Abstract

The multi-tenancy of a cloud, together with its dynamic and self-service nature, can cause severe security concerns, such as isolation breaches among cloud tenants. To mitigate such concerns and to ensure the accountability and transparency of cloud providers towards their tenants, verifying cloud states against a list of security policies, known as security auditing, is a promising solution. However, the existing security auditing solutions for clouds suffer from several limitations. First, the traditional auditing approach is retroactive in nature: it can only detect violations after the fact and hence often becomes ineffective in the face of the dynamic nature of a cloud. Second, the existing runtime approaches can cause significant delay in response time when dealing with the sheer size of a cloud. Finally, the current proactive approaches typically rely on prior knowledge about future changes in a cloud and also require significant manual effort, and thus become less practical for a dynamic environment like a cloud. To address those limitations, we present a novel proactive security auditing system, namely ProSAS, which can prevent violations of security policies at runtime with a practical response time, and yet does not require prior knowledge about future changes.
More specifically, ProSAS first establishes its models (e.g., dependency relationships between cloud events, and the set of critical events) by learning from historical data (e.g., logs); it then predicts the critical events that are likely to follow a received event by leveraging those dependency relationships; finally, it proactively verifies the impact of those predicted events and prevents the ones that would cause violations of security policies. ProSAS is integrated into OpenStack, a popular cloud management platform, and we provide a concrete guideline for porting ProSAS to other popular cloud platforms, such as Google Cloud Platform and Amazon EC2. Our experimental results using both real and synthetic data demonstrate the improvement in efficiency (i.e., reducing response time to 1,450 nanoseconds at best and 8.5 milliseconds on average for a large-scale cloud with 10,000 tenants) and in the level of automation (i.e., learning more than 20 new critical events spanning 100 days) that ProSAS brings to proactive security auditing.
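The three-stage pipeline sketched above (learn dependencies and critical events from logs, predict likely critical successors of a received event, pre-verify their impact so the verdict is ready before the critical event arrives) is illustrated below in a small Python model. This is an added example written for this page, not the ProSAS implementation or its OpenStack integration: the log format, the event schema (`create_network`, `create_port`, `attach_port`, `create_vm`, `delete_port`), the "VIOLATION" marker used to derive critical events, the tenant-isolation policy, and the rule that instantiates a predicted event type with concrete parameters are all hypothetical simplifications chosen for the illustration.

```python
"""Toy proactive auditing pipeline in the spirit of ProSAS.

Added illustration, not the paper's code. Everything below (log format, event
schema, policy, instantiation rule) is a hypothetical simplification.
"""
from collections import Counter, defaultdict
from copy import deepcopy

# Constructed historical log: per-tenant ordered event sequences. A trailing
# "VIOLATION" marker records that a retroactive audit found the preceding
# event to breach a policy (hypothetical format, not OpenStack's own logs).
HISTORICAL_LOG = {
    "tenantA": ["create_network", "create_port", "attach_port", "create_vm",
                "create_port", "attach_port", "VIOLATION", "delete_port"],
    "tenantB": ["create_network", "create_port", "attach_port", "create_vm",
                "create_port", "attach_port", "VIOLATION"],
    "tenantC": ["create_network", "create_port", "delete_port",
                "create_port", "attach_port", "create_vm"],
}


def learn_models(log):
    """Stage 1: learn P(next | prev) between event types and the critical set.

    An event type is critical if it was ever immediately followed by a
    VIOLATION marker in the historical log.
    """
    follow = defaultdict(Counter)
    critical = set()
    for events in log.values():
        for prev, nxt in zip(events, events[1:]):
            if nxt == "VIOLATION":
                critical.add(prev)
            elif prev != "VIOLATION":
                follow[prev][nxt] += 1
    deps = {p: {n: c / sum(cs.values()) for n, c in cs.items()}
            for p, cs in follow.items()}
    return deps, critical


def apply_event(state, ev):
    """Apply one event to a cloud-state snapshot (hypothetical event schema)."""
    p = ev["params"]
    if ev["type"] == "create_network":
        state["networks"][p["network"]] = ev["tenant"]
    elif ev["type"] == "create_vm":
        state["vms"][p["vm"]] = ev["tenant"]
    elif ev["type"] == "create_port":
        state["ports"][p["port"]] = {"network": p["network"], "owner": ev["tenant"]}
    elif ev["type"] == "attach_port":
        state["attachments"][p["port"]] = p["vm"]
    elif ev["type"] == "delete_port":
        state["ports"].pop(p["port"], None)
        state["attachments"].pop(p["port"], None)
    return state


def isolation_violations(state):
    """Policy (hypothetical): a VM may only use ports on networks owned by its tenant."""
    out = []
    for port, vm in state["attachments"].items():
        net_owner = state["networks"][state["ports"][port]["network"]]
        if state["vms"][vm] != net_owner:
            out.append((port, vm))
    return out


def candidate_futures(state, received, critical_event):
    """Instantiate a predicted event type with concrete parameters.

    Hypothetical rule: after create_port, the new port may next be attached
    to any VM owned by the same tenant.
    """
    if received["type"] == "create_port" and critical_event == "attach_port":
        return [{"type": "attach_port", "tenant": received["tenant"],
                 "params": {"port": received["params"]["port"], "vm": vm}}
                for vm, owner in state["vms"].items() if owner == received["tenant"]]
    return []


def event_key(ev):
    return (ev["type"], tuple(sorted(ev["params"].items())))


def proactive_audit(state, received, deps, critical, threshold=0.5):
    """Stages 2 and 3: apply the received event, then pre-verify each likely
    critical successor on a copy of the state and cache a verdict for it."""
    apply_event(state, received)
    decisions = {}
    for nxt, prob in deps.get(received["type"], {}).items():
        if nxt not in critical or prob < threshold:
            continue
        for fut in candidate_futures(state, received, nxt):
            trial = apply_event(deepcopy(state), fut)
            decisions[event_key(fut)] = "deny" if isolation_violations(trial) else "allow"
    return decisions


def respond(decisions, ev):
    """Runtime path: constant-time lookup of a precomputed verdict; an event that
    was not predicted falls back to a full (slower) verification."""
    return decisions.get(event_key(ev), "verify")


if __name__ == "__main__":
    deps, critical = learn_models(HISTORICAL_LOG)
    state = {"networks": {"netA": "tenantA", "netB": "tenantB"},
             "vms": {"vmB1": "tenantB"}, "ports": {}, "attachments": {}}
    received = {"type": "create_port", "tenant": "tenantB",
                "params": {"port": "p9", "network": "netA"}}
    decisions = proactive_audit(state, received, deps, critical)
    later = {"type": "attach_port", "tenant": "tenantB",
             "params": {"port": "p9", "vm": "vmB1"}}
    print("critical:", critical, "verdict:", respond(decisions, later))
```

The point of the split between `proactive_audit` and `respond` is the one the abstract makes about response time: the expensive work (instantiating candidate events and checking the policy on a state copy) runs when the precursor event arrives, so that when the critical event itself shows up the decision is a dictionary lookup. Events the model did not predict still get verified, just not with the precomputed fast path.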
