1、Business Logic Abuse Detection in Cloud Computing Systems Grzegorz Koaczek,1st International IBM Cloud Academy ConferenceResearch Triangle Park, NC April 19-20,2012,Agenda,Introduction Business logic abuses Spatial statistics Detection of business logic abuses Conclusions,Introduction,Ten most inter
2、esting to industry consumers and security professionals security service categories according to Cloud Security Alliance (2011): 1: Identity and Access Management 2: Data Loss Prevention 3: Web Security 4: Email Security 5: Security Assessments 6: Intrusion Management 7: Security Information and Eve
3、nt Management (SIEM) 8: Encryption 9: Business Continuity and Disaster Recovery 10: Network Security,Introduction,Some of these categories are well known and typical for a very broad range of computer systemsThe importance of the others is relatively new and strictly related to cloud and service ori
4、ented systems e.g.: web security identity and access management security information and event management,Introduction,One of such security related research area, which is crucial for further evolution of Cloud Computing is business logic abuse detection. Business logic abuse is the abuse of the leg
5、itimate business logic of a website or other function that allows interaction. Business logic abuse is usually aimed to exploit in some way the system that supports certain business logic e.g. by an illicit use of a legitimate website function.,Business logic abuses,Examples of business logic abuse:
6、 password guessing Password guessing is a mechanism for a intruder to gain access to an account without having the passwordusing the credit card verification function of a website to confirm validity and expiration dates of stolen credit cardsmass registering accounts or stealing accounts on a websi
7、te to send spam to the websites users, and scraping “personal identifiable information”,Business logic abuses,Detection of business logic abuse is difficult because the offenders are using the same functionality as the legitimate users and therefore, their actions are likely intermixed with real act
8、ions. For example in password guessing Intruder is using the login function of the website to perpetrate his fraud The website doesnt want to turn off the login function, but still needs to stop the intruder from stealing accounts,Business logic abuses,While the intruder is using a legitimate flow o
9、n a website or other application, so disabling that flow would influence also the interactions of legitimate users. This is why the new and versatile methods are required to support the Cloud Computing with appropriate services that could secure them from this type of risk,Business logic abuses,One
10、of possible solution of the business logic abuses is anomaly detection approach. The proposition how to solve the problem of business logic abuses by detection of anomalies in statistical spatial analysis reports is the main point of the current presentation.,Spatial statistics,Spatial analysis is t
11、he process of discovering interesting and previously unknown, but potentially useful patterns from spatial datasets. Extracting interesting and useful patterns from spatial datasets is more challenging than extracting the corresponding patterns from traditional data. This difficulty arises from the
12、complexity of spatial relationships and spatial auto-correlation,Spatial statistics,The research focuses on a statistical model to represent observations of interactions among services constituting some composite services delivered by cloud computing environment. The spatial relationships which are
13、often used as a synonymous with geographical distance between objects, in this case have been redefined as the logical distance between services in an execution graph. The execution graph is created as the description of the sequence in which atomic services must be executed to provide required func
14、tionality.,Spatial statistics,Composite services description is generated from the high level description of business processes. This means that the distance between services is measured as a distance between nodes in a graph rep-resenting composite service execution plan This model has been used fo
15、r estimation and description of spatial correlations among network nodes.,Spatial statistics,Spatial outliers are observations which appear to be inconsistent with their neighborhoods. A spatial outlier can be defined as a spatially referenced object whose non-spatial attribute values differ signifi
16、cantly from those of other spatially referenced objects in its spatial neighborhood. Informally, a spatial outlier is a local instability. For example, an atomic service (e.g. password validation) executed several times during single complex service execution (e.g. user authentication using LDAP) ca
17、n be assumed as an abnormal behavior and so as a potential business logic abuse.,Detection of business logic abuses,The aim of this research was to verify the possibility to detect the abrupt changes in execution of the composite services in cloud computing environment. Following spatial analysis me
18、thods were applied: Moran-I tests analysis Local Moran tests analysis Spatial correlogram analysis,Detection of business logic abuses,For testing purposes, two types of composite services have been generatedThe general assumption for both execution plans is that the first service executed is a servi
19、ce denoted by V1 and then, all subsequent services are executed one by one till the last service in the plan.,Detection of business logic abuses,For both variants of composite services two scenarios have been simulated and then investigated with the spatial statistical methods: secure behavior the e
20、xecution of atomic services exactly follows the execution plan business logic abuse demonstrates the influence of the potential business logic abuses on the spatial correlations measured during the complex service execution.,Detection of business logic abuses,The execution plan of the first composit
21、e service has been disturbed by repeating execution of the service V2. This can be interpreted e.g. as the password guessing.,Detection of business logic abuses,The execution of the second complex service, multipart complex service, has been disturbed by simultaneously executing the hidden complex s
22、ervice composed by services V3, V5,V7,V8 . This can be interpreted as e.g. privileges escalation or intruder search for additional functionalities.,Detection of business logic abuses,Moran-I test results The first scenario with normal execution of the composite services there is significant positive
23、 spatial correlation of the execution time of the atomic services. The second scenario with business logic abuses the value of the spatial correlation is negative,Detection of business logic abuses,Detection of business logic abuses,Local Moran test results (simple composite service) The first scena
24、rio with normal execution of the composite services there is no significant positive local spatial correlations there are no clusters of services and also there are no outliers The second scenario with business logic abuses as in the previous scenario there are no valid positive local correlations a
25、nd so there are no clusters the service V2 is local outlier local Moran test give us significant information about the source of the problems while executing composite service,Detection of business logic abuses,Spatial correlogram Spatial correlogram allows to tests and visualize whether the observe
26、d value of a variable at one location is independent of values of that variable at neighboring locations. Positive spatial autocorrelation indicates that similar values appear close to each other, or cluster, in space Negative spatial autocorrelation indicates that neighboring values are dissimilar
27、or that similar values are dispersed. Null spatial autocorrelation indicates that the spatial pattern is random. In this research the correlogram of input/output flows of the corresponding network nodes has been investigated.,Detection of business logic abuses,Conclusions,The paper presented an orig
28、inal approach to detection of logical business abuses appearing during execution of complex services in cloud systems. The proposed method of logical business abuses identification benefits form the statistical spatial analysis. The presented method of composite services execution analysis can be us
29、ed to support various security related tasks for example can be used as anomaly detection technique or for detecting frauds. The preliminary results discussed in this paper are very promising, so the further research in this field has been planned. Presented spatial analysis based method can be used
30、 for detection of services which are spatial outliers in a cloud services. The services which would be classified as spatial outliers could indicate problems with resources utilization planning or suspicious functionality of the service.,Thank you for your attention,The research presented in this work was partially supported by the European Union within the European Regional Development Fund program no. POIG.01.03.01-00-008/08: New SOA information technologies for industry and information society,
