TY - JOUR
T1 - Detection of compromised functions in a serverless cloud environment
AU - Ben-Shimol, Lavi
AU - Lavi, Danielle
AU - Klevansky, Eitan
AU - Brodt, Oleg
AU - Mimran, Dudu
AU - Elovici, Yuval
AU - Shabtai, Asaf
N1 - Publisher Copyright:
© 2024 Elsevier Ltd
PY - 2025/3/1
Y1 - 2025/3/1
N2 - Serverless computing is an emerging cloud paradigm with serverless functions at its core. While serverless environments enable software developers to focus on developing applications without the need to actively manage the underlying runtime infrastructure, they open the door to a wide variety of security threats that can be challenging to mitigate with existing methods. Existing security solutions do not apply to all serverless architectures, since they require significant modifications to the serverless infrastructure or rely on third-party services for the collection of more detailed data. In this paper, we present an extendable serverless security threat detection model that leverages cloud providers’ native monitoring tools to detect anomalous behavior in serverless applications. Our model aims to detect compromised serverless functions by identifying post-exploitation abnormal behavior related to different types of attacks on serverless functions, and therefore, it is a last line of defense. Our approach is not tied to any specific serverless application, is agnostic to the type of threats, and is adaptable through model adjustments. To evaluate our model's performance, we developed a serverless cybersecurity testbed in an AWS cloud environment, which includes two different serverless applications and simulates a variety of attack scenarios that cover the main security threats faced by serverless functions. Our evaluation demonstrates our model's ability to detect all implemented attacks while maintaining a negligible false alarm rate.
AB - Serverless computing is an emerging cloud paradigm with serverless functions at its core. While serverless environments enable software developers to focus on developing applications without the need to actively manage the underlying runtime infrastructure, they open the door to a wide variety of security threats that can be challenging to mitigate with existing methods. Existing security solutions do not apply to all serverless architectures, since they require significant modifications to the serverless infrastructure or rely on third-party services for the collection of more detailed data. In this paper, we present an extendable serverless security threat detection model that leverages cloud providers’ native monitoring tools to detect anomalous behavior in serverless applications. Our model aims to detect compromised serverless functions by identifying post-exploitation abnormal behavior related to different types of attacks on serverless functions, and therefore, it is a last line of defense. Our approach is not tied to any specific serverless application, is agnostic to the type of threats, and is adaptable through model adjustments. To evaluate our model's performance, we developed a serverless cybersecurity testbed in an AWS cloud environment, which includes two different serverless applications and simulates a variety of attack scenarios that cover the main security threats faced by serverless functions. Our evaluation demonstrates our model's ability to detect all implemented attacks while maintaining a negligible false alarm rate.
KW - Anomaly detection
KW - Deep learning
KW - Serverless computing
UR - http://www.scopus.com/inward/record.url?scp=85211991625&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2024.104261
DO - 10.1016/j.cose.2024.104261
M3 - Article
AN - SCOPUS:85211991625
SN - 0167-4048
VL - 150
JO - Computers and Security
JF - Computers and Security
M1 - 104261
ER -