Utilizing Static Probe Instrumentation Data for A Non-Intrusive VMM-based Anomaly Detection System

The Dataset

Physical Network Architecture:

[Figure: Physical Architecture]

Hardware Setup:

- Host specification: dual Intel Xeon CPU at 1.86 GHz with 8 GB memory and a 320 GB hard disk, running Ubuntu 14.04.

- VM specification: single QEMU virtual CPU with 1 GB memory and 20 GB hard-disk space, running Ubuntu 14.04.

Normal Scenario:

VM: Monitored VM
- Serving RUBiS

Ext1: Web traffic generator
- RUBiS Client. Set "workload number of clients per node" in the rubis.properties file to 400

Host: Capture monitored data for 2s with interval 1s

Monitored data: SProbe | Syscall

Each attack scenario below was captured in two configurations: Victim, where the monitored VM serves RUBiS and is the target of the attack launched from Ext2, and Attacker, where the monitored VM itself runs the attack tool against an external target.

Synflood Attack Scenario (Victim):

VM: Monitored VM
- Serving RUBiS

Ext1: Web traffic generator
- RUBiS Client. Set "workload number of clients per node" in the rubis.properties file to 400

Ext2: Attack Generator
- Ran hping3: # sudo hping3 --flood -S -p 80 <target>

Host: Capture monitored data for 2s with interval 1s

Monitored data: SProbe | Syscall

Synflood Attack Scenario (Attacker):

VM: Monitored VM
- Serving RUBiS
- Ran hping3: # sudo hping3 --flood -S -p 80 <target>

Ext1: Web traffic generator
- RUBiS Client. Set "workload number of clients per node" in the rubis.properties file to 400

Host: Capture monitored data for 2s with interval 1s

Monitored data: SProbe | Syscall

SlowHTTP Attack Scenario (Victim):

VM: Monitored VM
- Serving RUBiS

Ext1: Web traffic generator
- RUBiS Client. Set "workload number of clients per node" in the rubis.properties file to 400

Ext2: Attack Generator
- Ran slowhttptest: # slowhttptest -c 1000 -B -g -o my_body_stats -i 110 -l 450 -r 200 -s 8192 -t FAKEVERB -u <target> -x 10 -p 3

Host: Capture monitored data for 2s with interval 1s

Monitored data: SProbe | Syscall

SlowHTTP Attack Scenario (Attacker):

VM: Monitored VM
- Serving RUBiS
- Ran slowhttptest: # slowhttptest -c 1000 -B -g -o my_body_stats -i 110 -l 450 -r 200 -s 8192 -t FAKEVERB -u <target> -x 10 -p 3

Ext1: Web traffic generator
- RUBiS Client. Set "workload number of clients per node" in the rubis.properties file to 400

Host: Capture monitored data for 2s with interval 1s

Monitored data: SProbe | Syscall

Password Brute Force Attack Scenario (Victim):

VM: Monitored VM
- Serving RUBiS

Ext1: Web traffic generator
- RUBiS Client. Set "workload number of clients per node" in the rubis.properties file to 400

Ext2: Attack Generator
- Ran ncrack: # ncrack -m http -u <user> -P <dict_file> <target>

Host: Capture monitored data for 2s with interval 1s

Monitored data: SProbe | Syscall

Password Brute Force Attack Scenario (Attacker):

VM: Monitored VM
- Serving RUBiS
- Ran ncrack: # ncrack -m http -u <user> -P <dict_file> <target>

Ext1: Web traffic generator
- RUBiS Client. Set "workload number of clients per node" in the rubis.properties file to 400

Host: Capture monitored data for 2s with interval 1s

Monitored data: SProbe | Syscall

Portscan Attack Scenario (Victim):

VM: Monitored VM
- Serving RUBiS

Ext1: Web traffic generator
- RUBiS Client. Set "workload number of clients per node" in the rubis.properties file to 400

Ext2: Attack Generator
- Ran nmap: # nmap -A -oN <file> <target>

Host: Capture monitored data for 2s with interval 1s

Monitored data: SProbe | Syscall

Portscan Attack Scenario (Attacker):

VM: Monitored VM
- Serving RUBiS
- Ran nmap: # nmap -A -oN <file> <target>

Ext1: Web traffic generator
- RUBiS Client. Set "workload number of clients per node" in the rubis.properties file to 400

Host: Capture monitored data for 2s with interval 1s

Monitored data: SProbe | Syscall

Peak Scenario:

VM: Monitored VM
- Serving RUBiS

Ext1: Web traffic generator
- RUBiS Client. Set "workload number of clients per node" in the rubis.properties file to 2000

Host: Capture monitored data for 2s with interval 1s

Monitored data: SProbe |