F. Basso, Bruno Marcelo Soares Ferreira, Rafael Torres, R. Z. Frantz, D. Kreutz, Maicon Bernardino, Elder de Macedo Rodrigues
Open Services for Lifecycle Collaboration (OSLC) is an open standard for tool interoperability, which allows data federation throughout Software Engineering (SE) application lifecycles. The OSLC community has been active since 2008, and there is still an open question: "What is the state-of-the-art and practice of OSLC for tool integration in Application Lifecycle Management (ALM) for Software Engineering environments?". Objective: To answer this question, our main goal is to map the state-of-the-art and practice on the adoption of OSLC in SE lifecycles. Method: This paper presents a Systematic Mapping Study (SMS) by analyzing 59 primary studies and addressing integration issues such as building SE toolchains. Results: Our findings show that OSLC has been mostly implemented with the development of adapters and MDE. Conclusions: The main advantages of OSLC are related to linked data, involving not only tool adapters for point-to-point integrations, but also proposing solutions for tool replacement in the toolchain, as well as including modifications of OSLC domain specifications and solutions for automated activities for tool integration.
{"title":"Model-Driven Integration and the OSLC Standard: a Mapping of Applied Studies","authors":"F. Basso, Bruno Marcelo Soares Ferreira, Rafael Torres, R. Z. Frantz, D. Kreutz, Maicon Bernardino, Elder de Macedo Rodrigues","doi":"10.1145/3555776.3577761","DOIUrl":"https://doi.org/10.1145/3555776.3577761","url":null,"abstract":"Open Services for Lifecycle Collaboration (OSLC) is an open standard for tool interoperability, which allows data federation throughout Software Engineering (SE) application lifecycles. The OSLC community has been active since 2008, and there is still an open question: \"What is the state-of-the-art and practice of OSLC for tool integration in Application Lifecycle Management (ALM) for Software Engineering environments?\". Objective: To answer this question, our main goal is to map the state-of-the-art and practice on the adoption of OSLC in SE lifecycles. Method: This paper presents a Systematic Mapping Study (SMS) by analyzing 59 primary studies and addressing integration issues such as building SE toolchains. Results: Our findings show that OSLC has been mostly implemented with the development of adapters and MDE. Conclusions: The main advantages of OSLC are related to linked data, involving not only tool adapters for point-to-point integrations, but also proposing solutions for tool replacement in the toolchain, as well as including modifications of OSLC domain specifications and solutions for automated activities for tool integration.","PeriodicalId":42971,"journal":{"name":"Applied Computing Review","volume":"11 1","pages":""},"PeriodicalIF":1.0,"publicationDate":"2023-03-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"89285469","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Xinwei Ji, Tianming Zhao, Wei Li, Albert Y. Zomaya
Automatic pain assessment systems can help patients get timely and effective pain relief treatment whenever needed. Such a system aims to provide the service with pain identification and pain intensity rating functions. Among the physiological signals, the electrodermal activity (EDA) signal emerges as a promising feature to support both functions in pain assessment. In this work, we propose a machine learning framework to implement pain identification and pain intensity rating using only EDA and its derived features. Our solution also explores the feasibility of using ultra-short EDA segmentation of about 5 seconds to meet real-time requirements. We evaluate our system on two datasets: Biovid, a publicly available dataset, and Apon, the one we build. Experimental results demonstrate that using just the ultra-short EDA signal as input, our algorithm outperforms state-of-the-art baselines and achieves a low regression error of 0.90.
