Business Logic Abuse Detection in Cloud Computing Systems Grzegorz Kołaczek 1st International IBM Cloud Academy Conference Research Triangle Park, NC April 19-20,2012

Agenda Introduction Business logic abuses Spatial statistics Detection of business logic abuses Conclusions

Introduction Ten most interesting to industry consumers and security professionals security service categories according to Cloud Security Alliance (2011): –1: Identity and Access Management –2: Data Loss Prevention –3: Web Security –4: Security –5: Security Assessments –6: Intrusion Management –7: Security Information and Event Management (SIEM) –8: Encryption –9: Business Continuity and Disaster Recovery –10: Network Security

Introduction Some of these categories are well known and typical for a very broad range of computer systems The importance of the others is relatively new and strictly related to cloud and service oriented systems e.g.: –web security –identity and access management –security information and event management

Introduction One of such security related research area, which is crucial for further evolution of Cloud Computing is business logic abuse detection. Business logic abuse is the abuse of the legitimate business logic of a website or other function that allows interaction. Business logic abuse is usually aimed to exploit in some way the system that supports certain business logic e.g. by an illicit use of a legitimate website function.

Business logic abuses Examples of business logic abuse: –password guessing Password guessing is a mechanism for a intruder to gain access to an account without having the password –using the credit card verification function of a website to confirm validity and expiration dates of stolen credit cards –mass registering accounts or stealing accounts on a website to send spam to the website’s users, and scraping “personal identifiable information”

Business logic abuses Detection of business logic abuse is difficult because the offenders are using the same functionality as the legitimate users and therefore, their actions are likely intermixed with real actions. For example in password guessing –Intruder is using the login function of the website to perpetrate his fraud –The website doesn’t want to turn off the login function, but still needs to stop the intruder from stealing accounts

Business logic abuses While the intruder is using a legitimate flow on a website or other application, so disabling that flow would influence also the interactions of legitimate users. This is why the new and versatile methods are required to support the Cloud Computing with appropriate services that could secure them from this type of risk

Business logic abuses One of possible solution of the business logic abuses is anomaly detection approach. The proposition how to solve the problem of business logic abuses by detection of anomalies in statistical spatial analysis reports is the main point of the current presentation.

Spatial statistics Spatial analysis is the process of discovering interesting and previously unknown, but potentially useful patterns from spatial datasets. Extracting interesting and useful patterns from spatial datasets is more challenging than extracting the corresponding patterns from traditional data. This difficulty arises from the complexity of spatial relationships and spatial auto-correlation

Spatial statistics The research focuses on a statistical model to represent observations of interactions among services constituting some composite services delivered by cloud computing environment. The spatial relationships which are often used as a synonymous with geographical distance between objects, in this case have been redefined as the logical distance between services in an execution graph. The execution graph is created as the description of the sequence in which atomic services must be executed to provide required functionality.

Spatial statistics Composite services description is generated from the high level description of business processes. This means that the distance between services is measured as a distance between nodes in a graph rep- resenting composite service execution plan This model has been used for estimation and description of spatial correlations among network nodes.

Spatial statistics Spatial outliers are observations which appear to be inconsistent with their neighborhoods. A spatial outlier can be defined as a spatially referenced object whose non-spatial attribute values differ significantly from those of other spatially referenced objects in its spatial neighborhood. Informally, a spatial outlier is a local instability. –For example, an atomic service (e.g. password validation) executed several times during single complex service execution (e.g. user authentication using LDAP) can be assumed as an abnormal behavior and so as a potential business logic abuse.

Detection of business logic abuses The aim of this research was to verify the possibility to detect the abrupt changes in execution of the composite services in cloud computing environment. Following spatial analysis methods were applied: –Moran-I tests analysis –Local Moran tests analysis –Spatial correlogram analysis

Detection of business logic abuses For testing purposes, two types of composite services have been generated The general assumption for both execution plans is that the first service executed is a service denoted by V1 and then, all subsequent services are executed one by one till the last service in the plan.

Detection of business logic abuses For both variants of composite services two scenarios have been simulated and then investigated with the spatial statistical methods: –secure behavior the execution of atomic services exactly follows the execution plan –business logic abuse demonstrates the influence of the potential business logic abuses on the spatial correlations measured during the complex service execution.

Detection of business logic abuses The execution plan of the first composite service has been disturbed by repeating execution of the service V2. –This can be interpreted e.g. as the password guessing.

Detection of business logic abuses The execution of the second complex service, multipart complex service, has been disturbed by simultaneously executing the ‘hidden complex service’ composed by services V3, V5,V7,V8. –This can be interpreted as e.g. privileges escalation or intruder search for additional functionalities.

Detection of business logic abuses Moran-I test results –The first scenario with normal execution of the composite services there is significant positive spatial correlation of the execution time of the atomic services. –The second scenario with business logic abuses the value of the spatial correlation is negative,

Detection of business logic abuses

Local Moran test results (simple composite service) –The first scenario with normal execution of the composite services there is no significant positive local spatial correlations there are no ‘clusters’ of services and also there are no ‘outliers’ –The second scenario with business logic abuses as in the previous scenario there are no valid positive local correlations and so there are no ‘clusters’ the service V2 is local ‘outlier’ local Moran test give us significant information about the source of the problems while executing composite service

Detection of business logic abuses Spatial correlogram –Spatial correlogram allows to tests and visualize whether the observed value of a variable at one location is independent of values of that variable at neighboring locations. –Positive spatial autocorrelation indicates that similar values appear close to each other, or cluster, in space –Negative spatial autocorrelation indicates that neighboring values are dissimilar or that similar values are dispersed. –Null spatial autocorrelation indicates that the spatial pattern is random. –In this research the correlogram of input/output flows of the corresponding network nodes has been investigated.

Detection of business logic abuses

Conclusions The paper presented an original approach to detection of logical business abuses appearing during execution of complex services in cloud systems. The proposed method of logical business abuses identification benefits form the statistical spatial analysis. The presented method of composite services execution analysis can be used to support various security related tasks for example can be used as anomaly detection technique or for detecting frauds. The preliminary results discussed in this paper are very promising, so the further research in this field has been planned. Presented spatial analysis based method can be used for detection of services which are spatial outliers in a cloud services. The services which would be classified as spatial outliers could indicate problems with resources utilization planning or suspicious functionality of the service.

Thank you for your attention The research presented in this work was partially supported by the European Union within the European Regional Development Fund program no. POIG /08: New SOA information technologies for industry and information society