CIADL: cloud insider attack detector and locator on multi-tenant network isolation: an OpenStack case study

In cloud networks, edging network virtualization technology is widely adopted to protect tenants with isolated networks mainly from threats inside the cloud. However, since tenants completely rely on cloud service provider’s service interface to be aware of their current network policy, malicious admin alone or with concluded tenants is/are fully capable of acquiring any target tenant network data by attacking corresponding policies stored and enforced on the edging end hosts without tenants knowing. Therefore, this paper presents cloud insider attack detector and locator (CIADL) on multi-tenant network isolation for OpenStack. We propose an insider attack threat model with attack category. A layered state model based constructing and attack detection methods are also proposed, enabling efficient policy confliction detection between expected policy on central node and enforcing policy on end hosts. Along with a threat locating method with fine granularity of device policy rules for recovery purpose. We implements the proof of concept system of CIADL, and the experiments and analysis show our method can cover all attack types defined in threat model with low overheads, and scales well with network and policy size and attack number increase. Compared to existing work model with VM–VM state, CIADL state model with NET–NET state gets about 8.5% and 92.3% improvement on construction and verification time costs with most hostile environment (AP = 80%) and largest policy scale (PS = 4000), which suggests CIADL is both efficient and scalable.