existing crash-tolerant group communication system (C Ensemble). These projects do not directly address the specific problem of intrusion tolerance in the cloud environment, but they include the notions of replication and reconfiguration that also belong to our framework.

    3 The Framework

    3.1 Overview of Framework

    Fig. 1 shows the intrusion tolerance framework based on the layered design of the cloud computing architecture. In the layered design, physical cloud resources along with core middleware capabilities form the basis for delivering IaaS and PaaS. The user-level middleware aims at providing SaaS capabilities. The top layer focuses on application services (SaaS) by making use of the services provided by the lower layers. PaaS/SaaS services are often developed and provided by third-party service providers, who are different from the IaaS providers. In these service layers, framework components implement the structure of intrusion tolerance in the form of abstractions, primitives, and supporting software mechanisms that are commonly needed for the creation of intrusion-tolerant services. The framework also shows the components which are to be managed by the Cloud Security Administration System to make cloud services intrusion tolerant. It is important to note that implementing a cloud computing service within the proposed framework does not by itself make the service intrusion tolerant. The service is intrusion tolerant only if the protocol or algorithm upon which the service is based is intrusion tolerant by design.

    Fig. 1. Intrusion Tolerance Framework based on the Layered Design of the Cloud Computing Architecture

    3.2 Framework Components

    Layered Design

    1. User Level: This layer includes applications that are directly available to end-users. We define end-users as the active entities that utilize SaaS applications over the Internet. These applications may be supplied by the Cloud provider (SaaS providers) and accessed by end-users either via a subscription model or on a pay-per-use basis. Alternatively, in this layer, users deploy their own applications.

    2. Middleware: Cloud computing services rely on several layers of middleware services that must be able to withstand intrusions and attacks from a very wide range of players. For a service to be intrusion tolerant by design, its protocol or algorithm should be implemented in the middleware. It is composed of User Level Middleware and Core Middleware.

    (a) User Level Middleware provides the programming environments and composition tools that ease the creation, deployment, and execution of applications in clouds.

    (b) Core Middleware implements the platform-level services that provide the runtime environment for hosting and managing user-level application services. Core services at this layer include dynamic SLA management, accounting, billing, execution monitoring and management, and pricing.

    3. System Level: The computing power in Cloud environments is supplied by a collection of datacenters that are typically installed with hundreds to thousands of hosts. At the System Level there exist massive physical resources (storage servers and application servers) that power the datacenters. At the system level the cloud resources are reconfigured to support intrusion tolerance.

    Attack and Vulnerability Prevention. Intrusion prevention is the combined application of attack and vulnerability prevention, as well as attack and vulnerability removal. This component consists of the introduction of mechanisms such as authentication, authorization and firewalls, which prevent attacks in that they push the attacks back to the level of the additional barriers these mechanisms introduce.

    Error Processing

    1. Event Analysis: Event Analysis provides the Cloud Security Administrator with an effective mechanism to update Security Plans, Security Assessment Reports, and Plans of Action and Milestones. The sensor is the component of the system that collects raw data (e.g., a sniffer or an audit log). Event Analysis involves:

    (a) Security impact analyses on proposed or actual changes to computing systems and environments of operation.

    (b) Assessment of selected security controls (including system-specific, hybrid, and common controls) based on the defined continuous monitoring strategy.

    (c) Security status reporting to appropriate officials.

    2. Error Detection: We distinguish two basic generic component types, intrusion-intolerant components and intrusion-tolerant components. At both the middleware and system levels, errors can be detected in either of these two component types. However, only intrusion-tolerant components are capable of acting autonomously to implement error recovery.

    3. Fault Model: According to the basic fault model, a fault leads to an error and then to a failure of the system. Thus for both the middleware and system levels, faults should be identified by the Cloud Security Administration as an auditing part of event analysis. In the Cloud Computing environment faults can be physical or design faults, interaction faults, accidental or intentional, transient or intermittent, internal or external. It is necessary to distinguish the internal detectable impairment (error) from the causing impairment (fault), since there may be multiple causes that could give rise to the same detectable impairment. It is also necessary to distinguish the internal detectable impairment (error) from the external impairment (i.e., a failure in the service delivered to a user) that intrusion tolerance techniques aim to prevent [4].

    Fault Treatment. At the middleware and system levels of cloud computing, the Cloud Security Administration is responsible for fault handling.

    1. Fault Diagnosis: Fault diagnosis is concerned with identifying the type and location of faults that need to be isolated before carrying out system reconfiguration or initiating corrective maintenance. It involves:

    (a) Intrusion diagnosis, i.e., trying to assess the degree of success of an intruder in terms of system corruption.

    (b) Vulnerability diagnosis, i.e., trying to understand the channels through which the intrusion took place so that corrective maintenance can be carried out.

    (c) Attack diagnosis, i.e., finding out who or what organization is responsible for the attack so that appropriate litigation or retaliation may be initiated.

    2. Fault Isolation: In the Cloud Computing environment fault isolation is needed to make sure that the source of the detected error(s) is prevented from producing further error(s). It involves:

    (a) Blocking cloud service requests from an intrusion containment region that is diagnosed as corrupt.

    (b) Removing a corrupted host from the datacenter, or, with reference to the root vulnerability/attack causes:

    (c) Uninstalling software versions with newly-found vulnerabilities.

    (d) Arresting and taking legal action against an attacker.

    3. System Reconfiguration: All the protocols and algorithms required for cloud service provisioning are implemented at the middleware level. Depending on the level of damage caused by an intrusion in the system, reconfiguration at both the middleware and system levels is to be carried out by the Cloud Security Administrator. In an intrusion-tolerant Cloud environment possible reconfiguration actions include:

    (a) Virtualization software downgrades or upgrades (assuming appropriate versions are available on-line so that this can be done automatically).

    (b) Changing a voting threshold (say from 5-out-of-9 voting to 6-out-of-9 voting) after two corrupt servers have been isolated, so that a further intrusion can be masked.

    Cloud Security Administration System. The Cloud Security Administration System is responsible for handling and treating security issues in the Cloud environment. Standards that are relevant to security management practices in the cloud are the Information Technology Infrastructure Library (ITIL), ISO/IEC 27001/27002 and the Open Virtualization Format (OVF) [6]. The Information Technology Infrastructure Library is a set of best practices and guidelines that define an integrated, process-based approach for managing information technology services. The Open Virtualization Format (OVF) enables efficient, flexible, and secure distribution of enterprise software, facilitating the mobility of virtual machines and giving customers vendor and platform independence.

    4 Framework Validation

    4.1 Simulation Environment

    To test the feasibility of the proposed framework, a Cloud Computing environment as shown in Fig. 2 was simulated using the CloudSim [12] toolkit.

    Fig. 2. Cloud Computing Simulation Environment

    In Cloud Computing the user submits a cloudlet (cloud service request) to the U-Broker, who is responsible for finding a suitable cloud for servicing the user. The Cloud Exchange keeps information about the various clouds, such as their currently available resources. Upon accepting cloudlets, the Cloud Coordinator sends them to the D-Broker, who is responsible for creating Virtual Machines on the Host Machines constituting a Datacenter. All the cloudlets are scheduled and executed on these Virtual Machines. The results are updated and sent back to the user.

    Intrusion Tolerance via Threshold Cryptography. The simulation toolkit is extended to add intrusion tolerance capability by adding new classes to it. In this environment, the Cloud Coordinator can execute cloud requests (cloudlets) only if the hosts running inside the datacenter are legitimate. For this the datacenter authentication key is distributed among the hosts using Shamir's secret sharing scheme [2].


    Fig. 3. Total Execution Time vs. Number of Cloudlets

    Fig. 4. Total Execution Time vs. Number of Hosts in a Datacenter

    Fig. 5. Total Execution Time vs. Number of Hosts Failed


    1. Key Management: For n hosts in a datacenter, the datacenter's authentication key S is split into n shares s1, s2, ..., sn, one per host, in such a way that:

    (a) knowledge of k or more shares makes the secret S computable, and

    (b) knowledge of k-1 or fewer shares leaves the secret S completely undetermined.

    Such a scheme is called a (k, n) threshold scheme. The shares s1, s2, ..., sn are distributed to hosts h1, h2, ..., hn respectively. Robust key management for a (k, n) scheme is obtained with n = 2k-1: a majority of the hosts can then reconstruct S while any minority cannot. Every time a host is added to or removed from the datacenter, the secret share values are regenerated and redistributed to the hosts by the Key Management module.

    2. Intrusion Detection Module: A Sensor module continuously tests all possible combinations of hosts for valid secret generation and detects compromised hosts. Thus for a (k, n) threshold scheme, all C(n, k) combinations are tested by generating the secret key from every combination, and the negative results are used to detect compromised hosts (this requires that at least k hosts remain uncompromised, otherwise no combination reproduces the key). The Sensor module is capable of detecting intrusions in any of the n hosts. The Sensor module also generates an alert and initiates the Recovery module when an intrusion is detected.

    3. Recovery Module: In the recovery process, the reconfiguration module reallocates all the virtual machines running on the penetrated host(s), and the fault isolation module removes the compromised host machine(s) from the host group constituting the datacenter. The Recovery module then invokes the Key Management module to generate and redistribute new secret shares.
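    The three modules above, worked through as an added example that is not the paper's CloudSim extension: a (k, n) Shamir scheme over a prime field (Key Management), the exhaustive C(n, k) sensor that reports hosts whose shares never take part in a correct reconstruction (Intrusion Detection), and the evict-and-redeal step (Recovery), which also accepts a raised threshold in the spirit of the voting-threshold reconfiguration of Section 3.2. The host names, the toy prime, the constructed intrusion and the assumption that the sensor itself knows the datacenter key are assumptions of this example, not details from the paper.

```python
import itertools
import secrets
from math import comb

# Assumption of this example: a toy prime field. A deployment would pick a
# prime larger than the key it protects (2**61 - 1 suits keys below 61 bits).
PRIME = 2**61 - 1


def _eval_poly(coeffs, x):
    """Evaluate a0 + a1*x + ... + a_{k-1}*x^(k-1) mod PRIME by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def make_shares(secret, k, hosts):
    """Key Management: deal one share (x, y) to each host name in `hosts`.
    Any k shares reconstruct `secret`; k-1 or fewer leave it undetermined,
    because the k-1 higher polynomial coefficients are uniformly random."""
    n = len(hosts)
    if not 1 <= k <= n < PRIME:
        raise ValueError("need 1 <= k <= n < PRIME")
    coeffs = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return {h: (x, _eval_poly(coeffs, x)) for x, h in enumerate(hosts, start=1)}


def recover_secret(points):
    """Lagrange interpolation at x = 0 over an iterable of (x, y) shares."""
    points = list(points)
    xs = [x for x, _ in points]
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def scan_cost(n, k):
    """Combinations the sensor must test: C(n, k), largest for k near n/2."""
    return comb(n, k)


def sensor_scan(host_shares, k, datacenter_key):
    """Intrusion Detection: try every k-combination of hosts.  A combination
    that reproduces the key vouches for all its members (one tampered share
    shifts the interpolated value by a non-zero multiple of its Lagrange
    coefficient).  Hosts vouched for by no combination are reported as
    compromised.  Assumes the sensor knows the key and that at least k hosts
    are honest; with fewer, no combination succeeds and None is returned."""
    vouched, tested = set(), 0
    for combo in itertools.combinations(host_shares, k):
        tested += 1
        if recover_secret(host_shares[h] for h in combo) == datacenter_key:
            vouched.update(combo)
    if not vouched:
        return None, tested
    return sorted(set(host_shares) - vouched), tested


def recover(host_shares, compromised, k, datacenter_key, new_k=None):
    """Recovery: evict the compromised hosts (fault isolation) and redeal
    fresh shares of the same key to the survivors (key management).  A larger
    new_k mirrors the paper's threshold change after an eviction."""
    survivors = [h for h in host_shares if h not in set(compromised)]
    k = new_k if new_k is not None else k
    if k > len(survivors):
        raise RuntimeError("too few surviving hosts for threshold k")
    return k, make_shares(datacenter_key, k, survivors)


if __name__ == "__main__":
    # Constructed scenario: 9 hypothetical hosts, k = 5 so that n = 2k - 1.
    hosts = [f"h{i}" for i in range(1, 10)]
    key = secrets.randbelow(PRIME)
    shares = make_shares(key, 5, hosts)
    for h in ("h3", "h8"):                 # constructed intrusion: two hosts
        x, y = shares[h]                   # now hold tampered shares
        shares[h] = (x, (y + 1) % PRIME)
    bad, tested = sensor_scan(shares, 5, key)
    print(f"tested {tested} of C(9,5)={scan_cost(9, 5)} combinations; compromised: {bad}")
    k, shares = recover(shares, bad, 5, key)
    print("after recovery:", sensor_scan(shares, k, key))
```

    Two caveats a deployment would have to address. First, the sensor needs at least k uncompromised hosts: with fewer, every combination fails and sensor_scan returns None, which the Recovery module cannot repair from shares alone. Second, the exhaustive check is sound only against independent tampering; two colluding hosts can pick share errors that cancel in a particular combination and thereby get themselves vouched for, so in practice each host's share should additionally be bound to a verifiable commitment.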

    4.2 Simulation Results

    The performance overhead of incorporating intrusion tolerance is measured under different scenarios: with a varying secret sharing threshold k (Fig. 3), a varying number of hosts n in a datacenter (Fig. 4), and a varying number of failed hosts in a datacenter (Fig. 5). Fig. 3 shows that the performance overhead (measured with a varying number of cloudlets) is maximal for n = 2k-1, i.e., 5 out of 9 hosts sharing a secret. This is consistent with the exhaustive sensor of Section 4.1: for a fixed n, the number of combinations C(n, k) it must test is largest at k = (n+1)/2 for odd n, which for n = 9 is exactly k = 5. Fig. 4 shows that the performance overhead increases with the number of hosts in a datacenter when the number of cloudlets is kept constant. In case of intrusions, the total execution cost involves the intrusion detection cost and the system recovery cost. Fig. 5 shows the datacenter performance in case of host failures. The total execution time increases with the number of hosts failed.

    5 Conclusion and Future Work

    In this paper, we have proposed a framework for intrusion tolerance based on the layered design of the Cloud Computing architecture. For the validation of the framework, we have simulated an intrusion-tolerant Cloud environment with the security controls and techniques required for intrusion tolerance, using the Intrusion Tolerance via Threshold Cryptography mechanism. It is observed that our framework is capable of detecting and recovering from intrusions in the Cloud Computing environment. Performance analysis of the framework shows that the overhead of integrating the intrusion detection and recovery mechanism in the Cloud Computing environment increases with the number of hosts in a datacenter for the given application. The framework components were designed to be generic. Future work includes (1) refining and extending the implementation of the framework components, and (2) exploring additional supporting mechanisms for intrusion tolerance that can be added to the proposed framework.

    References

    1. Avizienis, A., Laprie, J.C., Randell, B., Landwehr, C.: Basic Concepts and Taxonomy of Dependable and Secure Computing. IEEE Trans. Dependable and Secure Computing 1(1), 11-33 (2004)

    2. Shamir, A.: How to share a secret. Comm. of the ACM 22, 612-613 (1979)

    3. Saidane, A., Nicomette, V., Deswarte, Y.: The Design of a Generic Intrusion-Tolerant Architecture for Web Servers. IEEE Trans. 6, 45-58 (2009)

    4. Powell, D., Stroud, R.: Malicious- and Accidental-Fault Tolerance for Internet Applications: Conceptual Model and Architecture. Technical Report 03011, Project IST-1999-11583 MAFTIA, Deliverable D21, LAAS-CNRS (January 2003)

    5. Ramasamy, H.V., Agbaria, A., Sanders, W.H.: CoBFIT: A Component-Based Framework for Intrusion Tolerance. In: 30th EUROMICRO Conference (EUROMICRO 2004), pp. 591-600 (2004)

    6. Information Technology Infrastructure Library, http://www.itil-officialsite.com/home/

    7. Intrusion Tolerance via Threshold Cryptography, http://crypto.stanford.edu/~dabo/ITTC/

    8. Reynolds, J.C., Just, J., Clough, L., Maglich, R.: On-Line Intrusion Detection and Attack Prevention Using Diversity, Generate-and-Test, and Generalization. In: HICSS 2003, Track 9, vol. 9 (2003)

    9. Pal, P., Schantz, R., Atighetchi, M., Loyall, J.: What Next in Intrusion Tolerance. BBN Technologies, Cambridge

    10. Popovic, K., Hocenski, Z.: Cloud computing security issues and challenges. In: MIPRO 2010, Proceedings of the 33rd International Convention, pp. 344-349 (May 2010)

    11. Proposed Security Assessment and Authorization for U.S. Government Cloud Computing (November 2010), http://www.govinfosecurity.com/

    12. Buyya, R., Ranjan, R., Calheiros, R.N.: Modeling and Simulation of Scalable Cloud Computing Environments and the CloudSim Toolkit: Challenges and Opportunities. University of Melbourne, Australia (July 2009)
