Evidence Detection in Cloud Forensics
Cloud forensics differs from traditional digital forensics because of the architecture of the cloud. In an Infrastructure as a Service (IaaS) cloud model, Virtual Machines (VMs) deployed in the cloud can be used by adversaries to carry out a cyber attack, with the cloud serving as the environment. Investigating such a crime requires sufficient evidence data to prove the attack in a court of law. Electronic evidence (EE) is any data that produces information relevant to the investigation. Identifying evidence in the data generated in a cloud environment is a tedious, manual process. In keeping with RFC 3227, evidence collection can be carried out once the evidence data has been detected with appropriate triage.
A cyber attack originating from a VM leaves traces on the resources it utilizes. These attack patterns on the resources and their properties can be used to detect and acquire evidence data generated in a cloud.
We have generated a dataset using the following settings:
To generate the dataset, a private cloud was set up. The system configuration included an Intel® Core™ i5-4590 processor with 12 GB of RAM and a 1 TB HDD. The private cloud was built using a KVM type-1 hypervisor along with OpenNebula (version 5.12) as the cloud management platform. To simulate a real-time cloud environment, a script generating synthetic workload was deployed on the virtual machines of the cloud. An attack was carried out. The dataset is manually tagged with the known state, attack or normal, of the respective VM.
About the dataset
The dataset generated is a KVM monitoring dataset; however, we propose a novel feature set. The methodology used to generate these novel features is under publication, and this description will be updated once the research article is published. This is one portion of the dataset, whose features can be used to train ML models for evidence detection.
The second portion of the dataset is published under the standard dataset of IEEE Dataport under the name of Memory Dumps of Virtual Machines for Cloud Forensics.
How to use
These two datasets can be used together as they are the outcome of the same experiment. Memory dumps have timestamp and VMID, UUID features.
This dataset can be used to study the impact of an attack (origin) on the rate of resource utilization of a VM monitored at the hypervisor.
The ID of the VM
Unique identifier of the domain
Rate of received bytes from the network
Rate of received packets from the network
Rate of the number of receive errors from the network
Rate of the number of received packets dropped from the network
Rate of transmitted bytes from the network
Rate of transmitted packets from the network
Rate of the number of transmission errors from the network
Rate of the number of transmitted packets dropped from the network
Rate of time spent by vCPU threads executing guest code
Rate of time spent in kernel space
Rate of time spent in userspace
Rate of running state
Rate of maximum memory in kilobytes
Rate of memory used in kilobytes
Rate of the number of virtual CPUs changed
Rate of CPU time used in nanoseconds
Rate of current balloon value (in KiB)
Rate of the amount of data read from swap space (in KiB)
Rate of the amount of memory written out to swap space (in KiB)
Rate of the number of page faults where disk IO was required
Rate of the number of other page faults
Rate of the amount of memory left unused by the system (in KiB)
Rate of the amount of usable memory as seen by the domain (in KiB)
Rate of the amount of memory that can be reclaimed by balloon without causing host swapping (in KiB)
Rate of the timestamp of the last update of statistics (in seconds)
Rate of the amount of memory that can be reclaimed without additional I/O, typically disk caches (in KiB)
Rate of the number of successful huge page allocations initiated from within the domain
Rate of the number of failed huge page allocations initiated from within the domain
Rate of the Resident Set Size of the running domain's process (in KiB)
Rate of the number of read requests on the vda block device
Rate of the number of read bytes on the vda block device
Rate of the number of write requests on the vda block device
Rate of the number of write requests on the vda block device
Rate of the number of errors in the vda block device
Rate of the number of read requests on the hda block device
Rate of the number of read bytes on the hda block device
Rate of the number of write requests on the hda block device
Rate of the number of write bytes on the hda block device
Rate of the number of errors in the hda block device
- The CSV file contains the proposed novel feature set to detect evidence data in a cloud VM: VMResourceUtilizationSlope.csv (1.71 MB)
- Zip file: the CSV file contains all the proposed novel features to detect whether the data generated in the cloud is evidence data: VMResourceUtilizationSlope.zip (182.34 kB)
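The "How to use" note says the two datasets can be combined through the timestamp and VMID carried by the memory dumps. The following sketch is an added example, not code from the dataset authors. For every attack-tagged feature row it selects the same VM's memory dump closest in time. The column names (`vmid`, `timestamp`, `label`, `dump_file`), the sample rows and the `max_gap` tolerance in seconds are assumptions, since the page does not give the real CSV headers.

```python
import bisect
import csv
import io

# Constructed sample rows. Column names are assumptions; the page does not
# list the real headers of either dataset.
FEATURES_CSV = """vmid,timestamp,label
12,1000,normal
12,1060,attack
12,1120,attack
15,1060,attack
17,1060,normal
"""
DUMPS_CSV = """vmid,timestamp,dump_file
12,1055,vm12_a.mem
12,1400,vm12_b.mem
15,2000,vm15_a.mem
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def match_dumps(feature_rows, dump_rows, max_gap=120):
    """For each attack-tagged row, pick the same VM's dump nearest in time.

    Returns (vmid, row_ts, dump_file, gap); dump_file and gap are None when
    the VM has no dump within max_gap seconds.
    """
    by_vm = {}
    for d in dump_rows:
        by_vm.setdefault(d["vmid"], []).append((int(d["timestamp"]), d["dump_file"]))
    for dumps in by_vm.values():
        dumps.sort()
    out = []
    for r in feature_rows:
        if r["label"] != "attack":
            continue
        ts, dumps = int(r["timestamp"]), by_vm.get(r["vmid"], [])
        i = bisect.bisect_left(dumps, (ts,))
        # The nearest dump is the one just before or just after the row.
        near = min(dumps[max(i - 1, 0):i + 1], key=lambda d: abs(d[0] - ts), default=None)
        gap = abs(near[0] - ts) if near else None
        ok = gap is not None and gap <= max_gap
        out.append((r["vmid"], ts, near[1] if ok else None, gap if ok else None))
    return out

if __name__ == "__main__":
    for m in match_dumps(load(FEATURES_CSV), load(DUMPS_CSV)):
        print(m)
```

Rows that come back with `None` are attack-tagged intervals with no nearby dump, which marks a gap in the acquired evidence rather than a negative finding.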