Researchers have introduced a novel threat detection model designed specifically for serverless cloud environments. This innovative approach leverages cloud providers’ native monitoring tools to detect anomalous behavior in serverless applications, providing a robust and efficient solution for identifying compromised serverless functions.
Serverless computing has emerged as a popular cloud computing paradigm. It enables organizations to build and deploy software and services without the need to maintain, provide, or scale resources like physical or virtual servers.
However, this shift has also introduced new security challenges, including limited access to the underlying infrastructure, short development cycles, and a large and complex attack surface.
Serverless environments are prone to unique threats, including permission misuse, data leakage, and denial-of-wallet (DoW) attacks.
Compromised serverless functions can significantly damage the CIA triad of confidentiality, integrity, and availability. The researchers’ threat model focuses on detecting compromised serverless functions by identifying post-exploitation abnormal behavior related to different types of attacks.
The researchers propose an unsupervised deep learning anomaly detection model that relies solely on cloud providers’ native monitoring tools to detect abnormal behavior in serverless applications.
This approach is serverless application-agnostic, threat-agnostic, and easy to expand with model fine-tuning. The model learns the normal behavior of the serverless environment and detects anomalies in real-time, allowing for swift incident response.
According to the researchers, In this paper, “we introduce an extendable serverless security threat detection model that utilizes cloud providers’ native monitoring tools to identify abnormal behavior in serverless applications. Our model focuses on detecting compromised serverless functions by pinpointing post-exploitation abnormal behavior associated with various attacks on these functions, serving as a crucial last line of defense.”
“We developed a comprehensive testbed within an AWS cloud environment to rigorously evaluate our threat detection model, specifically designed for serverless applications.
This testbed comprised two distinct serverless applications and incorporated simulations of various attack scenarios that represent the primary security threats encountered by serverless functions. Through this meticulous setup, our model was put to the test against a wide spectrum of potential attacks.”
The evaluation results were highly promising. Our model successfully detected all the implemented attacks, demonstrating its robust capability to identify compromised serverless functions effectively. Moreover, the model maintained an impressively low false alarm rate of just 0.003, underscoring its precision in distinguishing between genuine threats and benign activities. This low false alarm rate is crucial as it ensures that security teams can focus their efforts on actual threats without being overwhelmed by false positives.
Overall, this evaluation highlights the efficacy of our threat detection model in safeguarding serverless environments. By accurately detecting various types of attacks while minimizing false alarms, our model proves to be a reliable tool for enhancing the security posture of serverless applications in the cloud.
Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access
Key Features and Benefits
The proposed model offers several key features and benefits, including:
- Efficient detection: The model detects all implemented attacks while maintaining a negligible false alarm rate.
- Ease of use: The model is easy to deploy and maintain, requiring no changes to the existing infrastructure.
- Flexibility: The model can be used in online or offline mode, allowing organizations to choose the best approach based on their security policy and risk assessment.
- Scalability: The model can monitor multiple functions and applications, making it an ideal solution for large-scale serverless environments.
The researchers evaluated their model using a serverless evaluation testbed in an AWS cloud environment, simulating benign user activity and various attacks.
“The evaluation scores looked very good. This model was able to find all of the attacks that were tried, showing that it is a strong tool for finding serverless services that have been compromised.”
The model also had an incredibly low false alarm rate of only 0.003, which shows how well it can tell the difference between real threats and harmless behaviors. This low rate of false alarms is significant because it lets security teams focus on real risks without being distracted by too many false positives.
The proposed threat detection model represents a significant breakthrough in serverless cloud security, offering a robust and efficient solution for identifying compromised serverless functions. With its ease of use, flexibility, and scalability, this model is poised to become a vital tool for organizations seeking to secure their serverless environments.
Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download