Detecting Fraud in an OpenStack Cloud

In the cloud, high utilization is the norm, so can administrators detect attacks?

cloud security

PARIS—Securing the cloud isn't just about protecting the network layer from external attacks; it's also about being able to detect fraudulent activities running on the cloud. At the OpenStack Summit here, a group of researchers presented their findings on how to use the OpenStack Ceilometer project—used primarily for billing and metering of cloud usage—to detect fraud.

Debojyoti Dutta, principal engineer in the Office of the Cloud CTO at Cisco Systems, said that often the discussion about cloud is how to optimize for big data and application delivery, but the really important question that always needs to be answered is what is actually happening in any given cloud.

The Ceilometer project first became part of the OpenStack platform with the Grizzly release in 2013, thanks to the contributions and support of AT&T, DreamHost, Rackspace, Red Hat and Hewlett-Packard.

When looking at what's happening on a cloud, being able to detect fraud is important. Fraudulent activities can take many forms, according to Marc Solanas Tarre, software engineer in the Cloud lab at Cisco. For the purposes of his research, Tarre specifically looked to identify distributed denial-of-service (DDoS) attacks as well as mining operations for the Bitcoin cryptocurrency.

"Not all things running in the cloud are good," Tarre said. "We can use Ceilometer data, add some machine learning, and with that will get us real-time fraudulent activity detection."

There are three steps to identifying fraud in the cloud: collect, classify and then counteract.

In the collection stage, the cloud administrator collects information on the cloud, including CPU utilization, network use and disk activity. The Ceilometer data collection can also be used to collect the relevant information every 5 seconds.

In the simplest form of analysis, if there is a high degree of network utilization, there could be a DDoS attack. If there is a high degree of CPU utilization, the first thought an administrator might have is that a Bitcoin mining operation is present. Tarre cautioned, however, that in the cloud, simple analysis isn't always the right answer. For example, a Hadoop big data workload in some respects might mimic the same network and CPU usage patterns as a DDoS attack or Bitcoin mining operation.

Julio Hernandez-Castro, lecturer in computer security at the University of Kent, in Canterbury, U.K., noted that the problem of figuring out what is good and what is bad is not completely trivial. As such, he said there is a need to apply an algorithm to classify the data.

After some evaluation, Hernandez-Castro said he found that the Orange data mining tool is the most effective for his purposes to help classify the data properly.

With the data collected and properly classified, the next step is to counteract. It's possible for an administrator to set up rules to stop the cloud resource that is being abused and block the user, according to Hernandez-Castro.

While the method proposed by Hernandez-Castro can collect data every 5 seconds, he suggests what he referred to as a "metaclassifier" approach to improve accuracy. With the metaclassifier, data is collected every 5 seconds for at least an hour before a decision is made on what the cloud traffic is doing. Using the metaclassifier approach, a near 100 percent accuracy rate of detection is possible, he said.

"No one will mine Bitcoin for just 5 seconds; they're going to mine for hours or even weeks," Hernandez-Castro said. "So doing a metaclassification for an hour is OK."

From a user privacy perspective, Hernandez-Castro emphasized that monitoring the Ceilometer data is a privacy-friendly approach to fraud detection.

"This technique is noninvasive. We're just using data that we would collect anyway because we need it for billing purposes," he said. "We're not spying on anyone, and the method works even if everything is encrypted."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.