TY - GEN
T1 - SMART
T2 - 24th IEEE/ACM International Symposium on Cluster, Cloud and Internet Computing, CCGrid 2024
AU - Ashkenazi, Adi
AU - Grolman, Edita
AU - Elyashar, Aviad
AU - Mimran, Dudu
AU - Brodt, Oleg
AU - Elovici, Yuval
AU - Shabtai, Asaf
N1 - Publisher Copyright:
© 2024 IEEE.
PY - 2024/1/1
Y1 - 2024/1/1
N2 - Serverless Function-as-a-Service (FaaS) environments enable developers to build and run cloud applications without the need to manage the underlying servers and computing infrastructure, allowing them to focus on implementing the application logic. Such environments contain numerous functions and dynamic resources, e.g., APIs and databases, making it challenging to gain insight and context of internal events i.e., recognize modules. Module in a serverless application is a set of functions and resources, that represents a functional unit that shares logical context. This paper presents SMART, a method for automatic analysis and recognition of modules for managed serverless applications. The proposed method creates an event-based graph by analyzing the standard serverless logs that document events involving the application's functions and resources and utilizes well-known community detection algorithms (such as Louvain), with graph centrality metrics (such as degree centrality) to recognize the modules. SMART enables high-level visibility of the application's structure and logical context which can facilitate security analysis and contribute to improved decision-making of incident response handlers, who typically do not have direct access to the application's design and code, which can lead to challenges in fully understanding the system's intricacies. We focused on the popular Amazon Web Services (AWS) Lambda serverless computing platform and evaluated the proposed method on three different demo applications (Airline Booking, VOD, and E-commerce). We compared SMART's performance to four overlapping community detection algorithms and showed that it outperformed them in the task of module recognition, with a maximum improvement of 61% on the omega index metric compared to the Speaker-Listener Label Propagation algorithm. In addition, we demonstrate that the use of large language models (LLMs) with the knowledge gained by SMART can enrich security analysis insights.
AB - Serverless Function-as-a-Service (FaaS) environments enable developers to build and run cloud applications without the need to manage the underlying servers and computing infrastructure, allowing them to focus on implementing the application logic. Such environments contain numerous functions and dynamic resources, e.g., APIs and databases, making it challenging to gain insight and context of internal events i.e., recognize modules. Module in a serverless application is a set of functions and resources, that represents a functional unit that shares logical context. This paper presents SMART, a method for automatic analysis and recognition of modules for managed serverless applications. The proposed method creates an event-based graph by analyzing the standard serverless logs that document events involving the application's functions and resources and utilizes well-known community detection algorithms (such as Louvain), with graph centrality metrics (such as degree centrality) to recognize the modules. SMART enables high-level visibility of the application's structure and logical context which can facilitate security analysis and contribute to improved decision-making of incident response handlers, who typically do not have direct access to the application's design and code, which can lead to challenges in fully understanding the system's intricacies. We focused on the popular Amazon Web Services (AWS) Lambda serverless computing platform and evaluated the proposed method on three different demo applications (Airline Booking, VOD, and E-commerce). We compared SMART's performance to four overlapping community detection algorithms and showed that it outperformed them in the task of module recognition, with a maximum improvement of 61% on the omega index metric compared to the Speaker-Listener Label Propagation algorithm. In addition, we demonstrate that the use of large language models (LLMs) with the knowledge gained by SMART can enrich security analysis insights.
KW - Function-as-a-Service
KW - Incident response
KW - Security analysis
KW - Serverless activity logs
KW - Serverless application architecture
KW - Serverless computing
UR - https://www.scopus.com/pages/publications/85207932831
U2 - 10.1109/CCGrid59990.2024.00057
DO - 10.1109/CCGrid59990.2024.00057
M3 - Conference contribution
AN - SCOPUS:85207932831
T3 - Proceedings - 2024 IEEE 24th International Symposium on Cluster, Cloud and Internet Computing, CCGrid 2024
SP - 442
EP - 452
BT - Proceedings - 2024 IEEE 24th International Symposium on Cluster, Cloud and Internet Computing, CCGrid 2024
PB - Institute of Electrical and Electronics Engineers
Y2 - 6 May 2024 through 9 May 2024
ER -