Diego Zamboni

Cloud security is not (just) virtualization security: a short paper

Cloud infrastructure commonly relies on virtualization. Customers provide their own VMs, and the cloud provider runs them often without knowledge of the guest OSes or their configurations. However, cloud customers also want effective and efficient security for their VMs. Cloud providers offering security-as-a-service based on VM introspection promise the best of both worlds: efficient centralization and effective protection. Since customers can move images from one cloud to another, an effective solution requires learning what guest OS runs in each VM and securing the guest OS without relying on the guest OS functionality or an initially secure guest VM state. We present a solution that is highly scalable in that it (i) centralizes guest protection into a security VM, (ii) supports Linux and Windows operating systems and can be easily extended to support new operating systems, (iii) does not assume any a-priori semantic knowledge of the guest, (iv) does not require any a-priori trust assumptions into any state of the guest VM. While other introspection monitoring solutions exist, to our knowledge none of them monitor guests on the semantic level required to effectively support both white- and black-listing of kernel functions, or allows to start monitoring VMs at any state during run-time, resumed from saved state, and cold-boot without the assumptions of a secure start state for monitoring.

Guest Editorial: From intrusion detection to self-protection

Modern computer systems have become so complex and interdependent that the traditional model of system defense, utilizing layers and including an intrusion detection system that provides alerts to a human who responds to them, is becoming unfeasible. Effective human-guided real-time responses are no longer a reasonable expectation for large scale systems--this is particularly troublesome because a failure to respond correctly and rapidly can have disastrous consequences. In an ideal world, our systems would automatically detect and respond to threats of all kinds, including but not limited to automated attacks, human-guided attacks, and the constant onslaught of unsolicited email (spam). Traditionally, these threats have been dealt with by separate communities--the anti-virus community, the intrusion-detection/firewall community, and the anti-spam community. Today however, we see an increasing need for integrating different technologies toward achieving a common goal. In this special issue, we surveyed the research community with the intent of identifying novel, multidisciplinary and integrated approaches to system defense that contribute towards development of true self-protecting and self-healing systems. The result is reflected in the articles we selected.

A data mining approach for analysis of worm activity through automatic signature generation

This paper proposes a novel framework to automatically discover and analyze traffic generated by computer worms and other anomalous behaviors that interact with a non-solicited traffic monitoring system. Network packets are analyzed by an Intrusion Detection System (IDS), and new signatures are generated clustering those which remain unknown for the IDS. Furthermore, the framework provides a mechanism to cluster the alarms produced by the IDS producing a correlated vision of the traffic observed. Both the automatic signature generation and the alarm clusters are accomplished using data mining techniques.

How to hook worms [computer network security]

This paper discusses the use of intrusion detection systems to protect against the various threats faced by computer systems by way of worms, viruses and other forms of attacks. Intrusion detection systems attempt to detect things that are wrong in a computer network or system. The main problems of these systems, however, are the many false alarms they produce, their lack of resistance to both malicious attacks and accidental failures, and the constant appearance of new attacks and vulnerabilities. IBM Zurich Research Laboratory has developed a system that specifically targets worms rather than trying to prevent all breaches of computer security. Called Billy Goat, the specialized worm detection system runs on a dedicated machine connected to the network and detects worm-infected machines anywhere in it. Billy Goat has been proven effective at detecting worm-infected machines in a network. It is currently used in several large corporate intranets, and it is normally able to detect infected machines within seconds of their becoming infected. Furthermore, not only is it able to detect the presence of a worm in the network, it can even provide the addresses of the infected machines. This makes it considerably easier to remedy the problem.