DeMETER in clouds: detection of malicious external thread execution in runtime with machine learning in PaaS clouds

Abstract

Current state of PaaS allows rapid outsourcing of web applications without noticeable configuration effort. It could be foreseen that a noteworthy security guarantee in this cloud deployment model make organizations adopt PaaS easier. To date, provisioning security-guaranteed PaaS offerings required isolated processes, which is computationally-intensive and therefore expensive for the cloud provider. A novel security mechanism is proposed in this study to protect the PaaS providers against malicious behavior; thereby, their tenants. The mechanism does not strictly isolate tenants, but let them share the resources as in conventional web applications; therefore the computational efficiency is competitive. The novelty lies in classifying the malicious behavior of worker threads of web applications in a privacy-friendly way; where possible, without interfering with the threads. These threads may execute many code snippets in the same process context on behalf of the provider, the tenants or the tenants’ users in a web application server. It is cumbersome and error-prone to isolate each code snippet separately. Instead, classifying thread behavior helps to detect malicious flow of execution. The proposed mechanism is significantly different from intrusion detection systems or virus scanners as it only focuses on the processor usage and critical resource access. Historical web application attacks based on OWASP reports as well as future trends are analyzed and a sample web traffic of 100,000 requests, which includes 1% malicious traffic rooted from the most common attacks, is generated to prove the concept. The generated web traffic is tested on a cloud-based demo application on a live cloud environment. The thread behavior is monitored only based on CPU load and database access to keep the mechanism privacy-friendly for all cloud stakeholders. Even though the executed instructions are not monitored, the collected telemetry forms a vast amount of trace for classification. This privacy-friendly feature set is extracted and evaluated on several classifiers to detect malicious threads. It is observed that the classification accuracy is remarkably successful.