Online Risk Assessment and Prediction Models for Autonomic Cloud Intrusion Prevention Systems

H. Kholidy, A. Erradi, S. Abdelwahed, A. M. Yousof, H. A. Ali
DOI: 10.1109/AICCSA.2014.7073270
Venue: 2014 IEEE/ACS 11th International Conference on Computer Systems and Applications (AICCSA)
Publication date: 2014-11-01
Citation count: 5

Abstract

Online risk assessment and prediction models for Autonomic Cloud Intrusion Prevention systems
The extensive use of virtualization in implementing cloud infrastructure brings unrivaled security concerns for cloud tenants or customers and introduces an additional layer that itself must be completely configured and secured. Intruders can exploit the large amount of cloud resources for their attacks. Most of the current security technologies do not provide the essential security features for cloud systems, such as early warnings about future or ongoing attacks, autonomic prevention actions, and risk measurement. This paper discusses the integration of these three features into our Autonomic Cloud Intrusion Detection Framework (ACIDF). The early warnings are signaled through a new finite-state Hidden Markov prediction model that captures the interaction between the attackers and cloud assets. The risk assessment model measures the potential impact of a threat on assets given its occurrence probability. The estimated risk of each security alert is updated dynamically as the alert is correlated to prior ones. This enables the adaptive risk metric to evaluate the cloud's overall security state. The prediction system raises early warnings about potential attacks to the autonomic component, the controller. Thus, the controller can take proactive corrective actions before the attacks pose a serious security risk to the system. According to our experiments, both the risk metric and the prediction model successfully signaled early warning alerts 39.6 minutes before the launching of the LLDDoS1.0 attack. This gives the system administrator or an autonomic controller ample time to take preventive measures.