{"title":"Automatic Pain Assessment with Ultra-short Electrodermal Activity Signal","authors":"Xinwei Ji, Tianming Zhao, Wei Li, Albert Y. Zomaya","doi":"10.1145/3555776.3577721","DOIUrl":"https://doi.org/10.1145/3555776.3577721","url":null,"abstract":"Automatic pain assessment systems can help patients get timely and effective pain relief treatment whenever needed. Such a system aims to provide the service with pain identification and pain intensity rating functions. Among the physiological signals, the electrodermal activity (EDA) signal emerges as a promising feature to support both functions in pain assessment. In this work, we propose a machine learning framework to implement pain identification and pain intensity rating using only EDA and its derived features. Our solution also explores the feasibility of using ultra-short EDA segmentation of about 5 seconds to meet real-time requirements. We evaluate our system on two datasets: Biovid, a publicly available dataset, and Apon, the one we build. Experimental results demonstrate that using just the ultra-short EDA signal as input, our algorithm outperforms state-of-the-art baselines and achieves a low regression error of 0.90.","PeriodicalId":42971,"journal":{"name":"Applied Computing Review","volume":"103 1","pages":""},"PeriodicalIF":1.0,"publicationDate":"2023-03-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"91301899","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
The verification of computations performed by an untrusted server is a cornerstone for delegated computations, especially in multi-clients setting where inputs are provided by different parties. Assuming a common secret between clients, a garbled circuit offers the attractive property to ensure the correctness of a result computed by the untrusted server while keeping the input and the function private. Yet, this verification can be guaranteed only once. Based on the notion of multi-key homomorphic encryption (MKHE), we propose RMC-PVC a multi-client verifiable computation protocol, able to verify the correctness of computations performed by an untrusted server for inputs (encoded for a garbled circuit) provided by multiple clients. Thanks to MKHE, the garbled circuit is reusable an arbitrary number of times. In addition, each client can verify the computation by its own. Compared to a single-key FHE scheme, the MKHE usage in RMC-PVC allows to reduce the workload of the server and thus the response delay for the client. It also enforce the privacy of inputs, which are provided by different clients.
{"title":"RMC-PVC: A Multi-Client Reusable Verifiable Computation Protocol","authors":"Gael Marcadet, P. Lafourcade, Léo Robert","doi":"10.1145/3555776.3577680","DOIUrl":"https://doi.org/10.1145/3555776.3577680","url":null,"abstract":"The verification of computations performed by an untrusted server is a cornerstone for delegated computations, especially in multi-clients setting where inputs are provided by different parties. Assuming a common secret between clients, a garbled circuit offers the attractive property to ensure the correctness of a result computed by the untrusted server while keeping the input and the function private. Yet, this verification can be guaranteed only once. Based on the notion of multi-key homomorphic encryption (MKHE), we propose RMC-PVC a multi-client verifiable computation protocol, able to verify the correctness of computations performed by an untrusted server for inputs (encoded for a garbled circuit) provided by multiple clients. Thanks to MKHE, the garbled circuit is reusable an arbitrary number of times. In addition, each client can verify the computation by its own. Compared to a single-key FHE scheme, the MKHE usage in RMC-PVC allows to reduce the workload of the server and thus the response delay for the client. It also enforce the privacy of inputs, which are provided by different clients.","PeriodicalId":42971,"journal":{"name":"Applied Computing Review","volume":"8 1","pages":""},"PeriodicalIF":1.0,"publicationDate":"2023-03-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"87532830","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
P. Pereira, Carlos Gonçalves, Lara Lopes Nunes, P. Cortez, A. Pilastri
Nowadays, the general interest in Machine Learning (ML) based solutions is increasing. However, to develop and deploy a ML solution often requires experience and it involves developing large code scripts. In this paper, we propose AI4CITY, an automated technological platform that aims to reduce the complexity of designing ML solutions, with a particular focus on Smart Cities applications. We compare our solution with popular Automated ML (AutoML) tools (e.g., H2O, AutoGluon) and the results achieved by AI4CITY were quite interesting and competitive.
