2015 3rd International Conference on Future Internet of Things and Cloud

Misbehavior Detection Framework for Community-based Cloud Computing

Omar Abdel Wahab∗, Jamal Bentahar∗, Hadi Otrok†∗, Azzam Mourad‡
∗ Concordia Institute for Information Systems Engineering, Concordia University, Montreal, Canada
† Department of ECE, Khalifa University of Science, Technology & Research, Abu Dhabi, UAE
‡ Department of Computer Science and Mathematics, Lebanese American University, Beirut, Lebanon
Email addresses: {o abul, bentahar}@ciise.concordia.ca, [email protected], [email protected]
Abstract—The success and continuation of cloud computing depends to a large extent on the quality and performance of the offered services. We propose in this paper a novel architecture for cloud computing called Community-based Cloud Computing whose main goal is to improve the quality and performance of cloud services. In this architecture, cloud services sharing the same domain of interest are partitioned into a set of communities led by a central entity called master. The advantages of such an architecture are (1) facilitating the discovery of cloud services, (2) providing efficient means for better QoS management and resource utilization, and (3) easing intra-layer and cross-layer compositions. However, one of the serious challenges against the success of such an architecture is the presence of malicious services that launch attacks either against the whole community or against some partners in that community. Therefore, we address this problem by proposing a misbehavior detection framework based on the Support Vector Machine (SVM) learning technique. In this framework, the master of the community monitors the behavior of its community members to populate the training set of the classifier. Thereafter, SVM is used to analyze this set and predict the final classes of the cloud services. Simulation results show that our framework is able to produce highly accurate classifiers, while maximizing the attack detection rate and minimizing the false alarms. They also show that the framework is quite resilient to the increase in the number of malicious services.

Keywords—Community-based Cloud Computing, Misbehavior detection, malicious services, Support Vector Machine, Cloud Computing

978-1-4673-8103-1/15 $31.00 © 2015 IEEE DOI 10.1109/FiCloud.2015.94

I. INTRODUCTION

Cloud computing can be regarded as a new paradigm of computing in which dynamically scalable (often virtualized) resources are offered as services via the Internet [1]. These services are presented as a layered cloud computing architecture that consists of three main layers: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) [2]. SaaS provides on-demand running of application software remotely from the cloud. PaaS refers to computing platforms offered as a service, such as operating systems, Web servers, databases, and programming language execution environments. IaaS provides users with computing resources such as virtualized computers whose processing power, bandwidth, and Internet access are guaranteed. Based on the foregoing definitions, one can easily observe the advantages of cloud computing, which are mostly related to the high availability of services, cost reduction, and scalability in accommodating larger workloads. Unfortunately, every rose has its thorn. Practically, the increasing tendency of users to use cloud computing motivates service providers to create and publish a wide set of services having different functional and non-functional properties. As a result, several related challenges arise. First, with the vast number of deployed cloud services, it becomes challenging to find or discover the relevant services [3]. Second, as the number of cloud services offering the same functionality becomes quite large, forming composite services in the cloud is, unfortunately, an NP-hard optimization problem [4]. Third, finding optimal tradeoffs between the offered Quality of Service (QoS) and its operational costs, so as to maintain a good level of competitiveness in the presence of such a large number of services, is a continuous dilemma for service providers [5].

In this paper, we propose a novel architecture for cloud computing called Community-based Cloud Computing that aims to address the foregoing challenges. The idea is to group the cloud services that provide similar functionalities into a set of communities that are led by a central entity called master. The advantages of such an architecture are three-fold. First, the discovery process of cloud services will be facilitated as the visibility of services towards users is enhanced. Practically, finding a community of Email services is much easier than finding a single Email service in large-scale markets of services. Second, the community-based architecture enables cooperation and interoperability among community members, which helps realize better management of QoS and efficient utilization of resources. For example, a service that is overwhelmed by a large number of requests may delegate some requests to other services in the community to perform them in a timely fashion. Third, the intra-layer and cross-layer compositions will be facilitated. In practice, the community, serving as a pocket of functionally-similar services, will be responsible for selecting the best candidate(s) to participate in the composition requests (see Section III-A for more details). Nonetheless, an obvious obstacle to the success of such an architecture is the existence of misbehaving services that launch different types of misbehaviors against communities. Therefore, we complement the architecture by proposing a misbehavior detection framework.
More specifically, the problem arises when services that are supposed to behave well within communities misbehave and begin launching malicious attacks against their communities or against some partners in that community. Consider, for example, the request dropping attack. In this attack, a service that is supposed to fulfill the requests coming to a certain community misbehaves and drops all or some of the requests. This drains the reputation of the whole community in the eyes of users and other service providers. Therefore, preventive and/or detective measures are required to mitigate such security threats. Some approaches [6], [7], [8] have been proposed to tackle the problem of misbehaving services in the community-based architecture in the domain of Web services [9]. However, these approaches have two main drawbacks that limit their effectiveness in capturing the dynamism of malicious misbehaviors. First, they treat misbehaving services as passive or selfish agents whose objective is to manipulate their reputation scores, thus disregarding the malicious services that launch active attacks against their partners/communities. Second, these approaches restrict the analysis to a few parameters, such as responsiveness and user satisfaction, in the process of building trust towards services, thus ignoring other metrics that may also be important. A detailed survey on this topic can be found in [9].
To address the aforementioned problems, we propose a flexible detection framework based on the Support Vector Machine (SVM) learning technique [10]. The proposed framework imposes no limitation either on the number and type of parameters used to judge services or on the type of addressed misbehaviors. Our solution can be summarized as follows. Upon assigning tasks to the appropriate cloud services, the master acts as a watchdog [11] to monitor the behavior of its community members. This results in a dataset consisting of a collection of representative evidences. Thereafter, the master uses SVM to analyze this dataset and classify the services as either cooperative or malicious. The reasons behind choosing SVM as a classification technique stem from its ability to produce very accurate classifiers for binary (two-class) classification [12], its effectiveness on high-dimensional datasets consisting of a large number of attributes [13], and its robustness against outliers and overfitting [14]. In summary, the contributions of this paper are the following:

• Contribution #1: We propose a novel architecture for cloud computing that is able to facilitate the (1) discovery of cloud services, (2) intra-layer and cross-layer service compositions, and (3) QoS and resource management.

• Contribution #2: We present a misbehavior detection framework for the proposed community-based architecture. This framework is flexible with respect to the type of misbehaviors (i.e., active and passive) as well as to the number and type of parameters used to judge services.

The remainder of the paper is organized as follows. Section II reviews relevant related work. Section III describes the proposed community-based cloud computing architecture and explains the misbehavior detection framework. Section IV illustrates the implementation setup used to perform simulations and presents empirical results. Finally, Section V concludes the paper and discusses future perspectives.

II. RELATED WORK

The concept of community has been extensively investigated in the domain of Web services. The community has mainly been considered as a container of Web services sharing the same functionality [15], [16], [17], [18], [19]. The objective is to facilitate the discovery of services and optimize the composition process. As the number of services offering the same functionality tends to be huge, the community provides a high-level description of the functionality of each group of services. The community is managed by a central entity called master whose responsibilities include (1) attracting new Web services to join the community, (2) selecting the Web services that will participate in the compositions, and (3) monitoring the performance of the community members. In this paper, we extend the concept of community to the domain of cloud computing. In addition to the advantages of communities for Web services, community-based cloud computing facilitates cross-layer compositions (i.e., compositions between SaaS services, PaaS services, and IaaS services). Moreover, community-based cloud computing helps optimize QoS management and resource utilization among cloud service providers.

In the domain of cloud computing, there have recently been a few attempts to investigate a similar architecture for cloud service providers. In [20], the authors proposed a coalition formation game-theoretical model among cloud service providers. The objective is to exploit the under-utilized resources when the internal demand is less than the capacity of providers. Different from this approach, we propose a comprehensive architecture for cloud service providers that aims not only to facilitate cooperation and increase the efficiency of resource management but also to enhance the visibility of cloud services, facilitate their discovery, and support intra-layer and cross-layer compositions. Moreover, the cloud services in the coalition are assumed to be purely cooperative, which is not always the case in real markets of cloud services. On the contrary, the community-based architecture assumes that cloud services may be cooperative but also competitive, which raises the problem of malicious services we address in this paper. From the security perspective, few approaches have been proposed to address the problem of misbehaving services in a community-based environment. In [6], the authors developed a sound logging mechanism that discourages community masters from misbehaving, i.e., from illegally increasing their own reputation levels or decreasing other communities’ reputation levels. In this mechanism, a third-party service called agent controller is assigned the role of recognizing misbehaviors by comparing the community’s reputation change (improvement or degradation) between two time slots and matching this change against a predefined threshold. If a suspicious behavior is observed, the agent controller monitors the upcoming behavior of the suspected communities and tries to match the actual efficiency with the enhanced/degraded reputation level. However, this approach considers only three metrics while assessing the reputation of communities and ignores some important factors, which makes it unable to build a comprehensive perception of the trust level of services.

In [7], the authors extended [6] by considering more collusion scenarios. They defined a model architecture composed of four agents: (1) service consumer, which may collude with some Web services to report false feedback, (2) Web service, which engages in some collusion scenarios with
the consumer, (3) feedback file, responsible for collecting the feedback reported by the consumers, and finally (4) controller agent, charged with supervising the feedback file against falsified feedback. The authors discussed four possible scenarios the controller may face: Malicious Act not Penalized, Truthful Act Penalized, Truthful Act not Penalized, and Malicious Act Penalized. Thereafter, a repeated game-theoretical model of two players (Web service and controller) is developed to derive the best strategy for both players in terms of payoff in each of the aforementioned cases. This analysis reveals that if the Web service is made aware of the penalties that it may undergo as well as of the controller’s detection accuracy, then the system will reach a sound and secure state.

In [8], the authors proposed a game-theoretical model that analyzes the stabilized situation wherein information service agents, responsible for providing information about Web services willing to join communities, behave well and report truthful information. To this end, they defined a utility function to help these agents choose their strategies, either truth-telling or lying. This function is composed of three incentive metrics: (1) a reward given to these agents by the customer asking for information, (2) a value that depends on the similarity level between the information they provide and the average information provided by other service agents, and (3) a value that is equal to the difference between the expected performance and the experienced performance (of the single Web services after having joined the communities). Thereafter, a game-theoretical model that analyzes the possible strategies of the information service agents is introduced. By solving the game, the authors stated that telling the truth is the only Nash equilibrium strategy for information service agents. Overall, the existing misbehavior detection mechanisms in the community-based architecture restrict the analysis to a few reputation parameters, which makes them inflexible in capturing the dynamism of misbehaviors. Moreover, these approaches treat misbehaving services as passive agents that try to manipulate their reputation scores and ignore those that launch active attacks (e.g., request dropping, denial of service, etc.). To tackle this problem, we propose in this paper a misbehavior detection framework that is flexible with respect to the number and type of parameters used to judge services as well as to the type of services’ misbehaviors.

Fig. 1: Community-based Cloud Computing: Cloud services sharing the same domain of interest are grouped into communities. The horizontal dashed rectangle depicts the intra-layer composition scenarios and the vertical dashed rectangle depicts the cross-layer composition scenarios. [Figure image not recoverable from the text.]
III. MISBEHAVIOR DETECTION FRAMEWORK

In this section, we first describe the Community-based Cloud Computing architecture and highlight its main advantages. Thereafter, we give an overview of the proposed misbehavior detection framework by presenting and linking its three phases. Finally, we close the section by explaining each phase in detail and describing the relevant algorithms.

A. Model Architecture

The model architecture consists of a set of cloud services partitioned into communities along with a master that is responsible for managing and maintaining the health of the community. This model architecture is depicted in Figure 1. Service providers continuously publish and register their services in the appropriate community. The community gathers cloud services sharing the same domain of interest (e.g., community of Email services, community of Web servers, etc.). The master is a trusted central entity that is implemented as a watchdog to monitor and perceive its environment [21], [22]. It serves as a broker having extra privileges from the service providers, allowing it to observe the incoming requests and match them with the associated answers (if any). The responsibilities of the master include (1) allocating tasks to the community members, (2) attracting new services to join the community, (3) selecting the cloud services that will participate in the composition requests, (4) monitoring the performance of the community members, and (5) retaining well-performing services and firing poorly-performing ones.

The advantages of this architecture are (1) facilitating the discovery of cloud services by enhancing their visibility towards users, (2) enhancing QoS management by allowing interoperability and cooperation within communities (e.g., one service may replace another in case of execution errors), (3) increasing the efficiency in managing and utilizing resources (e.g., a service whose resources are overwhelmed by a large number of requests may delegate some requests to another service whose resources are under-utilized and agree on a certain gain distribution method), and (4) facilitating intra-layer and cross-layer compositions. To illustrate the idea of intra-layer and cross-layer compositions, consider the following examples. For the intra-layer compositions, the community (neither users nor providers), serving as a pocket of cloud services sharing the same domain of interest, will be responsible for selecting the candidates that will participate in the composition processes. For example, upon receiving a composition request, the master of the Community of Email services (1) in Figure 1 will select the best candidate among Email Service 1, Email Service 2, Email Service 4, and Email Service 6 to participate in that request, and the master of the Community of Facebook services (1) will select the best candidate between Facebook Service 1 and Facebook Service 2. This mitigates the load and time of the composition process as each set of cloud services will be represented by a single community. For the cross-layer composition, assume that Email Service 4 in Figure 1 trusts its community colleague Email Service 2 based on previous interactions in the Software-as-a-Service (SaaS) layer and that Email Service 2 is owned by the same provider as Web Server 2 in the Platform-as-a-Service (PaaS) layer and Storage Service 2 in the Infrastructure-as-a-Service (IaaS) layer; then Email Service 4 will trust engaging in composition processes with Web Server 2 and Storage Service 2.

However, a serious challenge to the success of such an architecture is the existence of malicious services that launch attacks against their partner services or the community as a whole. Therefore, we propose in the following subsections a misbehavior detection framework that is able to detect such misbehaving services.

B. Solution Overview

Our solution is an SVM-based detection framework that aims at detecting the malicious cloud services in a community-based environment, while being flexible with respect to the number and type of parameters used to judge services and effective in detecting both active and passive attacks. In the rest of the paper, the request dropping attack is used as a case study to illustrate our proposed misbehavior detection framework. However, the framework is generic and may be adapted to deal with different types of malicious attacks by modifying the classifier’s parameters accordingly. The proposed framework consists of three main phases:

• Phase 1 - Monitoring: In this phase, the master monitors the behavior of the services that belong to its community. This allows it to collect a set of representative evidences that span over a period of time.

• Phase 2 - Classification: Based on the set of evidences collected in Phase 1, the master constructs the training set of the SVM classifier. Thereafter, it analyzes this training data using SVM to learn the properties of the data by pairing each set of inputs with the expected output. Finally, it uses the learned classifier to predict the final classes of the cloud services.

• Phase 3 - Punishment: In this phase, the master punishes the malicious services detected in Phase 2 by firing them from its community and adding them to its blacklist.

C. Monitoring

The algorithm that describes this phase and that is executed by the community master is presented in Algorithm 1. The algorithm takes as inputs the community of cloud services led by the master in question (line (1)), a set of requests to be executed by that community (line (2)), and a time period that represents the time length of one round of monitoring (line (3)). The output of the algorithm is a training set (line (4)). Line (6) iterates over all the cloud services in the given community. Line (7) starts the chosen monitoring time period. Line (8) iterates over all the requests that are assigned by the master to each of the community’s services. For each request being sent, the master monitors the behavior of the service when executing the request (line (9)). This helps the master fill two main attributes: ExecutedRequests, which counts the number of requests actually executed by the service, and DiscardedRequests, which counts the number of requests discarded or dropped by that service (lines (10)-(14)). After the monitoring time period elapses (line (17)), the master compares the number of requests actually executed by each service in the community with the total number of requests supposed to be executed (line (18)). If the whole number of requests was actually executed, then the master marks the service in question as cooperative (line (19)). Otherwise, the service is marked as malicious (line (21)). It is worth mentioning that checking whether the whole number of requests has been executed is not unfair to the non-malicious request droppers (i.e., those that are overwhelmed), since the monitoring process spans over a period of time and the set of collected evidences will reflect whether the given service is malicious or was forced to drop some requests. Here lies the importance of the classification phase to differentiate among these cases.

That is, the collected observations, individually, cannot be decisive in judging the services, since the monitoring process may be hindered by false positives and false negatives [11]. For example, a service may drop some requests not because it is malicious but because it is overwhelmed by a large number of requests draining its allocated resources. Moreover, malicious services may vary their behavior in order to mislead detection. For instance, a malicious service may apply request dropping selectively, either by dropping the requests every t slots of time or by dropping the requests pertaining to some specific customers and/or providers and fulfilling the other requests. Therefore, a classification technique that is able to analyze the whole data, link the different observations, extract the relevant patterns, and predict the actual classes of services is needed. In this work, we have chosen SVM due to its strong track record of producing very accurate classifiers in intrusion detection scenarios compared to other classification techniques such as neural networks and decision trees [12], [10]. Thus, the information obtained from the monitoring process is continuously inserted into the appropriate database, which constitutes the training set of the SVM classifier (line (23)). The classification phase is explained in the following subsection.

Algorithm 1: Monitoring Phase
 1: Input: Community C of cloud services
 2: Input: Set of requests R to be executed
 3: Input: Time period P of one round of monitoring
 4: Output: Training set T
 5: procedure MONITORING
 6:   for each cloud service s ∈ C do
 7:     repeat
 8:       for each request r ∈ R assigned to s do
 9:         Monitor s when executing r
10:         if s has executed r then
11:           increment ExecutedRequests(s)
12:         else
13:           increment DiscardedRequests(s)
14:         end if
15:         increment TotalRequests(s)
16:       end for
17:     until P elapses
18:     if ExecutedRequests(s) = TotalRequests(s) then
19:       type(s) = cooperative
20:     else
21:       type(s) = malicious
22:     end if
23:     Add (s, TotalRequests(s), ExecutedRequests(s), DiscardedRequests(s), type(s)) to T
24:   end for
25:   return T
26: end procedure

D. Classification

Based on the training set obtained from the monitoring phase, the master uses SVM to analyze this data and predict the final classes. The algorithm that describes this phase and that is executed by the community master is presented in Algorithm 2. The algorithm takes as inputs the training set obtained from the monitoring phase (line (1)), the set of initial classes of the services in that training data (line (2)), and the kernel function to be used by the classifier (line (3)). A kernel function K(X_i, X) is a function that measures the similarity between a given unlabeled tuple X and each of the learned training inputs X_i ∈ T, where T is the training data set. Several kernel functions are commonly used in SVM; namely the Linear, Multilayer Perceptron, Quadratic, Polynomial, and Gaussian Radial Basis Function kernels [14]. The output of the algorithm is the set of final classes of the cloud services predicted by the SVM classifier (line (4)). As a first step, the master trains the SVM classifier over the training data in order to learn the patterns of the data and distinguish among classes (line (6)). In more detail, SVM draws a hyperplane that separates the training data tuples classified as cooperative from those classified as malicious. The hyperplane is determined based on the training tuples that are the most useful in differentiating between classes, referred to as support vectors, in such a way as to maximize the margins of the hyperplane. Intuitively, this means maximizing the distance between cooperative support vectors and malicious support vectors in order to increase the accuracy of the classifier. Line (7) iterates over all the cloud services in the given community. For each one of these services, the master uses the learned classifier to predict the final class of that service (line (8)).

Algorithm 2: Classification Phase
 1: Input: Training set T
 2: Input: Set of initial classes I of cloud services in T
 3: Input: Kernel function K
 4: Output: Set of final classes F of cloud services
 5: procedure CLASSIFICATION
 6:   modelSVM = TrainSVM(T, I, K)
 7:   for each cloud service s ∈ community C do
 8:     F = F ∪ {SVMClassify(s, modelSVM)}
 9:   end for
10:   return F
11: end procedure

E. Punishment

The algorithm that describes this phase and that is executed by the community master is presented in Algorithm 3. The algorithm takes as inputs the community of cloud services led by the given master (line (1)), the set of final classes of services predicted by the classifier in the classification phase (line (2)), and the set of services that have been previously blacklisted by the master after being classified as malicious (line (3)). The algorithm outputs the given community after applying the punishment measures (line (4)) as well as the blacklist after adding the newly detected malicious services to it (line (5)). Line (7) iterates over all the instances in the set of final classes. For each instance, line (8) checks whether this instance pertains to a malicious service. If so, the master punishes this service by firing it from the community (line (9)) and adding it to its blacklist (line (10)), thus prohibiting this service from re-joining the community in the future and re-launching its malicious attacks again.

Fig. 2: Accuracy w.r.t. percentage of malicious services. [Plot not recoverable from the text: Accuracy (%) from 90 to 100 versus Percentage of Malicious Services (%) from 10 to 50, one curve per kernel: Linear, Multilayer Perceptron, Quadratic, Polynomial, Gaussian Radial Basis Function.]

Fig. 3: Attack detection w.r.t. percentage of malicious services. [Plot not recoverable from the text: Attack Detection Rate (%) from 90 to 100 versus Percentage of Malicious Services (%) from 10 to 50, one curve per kernel.]
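The monitoring phase (Algorithm 1) and the punishment phase (Algorithm 3) above, as an added Python example that is not part of the paper's MATLAB implementation. The service behaviours (a well-behaved service, one that is overwhelmed only at high load, a selective dropper, a random dropper) and the per-round loads are constructed; `punish` takes the classifier's verdict as a plain dictionary, since the classification phase is a separate step:

```python
"""Monitoring (Algorithm 1) and punishment (Algorithm 3) of the community
master, simulated in Python. Service behaviours below are constructed."""
from dataclasses import dataclass
import random


@dataclass
class Service:
    """A community member. capacity: requests it can serve in one round before
    it is overwhelmed (a genuine, non-malicious reason to drop); drop_ratio:
    fraction dropped at random; selective_every: drop every k-th request."""
    name: str
    capacity: int = 10 ** 9
    drop_ratio: float = 0.0
    selective_every: int = 0

    def executes(self, index: int, rng: random.Random) -> bool:
        if index >= self.capacity:
            return False                      # overwhelmed: dropped, not malicious
        if self.selective_every and (index + 1) % self.selective_every == 0:
            return False                      # selective (disguised) dropping
        return rng.random() >= self.drop_ratio


def monitor(community, loads, seed=0):
    """Algorithm 1. loads[k] is the number of requests the master assigns to
    each service in round k (one period P). Returns the training set T: one
    evidence tuple (name, total, executed, discarded, label) per service and
    round, labelled as in lines 18-22: any dropped request => malicious."""
    rng = random.Random(seed)
    T = []
    for s in community:
        for n_requests in loads:
            total = executed = discarded = 0
            for r in range(n_requests):       # the master watches each request
                if s.executes(r, rng):
                    executed += 1
                else:
                    discarded += 1
                total += 1
            label = "cooperative" if executed == total else "malicious"
            T.append((s.name, total, executed, discarded, label))
    return T


def labels_for(T, name):
    """Round-by-round labels of one service, in monitoring order."""
    return [label for (n, _, _, _, label) in T if n == name]


def punish(community, final_classes, blacklist):
    """Algorithm 3: remove every service whose final class is malicious and
    add it to the blacklist. Returns the updated (community, blacklist)."""
    fired = {s.name for s in community if final_classes.get(s.name) == "malicious"}
    remaining = [s for s in community if s.name not in fired]
    return remaining, blacklist | fired


def admit(service, blacklist):
    """Join handling implied by the punishment phase: a blacklisted service
    is refused when it tries to re-join the community."""
    return service.name not in blacklist


if __name__ == "__main__":
    community = [
        Service("email-1"),                          # well-behaved
        Service("email-2", capacity=8),              # overwhelmed at high load only
        Service("email-3", selective_every=4),       # drops every 4th request
        Service("email-4", drop_ratio=0.3),          # random dropper
    ]
    T = monitor(community, loads=[5, 12, 5, 12, 5])
    for s in community:
        print(s.name, labels_for(T, s.name))
    # stand-in for the classifier's verdict (Algorithm 2 is the SVM phase)
    classes = {"email-3": "malicious", "email-4": "malicious"}
    community, blacklist = punish(community, classes, set())
    print([s.name for s in community], sorted(blacklist))
```

Across rounds, the overwhelmed service is labelled malicious only in the high-load rounds while the selective dropper is labelled malicious in every round; that difference in the evidence is what the classification phase is meant to pick up.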
Algorithm 3: Punishment Phase
 1: Input: Community c of cloud services
 2: Input: Set of final classes F of cloud services
 3: Input: Blacklist b of community c
 4: Output: Community c of cloud services
 5: Output: Blacklist b of community c
 6: procedure PUNISHMENT
 7:   for each instance i ∈ F relating to service s(i) do
 8:     if i = malicious then
 9:       c = c \ {s(i)}
10:       b = b ∪ {s(i)}
11:     end if
12:   end for
13:   return (c, b)
14: end procedure

IV. PERFORMANCE EVALUATION

In this section, we evaluate the performance of our proposed misbehavior detection framework. First, we explain the implementation details and then present the experimental results that involve the accuracy, attack detection, false positive, and false negative rates with regard to different kernel functions of SVM.

A. Implementation and Setup

We implement our framework in a 64-bit Windows 8 environment on a machine equipped with an AMD A8-5550M APU with Radeon(tm) HD Graphics 2.10 GHz Processor and 8.192 GB RAM. MATLAB 9.0 has been used as the programming language to implement the different algorithms of the framework [23]. Throughout the simulations, we vary the number of cloud services from 1000 to 5000. The percentage of malicious services varies from 10% to 50% of cloud services; each of which has a drop percentage between 1% and 100%. In other words, a malicious service may drop all the requests it receives or a portion of them. For implementing SVM, we use the "one-vs.-one" classification strategy since our framework involves binary (not multi-class) classification. Unlike the "one-vs.-all" strategy that builds one SVM per class and trains the classifier to differentiate the samples in a single class from the samples in all remaining classes, the "one-vs.-one" strategy builds one SVM for each pair of classes. Thus, the "one-vs.-one" strategy is able to reduce the training time over the "one-vs.-all" strategy [24]. Different kernel functions have been simulated; namely the Linear, Multilayer Perceptron, Quadratic, Polynomial, and Gaussian Radial Basis Function kernels. Four performance metrics have been used to evaluate our framework: accuracy rate, attack detection rate, false positive rate, and false negative rate. The accuracy rate is obtained by dividing the total number of correctly classified observations over the total number of observations. Attack detection rate is obtained by dividing the total number of attacks over the total number of detected attacks. False positive rate is obtained by dividing the total number of observations misclassified as cooperative while they are actually malicious over the total number of observations classified as cooperative. False negative rate is obtained by dividing the total number of observations misclassified as malicious while they are actually cooperative over the total number of observations classified as malicious. The information used to populate these metrics is obtained from the confusion matrix of the classification model.

TABLE I: Comparison between SVM kernel functions using four performance metrics

Kernel function                        | Accuracy Rate | Attack Detection Rate | False Positive Rate | False Negative Rate
Linear Kernel                          | 98.14%        | 97.38%                | 2.61%               | 2.98%
Multilayer Perceptron Kernel           | 93.05%        | 92.25%                | 7.69%               | 8.02%
Quadratic Kernel                       | 95.20%        | 94.08%                | 5.91%               | 6.13%
Polynomial Kernel                      | 95.96%        | 94.98%                | 5.02%               | 5.99%
Gaussian Radial Basis Function Kernel  | 95.20%        | 94.09%                | 5.91%               | 6.10%

B. Simulation Results

Table I measures the accuracy, attack detection, false positive, and false negative rates of our framework with respect to the foregoing five SVM kernel functions. The number of services used is 5000 and the percentage of malicious services is 30%. Table I reveals that our framework is able to achieve high accuracy rates (> 93%) using the different kernel functions, with the highest accuracy of 98.14% when applied with the Linear kernel function. It also shows that our framework is able to achieve high attack detection rates (> 92%) using the different kernel functions, with the highest attack detection rate of 97.38% when used with the Linear kernel function. As for the false positive rate, Table I reveals that our framework results in low false positive rates (< 8%) using the different kernel functions, with a minimal false positive rate of ≈ 2.61% when used with the Linear kernel function. Finally, the Table reveals that our framework results in small false negative rates (< 9%) using the different kernel functions, with a minimal false negative rate of 2.98% when used with the Linear kernel function. Overall, we can conclude that the linear kernel function is the one that best fits our framework. This means that our data is almost linearly separable, i.e., the data records classified as cooperative and those classified as malicious may be separated by a straight line as depicted in Figure 6.

[Fig. 4: False positive w.r.t. percentage of malicious services. y-axis: False Positive Rate (%), x-axis: Percentage of Malicious Services (%) from 10 to 50; one curve per kernel: Linear, Multilayer Perceptron, Quadratic, Polynomial, Gaussian Radial Basis Function]

[Fig. 5: False negative w.r.t. percentage of malicious services. y-axis: False Negative Rate (%), x-axis: Percentage of Malicious Services (%) from 10 to 50; one curve per kernel: Linear, Multilayer Perceptron, Quadratic, Polynomial, Gaussian Radial Basis Function]
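As an added example (this is not the paper's MATLAB implementation), the following Python code shows the master's post-classification step described in Section IV-A and in Algorithm 3: it builds the confusion matrix from the actual and predicted classes of the community members, derives the four performance metrics from it, and then runs the punishment phase that evicts every service whose final class is malicious and places it on the blacklist. The service names and class labels are constructed sample data. The false positive and false negative rates follow the paper's definitions (a false positive is a malicious service classified as cooperative, divided by all services classified as cooperative); the attack detection rate is computed here as the fraction of actually malicious services that the classifier labelled as malicious.

```python
"""Master-side post-classification step for a community of cloud services.

Added example, not the paper's code. Two classes as in the paper:
"cooperative" and "malicious". Metric definitions follow Section IV-A:
  accuracy       = correctly classified / all observations
  detection rate = malicious observations classified as malicious / all malicious
  false positive = malicious classified as cooperative / all classified as cooperative
  false negative = cooperative classified as malicious / all classified as malicious
"""
from dataclasses import dataclass

COOPERATIVE = "cooperative"
MALICIOUS = "malicious"


@dataclass(frozen=True)
class ConfusionMatrix:
    """2x2 confusion matrix; field names read 'actual_as_predicted'."""
    coop_as_coop: int = 0   # cooperative service classified cooperative
    coop_as_mal: int = 0    # cooperative service classified malicious (paper: false negative)
    mal_as_coop: int = 0    # malicious service classified cooperative (paper: false positive)
    mal_as_mal: int = 0     # malicious service classified malicious (detected attack)


def confusion_matrix(actual, predicted):
    """Count the four outcomes from two dicts mapping service -> class."""
    counts = {"cc": 0, "cm": 0, "mc": 0, "mm": 0}
    for service, truth in actual.items():
        guess = predicted[service]
        key = ("c" if truth == COOPERATIVE else "m") + ("c" if guess == COOPERATIVE else "m")
        counts[key] += 1
    return ConfusionMatrix(counts["cc"], counts["cm"], counts["mc"], counts["mm"])


def _ratio(numerator, denominator):
    # Guard against an empty class (e.g. no service classified as malicious).
    return numerator / denominator if denominator else 0.0


def metrics(cm):
    """The four rates of Section IV-A, as fractions in [0, 1]."""
    total = cm.coop_as_coop + cm.coop_as_mal + cm.mal_as_coop + cm.mal_as_mal
    classified_coop = cm.coop_as_coop + cm.mal_as_coop
    classified_mal = cm.coop_as_mal + cm.mal_as_mal
    actually_mal = cm.mal_as_coop + cm.mal_as_mal
    return {
        "accuracy": _ratio(cm.coop_as_coop + cm.mal_as_mal, total),
        "detection": _ratio(cm.mal_as_mal, actually_mal),
        "false_positive": _ratio(cm.mal_as_coop, classified_coop),
        "false_negative": _ratio(cm.coop_as_mal, classified_mal),
    }


def punishment(community, final_classes, blacklist):
    """Algorithm 3: for every instance whose final class is malicious,
    remove the service from the community and add it to the blacklist."""
    community = set(community)
    blacklist = set(blacklist)
    for service, final_class in final_classes.items():
        if final_class == MALICIOUS:
            community.discard(service)     # c = c \ {s(i)}
            blacklist.add(service)         # b = b ∪ {s(i)}
    return community, blacklist


# Constructed sample data: ten services, three of them actually malicious.
SAMPLE_ACTUAL = {f"s{i}": COOPERATIVE for i in range(1, 8)}
SAMPLE_ACTUAL.update({"s8": MALICIOUS, "s9": MALICIOUS, "s10": MALICIOUS})

# Constructed classifier output: s7 wrongly flagged, s8 missed, rest correct.
SAMPLE_PREDICTED = dict(SAMPLE_ACTUAL)
SAMPLE_PREDICTED["s7"] = MALICIOUS
SAMPLE_PREDICTED["s8"] = COOPERATIVE


def run_example():
    """Evaluate the sample classification and apply the punishment phase."""
    cm = confusion_matrix(SAMPLE_ACTUAL, SAMPLE_PREDICTED)
    rates = metrics(cm)
    community, blacklist = punishment(set(SAMPLE_ACTUAL), SAMPLE_PREDICTED, set())
    return rates, community, blacklist


if __name__ == "__main__":
    rates, community, blacklist = run_example()
    for name, value in rates.items():
        print(f"{name:15s} {value * 100:6.2f}%")
    print("community:", sorted(community), "blacklist:", sorted(blacklist))
```

On the constructed data the punishment phase evicts s7, s9 and s10 while s8, the malicious service the classifier labelled cooperative, stays inside the community. This is why, from the master's point of view, the paper's false positive rate is the metric with the direct security cost (an attacker keeps receiving requests), whereas a false negative costs the community a cooperative partner.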
Moreover, we study in Figures 2, 3, 4, and 5 the scalability of our framework w.r.t. the increase in the percentage of malicious services that perform the request dropping attack. To this end, we vary the percentage of malicious services from 10% up to 50% while fixing the number of services to 5000. The Figures reveal that our framework is resilient to a large extent to the increase in the percentage of malicious services. In particular, Figures 2 and 3 show respectively that the accuracy and attack detection rates decrease by ≈ 2% when the percentage of malicious cloud services jumps from 10% to 50%. As for the false alarms, Figures 4 and 5 show respectively that the false positive and false negative rates suffer from an increase of ≈ 1.5% when the percentage of malicious services jumps from 10% to 50%. As a conclusion, the increase in the percentage of malicious cloud services does not have a significant impact on the performance of our framework. Thus, we can claim that our framework is quite resilient to the increase in the number of malicious cloud services.

[Fig. 2 and Fig. 3: accuracy rate and attack detection rate w.r.t. percentage of malicious services; x-axis: Percentage of Malicious Services (%); captions not recovered from the page]

V. CONCLUSION AND FUTURE WORK

In this paper, we proposed a novel architecture for cloud computing called Community-based Cloud Computing. The advantages of this architecture are three-fold. First, it facilitates the discovery of cloud services by enhancing their visibility. Second, it provides an efficient means for better QoS management and resources utilization. Third, it may be used to reduce the complexity of building intra-layer and cross-layer composite services in the cloud. However, a serious challenge to this architecture is the existence of malicious services that launch attacks against their partners and/or communities. Therefore, we address this problem by elaborating a misbehavior detection framework that is flexible with respect to the types of attacks, and the number and type of parameters used to judge services. In this framework, the master of the community monitors the behavior of its community members to construct a representative training dataset. Thereafter, it uses the SVM classification technique to analyze this training dataset and predict the final classes of the services. Simulation results show that our framework is able to perform very well using five different kernel functions of SVM, with accuracy and attack detection rates reaching 98.14% and 97.38%, and false positive and false negative rates as low as 2.61% and 2.98%, respectively.

Promisingly, this work gives guidance to a new architecture that could be adopted to solve or mitigate several challenges encountered in the domain of cloud computing. It also opens numerous research directions that seem worth working on and investigating, such as: (1) building efficient community-based compositions in the cloud, (2) studying ontological frameworks and linking them with the community-based architecture to facilitate the discovery of cloud services, (3) investigating novel models for optimal formation of such communities, (4) developing resource sharing and task allocation models for intra-community management, and (5) building trust and reputation models among cloud services to facilitate cross-layer compositions. Regarding the misbehavior detection framework, it may be extended to lessen the reliance on the master as a trusted central entity and to consider a multi-class rather than binary SVM model that sub-classifies the malicious services based on the gravity of their attacks.
ACKNOWLEDGMENT

Omar Abdel Wahab was supported by the Doctoral Research Scholarship for Foreign Students, Fonds de recherche du Québec - Nature et technologies (FRQNT). Jamal Bentahar was supported by the Natural Sciences and Engineering Research Council of Canada (NSERC) and Fonds de Recherche sur la Société et la Culture (FRQSC). Hadi Otrok was supported by Khalifa University of Science, Technology & Research (KUSTAR). Azzam Mourad was supported by CNRS (Lebanon) and Lebanese American University (LAU).

[Fig. 6: Linearly Separable Data: The data records classified as cooperative and those classified as malicious are separated by a straight line]
REFERENCES

[1] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica et al., "A View of Cloud Computing," Communications of the ACM, vol. 53, no. 4, pp. 50–58, 2010.
[2] B. Furht and A. Escalante, Handbook of cloud computing. Springer, 2010, vol. 3.
[3] F. Chen, X. Bai, and B. Liu, "Efficient service discovery for cloud computing environments," in Advanced Research on Computer Science and Information Engineering. Springer, 2011, pp. 443–448.
[4] A. Jula, E. Sundararajan, and Z. Othman, "Cloud computing service composition: A systematic literature review," Expert Systems with Applications, vol. 41, no. 8, pp. 3809–3824, 2014.
[5] D. Ardagna, G. Casale, M. Ciavotta, J. F. Pérez, and W. Wang, "Quality-of-service in cloud computing: modeling techniques and their applications," Journal of Internet Services and Applications, vol. 5, no. 1, pp. 1–17, 2014.
[6] B. Khosravifar, J. Bentahar, A. Moazin, and P. Thiran, "Analyzing communities of web services using incentives," International Journal of Web Services Research, vol. 7, no. 3, pp. 30–51, 2010.
[7] J. Bentahar, B. Khosravifar, M. A. Serhani, and M. Alishahia, "On the analysis of reputation for agent-based web services," Expert Systems with Applications, vol. 39, no. 16, pp. 12438–12450, November 2012.
[8] B. Khosravifar, J. Bentahar, K. Clacens, C. Goffart, and P. Thiran, Service-Oriented Computing, ser. Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2011, vol. 7084, ch. Game-Theoretic Analysis of a Web Services Collaborative Mechanism, pp. 549–556.
[9] O. A. Wahab, J. Bentahar, H. Otrok, and A. Mourad, "A survey on trust and reputation models for web services: Single, composite, and communities," Decision Support Systems, vol. 74, pp. 121–134, 2015.
[10] W. Hu, Y. Liao, and V.-R. Vemuri, "Robust support vector machines for anomaly detection in computer security," in Proc. 2003 International Conference on Machine Learning and Applications, 2003, pp. 168–174.
[11] O. A. Wahab, H. Otrok, and A. Mourad, "A cooperative watchdog model based on Dempster-Shafer for detecting misbehaving vehicles," Computer Communications, vol. 41, pp. 43–54, 2014.
[12] K.-A. Heller, K.-M. Svore, A.-D. Keromytis, and S.-J. Stolfo, "One class support vector machines for detecting anomalous windows registry accesses," in International Journal of Pattern Recognition and Artificial Intelligence, 2003, pp. 459–486.
[13] T. Shon and J. Moon, "A hybrid machine learning approach to network anomaly detection," Information Sciences, vol. 177, no. 18, pp. 3799–3821, 2007.
[14] J. Han, M. Kamber, J. Pei, and M. Kaufmann, Data Mining: Concepts and techniques, 3rd ed. San Francisco, CA, USA: The Morgan Kaufmann Series in Data Management Systems, 2012.
[15] B. Benatallah, Q. Sheng, and M. Dumas, "The self-serv environment for web services composition," IEEE Internet Computing, vol. 7, no. 1, pp. 40–48, 2003.
[16] Z. Maamar, S. Subramanian, J. Bentahar, P. Thiran, and D. Bensilamane, "An approach to engineer communities of web services: Concepts, architecture, operation, and deployment," International Journal of E-Business Research (IJEBR), vol. 5, no. 4, pp. 1–21, 2009.
[17] H. Limam and J. Akaichi, "Managing web services communities: A cache for queries optimisation," International Journal on Web Service Computing (IJWSC), vol. 1, no. 1, 2010.
[18] B. Medjahed and A. Bouguettaya, "A dynamic foundational architecture for semantic web services," Distributed and Parallel Databases, vol. 17, pp. 179–206, 2005.
[19] L. Zeng, B. Benatallah, M. Dumas, J. Kalagnanam, and Q. Z. Sheng, "Quality driven web services composition," in Proceedings of the 12th international conference on World Wide Web, ser. WWW 03, 2003, pp. 411–421.
[20] D. Niyato, A. V. Vasilakos, and Z. Kun, "Resource and revenue sharing with coalition formation of cloud providers: Game theoretic approach," in Proceedings of the 2011 11th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing. IEEE Computer Society, 2011, pp. 215–224.
[21] P. Alvaro, T. Condie, N. Conway, K. Elmeleegy, J. M. Hellerstein, and R. Sears, "Boom analytics: exploring data-centric, declarative programming for the cloud," in Proceedings of the 5th European conference on Computer systems. ACM, 2010, pp. 223–236.
[22] R. K. Ko, B. S. Lee, and S. Pearson, "Towards achieving accountability, auditability and trust in cloud computing," in Advances in Computing and Communications. Springer, 2011, pp. 432–444.
[23] O. A. Wahab, H. Otrok, and A. Mourad, "VANET QoS-OLSR: QoS-based clustering protocol for Vehicular Ad hoc Networks," Computer Communications, vol. 36, no. 13, pp. 1422–1435, 2013.
[24] L. Khan, M. Awad, and B. Thuraisingham, "A new intrusion detection system using support vector machines and hierarchical clustering," The International Journal on Very Large Data Bases (VLDB), vol. 16, no. 4, pp. 507–521, 2007.