Anomaly Detection with Virtual Service Migration in Cloud Infrastructures

Cloud computing is becoming a very popular way to outsource data storage, services or even infrastructure. Clouds are large network data centers that make use of virtualization technology, thus enabling dynamic scalability and , from user’s perspective, apparent infinite resources. Clouds host services in virtual machines that are isolated from one another and can be migrated within or between data centers. Virtual service migration is used in case of failure or disaster, resource optimization issues, maintenance and to reduce network costs. This thesis work shows how virtual service migration affects state-of-the-art anomaly detection that can be used to detect malicious activity, such as Distributed Denial of Service attacks. Using data from actual services, anomalous traffic is analyzed with and without migration in different scenarios. The scenarios cover different types of anomalies, i.e. attacks, variations of anomaly intensity and variations of size of migrated services. All these parameters affect how much virtual service migration influences anomaly detection results. Our results show that, in some cases, virtual service migration can be incorrectly detected as an anomaly, i.e., an attack. To mitigate this, one could adjust detection parameters such as the anomaly score threshold to reduce the number of incorrectly detected attacks. However, this introduced the risk of not detecting genuine attacks. This finding brings into question the reliability of state-of-the-art anomaly detection techniques when applied in the cloud, pointing to the need for further investigation in this important area.