An Approach for Preventing and Detecting Attacks in the Cloud
Authors: Louis-Henri Merino, M. Cukier
Venue: 2020 IEEE/ACM 13th International Conference on Utility and Cloud Computing (UCC)
Publication date: 2020-12-01
DOI: 10.1109/UCC48980.2020.00035 (https://doi.org/10.1109/UCC48980.2020.00035)
Source: Semanticscholar
Preventing and detecting attacks in the cloud are difficult tasks involving technical, financial, and legal challenges. Baseline security solutions from cloud providers are often inadequate to secure cloud instances properly. In addition, entry-level cloud instances offer few resources, as little as 512MB of RAM, and particular actions are either costly or limited by cloud providers, hindering the operation of commercial security solutions, such as antivirus software, and intrusion detection and prevention (IDP) systems. State-of-the-art research IDP systems have made great progress using machine and deep learning but they encounter certain limitations when operating in the cloud. We introduce Xshield, a lightweight IDP framework designed for the cloud, that consists of a limited number of Producers constantly gathering malicious information, analyzing it through one or more arbitrary intrusion detection and/or prevention strategies and passing the processed information along to Consumers, an IDP agent on cloud customers’ instances. We implement and evaluate a Producer prototype by deploying 138 Producers on a cloud provider across 15 regions for seven days and use the collected information to demonstrate how a limited number but strategically placed Producers are capable of protecting cloud customers’ instances as well as present insights on attacker behavior in the cloud. We then discuss, based on attacker behavior insights, what kind of existing IDP strategies can be adapted to operate on Producers.