AUTOMATIC IDENTIFICATION OF FUNCTIONAL STRUCTURE OF A COMPLEX CLOUD SERVICE

IP.com Disclosure Number: IPCOM000240346D
Publication Date: 2015-Jan-23
Document File: 8 page(s) / 259K

Publishing Venue

The IP.com Prior Art Database

Related People

Jan Kohout: AUTHOR [+2]

Abstract

Increasingly popular cloud services frequently have many functional parts, which makes their structure rather complex; yet understanding that structure improves network monitoring for security purposes, traffic routing, etc. Since the structure of third-party services is typically unknown, automated tools for discovering it are of great need. In this work, we propose such a tool, relying only on high-level statistics of servers' usage, such as volumes and times of interactions with the servers. Because it does not look into the communication contents, the method works for encrypted channels as well.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 21% of the total text.

Page 01 of 8

AUTOMATIC IDENTIFICATION OF FUNCTIONAL STRUCTURE OF A COMPLEX CLOUD SERVICE

AUTHORS:

Jan Kohout

Tomas Pevny

CISCO SYSTEMS, INC.

DETAILED DESCRIPTION

    With the increasing trend of replacing internal services running inside a private network with cloud services accessed via the HTTP(S) protocol, there is also an increasing need to monitor the behavior of their users in order to identify security concerns. The monitoring system needs enough knowledge of how each cloud service works; such knowledge enables the system to accurately distinguish between normal and anomalous usage patterns.

    Many cloud services that are accessed via HTTP(S) have a rather complex structure and can be seen as composed of several sub-services fulfilling specific tasks. For example, in the cloud storage service offered by Dropbox, Inc., there is a sub-service responsible for periodic notifications about file changes, a sub-service that handles meta-data transfers, and a sub-service which provides the file transfers. As the trend is to access remote cloud services via a web interface, the vast majority of traffic uses ports 80 or 443, which makes port-based identification of the services' components unusable. Moreover, relying on any structure in the FQDNs can be tricky, because such structure can be ambiguous. There is no guarantee that hostnames with similar FQDNs run the same type of service, and the FQDNs of all the service's nodes may be unavailable, as the proxy logs may contain only their IP addresses.

Copyright 2015 Cisco Systems, Inc.

    In order to accurately model behavior of the service's users (especially for applications in intrusion detection systems), there is a need to identify the sub-services and take them into account when the behavioral models are built. Otherwise, the accuracy of the models could significantly suffer from different properties of the communication with each different sub-service. Moreover, if the behavioral model has information about the structure of sub-services available, it can capture the behavioral patterns of the users in much deeper detail by modelling relations between sub-services.
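The following is an added illustration of the idea stated in the abstract and motivated above, not code from the disclosure or from Cisco: it groups the nodes of a cloud service into candidate sub-services using only per-server transfer volumes and request timing taken from proxy-log records, never the payload. The extracted text does not say which statistics or which grouping algorithm the authors use, so the feature set (log-scaled mean bytes up and down, median gap between consecutive requests) and the complete-linkage agglomerative clustering are assumptions of this example; the log lines, hostnames and the IP-only node are constructed.

```python
"""Group a cloud service's nodes into candidate sub-services from
high-level proxy-log statistics only (volumes and timing, no content).

Added illustration, not the disclosure's code: features and the
clustering step are assumptions; the text only says the method relies
on volumes and times of interactions with the servers.
"""
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "timestamp client server bytes_up bytes_down".
# All nodes serve on 443 (port omitted), so the port says nothing about a
# node's role, and one node is logged only as an IP address.
SAMPLE_LOG = """\
2015-01-20T09:00:00 10.0.0.5 notify-a.example-cloud.test 200 150
2015-01-20T09:00:30 10.0.0.5 notify-a.example-cloud.test 200 150
2015-01-20T09:01:00 10.0.0.5 notify-a.example-cloud.test 200 150
2015-01-20T09:00:10 10.0.0.6 notify-b.example-cloud.test 210 160
2015-01-20T09:00:40 10.0.0.6 notify-b.example-cloud.test 210 160
2015-01-20T09:01:10 10.0.0.6 notify-b.example-cloud.test 210 160
2015-01-20T09:00:05 10.0.0.5 meta-a.example-cloud.test 1500 8000
2015-01-20T09:02:05 10.0.0.7 meta-a.example-cloud.test 1500 8000
2015-01-20T09:05:05 10.0.0.5 meta-a.example-cloud.test 1500 8000
2015-01-20T09:00:20 10.0.0.6 meta-b.example-cloud.test 1400 9000
2015-01-20T09:03:20 10.0.0.6 meta-b.example-cloud.test 1400 9000
2015-01-20T09:05:20 10.0.0.8 meta-b.example-cloud.test 1400 9000
2015-01-20T09:00:15 10.0.0.5 blocks.example-cloud.test 40 4000000
2015-01-20T09:10:15 10.0.0.7 blocks.example-cloud.test 40 4000000
2015-01-20T09:25:15 10.0.0.5 blocks.example-cloud.test 40 4000000
2015-01-20T09:01:00 10.0.0.6 203.0.113.7 60 3500000
2015-01-20T09:13:00 10.0.0.8 203.0.113.7 60 3500000
2015-01-20T09:25:00 10.0.0.6 203.0.113.7 60 3500000
"""


def parse_log(text):
    """Parse the constructed log into (server, timestamp, up, down) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _client, server, up, down = line.split()
        records.append((server, datetime.fromisoformat(ts), int(up), int(down)))
    return records


def server_features(records):
    """Per-server vector: log10 of mean bytes up, mean bytes down and the
    median gap (seconds) between consecutive requests to that server.
    A server seen only once has no gap and is skipped."""
    by_server = defaultdict(list)
    for server, ts, up, down in records:
        by_server[server].append((ts, up, down))
    feats = {}
    for server, rows in by_server.items():
        if len(rows) < 2:
            continue
        rows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        feats[server] = [
            math.log10(statistics.mean(r[1] for r in rows) + 1),
            math.log10(statistics.mean(r[2] for r in rows) + 1),
            math.log10(statistics.median(gaps) + 1),
        ]
    return feats


def standardize(vectors):
    """Z-score each feature so volume and timing weigh equally."""
    out = [list(v) for v in vectors]
    for d in range(len(vectors[0])):
        col = [v[d] for v in vectors]
        mu, sd = statistics.mean(col), statistics.pstdev(col) or 1.0
        for v in out:
            v[d] = (v[d] - mu) / sd
    return out


def cluster_servers(feats, k):
    """Complete-linkage agglomerative clustering down to k groups."""
    names = sorted(feats)
    if not names:
        return []
    vecs = standardize([feats[n] for n in names])
    clusters = [[i] for i in range(len(names))]
    while len(clusters) > k:
        best = None
        for i in range(len(clusters)):
            for j in range(i + 1, len(clusters)):
                d = max(math.dist(vecs[a], vecs[b])
                        for a in clusters[i] for b in clusters[j])
                if best is None or d < best[0]:
                    best = (d, i, j)
        _, i, j = best
        clusters[i].extend(clusters.pop(j))  # j > i, so i stays valid
    return sorted(sorted(names[i] for i in c) for c in clusters)


def identify_sub_services(log_text, k=3):
    """End-to-end: log text -> k candidate sub-service groups."""
    return cluster_servers(server_features(parse_log(log_text)), k)


if __name__ == "__main__":
    for group in identify_sub_services(SAMPLE_LOG):
        print(group)
```

On the constructed data the IP-only node lands in the same group as the bulk-transfer host purely because of its volume and timing profile, which is the kind of grouping a behavioral model could use even when hostnames are missing. The number of groups `k` is a parameter here; in practice it would have to be estimated, and features computed over a longer window and more clients would be needed before the groups are trustworthy.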

    There are two main problems in the process of identifying sub-services: 1) As the cloud service is not operated by the network operator who is deploying the monitoring system, the operator has usually very limited insight into the internal structure of th...