- The paper introduces CloudSEC, a novel methodology using an Evidence Reasoning Network (ERN) to detect real-time lateral movement attacks by correlating vulnerability evidence in edge computing environments.
- CloudSEC consists of EventTracker for monitoring user activities in VMs/containers and AlertCorrelator for correlating network alerts to deduce attack links and detect movement at the network edge.
- Evaluations on standard datasets like MIT Lincoln Lab and UCSB Treasure Hunt demonstrate CloudSEC's effectiveness, scalability, and ability to maintain high evidence confidence in dynamic edge-cloud scenarios.
Real-Time Lateral Movement Detection for Edge Computing Environments
This paper presents a novel methodology, CloudSEC, aimed at enhancing security in edge computing environments by detecting lateral movement attacks in real time. The increasing adoption of edge computing alongside traditional cloud computing introduces complex security challenges, because data and the access controls that govern it become dissociated across tiers, necessitating robust security measures.
Edge computing environments are distinguished by their low latency, high bandwidth, and proximity advantages. Nevertheless, these environments amplify the potential attack surface for lateral movement, a prevalent cyber-attack vector targeting hierarchical architectures. Traditional detection methods falter in these scenarios due to the dynamic architectures and limited computational resources inherent to edge nodes.
The proposed CloudSEC system leverages an Evidence Reasoning Network (ERN) to detect lateral movements based on vulnerability correlations. The methodology involves constructing an ERN from known vulnerabilities and network environment information, providing a framework for correlating and reasoning over discrete pieces of attack evidence. The ERN allows attack processes to be reconstructed in real time, offering more credible evidence chains for forensic investigation, a crucial element in improving cloud service providers' situational awareness and response strategies.
CloudSEC is composed of two primary components: EventTracker and AlertCorrelator. EventTracker operates within individual Virtual Machines (VMs) or containers to monitor user activities and system calls, serving as a prerequisite for identifying complex attack patterns. AlertCorrelator functions at the network’s edge, correlating alerts from multiple network Intrusion Detection Sensors (NIDS) to reason out attack links and detect movement activities based on pre-defined criteria.
The methodology's robustness is demonstrated through extensive experiments, including evaluation on the MIT Lincoln Lab datasets and the University of California Santa Barbara's Treasure Hunt dataset. These evaluations confirm the effectiveness and validity of CloudSEC in deducing complete attack scenarios, illustrating its capability to maintain high evidence confidence even in the absence of certain captured events.
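To make the correlation idea concrete, the following added example (not CloudSEC's code) chains discrete NIDS alerts into an attack path over a toy reasoning network, dropping alerts the network cannot support and bridging one uncaptured hop at reduced confidence. The reachability map, placeholder vulnerability ids, alert tuples and the 0.6 discount are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed reasoning network (assumed values, not from the paper):
# which host can reach which, and the known vulnerability each host exposes.
REACH = {"ext": {"web01"}, "web01": {"app01"}, "app01": {"db01"}, "db01": set()}
VULNS = {"web01": "VULN-A", "app01": "VULN-B", "db01": "VULN-C"}  # placeholder ids
INFERRED_WEIGHT = 0.6  # assumed discount applied per hop no sensor reported

@dataclass
class Chain:
    hosts: list                                   # ordered path, e.g. ext -> web01
    confidence: float = 1.0
    inferred: list = field(default_factory=list)  # hops filled in from the network alone

def consistent(alert):
    """Alert (t, src, dst, vuln) counts as evidence only if src reaches dst and dst exposes vuln."""
    _, src, dst, vuln = alert
    return dst in REACH.get(src, set()) and VULNS.get(dst) == vuln

def correlate(alerts):
    """Chain time-ordered alerts into lateral-movement paths. A captured hop keeps
    confidence at 1.0; one missing hop is bridged via reachability and discounted."""
    chains = []
    for alert in sorted(alerts):
        if not consistent(alert):
            continue                              # unsupported evidence: drop it
        _, src, dst, _ = alert
        for c in chains:
            last = c.hosts[-1]
            if last == src:                       # directly extends this chain
                c.hosts.append(dst)
                break
            if src in REACH.get(last, set()):     # one uncaptured hop last -> src
                c.hosts += [src, dst]
                c.inferred.append((last, src))
                c.confidence *= INFERRED_WEIGHT
                break
        else:
            chains.append(Chain(hosts=[src, dst]))
    return chains

# Constructed alert streams: a full capture, and one missing the web01 -> app01 alert.
ALERTS_FULL = [(1, "ext", "web01", "VULN-A"), (2, "web01", "app01", "VULN-B"),
               (3, "app01", "db01", "VULN-C")]
ALERTS_GAP = [(1, "ext", "web01", "VULN-A"), (2, "web01", "db01", "VULN-C"),
              (3, "app01", "db01", "VULN-C")]   # second alert is network-inconsistent noise
if __name__ == "__main__":
    for c in correlate(ALERTS_GAP):
        print(" -> ".join(c.hosts), f"confidence={c.confidence:.2f}", "inferred:", c.inferred)
```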
The proposed framework significantly advances the state of the art in real-time lateral movement detection, presenting a scalable and flexible approach suitable for the dynamic and resource-constrained nature of edge-cloud environments. While the results exhibit the strength of the approach in maintaining high evidence chain confidence, the authors acknowledge opportunities for enhancing ERN generation efficiency and exploring additional detection algorithms.
The paper makes substantial contributions to the field of network security, particularly in edge computing contexts, by introducing rigorous evidence reasoning for lateral movement detection. Future work, building on this foundational approach, will likely focus on optimizing the execution of ERN frameworks and evaluating the integration of diverse lateral movement strategies, further enhancing security in increasingly prevalent edge-cloud infrastructures.