{"title":"AI4CITY - An Automated Machine Learning Platform for Smart Cities","authors":"P. Pereira, Carlos Gonçalves, Lara Lopes Nunes, P. Cortez, A. Pilastri","doi":"10.1145/3555776.3578740","DOIUrl":"https://doi.org/10.1145/3555776.3578740","url":null,"abstract":"Nowadays, the general interest in Machine Learning (ML) based solutions is increasing. However, to develop and deploy a ML solution often requires experience and it involves developing large code scripts. In this paper, we propose AI4CITY, an automated technological platform that aims to reduce the complexity of designing ML solutions, with a particular focus on Smart Cities applications. We compare our solution with popular Automated ML (AutoML) tools (e.g., H2O, AutoGluon) and the results achieved by AI4CITY were quite interesting and competitive.","PeriodicalId":42971,"journal":{"name":"Applied Computing Review","volume":"69 1","pages":""},"PeriodicalIF":1.0,"publicationDate":"2023-03-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"83469896","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Shubham Malaviya, Manish Shukla, Pratik Korat, S. Lodha
Federated learning has emerged as a privacy-preserving technique to learn a machine learning model without requiring users to share their data. Our paper focuses on Federated Semi-Supervised Learning (FSSL) setting wherein users do not have domain expertise or incentives to label data on their device, and the server has access to some labeled data that is annotated by experts. The existing work in FSSL require data augmentation for model training. However, data augmentation is not well defined for prevalent domains like text and graphs. Moreover, non independent and identically distributed (non-i.i.d.) data across users is a significant challenge in federated learning. We propose a generalized framework based on model contrastive learning called FedFAME which does not require data augmentation, thus making it easy to adapt to different domains. Our experiments on image and text datasets show the robustness of FedFAME towards non-i.i.d. data. We have validated our approach by varying data imbalance across users and the number of labeled instances on the server.
{"title":"FedFAME: A Data Augmentation Free Framework based on Model Contrastive Learning for Federated Semi-Supervised Learning","authors":"Shubham Malaviya, Manish Shukla, Pratik Korat, S. Lodha","doi":"10.1145/3555776.3577613","DOIUrl":"https://doi.org/10.1145/3555776.3577613","url":null,"abstract":"Federated learning has emerged as a privacy-preserving technique to learn a machine learning model without requiring users to share their data. Our paper focuses on Federated Semi-Supervised Learning (FSSL) setting wherein users do not have domain expertise or incentives to label data on their device, and the server has access to some labeled data that is annotated by experts. The existing work in FSSL require data augmentation for model training. However, data augmentation is not well defined for prevalent domains like text and graphs. Moreover, non independent and identically distributed (non-i.i.d.) data across users is a significant challenge in federated learning. We propose a generalized framework based on model contrastive learning called FedFAME which does not require data augmentation, thus making it easy to adapt to different domains. Our experiments on image and text datasets show the robustness of FedFAME towards non-i.i.d. data. We have validated our approach by varying data imbalance across users and the number of labeled instances on the server.","PeriodicalId":42971,"journal":{"name":"Applied Computing Review","volume":"18 1","pages":""},"PeriodicalIF":1.0,"publicationDate":"2023-03-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"87588849","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
J. Parra-Ullauri, Xunzheng Zhang, A. Bravalheri, R. Nejabati, D. Simeonidou
Federated learning (FL) is an emerging distributed machine learning technique in which multiple clients collaborate to learn a model under the management of a central server. An FL system depends on a set of initial conditions (i.e., hyperparameters) that affect the system's performance. However, defining a good choice of hyperparameters for the central server and clients is a challenging problem. Hyperparameter tuning in FL often requires manual or automated searches to find optimal values. Nonetheless, a noticeable limitation is the high cost of algorithm evaluation for server and client models, making the tuning process computationally expensive and time-consuming. We propose an implementation based on integrating the FL framework Flower, and the prime optimisation software Optuna for automated and efficient hyperparameter optimisation (HPO) in FL. Through this combination, it is possible to tune hyperparameters in both clients and server online, aiming to find the optimal values at runtime. We introduce the HPO factor to describe the number of rounds that the HPO will take place, and the HPO rate that defines the frequency for updating the hyperparameters and can be used for pruning. The HPO is managed by the FL server which updates clients' hyperparameters, with an HPO rate, using state-of-the-art optimisation algorithms enabled by Optuna. We tested our approach by updating multiple client models simultaneously in popular image recognition datasets which produced promising results compared to baselines.
