EvIDencE: Testing Intrusion Detection Systems in Virtualized Environments
Final Report Abstract
The project started with a focus on testing intrusion detection systems (IDSes) in virtualized environments. However, we realized an extensive need for further research on the underlying issues of testing and benchmarking hypervisors and their hypercall interfaces, as well as on generating realistic workloads. Later on, we conducted research in the area of Software-Defined Networking (SDN) and Network Function Virtualization (NFV) in combination with IDSes and other security functions, including IDSes for databases. We developed a feature-rich hypercall testing framework that can perform hypercall testing campaigns consisting of an arbitrary number of hypercalls. For human readability, we developed the HyperCall Campaign Description Language (HCCDL), which simplifies campaign creation. It supports many features (e.g., random values, repetitions, delays, fuzzing). When a hypercall testing campaign is run, an execution report is generated. Both the campaign files and the results are stored in a human-readable format. The framework compiles this format into a hypervisor-specific campaign file readable by an injection driver. This driver module executes the hypercalls and collects potential return values. The collected metrics and return values are stored in log files. After the campaign has been executed, the compiler converts these files back into a human-readable format. We evaluated our framework and found that we were able to accurately reproduce the timing of the hypercall campaigns. When evaluating selected hypercalls, we were surprised that some hypercalls behaved counterintuitively: when the load increased, they were processed faster than under lower load. Meanwhile, other hypercalls behaved as expected and took longer to complete with increasing load (similar to requests in cloud applications). A third category of hypercalls was not influenced by the load level at all.
Our framework can be applied by the robustness testing, performance testing, performance isolation, and software aging communities. We plan to extend the framework to support further applications in these areas. We also plan to publish the framework as an official SPEC-endorsed tool. As mentioned earlier, we also did additional work that is closely related to our main project. In the area of SDN and NFV in combination with IDSes and other security functions, we developed a vision of dynamic reordering of security functions inside a network, as well as optimizations for existing security functions. We developed approaches for dynamically bypassing network IDSes. Results showed that performance close to that of a network without an IDS is achievable without losing security. Depending on the application scenario and workload, the performance gain was up to a factor of fourteen. We also introduced a DDoS Protection System against SYN flood attacks that allows for better scalability. Last, we evaluated the performance impact of the ordering of security functions. For all our projects, we had major support from academic and industry partners.
Publications
- Aleksandar Milenkoski, K. R. Jayaram, and Samuel Kounev. Benchmarking Intrusion Detection Systems with Adaptive Provisioning of Virtualized Resources. In Samuel Kounev, Jeffrey O. Kephart, Aleksandar Milenkoski, and Xiaoyun Zhu, editors, Self-Aware Computing Systems. Springer Verlag, Berlin Heidelberg, Germany, 2017.
- K. R. Jayaram, Aleksandar Milenkoski, and Samuel Kounev. Software Architectures for Self-Protection in IaaS Clouds. In Samuel Kounev, Jeffrey O. Kephart, Aleksandar Milenkoski, and Xiaoyun Zhu, editors, Self-Aware Computing Systems. Springer Verlag, Berlin Heidelberg, Germany, 2017.
- Lukas Iffländer, Stefan Geißler, Jürgen Walter, Lukas Beierlieb, and Samuel Kounev. Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking. In Proceedings of the 9th Symposium on Software Performance 2018 (SSP'18), November 2018.
- Aleksandar Milenkoski, Alexandru Iosup, Samuel Kounev, Kai Sachs, Diane E. Mularz, Jonathan A. Curtiss, Jason J. Ding, Florian Rosenberg, and Piotr Rygielski. CUP: A Formalism for Expressing Cloud Usage Patterns for Experts and Non-Experts. IEEE Cloud Computing, 5(3):65–76, June 2018.
- Lukas Iffländer, Jürgen Walter, Simon Eismann, and Samuel Kounev. The Vision of Self-Aware Reordering of Security Network Function Chains. In Proceedings of the 2018 ACM/SPEC International Conference on Performance Engineering (ICPE '18), pages 1–4, New York, NY, USA, 2018. ACM.
- Lukas Iffländer, Alexandra Dmitrienko, Christoph Hagen, Michael Jobst, and Samuel Kounev. Hands Off my Database: Ransomware Detection in Databases through Dynamic Analysis of Query Sequences. Technical report, Universität Würzburg, July 2019.
- Lukas Iffländer and Nicolas Fella. Performance Influence of Security Function Chain Ordering. In Companion of the 2019 ACM/SPEC International Conference on Performance Engineering (ICPE '19), pages 45–46, New York, NY, USA, 2019. ACM.
- Lukas Iffländer, Jonathan Stoll, Nishant Rawtani, Veronika Lesch, Klaus-Dieter Lange, and Samuel Kounev. Performance Oriented Dynamic Bypassing for Intrusion Detection Systems. In Proceedings of the 2019 ACM/SPEC International Conference on Performance Engineering (ICPE '19), pages 159–166, New York, NY, USA, 2019. ACM.
- Lukas Beierlieb, Lukas Iffländer, Samuel Kounev, and Aleksandar Milenkoski. Towards Testing the Performance Influence of Hypervisor Hypercall Interface Behavior. In Proceedings of the 10th Symposium on Software Performance 2019 (SSP'19), November 2019.
- Lukas Beierlieb, Lukas Iffländer, Aleksandar Milenkoski, Charles F. Goncalves, Nuno Antunes, and Samuel Kounev. Towards Testing the Software Aging Behavior of Hypervisor Hypercall Interfaces. In 2019 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW). IEEE, November 2019.