Catching Falling Dominoes: Cloud Management-Level Provenance Analysis with Application to OpenStack

Azadeh Tabiban; Yosr Jarraya; Mengyuan Zhang; Makan Pourzandi; Lingyu Wang; Mourad Debbabi

doi:10.1109/CNS48642.2020.9162251

Catching Falling Dominoes: Cloud Management-Level Provenance Analysis with Application to OpenStack

Azadeh Tabiban, Yosr Jarraya, Mengyuan Zhang, Makan Pourzandi, Lingyu Wang, Mourad Debbabi

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

The dynamicity and complexity of clouds highlight the importance of automated root cause analysis solutions for explaining what might have caused a security incident. Most existing works focus on either locating malfunctioning clouds components, e.g., switches, or tracing changes at lower abstraction levels, e.g., system calls. On the other hand, a management-level solution can provide a big picture about the root cause in a more scalable manner. In this paper, we propose DOMINOCATCHER, a novel provenance-based solution for explaining the root cause of security incidents in terms of management operations in clouds. Specifically, we first define our provenance model to capture the interdependencies between cloud management operations, virtual resources and inputs. Based on this model, we design a framework to intercept cloud management operations and to extract and prune provenance metadata. We implement DOMINOCATCHER on OpenStack platform as an attached middleware and validate its effectiveness using security incidents based on real-world attacks. We also evaluate the performance through experiments on our testbed, and the results demonstrate that DOMINOCATCHER incurs insignificant overhead and is scalable for clouds.

Original language	English
Title of host publication	2020 IEEE Conference on Communications and Network Security, CNS 2020
Publisher	Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)	9781728147604
DOIs	https://doi.org/10.1109/CNS48642.2020.9162251
Publication status	Published - 1 Jun 2020
Externally published	Yes
Event	2020 IEEE Conference on Communications and Network Security, CNS 2020 - Virtual, Online, France Duration: 29 Jun 2020 → 1 Jul 2020

Conference

Conference	2020 IEEE Conference on Communications and Network Security, CNS 2020
Country/Territory	France
City	Virtual, Online
Period	29/06/20 → 1/07/20

Funding

We thank the anonymous reviewers for their valuable comments and suggestions. This work was supported partially by the Natural Sciences and Engineering Research Council of Canada and Ericsson Canada under the Industrial Research Chair (IRC) in SDN/NFV Security.

Funders	Funder number
Ericsson Canada
Industrial Research Chair
Natural Sciences and Engineering Research Council of Canada

Access to Document

10.1109/CNS48642.2020.9162251

Persistent URL (handle)

Persistent link

Cite this

Tabiban, A., Jarraya, Y., Zhang, M., Pourzandi, M., Wang, L., & Debbabi, M. (2020). Catching Falling Dominoes: Cloud Management-Level Provenance Analysis with Application to OpenStack. In 2020 IEEE Conference on Communications and Network Security, CNS 2020 Article 9162251 Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/CNS48642.2020.9162251

@inproceedings{f130ee552a9c431faedd3676d580a5c1,

title = "Catching Falling Dominoes: Cloud Management-Level Provenance Analysis with Application to OpenStack",

abstract = "The dynamicity and complexity of clouds highlight the importance of automated root cause analysis solutions for explaining what might have caused a security incident. Most existing works focus on either locating malfunctioning clouds components, e.g., switches, or tracing changes at lower abstraction levels, e.g., system calls. On the other hand, a management-level solution can provide a big picture about the root cause in a more scalable manner. In this paper, we propose DOMINOCATCHER, a novel provenance-based solution for explaining the root cause of security incidents in terms of management operations in clouds. Specifically, we first define our provenance model to capture the interdependencies between cloud management operations, virtual resources and inputs. Based on this model, we design a framework to intercept cloud management operations and to extract and prune provenance metadata. We implement DOMINOCATCHER on OpenStack platform as an attached middleware and validate its effectiveness using security incidents based on real-world attacks. We also evaluate the performance through experiments on our testbed, and the results demonstrate that DOMINOCATCHER incurs insignificant overhead and is scalable for clouds.",

author = "Azadeh Tabiban and Yosr Jarraya and Mengyuan Zhang and Makan Pourzandi and Lingyu Wang and Mourad Debbabi",

year = "2020",

month = jun,

day = "1",

doi = "10.1109/CNS48642.2020.9162251",

language = "English",

booktitle = "2020 IEEE Conference on Communications and Network Security, CNS 2020",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

address = "United States",

note = "2020 IEEE Conference on Communications and Network Security, CNS 2020 ; Conference date: 29-06-2020 Through 01-07-2020",