{"title":"Federated Hyperparameter Optimisation with Flower and Optuna","authors":"J. Parra-Ullauri, Xunzheng Zhang, A. Bravalheri, R. Nejabati, D. Simeonidou","doi":"10.1145/3555776.3577847","DOIUrl":"https://doi.org/10.1145/3555776.3577847","url":null,"abstract":"Federated learning (FL) is an emerging distributed machine learning technique in which multiple clients collaborate to learn a model under the management of a central server. An FL system depends on a set of initial conditions (i.e., hyperparameters) that affect the system's performance. However, defining a good choice of hyperparameters for the central server and clients is a challenging problem. Hyperparameter tuning in FL often requires manual or automated searches to find optimal values. Nonetheless, a noticeable limitation is the high cost of algorithm evaluation for server and client models, making the tuning process computationally expensive and time-consuming. We propose an implementation based on integrating the FL framework Flower, and the prime optimisation software Optuna for automated and efficient hyperparameter optimisation (HPO) in FL. Through this combination, it is possible to tune hyperparameters in both clients and server online, aiming to find the optimal values at runtime. We introduce the HPO factor to describe the number of rounds that the HPO will take place, and the HPO rate that defines the frequency for updating the hyperparameters and can be used for pruning. The HPO is managed by the FL server which updates clients' hyperparameters, with an HPO rate, using state-of-the-art optimisation algorithms enabled by Optuna. We tested our approach by updating multiple client models simultaneously in popular image recognition datasets which produced promising results compared to baselines.","PeriodicalId":42971,"journal":{"name":"Applied Computing Review","volume":"62 1","pages":""},"PeriodicalIF":1.0,"publicationDate":"2023-03-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"72646118","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Mateusz Gniewkowski, H. Maciejewski, T. Surmacz, Wiktor Walentynowicz
In this paper, we show how methods known from Natural Language Processing (NLP) can be used to detect anomalies in HTTP requests and malicious URLs. Most of the current solutions focusing on a similar problem are either rule-based or trained using manually selected features. Modern NLP methods, however, have great potential in capturing a deep understanding of samples and therefore improving the classification results. Other methods, which rely on a similar idea, often ignore the interpretability of the results, which is so important in machine learning. We are trying to fill this gap. In addition, we show to what extent the proposed solutions are resistant to concept drift. In our work, we compare three different vectorization methods: simple BoW, fastText, and the current state-of-the-art language model RoBERTa. The obtained vectors are later used in the classification task. In order to explain our results, we utilize the SHAP method. We evaluate the feasibility of our methods on four different datasets: CSIC2010, UNSW-NB15, MALICIOUSURL, and ISCX-URL2016. The first two are related to HTTP traffic, the other two contain malicious URLs. The results we show are comparable to others or better, and most importantly - interpretable.
