IBM J. Res. Dev.

Closing the loop: Network and in-host monitoring tandem for comprehensive cloud security visibility

Cloud computing has become attractive not only for organizations and end-users but also for attackers, who use cloud environments to exploit the offered economies of scale: a cloud environment consists of a large set of systems with excellent network connectivity and similar configurations. In this paper, we propose a comprehensive approach to monitoring cloud computing environments by building an awareness framework that combines passive network monitoring principles with in-host monitoring. Passive network monitoring can detect suspicious activities from observations on the network layer but cannot attribute them to processes on cloud computing instances. In contrast, monitoring of the in-host auditing subsystem provides fine-grained information about events within a given instance but misses the higher-level perspective of events across the environment. We have devised a system that uses a big data approach to combine analytics on both levels. The analytics complement each other to detect advanced cyber security attacks and provide contextual links to security analysts investigating these attacks. We demonstrate the utility and efficacy of the framework by means of a study of a sophisticated, advanced-persistent-threat-style internal spear-phishing attack on a large-scale production cloud environment.
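The core idea of the abstract, joining network-layer observations with host-level audit records so that a flow can be attributed to the process that produced it, is illustrated below with an added example. This is not the paper's system or code: the flow and audit record layouts, the five-second correlation window, the `EXPECTED_EXE` allowlist and all sample values are constructed assumptions for the demonstration. It also shows the two outcomes a practitioner cares about: a flow attributed to an unexpected process, and a flow with no matching host telemetry at all (a visibility gap in the in-host layer).

```python
"""Correlate passive network flow records with in-host audit events.

Added example (not from the paper). All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """A passive network observation: who talked to whom, when, how much."""
    ts: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    bytes_out: int


@dataclass(frozen=True)
class AuditEvent:
    """An in-host audit record for an outbound connect() by a process."""
    ts: datetime
    host_ip: str
    pid: int
    exe: str
    src_port: int
    dst_ip: str
    dst_port: int


def attribute_flows(flows: List[Flow], events: List[AuditEvent],
                    window: timedelta = timedelta(seconds=5)
                    ) -> List[Tuple[Flow, Optional[AuditEvent]]]:
    """Attach to each flow the closest-in-time audit event from the same host
    with the same (src_port, dst_ip, dst_port). Events outside `window` are
    ignored so that a later reuse of the same ephemeral port is not matched."""
    index: Dict[tuple, List[AuditEvent]] = {}
    for ev in events:
        index.setdefault((ev.host_ip, ev.src_port, ev.dst_ip, ev.dst_port), []).append(ev)
    out: List[Tuple[Flow, Optional[AuditEvent]]] = []
    for f in flows:
        best: Optional[Tuple[float, AuditEvent]] = None
        for ev in index.get((f.src_ip, f.src_port, f.dst_ip, f.dst_port), []):
            delta = abs((ev.ts - f.ts).total_seconds())
            if delta <= window.total_seconds() and (best is None or delta < best[0]):
                best = (delta, ev)
        out.append((f, best[1] if best else None))
    return out


# Hypothetical allowlist: which executables are expected to open which destination ports.
EXPECTED_EXE: Dict[int, set] = {443: {"/usr/bin/curl"}, 25: {"/usr/sbin/postfix"}}


def flag_suspicious(attributed: List[Tuple[Flow, Optional[AuditEvent]]]
                    ) -> List[Tuple[Flow, Optional[AuditEvent], str]]:
    """Produce findings for unattributed flows (host telemetry gap) and for
    flows attributed to a process not expected on that destination port."""
    findings = []
    for flow, ev in attributed:
        if ev is None:
            findings.append((flow, None, "flow seen on network but no matching host audit event"))
        elif ev.exe not in EXPECTED_EXE.get(flow.dst_port, set()):
            findings.append((flow, ev, f"unexpected process {ev.exe} (pid {ev.pid}) on port {flow.dst_port}"))
    return findings


# Constructed sample data: 203.0.113.0/24 is a documentation range.
T0 = datetime(2024, 1, 1, 12, 0, 0)
FLOWS = [
    Flow(T0, "10.0.0.5", 40001, "203.0.113.10", 443, 1200),                           # expected: curl
    Flow(T0 + timedelta(seconds=10), "10.0.0.5", 40002, "203.0.113.10", 443, 5_000_000),  # unexpected exe
    Flow(T0 + timedelta(seconds=20), "10.0.0.7", 40003, "10.0.0.20", 25, 800),         # no host events at all
]
EVENTS = [
    AuditEvent(T0 + timedelta(seconds=1), "10.0.0.5", 1201, "/usr/bin/curl", 40001, "203.0.113.10", 443),
    AuditEvent(T0 + timedelta(seconds=11), "10.0.0.5", 3377, "/tmp/updater", 40002, "203.0.113.10", 443),
    # Same 4-tuple reused ten minutes later: outside the window, must not be matched to flow 2.
    AuditEvent(T0 + timedelta(seconds=600), "10.0.0.5", 1201, "/usr/bin/curl", 40002, "203.0.113.10", 443),
]


def run_demo() -> List[Tuple[Flow, Optional[AuditEvent], str]]:
    """Run attribution plus flagging over the constructed sample data."""
    return flag_suspicious(attribute_flows(FLOWS, EVENTS))


if __name__ == "__main__":
    for flow, ev, reason in run_demo():
        who = f"{ev.exe} pid={ev.pid}" if ev else "<unattributed>"
        print(f"{flow.src_ip}:{flow.src_port} -> {flow.dst_ip}:{flow.dst_port}  {who}  {reason}")
```

The join key is the host's own address plus the connection 4-tuple, which is what both a flow collector and an audit subsystem can observe independently; the time window guards against ephemeral-port reuse. In the sample run the first flow is attributed to the allowlisted process and produces nothing, the second is attributed to an unexpected executable, and the third has no host record at all, which is itself a finding because it means the in-host layer is blind on that instance.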