}

Tabiban, A, Jarraya, Y, Zhang, M, Pourzandi, M, Wang, L & Debbabi, M 2020, Catching Falling Dominoes: Cloud Management-Level Provenance Analysis with Application to OpenStack. in 2020 IEEE Conference on Communications and Network Security, CNS 2020., 9162251, Institute of Electrical and Electronics Engineers Inc., 2020 IEEE Conference on Communications and Network Security, CNS 2020, Virtual, Online, France, 29/06/20. https://doi.org/10.1109/CNS48642.2020.9162251

Catching Falling Dominoes: Cloud Management-Level Provenance Analysis with Application to OpenStack. / Tabiban, Azadeh; Jarraya, Yosr; Zhang, Mengyuan et al.
2020 IEEE Conference on Communications and Network Security, CNS 2020. Institute of Electrical and Electronics Engineers Inc., 2020. 9162251.

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Catching Falling Dominoes

T2 - 2020 IEEE Conference on Communications and Network Security, CNS 2020

AU - Tabiban, Azadeh

AU - Jarraya, Yosr

AU - Zhang, Mengyuan

AU - Pourzandi, Makan

AU - Wang, Lingyu

AU - Debbabi, Mourad

PY - 2020/6/1

Y1 - 2020/6/1

N2 - The dynamicity and complexity of clouds highlight the importance of automated root cause analysis solutions for explaining what might have caused a security incident. Most existing works focus on either locating malfunctioning clouds components, e.g., switches, or tracing changes at lower abstraction levels, e.g., system calls. On the other hand, a management-level solution can provide a big picture about the root cause in a more scalable manner. In this paper, we propose DOMINOCATCHER, a novel provenance-based solution for explaining the root cause of security incidents in terms of management operations in clouds. Specifically, we first define our provenance model to capture the interdependencies between cloud management operations, virtual resources and inputs. Based on this model, we design a framework to intercept cloud management operations and to extract and prune provenance metadata. We implement DOMINOCATCHER on OpenStack platform as an attached middleware and validate its effectiveness using security incidents based on real-world attacks. We also evaluate the performance through experiments on our testbed, and the results demonstrate that DOMINOCATCHER incurs insignificant overhead and is scalable for clouds.

AB - The dynamicity and complexity of clouds highlight the importance of automated root cause analysis solutions for explaining what might have caused a security incident. Most existing works focus on either locating malfunctioning clouds components, e.g., switches, or tracing changes at lower abstraction levels, e.g., system calls. On the other hand, a management-level solution can provide a big picture about the root cause in a more scalable manner. In this paper, we propose DOMINOCATCHER, a novel provenance-based solution for explaining the root cause of security incidents in terms of management operations in clouds. Specifically, we first define our provenance model to capture the interdependencies between cloud management operations, virtual resources and inputs. Based on this model, we design a framework to intercept cloud management operations and to extract and prune provenance metadata. We implement DOMINOCATCHER on OpenStack platform as an attached middleware and validate its effectiveness using security incidents based on real-world attacks. We also evaluate the performance through experiments on our testbed, and the results demonstrate that DOMINOCATCHER incurs insignificant overhead and is scalable for clouds.

UR - http://www.scopus.com/inward/record.url?scp=85090167225&partnerID=8YFLogxK

U2 - 10.1109/CNS48642.2020.9162251

DO - 10.1109/CNS48642.2020.9162251

M3 - Conference contribution

BT - 2020 IEEE Conference on Communications and Network Security, CNS 2020

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 29 June 2020 through 1 July 2020

ER -

Catching Falling Dominoes: Cloud Management-Level Provenance Analysis with Application to OpenStack

Abstract

Conference

Funding

Access to Document

Persistent URL (handle)

Other files and links

Fingerprint

Cite this