DocumentCode
1822647
Title
A Self-Protection Mechanism against Stepping-Stone Attacks for IaaS Clouds
Author
Kourai, Kenichi ; Azumi, Takeshi ; Chiba, Shigeru
fYear
2012
fDate
4-7 Sept. 2012
Firstpage
539
Lastpage
546
Abstract
For Infrastructure-as-a-Service (IaaS) clouds, stepping-stone attacks launched through hosted virtual machines (VMs) are a critical problem. In this type of attack, compromised VMs are used as stepping stones for attacking hosts outside the cloud, so not only the compromised VMs but also the IaaS provider is regarded as the attacker. For self-protection, an IaaS cloud should respond actively to stepping-stone attacks. However, it is difficult to stop only the outgoing attacks at the cloud's edge firewalls, because edge firewalls can use only the information carried in network packets. In this paper, we propose a new self-protection mechanism against stepping-stone attacks for IaaS clouds, called xFilter. xFilter is a packet filter running in the virtual machine monitor (VMM) underlying the VMs, and it achieves pinpoint active response by using VM introspection. VM introspection enables xFilter, from the VMM, to obtain information on packet senders directly from the memory of VMs. When xFilter detects an outgoing attack, it automatically generates appropriate filtering rules that incorporate information on the sending process. Our experiments showed that xFilter blocks outgoing attacks as narrowly as possible, without blocking the other traffic of the same VM. The performance degradation due to xFilter was less than 13% in usual cases.
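The following is an added illustration of the abstract's central point, not code from the paper or from xFilter itself: an edge firewall sees only packet headers, so its only option is to block the VM's source address, whereas a VMM-level filter that knows the sending process can block that process alone. The guest socket table, process names, PIDs and addresses are constructed for the example; the real xFilter obtains this information by introspecting guest memory from the VMM, which is abstracted here into a plain in-memory table.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """An outgoing packet as an edge firewall would see it: header fields only."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class GuestSocket:
    """One socket as it could be recovered from a guest kernel's socket structures.

    remote_ip/remote_port of 0.0.0.0/0 denote a listening or unconnected socket.
    """
    pid: int
    comm: str
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


# Constructed stand-in for the result of VM introspection on one guest (10.0.0.5).
# A legitimate web server and an attacker-controlled process share the same VM and IP.
GUEST_SOCKETS: List[GuestSocket] = [
    GuestSocket(1200, "httpd", "tcp", "10.0.0.5", 80, "0.0.0.0", 0),            # listening
    GuestSocket(1200, "httpd", "tcp", "10.0.0.5", 80, "198.51.100.7", 51000),   # established
    GuestSocket(4242, "scanner", "tcp", "10.0.0.5", 40001, "203.0.113.9", 22),  # attack flow
    GuestSocket(4242, "scanner", "tcp", "10.0.0.5", 40002, "203.0.113.10", 22), # attack flow
]


def resolve_sender(pkt: Packet, sockets: List[GuestSocket]) -> Optional[Tuple[int, str]]:
    """Map an outgoing packet to (pid, comm) using the introspected socket table.

    An established socket matches on the full 4-tuple; otherwise fall back to a
    listening/unconnected socket bound to the packet's local address and port.
    """
    for s in sockets:
        if (s.proto, s.local_ip, s.local_port, s.remote_ip, s.remote_port) == (
            pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port
        ):
            return (s.pid, s.comm)
    for s in sockets:
        if (s.proto, s.local_ip, s.local_port, s.remote_port) == (
            pkt.proto, pkt.src_ip, pkt.src_port, 0
        ):
            return (s.pid, s.comm)
    return None


@dataclass(frozen=True)
class ProcessRule:
    """A filtering rule keyed on the sending process rather than on the VM's address."""
    pid: int
    comm: str


class ProcessAwareFilter:
    """Simplified model of a VMM-level filter: rules name the sender process."""

    def __init__(self, sockets: List[GuestSocket]) -> None:
        self.sockets = sockets
        self.rules: Set[ProcessRule] = set()

    def on_attack_detected(self, pkt: Packet) -> Optional[ProcessRule]:
        """Generate a rule for the process that sent the offending packet (assumed rule shape)."""
        sender = resolve_sender(pkt, self.sockets)
        if sender is None:
            return None            # no owning socket found: cannot pinpoint, add no rule
        rule = ProcessRule(*sender)
        self.rules.add(rule)
        return rule

    def decide(self, pkt: Packet) -> str:
        sender = resolve_sender(pkt, self.sockets)
        if sender is not None and ProcessRule(*sender) in self.rules:
            return "DROP"
        return "PASS"


def edge_firewall_decide(pkt: Packet, blocked_src_ips: Set[str]) -> str:
    """An edge firewall can only key on header fields, so it blocks the whole VM address."""
    return "DROP" if pkt.src_ip in blocked_src_ips else "PASS"


if __name__ == "__main__":
    attack = Packet("tcp", "10.0.0.5", 40001, "203.0.113.9", 22)
    legit = Packet("tcp", "10.0.0.5", 80, "198.51.100.7", 51000)
    f = ProcessAwareFilter(GUEST_SOCKETS)
    print("rule generated:", f.on_attack_detected(attack))
    print("process-aware: attack", f.decide(attack), "/ legit", f.decide(legit))
    print("edge firewall: attack", edge_firewall_decide(attack, {"10.0.0.5"}),
          "/ legit", edge_firewall_decide(legit, {"10.0.0.5"}))
```

The comparison at the bottom is the whole argument of the abstract in miniature: once the attack is attributed to PID 4242, every flow of that process is dropped, including a second connection to a different target, while the web server on the same VM and IP keeps passing traffic, whereas the edge firewall's only lever drops both. The socket table is static here; in the real mechanism it would have to be re-read from guest memory as sockets are created and closed, and its correctness depends on the guest kernel's data-structure layout being known to the VMM.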
Keywords
cloud computing; computer network security; virtual machines; IaaS clouds; VM introspection; VM memory; VMM; cloud computing; edge firewalls; filtering rule generation; infrastructure-as-a-service clouds; network packets; outgoing attack detection; packet filtering; pinpoint active response; self-protection mechanism; stepping-stone attacks; virtual machine monitor; xFilter; Detectors; IP networks; Kernel; Servers; Sockets; Virtual machines; cloud computing; operating systems; outgoing attacks; packet filtering;
fLanguage
English
Publisher
ieee
Conference_Titel
Ubiquitous Intelligence & Computing and 9th International Conference on Autonomic & Trusted Computing (UIC/ATC), 2012 9th International Conference on
Conference_Location
Fukuoka
Print_ISBN
978-1-4673-3084-8
Type
conf
DOI
10.1109/UIC-ATC.2012.139
Filename
6332045