Publication | Closed Access
Clustering-Based IaaS Cloud Monitoring
Citations: 35
References: 14
Year: 2017
Unknown Venue
Cluster Computing, Anomaly Detection, Engineering, Information Security, Cloud Computing Architecture, Injected Anomalies, Service Monitoring, Cloud Resource Management, Data Science, Data Mining, Data Management, Virtualization Security, Cloud Computing Security, Computer Science, Cloud Automation, Data Security, Edge Computing, Cloud Computing, Continuous Monitoring Framework, System Monitoring, Industrial Informatics
Organizations increasingly utilize cloud services such as Infrastructure as a Service (IaaS), where virtualized IT infrastructure is offered on demand by cloud providers. A major challenge for cloud providers is the security of virtual resources provided to their customers. In particular, a key concern is whether, for example, virtual machines (VMs) in the datacenter are performing tasks that are not expected of those machines. Given the scale of datacenters, continuous security monitoring of the virtual assets is essential to detect unexpected (and potentially malicious) behavior. In this paper, we develop a continuous monitoring framework for cloud IaaS. The proposed framework uses a modified version of the sequential K-means clustering algorithm for anomaly detection based on variations in resource utilization that can be observed when cloud insiders or malware perform malicious tasks on cloud customers' VMs. Our approach assumes no prior knowledge of the installed applications on the VMs. Finally, our experiments are performed on data collected from our OpenStack (a popular open-source cloud IaaS software) testbed based on a standard 3-tier web architecture with the ability to scale out (i.e., multiple copies of the server are spawned) and scale back (i.e., the number of copies is reduced) on demand. The experiments are based on real-world as well as synthetically injected anomalies.