1 Protection Mechanisms for Application Service Hosting Platforms
Xuxian Jiang, Dongyan Xu, Rudolf Eigenmann
Department of Computer Sciences, Center for Education and Research in Information Assurance and Security (CERIAS), and School of Electrical and Computer Engineering at Purdue University

2 Outline
Motivations and Goals
SODA: a Service-On-Demand Architecture
–Two-level application service hosting platform
Security & Protection
–Controlled communication
–Kernort
–Untamperable logging
Evaluation
Related Work
Conclusion

3 Motivations
Why application service hosting?
–Reflection of the vision of Utility Computing
–Outsourcing
–CDN services
What is challenging?
–Private house vs. apartment building
–Openness
–Sharing
–Mutual isolation, confinement, and protection

4 Goals
To build a value-added secure application service hosting platform based on a shared infrastructure, achieving:
–On-demand creation and provisioning
–Isolation
–Protection
–Accountability
–Privacy

5 Outline
Motivations and Goals
SODA: a Service-On-Demand Architecture
–Two-level application service hosting platform
Security & Protection
–Controlled communication
–Kernort
–Untamperable logging
Evaluation
Related Work
Conclusion

6 SODA
Service-On-Demand Architecture
–On-demand creation and provisioning
–Isolation
Two-level application service hosting platform
–Key technique: Virtualization

7 SODA Architecture
(figure: a physical SODA host running application services AS and AS’)

8 Virtualization: Key Technique
Two-level OS structure
–Host OS
–Guest OS
Strong isolation
–Administration isolation
–Installation isolation
–Fault / attack isolation
–Recovery, migration, and forensics
(figure: one SODA host running a Host OS, with one Guest OS per application service AS 1 … AS n)

9 For detailed information about SODA:
–Xuxian Jiang, Dongyan Xu, "SODA: a Service-On-Demand Architecture for Application Service Hosting Utility Platforms", Proceedings of the 12th IEEE International Symposium on High Performance Distributed Computing (HPDC-12), Seattle, WA, June 2003.

10 Outline
Motivations and Goals
SODA: a Service-On-Demand Architecture
–Two-level application service hosting platform
Security & Protection
–Controlled communication
–Kernort
–Untamperable logging
Evaluation
Related Work
Conclusion

11 Security and Protection
Controlled communication
IDS in guest OS kernel
Untamperable logging (‘blackbox’-ing)
(figure: Host OS with one Guest OS per application service AS 1 … AS n)

12 Controlled Communication
(figure: each virtual machine has its own IP address; the SODA host itself is invisible on the Internet)
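The slide only shows the picture, so here is an added worked example (not code from the SODA project) of the policy a host-side virtual switch with firewalling enforces: every VM is reachable only at its own address and only on the ports it exposes, the host's own address is never a valid destination from any port, a VM may only send from its own address, and VM-to-VM traffic is dropped unless a peer relationship was configured. The class, the ingress-port model and all addresses (RFC 5737 test networks) are constructed for this illustration; the default verdict is "drop", so the switch fails closed.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal packet header: source, destination and destination port."""
    src: str
    dst: str
    dport: int


class VirtualSwitch:
    """Hypothetical host-side switch that mediates all traffic of guest VMs.

    Ingress is either "uplink" (the physical NIC facing the Internet) or the
    name of the VM whose virtual NIC the packet arrived on.
    """

    def __init__(self, host_ip: str):
        self.host_ip = ip_address(host_ip)      # host address, invisible from outside
        self.vms: Dict[str, object] = {}        # vm name -> its public address
        self.exposed: Dict[str, Set[int]] = {}  # vm name -> ports reachable from outside
        self.peers: Set[Tuple[str, str]] = set()  # explicitly allowed VM-to-VM pairs

    def add_vm(self, name: str, addr: str, ports: Set[int]) -> None:
        self.vms[name] = ip_address(addr)
        self.exposed[name] = set(ports)

    def allow_peer(self, a: str, b: str) -> None:
        """Opt two VMs out of mutual isolation (both directions)."""
        self.peers.add((a, b))
        self.peers.add((b, a))

    def _owner(self, addr) -> Optional[str]:
        return next((n for n, a in self.vms.items() if a == addr), None)

    def decide(self, ingress: str, pkt: Packet) -> Tuple[str, str]:
        """Return ("forward" | "drop", reason). Anything not explicitly
        permitted below is dropped."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        # The SODA host is never a valid destination, from the Internet or from a VM.
        if dst == self.host_ip:
            return "drop", "host address is not reachable"
        if ingress == "uplink":
            if self._owner(src) is not None:
                return "drop", "packet from uplink claims a VM source address"
            vm = self._owner(dst)
            if vm is None:
                return "drop", "destination is not a hosted VM"
            if pkt.dport not in self.exposed[vm]:
                return "drop", f"port {pkt.dport} not exposed by {vm}"
            return "forward", f"deliver to {vm}"
        # Packet came in on a VM's virtual NIC: it must carry that VM's address.
        if ingress not in self.vms:
            return "drop", "unknown ingress port"
        if src != self.vms[ingress]:
            return "drop", f"{ingress} may only send from its own address"
        dst_vm = self._owner(dst)
        if dst_vm is None:
            return "forward", "outbound to uplink"
        if (ingress, dst_vm) in self.peers:
            return "forward", f"permitted peer {dst_vm}"
        return "drop", f"{ingress} and {dst_vm} are mutually isolated"


def build_switch() -> VirtualSwitch:
    """Constructed topology: host 192.0.2.1 with two application-service VMs."""
    sw = VirtualSwitch("192.0.2.1")
    sw.add_vm("as1", "192.0.2.10", ports={80, 443})
    sw.add_vm("as2", "192.0.2.11", ports={25})
    return sw


def run_demo() -> List[str]:
    """Verdicts for a constructed set of packets, in order."""
    sw = build_switch()
    cases = [
        ("uplink", Packet("198.51.100.7", "192.0.2.10", 80)),  # client -> as1 web
        ("uplink", Packet("198.51.100.7", "192.0.2.10", 22)),  # client -> as1, port not exposed
        ("uplink", Packet("198.51.100.7", "192.0.2.1", 22)),   # client -> host itself
        ("as1", Packet("192.0.2.10", "192.0.2.11", 25)),       # as1 -> as2, no peer rule
        ("as1", Packet("192.0.2.11", "198.51.100.7", 80)),     # as1 using as2's address
        ("as1", Packet("192.0.2.10", "198.51.100.7", 80)),     # as1 -> Internet
    ]
    return [sw.decide(ingress, pkt)[0] for ingress, pkt in cases]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Because the switch knows which virtual NIC a packet arrived on, the source-address check needs no trust in the guest: a compromised VM cannot impersonate its neighbour or the host, which is the property the "invisible host" picture relies on.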

13 Kernort: IDS in Guest OS Kernel
(figure: Kernort placed inside the guest OS kernel)

14 Kernort: IDS in Guest OS Kernel (2)
VM-based IDS: deployed in each VM
Inside guest OS kernel: a unique vantage point
–Customizable without affecting host OS
–Clearer view
–Untamperable logging (saved to SODA host)
–Fail-close instead of fail-open

15 Kernort: IDS in Guest OS Kernel (3)
Kernort sensor
–Renewable signature set
–Event-driven (system call and packet reception)
Kernort blackbox
–Untamperable logging
–Privacy preservation of ASes
Analyzer
–Exhaustive signature matching
–Detection of complex attack patterns
–Session replay

16 Kernort: IDS in Guest OS Kernel (4)

17 Outline
Motivations and Goals
SODA: a Service-On-Demand Architecture
–Two-level application service hosting platform
Security & Protection
–Controlled communication
–Kernort
–Untamperable logging
Evaluation
Related Work
Conclusion

18 System Performance Overhead

19 Network Throughput & Latency Slowdown

20 Real-Time Alert

21 Session Re-play

22 Outline
Motivations and Goals
SODA: a Service-On-Demand Architecture
–Two-level application service hosting platform
Security & Protection
–Controlled communication
–Kernort
–Untamperable logging
Evaluation
Related Work
Conclusion

23 Related Work
Utility computing architectures
–IBM Oceano, HP UDC
Grid platforms
–Computation: Globus, Condor, Legion, NetSolve, Harness, Cactus
–Storage and data: SRB, NeST, Data Grid, OceanStore
Shared infrastructure
–PlanetLab, Emulab

24 Related Work
Intrusion detection systems
–Snort, VMM-based, retrospection
Virtualization technologies
–Virtual supercomputer (aggregation): NOW, HPVM
–Virtual OS, isolation kernel (slicing): VMWare, Xen (Cambridge), Denali (UW), UML, UMLinux, Virtual Private Server (Ensim)
–Grid computing on VM: Virtuoso (Northwestern), Entropia
–Virtual cluster: Cluster-on-Demand (Duke)
Resource isolation
–GARA, QLinux (UMass), Virtual service (UMich), Resource Container, Cluster Reserves (Rice)

25 Conclusion
New challenges in application service hosting platforms
–Openness, sharing, mutual isolation, confinement, and protection
Two-level architecture for service provisioning
Efficient security & protection mechanisms for ASHP
–Virtual switching and firewalling
–Kernort
–Untamperable logging

26 Thank you.
For more information: {jiangx,dxu}@cs.purdue.edu
http://www.cs.purdue.edu/~jiangx/soda

27 Backup Slides

28 Kernort vs. conventional IDS
Problems with traditional IDS
–Encrypted traffic (e.g. ssh) makes NIDS less effective
–App-level IDS process will be “killed” once a machine is compromised
–Log may be tampered with
–Fail-open
Inside guest OS kernel: a unique vantage point
–Customizable without affecting host OS
–Clearer view
–Untamperable logging (saved to SODA host)
–Fail-close instead of fail-open
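Slides 15 and 28 describe the three Kernort properties that distinguish it from a user-level IDS: an event-driven sensor at the system-call and packet-reception hooks with a renewable signature set, a blackbox whose log is kept on the SODA host where a compromised guest cannot rewrite it, and fail-close behaviour. The following added example (written for this page, not Kernort's kernel code) models those three properties in user space: `HostBlackbox` is a hash-chained append-only log standing in for the host-side store, `KernortSensor` evaluates each event against signatures and records only metadata plus a payload digest (the privacy-preservation point of slide 15), and when the logging channel is unavailable an event is denied rather than silently passed. The signature format, the event dictionaries and the sample event stream are all constructed for the illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

GENESIS = "0" * 64  # chain anchor for the first log record


@dataclass
class Signature:
    """One entry of the sensor's renewable signature set (constructed format)."""
    name: str
    kind: str                         # "syscall" or "packet": which hook it applies to
    match: Callable[[dict], bool]


# Constructed signature set with deliberately simple predicates.
DEFAULT_SIGNATURES = [
    Signature("shell-exec", "syscall",
              lambda e: e["name"] == "execve" and e["args"][0] in ("/bin/sh", "/bin/bash")),
    Signature("path-traversal", "packet",
              lambda e: b"../" in e["payload"]),
]

# Constructed event stream, as the two kernel hooks would deliver it.
SAMPLE_EVENTS = [
    {"kind": "syscall", "name": "execve", "args": ["/usr/sbin/httpd"], "pid": 412},
    {"kind": "packet", "proto": "tcp", "dport": 80, "payload": b"GET /index.html HTTP/1.0\r\n"},
    {"kind": "packet", "proto": "tcp", "dport": 80, "payload": b"GET /../../etc/passwd HTTP/1.0\r\n"},
    {"kind": "syscall", "name": "execve", "args": ["/bin/sh", "-c", "id"], "pid": 519},
]


class HostBlackbox:
    """Append-only, hash-chained log that lives on the SODA host.

    The guest can only append; each record commits to the digest of the
    previous one, so editing or truncating earlier entries breaks the chain
    that the host verifies independently of the guest.
    """

    def __init__(self):
        self.records: List[dict] = []
        self._last_digest = GENESIS
        self.available = True          # set False to simulate a broken channel

    def append(self, record: dict) -> None:
        if not self.available:
            raise IOError("blackbox channel unavailable")
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((self._last_digest + body).encode()).hexdigest()
        self.records.append({"prev": self._last_digest, "body": body, "digest": digest})
        self._last_digest = digest

    def verify(self) -> bool:
        prev = GENESIS
        for rec in self.records:
            expected = hashlib.sha256((prev + rec["body"]).encode()).hexdigest()
            if rec["prev"] != prev or rec["digest"] != expected:
                return False
            prev = rec["digest"]
        return prev == self._last_digest   # also catches truncation of the tail


class KernortSensor:
    """Event-driven sensor: one call per system call or received packet."""

    def __init__(self, blackbox: HostBlackbox, signatures: List[Signature]):
        self.blackbox = blackbox
        self.signatures = list(signatures)

    def renew_signatures(self, signatures: List[Signature]) -> None:
        """Swap in a new signature set without restarting the guest."""
        self.signatures = list(signatures)

    def on_event(self, event: dict) -> Tuple[str, List[str]]:
        """Return ("pass" | "deny", matched signature names).

        Detection never blocks the event; only a logging failure does
        (fail-close), so an attacker cannot gain a blind spot by
        disabling the log.
        """
        hits = [s.name for s in self.signatures
                if s.kind == event["kind"] and s.match(event)]
        record = self._redact(event)
        record["alerts"] = hits
        try:
            self.blackbox.append(record)
        except IOError:
            return "deny", []
        return "pass", hits

    @staticmethod
    def _redact(event: dict) -> dict:
        # Privacy preservation: the host log keeps metadata and a digest of
        # the payload, never the application service's payload bytes.
        rec: Dict[str, object] = {k: v for k, v in event.items() if k != "payload"}
        if "payload" in event:
            rec["payload_sha256"] = hashlib.sha256(event["payload"]).hexdigest()
        return rec


def run_demo() -> dict:
    """Drive the sensor over SAMPLE_EVENTS and exercise tamper and fail-close paths."""
    box = HostBlackbox()
    sensor = KernortSensor(box, DEFAULT_SIGNATURES)
    alerts: List[str] = []
    for ev in SAMPLE_EVENTS:
        _, hits = sensor.on_event(ev)
        alerts.extend(hits)
    intact = box.verify()
    # A guest that could reach the host log and erase its own alert breaks the chain.
    box.records[2]["body"] = box.records[2]["body"].replace('"path-traversal"', "")
    tamper_detected = not box.verify()
    # With the channel down, events are denied instead of passing unlogged.
    box.available = False
    fail_close, _ = sensor.on_event(SAMPLE_EVENTS[0])
    return {"alerts": alerts, "log_intact": intact,
            "tamper_detected": tamper_detected, "fail_close": fail_close}


if __name__ == "__main__":
    print(run_demo())
```

The point the slides make about logs is captured by `verify()`: because the chain state is held by the host, the guest never learns the digests it would need to forge a consistent replacement, so the blackbox remains trustworthy even after the guest kernel itself is compromised.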