Protection Mechanisms for Application Service Hosting Platforms Xuxian Jiang, Dongyan Xu, Rudolf Eigenmann Department of Computer Sciences, Center for.


Protection Mechanisms for Application Service Hosting Platforms Xuxian Jiang, Dongyan Xu, Rudolf Eigenmann Department of Computer Sciences, Center for Education and Research in Information Assurance and Security (CERIAS), and School of Electrical and Computer Engineering at Purdue University

Outline
Motivations and Goals
SODA: a Service-On-Demand Architecture
–Two-level application service hosting platform
Security & Protection
–Controlled communication
–Kernort
–Untamperable logging
Evaluation
Related Work
Conclusion

Motivations
Why application service hosting?
–Reflection of the vision of Utility Computing
–Outsourcing
–CDN services
What is challenging?
–Private house vs. apartment building
–Openness
–Sharing
–Mutual isolation, confinement, and protection

Goals
To build a value-added secure application service hosting platform based on a shared infrastructure, achieving:
–On-demand creation and provisioning
–Isolation
–Protection
–Accountability
–Privacy


SODA
Service-On-Demand Architecture
–On-demand creation and provisioning
–Isolation
Two-level application service hosting platform
–Key technique: Virtualization

SODA Architecture
(Figure: a physical SODA host hosting application services AS and AS’)

Virtualization: Key Technique
Two-level OS structure
–Host OS
–Guest OS
Strong isolation
–Administration isolation
–Installation isolation
–Fault / attack isolation
–Recovery, migration, and forensics
(Figure: one SODA host running a Host OS and guest OSes, each hosting an application service AS 1 … AS n)

For detailed information about SODA:
–Xuxian Jiang, Dongyan Xu, "SODA: a Service-On-Demand Architecture for Application Service Hosting Utility Platforms", Proceedings of the 12th IEEE International Symposium on High Performance Distributed Computing (HPDC-12), Seattle, WA, June 2003.


Security and Protection
Controlled communication
IDS in guest OS kernel
Untamperable logging (‘blackbox’-ing)
(Figure: one SODA host running a Host OS and guest OSes hosting AS 1 … AS n)

Controlled Communication
(Figure: each virtual machine has its own IP address, while the SODA host itself is invisible on the Internet)

Kernort: IDS in Guest OS Kernel
(Figure: Kernort placed inside the guest OS)

Kernort: IDS in Guest OS Kernel (2)
VM-based IDS: deployed in each VM
Inside guest OS kernel: a unique vantage point
–Customizable without affecting host OS
–Clearer view
–Untamperable logging (saved to SODA host)
–Fail-close instead of fail-open

Kernort: IDS in Guest OS Kernel (3)
Kernort sensor
–Renewable signature set
–Event-driven (system call and packet reception)
Kernort blackbox
–Untamperable logging
–Privacy preservation of ASes
Analyzer
–Exhaustive signature matching
–Detection of complex attack patterns
–Session replay

Kernort: IDS in Guest OS Kernel (4)


System Performance Overhead

Network Throughput & Latency Slowdown

Real-Time Alert

Session Re-play


Related Work
Utility computing architectures
–IBM Oceano, HP UDC
Grid platforms
–Computation: Globus, Condor, Legion, NetSolve, Harness, Cactus
–Storage and data: SRB, NeST, Data Grid, OceanStore
Shared infrastructure
–PlanetLab, Emulab

Related Work
Intrusion detection systems
–Snort, VMM-based, retrospection
Virtualization technologies
–Virtual supercomputer (aggregation): NOW, HPVM
–Virtual OS, isolation kernel (slicing): VMware, Xen (Cambridge), Denali (UW), UML, UMLinux, Virtual Private Server (Ensim)
–Grid computing on VM: Virtuoso (Northwestern), Entropia
–Virtual cluster: Cluster-on-Demand (Duke)
Resource isolation
–GARA, QLinux (UMass), Virtual service (UMich), Resource Container, Cluster Reserves (Rice)

Conclusion
New challenges in application service hosting platforms
–Openness, sharing, mutual isolation, confinement, and protection
Two-level architecture for service provisioning
Efficient security & protection mechanisms for ASHP
–Virtual switching and firewalling
–Kernort
–Untamperable logging

Thank you. For more information:

Backup Slides

Kernort vs. conventional IDS
Problems with traditional IDS
–Encrypted traffic (e.g. ssh) makes NIDS less effective
–App-level IDS process will be “killed” once a machine is compromised
–Log may be tampered with
–Fail-open
Inside guest OS kernel: a unique vantage point
–Customizable without affecting host OS
–Clearer view
–Untamperable logging (saved to SODA host)
–Fail-close instead of fail-open
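The sensor / blackbox / analyzer split from the "Kernort: IDS in Guest OS Kernel (3)" slide and the fail-close versus fail-open contrast on this backup slide, as an added Python model that is not part of the original presentation or of Kernort's code; the class names, the substring-match signature, the event records and the session ids are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Event:
    session: str   # constructed id of a connection or process
    kind: str      # "syscall" or "packet": Kernort's two event sources
    data: str      # constructed argument / payload string

class HostBlackbox:
    """Stand-in for the log store on the SODA host, outside the guest VM:
    a compromised guest cannot rewrite records already written here."""
    def __init__(self, available=True):
        self.available = available   # False models a lost channel to the host
        self.records = []

    def append(self, event, verdict):
        if not self.available:
            raise ConnectionError("channel to the SODA host is down")
        self.records.append((event, verdict))

class KernortSensor:
    """Event-driven in-kernel sensor (modelled here, not Kernort's real code)."""
    def __init__(self, blackbox, signatures, fail_closed=True):
        self.blackbox = blackbox
        self.signatures = list(signatures)  # renewable: swap the list at run time
        self.fail_closed = fail_closed

    def inspect(self, event):
        """Return 'allow' or 'deny' for one syscall/packet event."""
        verdict = "deny" if any(s in event.data for s in self.signatures) else "allow"
        try:
            self.blackbox.append(event, verdict)
        except ConnectionError:
            # Logging failed: a fail-closed sensor denies; a fail-open one
            # (the app-level IDS case on the slide) lets the event through unlogged.
            return "deny" if self.fail_closed else verdict
        return verdict

def replay_session(blackbox, session):
    """Analyzer-side session replay built only from the host-side records."""
    return [(e.kind, e.data, v) for e, v in blackbox.records if e.session == session]

def demo():
    bb = HostBlackbox()
    sensor = KernortSensor(bb, signatures=["/etc/shadow"])  # constructed signature
    v1 = sensor.inspect(Event("s1", "packet", "GET /index.html"))
    v2 = sensor.inspect(Event("s1", "syscall", "open /etc/shadow"))
    bb.available = False  # host channel lost: fail-close must take effect
    v3 = sensor.inspect(Event("s2", "packet", "GET /index.html"))
    return v1, v2, v3, replay_session(bb, "s1")
```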