• DocumentCode
    2124956
  • Title

    State-based attack detection for cloud

  • Author

    Chia-Mei Chen ; Guan, D.J. ; Yu-Zhi Huang ; Ya-Hui Ou

  • Author_Institution
    Dept. of Inf. Manage., Nat. Sun Yat-sen Univ., Kaohsiung, Taiwan
  • fYear
    2013
  • fDate
    25-26 Feb. 2013
  • Firstpage
    177
  • Lastpage
    180
  • Abstract
    Cloud computing provides businesses with a new working paradigm that offers the benefits of reduced cost and shared resources. Tasks from different users may be performed on the same machine. Therefore, one primary security concern is whether user data is secure in the cloud. On the other hand, a hacker may use cloud computing to launch a larger range of attacks, such as a port scan request in the cloud with multiple virtual machines executing the malicious action. The hacker may perform a sequence of attacks in order to compromise a target system in a cloud, for example, compromising an easy-to-exploit machine in the cloud and then using the compromised machine to attack the target. Such an attack plan may be stealthy or internal to the computing environment, so an intrusion detection system or firewall has difficulty identifying it. The proposed detection system analyzes multiple logs from the cloud and extracts the intentions of the actions recorded in the logs. Stealthy reconnaissance actions are often neglected by administrators because of the insignificant number of violations. A hidden Markov model is adopted to model the steps of the attack plan performed by the hacker, so that such stealthy events over a long time frame become significant in the state-aware model. The results show that the proposed system can identify the attack plans in the real network.
  • Keywords
    cloud computing; computer crime; data analysis; hidden Markov models; pattern recognition; virtual machines; action intension extraction; attack plan; attack sequence; cloud computing; cost reduction; easy-to-exploit machine; firewall; hacker; hidden Markov model; intrusion detection system; malicious action; multiple log analysis; multiple virtual machines; port scan request; resource sharing; security concern; state-based attack detection; stealthy event; stealthy reconnaissance action; user data security; Cloud computing; Computer hacking; Hidden Markov models; IP networks; Intrusion detection; Ports (Computers);
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Next-Generation Electronics (ISNE), 2013 IEEE International Symposium on
  • Conference_Location
    Kaohsiung
  • Print_ISBN
    978-1-4673-3036-7
  • Type

    conf

  • DOI
    10.1109/ISNE.2013.6512323
  • Filename
    6512323