{"title":"Sec2vec: Anomaly Detection in HTTP Traffic and Malicious URLs","authors":"Mateusz Gniewkowski, H. Maciejewski, T. Surmacz, Wiktor Walentynowicz","doi":"10.1145/3555776.3577663","DOIUrl":"https://doi.org/10.1145/3555776.3577663","url":null,"abstract":"In this paper, we show how methods known from Natural Language Processing (NLP) can be used to detect anomalies in HTTP requests and malicious URLs. Most of the current solutions focusing on a similar problem are either rule-based or trained using manually selected features. Modern NLP methods, however, have great potential in capturing a deep understanding of samples and therefore improving the classification results. Other methods, which rely on a similar idea, often ignore the interpretability of the results, which is so important in machine learning. We are trying to fill this gap. In addition, we show to what extent the proposed solutions are resistant to concept drift. In our work, we compare three different vectorization methods: simple BoW, fastText, and the current state-of-the-art language model RoBERTa. The obtained vectors are later used in the classification task. In order to explain our results, we utilize the SHAP method. We evaluate the feasibility of our methods on four different datasets: CSIC2010, UNSW-NB15, MALICIOUSURL, and ISCX-URL2016. The first two are related to HTTP traffic, the other two contain malicious URLs. The results we show are comparable to others or better, and most importantly - interpretable.","PeriodicalId":42971,"journal":{"name":"Applied Computing Review","volume":"46 1","pages":""},"PeriodicalIF":1.0,"publicationDate":"2023-03-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"79851654","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Growing technologies like virtualization and artificial intelligence have become more popular on mobile devices. But lack of resources faced for processing these applications is still major hurdle. Collaborative edge and cloud computing are one of the solutions to this problem. We have proposed a multi-period deep deterministic policy gradient (MP-DDPG) algorithm to find an optimal offloading policy by partitioning the task and offloading it to the collaborative cloud and edge network to reduce energy consumption. Our results show that MP-DDPG achieves the minimum latency and energy consumption in the collaborative cloud network.
{"title":"MP-DDPG: Optimal Latency-Energy Dynamic Offloading Scheme in Collaborative Cloud Networks","authors":"Jui Mhatre, Ahyoung Lee","doi":"10.1145/3555776.3577767","DOIUrl":"https://doi.org/10.1145/3555776.3577767","url":null,"abstract":"Growing technologies like virtualization and artificial intelligence have become more popular on mobile devices. But lack of resources faced for processing these applications is still major hurdle. Collaborative edge and cloud computing are one of the solutions to this problem. We have proposed a multi-period deep deterministic policy gradient (MP-DDPG) algorithm to find an optimal offloading policy by partitioning the task and offloading it to the collaborative cloud and edge network to reduce energy consumption. Our results show that MP-DDPG achieves the minimum latency and energy consumption in the collaborative cloud network.","PeriodicalId":42971,"journal":{"name":"Applied Computing Review","volume":"59 1","pages":""},"PeriodicalIF":1.0,"publicationDate":"2023-03-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"80246251","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Christian Banse, Immanuel Kunz, Nico Haas, Angelika Schneider
Continuous certification of cloud services requires a high degree of automation in collecting and evaluating evidences. Prior approaches to this topic are often specific to a cloud provider or a certain certification catalog. This makes it costly and complex to achieve conformance to multiple certification schemes and covering multi-cloud solutions. In this paper, we present a novel approach to continuous certification which is scheme- and vendor-independent. Leveraging an ontology of cloud resources and their security features, we generalize vendor- and scheme-specific terminology into a new model of so-called semantic evidence. In combination with generalized metrics that we elicited out of requirements from the EUCS and the CCMv4, we present a framework for the collection and assessment of such semantic evidence across multiple cloud providers. This allows to conduct continuous cloud certification while achieving re-usability of metrics and evidences in multiple certification schemes. The performance benchmark of the framework's prototype implementation shows that up to 200,000 evidences can be processed in less than a minute, making it suitable for short time intervals used in continuous certification.
