DistAppGaurd: Distributed Application Behaviour Profiling in Cloud-Based Environment

Mohammad Mahdi Ghorbani; Fereydoun Farrahi Moghaddam; Mengyuan Zhang; Makan Pourzandi; Kim Khoa Nguyen; Mohamed Cheriet

doi:10.1145/3485832.3485907

DistAppGaurd: Distributed Application Behaviour Profiling in Cloud-Based Environment

Mohammad Mahdi Ghorbani, Fereydoun Farrahi Moghaddam, Mengyuan Zhang, Makan Pourzandi, Kim Khoa Nguyen, Mohamed Cheriet

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

Today, Machine Learning (ML) techniques are increasingly used to detect abnormal behaviours of industrial applications. Since many of these applications are moving to the cloud environments, classical ML approaches are facing new challenges in accurately identifying abnormal behaviours due to the highly dynamic and heterogeneous nature of the cloud. In this paper, we propose a novel framework, DistAppGaurd, for profiling simultaneously the behaviour of all microservice components of a distributed application in the cloud. The framework can therefore, detect complex attacks that are not observable by monitoring a single process or a single microservice. DistAppGaurd utilizes the system calls executed by all the processes of an application to build a graph consisting of data exchanges among different application entities (e.g., processes and files) representing the behaviour of the application. This representation is then used by our novel miroservice-aware Autoencoder model to perform anomaly detection at runtime. The efficiency and feasibility of our approach is shown by implementing several different real-world attacks, which yields high detection rates (94%-97%) at 0.01% false alarm rate.

Original language	English
Title of host publication	Proceedings - 37th Annual Computer Security Applications Conference, ACSAC 2021
Publisher	Association for Computing Machinery
Pages	837-848
ISBN (Electronic)	9781450385794
DOIs	https://doi.org/10.1145/3485832.3485907
Publication status	Published - 6 Dec 2021
Externally published	Yes
Event	37th Annual Computer Security Applications Conference, ACSAC 2021 - Virtual, Online, United States Duration: 6 Dec 2021 → 10 Dec 2021

Conference

Conference	37th Annual Computer Security Applications Conference, ACSAC 2021
Country/Territory	United States
City	Virtual, Online
Period	6/12/21 → 10/12/21

Funding

[1] Amr S. Abed, Charles Clancy, and David S. Levy. 2015. Intrusion Detection System for Applications Using Linux Containers. In 11th International Workshop on Security and Trust Management. 123-135.

Access to Document

10.1145/3485832.3485907

Persistent URL (handle)

Persistent link

Cite this

@inproceedings{bfe8100d2ce64531936097b1c8b9bee0,

title = "DistAppGaurd: Distributed Application Behaviour Profiling in Cloud-Based Environment",

abstract = "Today, Machine Learning (ML) techniques are increasingly used to detect abnormal behaviours of industrial applications. Since many of these applications are moving to the cloud environments, classical ML approaches are facing new challenges in accurately identifying abnormal behaviours due to the highly dynamic and heterogeneous nature of the cloud. In this paper, we propose a novel framework, DistAppGaurd, for profiling simultaneously the behaviour of all microservice components of a distributed application in the cloud. The framework can therefore, detect complex attacks that are not observable by monitoring a single process or a single microservice. DistAppGaurd utilizes the system calls executed by all the processes of an application to build a graph consisting of data exchanges among different application entities (e.g., processes and files) representing the behaviour of the application. This representation is then used by our novel miroservice-aware Autoencoder model to perform anomaly detection at runtime. The efficiency and feasibility of our approach is shown by implementing several different real-world attacks, which yields high detection rates (94%-97%) at 0.01% false alarm rate.",

author = "Ghorbani, {Mohammad Mahdi} and Moghaddam, {Fereydoun Farrahi} and Mengyuan Zhang and Makan Pourzandi and Nguyen, {Kim Khoa} and Mohamed Cheriet",

year = "2021",

month = dec,

day = "6",

doi = "10.1145/3485832.3485907",

language = "English",

pages = "837--848",

booktitle = "Proceedings - 37th Annual Computer Security Applications Conference, ACSAC 2021",

publisher = "Association for Computing Machinery",

note = "37th Annual Computer Security Applications Conference, ACSAC 2021 ; Conference date: 06-12-2021 Through 10-12-2021",

}

Ghorbani, MM, Moghaddam, FF, Zhang, M, Pourzandi, M, Nguyen, KK & Cheriet, M 2021, DistAppGaurd: Distributed Application Behaviour Profiling in Cloud-Based Environment. in Proceedings - 37th Annual Computer Security Applications Conference, ACSAC 2021. Association for Computing Machinery, pp. 837-848, 37th Annual Computer Security Applications Conference, ACSAC 2021, Virtual, Online, United States, 6/12/21. https://doi.org/10.1145/3485832.3485907

DistAppGaurd: Distributed Application Behaviour Profiling in Cloud-Based Environment. / Ghorbani, Mohammad Mahdi; Moghaddam, Fereydoun Farrahi; Zhang, Mengyuan et al.
Proceedings - 37th Annual Computer Security Applications Conference, ACSAC 2021. Association for Computing Machinery, 2021. p. 837-848.

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - DistAppGaurd

T2 - 37th Annual Computer Security Applications Conference, ACSAC 2021

AU - Ghorbani, Mohammad Mahdi

AU - Moghaddam, Fereydoun Farrahi

AU - Zhang, Mengyuan

AU - Pourzandi, Makan

AU - Nguyen, Kim Khoa

AU - Cheriet, Mohamed

PY - 2021/12/6

Y1 - 2021/12/6

N2 - Today, Machine Learning (ML) techniques are increasingly used to detect abnormal behaviours of industrial applications. Since many of these applications are moving to the cloud environments, classical ML approaches are facing new challenges in accurately identifying abnormal behaviours due to the highly dynamic and heterogeneous nature of the cloud. In this paper, we propose a novel framework, DistAppGaurd, for profiling simultaneously the behaviour of all microservice components of a distributed application in the cloud. The framework can therefore, detect complex attacks that are not observable by monitoring a single process or a single microservice. DistAppGaurd utilizes the system calls executed by all the processes of an application to build a graph consisting of data exchanges among different application entities (e.g., processes and files) representing the behaviour of the application. This representation is then used by our novel miroservice-aware Autoencoder model to perform anomaly detection at runtime. The efficiency and feasibility of our approach is shown by implementing several different real-world attacks, which yields high detection rates (94%-97%) at 0.01% false alarm rate.

AB - Today, Machine Learning (ML) techniques are increasingly used to detect abnormal behaviours of industrial applications. Since many of these applications are moving to the cloud environments, classical ML approaches are facing new challenges in accurately identifying abnormal behaviours due to the highly dynamic and heterogeneous nature of the cloud. In this paper, we propose a novel framework, DistAppGaurd, for profiling simultaneously the behaviour of all microservice components of a distributed application in the cloud. The framework can therefore, detect complex attacks that are not observable by monitoring a single process or a single microservice. DistAppGaurd utilizes the system calls executed by all the processes of an application to build a graph consisting of data exchanges among different application entities (e.g., processes and files) representing the behaviour of the application. This representation is then used by our novel miroservice-aware Autoencoder model to perform anomaly detection at runtime. The efficiency and feasibility of our approach is shown by implementing several different real-world attacks, which yields high detection rates (94%-97%) at 0.01% false alarm rate.

UR - http://www.scopus.com/inward/record.url?scp=85121638675&partnerID=8YFLogxK

U2 - 10.1145/3485832.3485907

DO - 10.1145/3485832.3485907

M3 - Conference contribution

SP - 837

EP - 848

BT - Proceedings - 37th Annual Computer Security Applications Conference, ACSAC 2021

PB - Association for Computing Machinery

Y2 - 6 December 2021 through 10 December 2021

ER -

DistAppGaurd: Distributed Application Behaviour Profiling in Cloud-Based Environment

Abstract

Conference

Funding

Access to Document

Persistent URL (handle)

Other files and links

Fingerprint

Cite this