Srinivas Naik, Rajesh Adepu / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 3, Issue 3, May-Jun 2013, pp. 762-765

Focus on Nefarious Behavior Threats in Cloud

Srinivas Naik*, Rajesh Adepu**
* (Department of Computer Science, Princeton College of Engineering, Hyderabad - 501 301)
** (Department of Computer Science, Princeton College of Engineering, Hyderabad - 501 301)

ABSTRACT

Computing over the cloud is emerging into the Internet space with virtual-platform-based applications and is attracting users with its effortless deployments. These enhanced features of cloud computing have drawn the attention of intruders and made it prone to threats, which has led to security concerns. As more services migrate to cloud architecture, the cloud will become a more appealing target for cyber criminals. This paper discusses current threats to cloud computing and summarizes the currently available detection systems for malware in the cloud.

Keywords - Cloud threats, Malware, Security, Threat Detection

INTRODUCTION

Cloud computing is emerging as the de facto service model for modern enterprises. Cloud services such as Apple's iCloud, and established products such as Dropbox, have proven that remote storage and seamless access to data across multiple devices are popular features among consumers. In the future we will see an increase in the reliance on cloud computing as more and more consumers move to mobile platforms for their computing needs.

Cloud technologies are made possible through the use of virtualization to share physical server resources between multiple virtual machines (VMs), as in Fig 1. The advantages of this approach include an increase in the number of clients that can be serviced per physical server and the ability to provide infrastructure as a service (IaaS).

Fig 1

Disadvantages include a more complex software stack and a relatively limited understanding of security issues.
The security issues of regular operating systems (OSs) are well known due to decades of testing and experience in this area. Security breaches now commonly occur at the application level and are less commonly due to a flaw in the OS itself. Exceptions to this are usually due to the inclusion of new features into an OS kernel, either to provide new functionality or to support new hardware. Virtualisation is not only subject to the security issues of applications and operating systems, but also introduces new security issues that are not as well understood, such as the sharing of hardware resources between VMs.

Clouds themselves are composed of a number of virtualized environments which are networked together. The compact topology of this network and the high probability of relative homogeneity across VMs create an ideal environment for rapid malware propagation. Protecting against malware in the cloud therefore requires a certain level of coordination between virtualized environments if threats are to be reliably detected and dealt with.

In this paper we review previous work on malware detection, both conventional and in the presence of virtualization, in order to determine the best approach for detection in the cloud. We also argue the benefits of distributing detection throughout the cloud and present a novel approach to coordinating detection across the cloud. The following sections provide background to the research area, specifically: cloud technologies, security in the cloud, malware detection and detection in the cloud. A further section focuses on malware detection at the hypervisor level and introduces our work in this area.

BACKGROUND

A. Cloud Technologies

Cloud computing is an umbrella term for services that offer offsite computing and storage. There are three main types of cloud computing: software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS). Not all of these require virtualisation; SaaS, for example, could be implemented as a typical client/server service, but virtualisation allows hardware to be better utilised and enables the infrastructure itself to be hired out, as is the case in IaaS.
There are various implementations of virtualisation, but they are all built on the concept of virtual machines (VMs). The VMs exist as virtual computer systems and each has its own operating system (OS) and applications. The VMs are managed by a virtual machine monitor (VMM), which is sometimes referred to as a hypervisor. Virtualization products such as VMware ESXi, Xen Hypervisor, KVM Hypervisor, etc. are examples of bare-metal hypervisors. Another form of virtualization exists at application level within an OS, known as hosted hypervisors. These are referred to as type-I and type-II hypervisors respectively. Type-I hypervisors are the focus of this paper due to their use for cloud services.

The cloud itself is usually composed of many physical server machines, or hardware nodes. These nodes each have their own VMM hosting some VMs. There are a number of reasons for having multiple hardware nodes, the first being limited resources. It is important not to run too many VMs on a single hardware node because of the limited RAM and disk space available. With more than one physical machine it is possible to load balance based on CPU, RAM or network utilisation. Another reason for multiple hardware nodes is redundancy. If a fault is detected on a server, the VMs can be migrated to another server before it goes down. This is achieved in the same way as load balancing, but solves a slightly different problem.

B. Security in the Cloud

Previous work on cloud security has suggested that there are a number of security issues associated with cloud computing. The threats to cloud computing are as follows:

Threat 1: Data Breaches
Threat 2: Data Loss or Leakage
Threat 3: Account or Service Hijacking
Threat 4: Insecure Interfaces and APIs
Threat 5: Denial of Service
Threat 6: Malicious Insiders
Threat 7: Abuse and wicked Use of Cloud Computing
Threat 8: Unknown Security Profile
Threat 9: Shared Technology Issues

Of these, threats 3, 4 and 9 are directly related to malware. Account and service hijacking can be targeted by XSS malware, for example, to perform unauthorized activities. Insecure interfaces and APIs would allow malware running on one VM to execute code or access data on another VM. Shared technology issues include the sharing of physical memory between multiple VMs. This could lead to a new form of worm that, instead of spreading via networks, could spread by writing to the memory owned by another VM. This kind of propagation would be unique to virtualized environments. Other threats could be indirectly related to malware, for example in the deployment of malware by malicious individuals. Some vulnerabilities fall into Denial of Service (Threat 5) when a specific input is triggered. Malicious Insiders (Threat 6) is a similar threat, but instead of being customers the malicious individuals are employees of the cloud provider. Abuse and Nefarious Use of Cloud Computing (Threat 7) is possible due to the relative anonymity of cloud subscription. Malicious organizations could use cloud space as a platform to launch attacks.

Account Hijacking (Threat 3) is a common threat throughout the Internet and would allow malicious individuals to perform similar actions to threats 1 and 4. Threats 2 and 8 are not related to malware and are concerned with data loss, which is a natural occurrence in computer systems, and the opacity that is inherent in the cloud. Data Loss or Leakage is exacerbated in virtualised environments because the system as a whole is more complicated than a single-OS computer system.
Unknown Security Profile is in contrast to in-house servers, where the implementation of data storage and networking is known. A customer has no guarantee that the security measures promised by a cloud provider are actually in place; there is a level of opacity that is not an issue in alternatives to the cloud.

The table below summarises the level of relevance of the existing threats (2013-Q1):

Threat Description                          Current Relevance (%)
Data Breaches                               91
Data Loss or Leakage                        91
Account or Service Hijacking                87
Insecure Interfaces and APIs                90
Denial of Service                           81
Malicious Insiders                          88
Abuse and wicked Use of Cloud Computing     84
Unknown Security Profile                    81
Shared Technology Issues                    82

Table 1

Table 1 explores the relevance of the threats that have been studied in the current quarter. When using software, especially complex software, there is always a risk of an improper implementation or configuration, more so than when using hardware for the same task. Take for example a simple server. The remotely exploitable vulnerabilities are confined to the OS and application software. The same server implemented as a VM is subject to the vulnerabilities of the VMM, OS and applications. It can therefore be assumed that hardware sharing under the management of software is inherently less secure than distinctly separate machines.

C. Malware Detection
Malware detection has been an important issue in computing since the late '80s. Since then the predominant method of malware detection has been to scan a computer system for infection by matching malware signatures to files on the computer. Although detection of known samples is extremely reliable, signature-based detection only works for malware that has been obtained, analyzed and a suitable signature identified. It has to be understood that signature-based detection can be thwarted by analysing the malware instructions and identifying the instructions that comprise the signature. By altering this specific portion of code it is possible to evade detection; in effect the process takes a known sample and converts it into an unknown sample. Another downside to signature-based detection is the maintenance of the signature database. With the constant evolution of malware and the polymorphic nature of many samples it has become necessary to drop old samples from databases. If this practice continues, malware samples which have already been identified will become undetectable and will once again become useful to cyber criminals.

Other malware detection techniques are available in order to overcome the problems of obfuscation and polymorphism. Instead of scanning for matching signatures it is possible to analyze the behavior of a malware sample and base detection on observation of running processes. There are a variety of ways this could be achieved. One approach is to monitor the process names themselves. Unfamiliar or uncommon processes can be assumed to be malicious until further information can be obtained. Another approach is to base detection on the behavior of the process itself. If a process begins executing instructions that match the behavior of a known malware sample, then that process can be considered harmful. Similar techniques can be applied to the monitoring of network activity. If certain addresses or port numbers, or some other features, are present in the traffic directed towards or away from the computer system, it can be assumed that malware is either targeting the system or is already running within the system.

The downside to both signature- and behavior-based detection is that they occur within the OS itself. This gives malware the opportunity to alter the information that is provided to the detection software by the OS. If, for example, the security software polls the OS for a list of running processes, it is possible that malware can alter this list so that the malware process itself is not present in the list. The detection software will then have no knowledge of the malware process and the malware will have escaped detection. This behavior is usually associated with rootkits, but could be employed by any malware.

To combat this, anti-malware organizations offer sandboxing products. Non-OS processes can be encapsulated in a safe execution environment that monitors for malware using both behaviour-based and signature-based detection. There is, however, no guarantee that malware has not infected the OS prior to installation of the detection software, or that infection could not occur due to processes running outside of the sandbox. As long as the detection software exists in the same execution environment as other processes, including malware processes, there is an opportunity for subversion. A better approach would be to perform the detection from outside looking in.

D. Detection in the Cloud

As mentioned in the previous subsection, detection would be best achieved from outside of the OS. This is possible in clouds because they are built on virtualisation, which encapsulates each OS in its own VM.
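As an added illustration (not code from the paper), the following Python sketch contrasts the process list a guest OS reports to in-guest security software with the list the privileged domain obtains by introspection, and then uses fleet-wide prevalence across all hosted VMs to show how combining data from many VMs lowers the false-positive rate of the "unfamiliar process" heuristic. All VM names, process names and sample data are constructed.

```python
from collections import Counter

# Constructed sample data. GUEST_REPORTED is what each guest OS hands to
# in-guest security software; INTROSPECTED is what the privileged domain
# reads from the same guest's memory. All VM and process names are hypothetical.
GUEST_REPORTED = {
    "vm-01": {"init", "sshd", "httpd", "cron", "updchk"},
    "vm-02": {"init", "sshd", "httpd", "cron"},
    "vm-03": {"init", "sshd", "httpd", "cron", "backupd"},
    "vm-04": {"init", "sshd", "httpd", "cron", "backupd"},
}
INTROSPECTED = {
    "vm-01": {"init", "sshd", "httpd", "cron", "updchk"},
    "vm-02": {"init", "sshd", "httpd", "cron", "kworkerd"},  # absent from guest's list
    "vm-03": {"init", "sshd", "httpd", "cron", "backupd"},
    "vm-04": {"init", "sshd", "httpd", "cron", "backupd"},
}
# Baseline an isolated, in-guest detector would use: the processes in its own image.
BASELINE = {"init", "sshd", "httpd", "cron"}

def hidden_processes(vm):
    """Processes visible from outside the guest but missing from the guest's
    own report: the symptom of a rootkit tampering with the process list."""
    return INTROSPECTED[vm] - GUEST_REPORTED[vm]

def unfamiliar_in_guest(vm):
    """What a detector confined to one VM flags: anything not in its baseline."""
    return GUEST_REPORTED[vm] - BASELINE

def fleet_prevalence(views):
    """Fraction of VMs running each process name, computed from the
    introspected (trusted) view of every VM the hypervisor hosts."""
    counts = Counter(name for procs in views.values() for name in procs)
    return {name: counts[name] / len(views) for name in counts}

def assess(vm, threshold=0.5):
    """Per-process verdict for one VM using both cross-view and fleet data.
    'hidden' outranks everything; 'rare' means fleet prevalence below threshold."""
    prevalence = fleet_prevalence(INTROSPECTED)
    hidden = hidden_processes(vm)
    verdicts = {}
    for name in INTROSPECTED[vm]:
        if name in hidden:
            verdicts[name] = "hidden"
        elif prevalence[name] < threshold:
            verdicts[name] = "rare"
        else:
            verdicts[name] = "common"
    return verdicts

if __name__ == "__main__":
    for vm in sorted(INTROSPECTED):
        print(vm, "in-guest flags:", unfamiliar_in_guest(vm), "hypervisor:", assess(vm))
```

On this data the isolated in-guest detector on vm-03 flags backupd as unfamiliar, while the hypervisor-level view sees it on half the fleet and rates it common; conversely, kworkerd on vm-02 is invisible to the in-guest detector and is caught only by the cross-view comparison.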
Detection is now possible by executing detection software in a privileged domain within the virtualization environment. A further step is needed to provide libraries for building monitoring software through VM introspection.

Detection in the cloud not only enables introspection, it could also improve the reliability of statistics-based approaches. Behavioural and anomaly detection techniques are built on statistical analysis and are subject to a level of uncertainty. In an isolated computer system this uncertainty cannot be improved upon because access to additional information is not possible. Detection at the hypervisor level, however, can combine the data from many VMs, which has the potential to reduce uncertainty and false positives in any results.

Although the solutions for malware detection discussed so far seem promising, there is another security risk that is unique to the cloud. The compact network topology of clouds coupled with the likelihood of homogeneous software deployment could allow rapidly propagating malware, such as worms, to propagate even faster and with an increased success rate. This indicates that coordination across the cloud is an important consideration. Not only would a certain level of communication between detection software

CONCLUSION

In this paper we summarized the security issues facing cloud computing. It was determined that as well as conventional attack vectors, which are present in operating systems, virtualization also introduces new opportunities for malware writers. These are due to the sharing of physical resources through software mechanisms, which if implemented incorrectly would allow malware to access the memory in other VMs. This could lead to new forms of malware that spread in a worm-like way by writing to memory instead of spreading via the network.