{"title":"A Semantic Evidence-based Approach to Continuous Cloud Service Certification","authors":"Christian Banse, Immanuel Kunz, Nico Haas, Angelika Schneider","doi":"10.1145/3555776.3577600","DOIUrl":"https://doi.org/10.1145/3555776.3577600","url":null,"abstract":"Continuous certification of cloud services requires a high degree of automation in collecting and evaluating evidences. Prior approaches to this topic are often specific to a cloud provider or a certain certification catalog. This makes it costly and complex to achieve conformance to multiple certification schemes and covering multi-cloud solutions. In this paper, we present a novel approach to continuous certification which is scheme- and vendor-independent. Leveraging an ontology of cloud resources and their security features, we generalize vendor- and scheme-specific terminology into a new model of so-called semantic evidence. In combination with generalized metrics that we elicited out of requirements from the EUCS and the CCMv4, we present a framework for the collection and assessment of such semantic evidence across multiple cloud providers. This allows to conduct continuous cloud certification while achieving re-usability of metrics and evidences in multiple certification schemes. The performance benchmark of the framework's prototype implementation shows that up to 200,000 evidences can be processed in less than a minute, making it suitable for short time intervals used in continuous certification.","PeriodicalId":42971,"journal":{"name":"Applied Computing Review","volume":"16 1","pages":""},"PeriodicalIF":1.0,"publicationDate":"2023-03-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"79252397","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Hypervisor vulnerabilities cause severe security issues in multi-tenant cloud environments because hypervisors guarantee isolation among virtual machines (VMs). Unfortunately, hypervisor vulnerabilities are continuously reported, and device emulation in hypervisors is one of the hotbeds because of its complexity. Although applying patches to fix the vulnerabilities is a common way to protect hypervisors, it takes time to develop the patches because the internal knowledge on hypervisors is mandatory. The hypervisors are exposed to the threat of the vulnerabilities exploitation until the patches are released. This paper proposes Nioh-PT, a framework for filtering illegal I/O requests, which reduces the vulnerability windows of the device emulation. The key insight of Nioh-PT is that malicious I/O requests contain illegal I/O sequences, a series of I/O requests that are not issued during normal I/O operations. Nioh-PT filters out those illegal I/O sequences and protects device emulators against the exploitation. The filtering rules, which define illegal I/O sequences for virtual device exploits, can be specified without the knowledge on the internal implementation of hypervisors and virtual devices, because Nioh-PT is decoupled from hypervisors and the device emulators. We develop 11 filtering rules against four real-world vulnerabilities in device emulation, including CVE-2015-3456 (VENOM) and CVE-2016-7909. We demonstrate that Nioh-PT with these filtering rules protects against the virtual device exploits and introduces negligible overhead by up to 8% for filesystem and storage benchmarks.
{"title":"Nioh-PT: Virtual I/O Filtering for Agile Protection against Vulnerability Windows","authors":"Mana Senuki, Ken-Ichi Ishiguro, K. Kono","doi":"10.1145/3555776.3577687","DOIUrl":"https://doi.org/10.1145/3555776.3577687","url":null,"abstract":"Hypervisor vulnerabilities cause severe security issues in multi-tenant cloud environments because hypervisors guarantee isolation among virtual machines (VMs). Unfortunately, hypervisor vulnerabilities are continuously reported, and device emulation in hypervisors is one of the hotbeds because of its complexity. Although applying patches to fix the vulnerabilities is a common way to protect hypervisors, it takes time to develop the patches because the internal knowledge on hypervisors is mandatory. The hypervisors are exposed to the threat of the vulnerabilities exploitation until the patches are released. This paper proposes Nioh-PT, a framework for filtering illegal I/O requests, which reduces the vulnerability windows of the device emulation. The key insight of Nioh-PT is that malicious I/O requests contain illegal I/O sequences, a series of I/O requests that are not issued during normal I/O operations. Nioh-PT filters out those illegal I/O sequences and protects device emulators against the exploitation. The filtering rules, which define illegal I/O sequences for virtual device exploits, can be specified without the knowledge on the internal implementation of hypervisors and virtual devices, because Nioh-PT is decoupled from hypervisors and the device emulators. We develop 11 filtering rules against four real-world vulnerabilities in device emulation, including CVE-2015-3456 (VENOM) and CVE-2016-7909. We demonstrate that Nioh-PT with these filtering rules protects against the virtual device exploits and introduces negligible overhead by up to 8% for filesystem and storage benchmarks.","PeriodicalId":42971,"journal":{"name":"Applied Computing Review","volume":"13 1","pages":""},"PeriodicalIF":1.0,"publicationDate":"2023-03-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"76072650","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: