2172 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 28, NO.

8, AUGUST 2017

ATOM: Efficient Tracking, Monitoring,

and Orchestration of Cloud Resources
Min Du, Student Member, IEEE and Feifei Li, Member, IEEE

Abstract—The emergence of Infrastructure as a Service framework brings new opportunities, which also accompanies with new
challenges in auto scaling, resource allocation, and security. A fundamental challenge underpinning these problems is the continuous
tracking and monitoring of resource usage in the system. In this paper, we present ATOM, an efficient and effective framework to
automatically track, monitor, and orchestrate resource usage in an Infrastructure as a Service (IaaS) system that is widely used in cloud
infrastructure. We use novel tracking method to continuously track important system usage metrics with low overhead, and develop a
Principal Component Analysis (PCA) based approach to continuously monitor and automatically find anomalies based on the
approximated tracking results. We show how to dynamically set the tracking threshold based on the detection results, and further, how
to adjust tracking algorithm to ensure its optimality under dynamic workloads. Lastly, when potential anomalies are identified, we use
introspection tools to perform memory forensics on VMs guided by analyzed results from tracking and monitoring to identify malicious
behavior inside a VM. We demonstrate the extensibility of ATOM through virtual machine (VM) clustering. The performance of our
framework is evaluated in an open source IaaS system.

Index Terms—Infrastructure as a service, cloud, tracking, monitoring, anomaly detection, virtual machine introspection

1 INTRODUCTION

T HE Infrastructure as a Service (IaaS) framework is a pop-

ular model in realizing cloud computing services. In
this model, a cloud provider manages and outsources her
computing resources through an IaaS system. For example,
Amazon offers cloud service with its Elastic Compute
Cloud (EC2) platform [1], which is an IaaS system. While
IaaS is an attractive model, since it enables cloud providers
to outsource their computing resources and cloud users to
cut their cost on a pay-per-use basis, it has raised new chal-
lenges in auto scaling, resource allocation, and security.
For example, auto scaling in the IaaS framework is the
process to automatically add and remove computing
resources based upon the actual resource usage. Cloud
users want to pay for more resources only when they need
them, and to make the best use of their (paid) resources by
evenly distributing their workloads. Auto scaling and load
balancing, two critical services provided by Amazon Web
Service (AWS) [1] and other IaaS platforms, are designed to
address these issues. A critical module in achieving auto-
scaling and load balancing is the ability to monitor resource
usage from many virtual machines (VMs) running on top of
EC2. In Amazon cloud, resource usage information needs to
be collected and reported back to a cloud controller, not
only for the cloud controller to make various administrative
decisions, but also for cloud users to query.

The authors are with the School of Computing, University of Utah, Salt
Lake City, UT 84112. E-mail: {mind, lifeifei}@cs.utah.edu.
Manuscript received 19 May 2016; revised 9 Nov. 2016; accepted 30 Dec.
2016. Date of publication 16 Jan. 2017; date of current version 14 July 2017.
Recommended for acceptance by X. Gu.
For information on obtaining reprints of this article, please send e-mail to:
Security is another paramount issue while using an IaaS
system. For example, it was reported in late July 2014,
adversaries attacked Amazon cloud by installing distrib-
uted denial-of-service (DDoS) bots on user VMs by exploit-
ing a vulnerability in Elasticsearch [2]. Resource usage data
could provide critical insights to address security concerns.
Thus, a cloud provider needs to constantly monitor resource
usage and utilize these statistics not only for resource alloca-
tion, but also for anomaly detection in the system. Until
now, the best practices for mitigating DDoS and other
attacks in AWS include using CloudWatch to create simple
threshold alarms on monitored metrics and alert users for
potential attacks [3]. In our work we show how to detect the
anomalies automatically while saving users the trouble on
setting magic threshold values.
These observations illustrate that a fundamental chal-
lenge underpinning several important problems in an IaaS
system is the continuous tracking and monitoring of resource
usage in the system. Furthermore, several applications (e.g.,
security) also need intelligent and automated orchestration
of system resources, by going beyond passive tracking and
monitoring, and introducing auto-detection of abnormal
behavior in the system, and active introspection and correc-
tion once anomaly has been identified and confirmed. This
motivates us to design and implement ATOM, an efficient
and effective framework to automatically track, orchestrate,
and monitor resource usage in an IaaS system.
A Motivating Example. Eucalyptus [4], [5] is an open
source cloud software that provides AWS-compatible envi-
ronment and interface. A simplified architecture of Eucalyp-
tus, similar to other IaaS systems, is shown in Fig. 1. Cloud
users interact with the cloud controller (CLC) to issue

[email protected]

, and reference the Digital Object Identifier below. requests such as to allocate resources and query resource
Digital Object Identifier no. 10.1109/TPDS.2017.2652467 usage. CLC handles incoming user requests, collects
1045-9219 ß 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY ROORKEE. Downloaded on March 31,2024 at 11:48:31 UTC from IEEE Xplore. Restrictions apply.
 DU AND LI: ATOM: EFFICIENT TRACKING, MONITORING, AND ORCHESTRATION OF CLOUD RESOURCES
Fig. 1. A simplified architecture of Eucalyptus.
information of the entire cloud, makes high-level decisions
and controls other components such as cluster controller
(CC) and node controller (NC). A CC forwards requests from
the CLC to a NC, gathers status data on each NC, and
reports back to the CLC. A NC controls the VMs running on
it. One CLC controls several CCs and each CC could in turn
control several NCs, on which multiple user VMs could be
running. Note that only one CLC exists on each cloud.
Eucalyptus provides an AWS-like service called Cloud-
Watch. CloudWatch is able to monitor resource usage of
each VM. To reduce overhead, such data are only collected
from each VM at every minute, and then reported to the
CLC through a CC. Clearly, gathering resource usage in
real time introduces overhead in the system (e.g., communi-
cation overhead from a NC to the CLC). When there are
plenty of VMs to monitor, the problem becomes even worse
and will bring significant overhead to the system. Cloud-
Watch addresses this problem by collecting measurements
only once every minute, but this provides only a discrete, sam-
pled view of the system status and is not sufficient to provid-
ing continuous understanding and protection of the system.
Another limitation in existing approaches like Cloud-
Watch is that they only do passive monitoring. No active
online resource orchestration is in place towards detecting
system anomalies, potential threats and attacks. We observe
that, e.g., in the aforementioned DDoS attack to Amazon
cloud, alarming signals can be learned automatically from
resource usage data, which are readily to analyze without any
pre-processing like system logs [6]. Active online resource
monitoring and orchestration is very useful in achieving a
more secure and reliable system. Active online resource moni-
toring gives us the opportunities to trigger VM introspection
to debug the system and figure out what has possibly gone
wrong. The introspection into VMs then allows to orchestrate
resource usage and allocation in the IaaS system to achieve a
more secure system and/or better performance. Note that
VM introspection is expensive. Without continuous tracking
and online monitoring and orchestration, it is almost impossi-
ble to figure out when to do VM introspection and what spe-
cific target to introspect in a host VM. Our goal is to automate
this process and trigger VM introspection only when needed.
We refer to this process as resource orchestration.
Our Contribution. Motivated by these discussions, we
present the ATOM framework. ATOM is an end-to-end
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY ROORKEE. Downloaded on March 31,2024 at 11:48:31 UTC from IEEE Xplore. Restrictions apply.
2173
framework that could be easily plugged into an IaaS system,
to provide automated tracking, orchestration, and monitor-
ing of resource usage for a potentially large number of VMs
running on an IaaS cloud, in an online fashion.
ATOM introduces an online tracking module that runs
at NC and continuously tracks various performance met-
rics and resource usage values of all VMs. The CLC is
denoted as the tracker, and the NCs are denoted as the
observers. The goal is to replace the sampled view at the
CLC with a continuous understanding of system status,
with minimum overhead.
ATOM then uses an automated monitoring module that
continuously monitors the resource usage data reported by
the online tracking module. The goal is to detect anomaly
by mining the resource usage data. This is especially helpful
for detecting attacks that could cause changes in resource
usage, for example, one VM consumes all available resources
and starves all other VMs running on the same physical com-
puter [7]. The baseline for online monitoring is to simply
define a threshold value for any metric of interest. Clearly,
this approach is not very effective against dynamic and com-
plex attacks and anomalies. ATOM uses a dynamic online
monitoring method that is developed based on PCA. We
design a PCA-based method that continuously analyzes the
dominant subspace defined by the measurements from the
tracking module, and automatically raises an alarm when-
ever a shift in the dominant subspace has been detected.
Even though PCA-based methods have been used for anom-
aly detection in various contexts, a new challenge in our set-
ting is to cope with approximate measurements produced by
online tracking, and design methods that are able to auto-
matically adapting to and adjusting the tracking errors.
Lastly, virtual machine introspection (VMI) is used to
detect and identify malicious behavior inside a VM. VMI
techniques such as analyzing VM memory space tends to be
of great cost. If we don’t know where and when an attack
might have happened, we will need to go through the entire
memory constantly, which is clearly expensive, especially if
VMs to be analyzed are so many. ATOM provides two
options here. The first option is to set a threshold for each
resource usage measure (the baseline as discussed above),
and we consider there may be an anomaly if the reported
value is beyond (or below) the threshold for that measure
and trigger a VMI. This is the method that existing systems
like AWS and Eucalyptus have adopted for auto scaling
tasks. The second option is to use the online monitoring
method in the monitoring module to automatically detect
anomaly and trigger a VMI, as well as guiding the intro-
spection to specific regions in the VM memory space based
on the data from online monitoring and tracking. We denote
the second method as orchestration.
Comparison with UBL.UBL [8] stands for Unsupervised
Behavior Learning which is designed for monitoring vir-
tualized cloud systems. It collects resource usage data from
each VM, and trains Self-Organizing Maps (SOM) using
normal data to predict future performance anomalies. UBL
shows that SOM is an effective learning method for VM sta-
tistics and has better prediction accuracy compared with
PCA/KNN in some experiments [8].
That said, note that ATOM is an end-to-end frame-
work that integrates online tracking, online monitoring,
 2174 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS,
Fig. 2. The ATOM framework.
and orchestration (for VM introspection) into one frame-
work, whereas UBL focuses on anomaly detection in per-
formance data without the integration of tracking and
orchestration. Hence, UBL is “equivalent” to the moni-
toring component in ATOM.
More specifically, UBL can be plugged/integrated into
ATOM’s monitoring component as an alternative anomaly
detection method to be more effective in capturing different
types of anomaly. Note that PCA-based approach has the
advantage of enabling us to analyze the theoretical bounds,
when there are bounded tracking errors present in the con-
tinuously tracked measurements returned by the tracking
component. UBL is an empirical method which may per-
form really well on some instances, but it remains as an
open problem to theoretically study its performance espe-
cially with approximate measurements when being used
together with ATOM’s tracking module. PCA-based
approach also allows us to adjust the tracking threshold
automatically in an online fashion by only adjusting the
false alarm rate, as later shown in Section 5 where we have
established the theoretical connection between the false
alarm rate and the tracking threshold.
Paper Organization. The rest of this paper is organized as
follows. Section 2 gives an overview on the design of ATOM,
and the threat model it considers. Sections 3 and 4 describe
the online tracking and the online monitoring modules in
ATOM. We further demonstrates the interaction between
tracking component and monitoring component in Section 5.
Section 6 introduces the orchestration module. Section 7
shows an extension on VM clustering using the ATOM
framework. Section 8 evaluates ATOM using Eucalyptus
cloud and shows its effectiveness. Lastly, Section 9 reviews
the related work, and section 10 concludes the paper.
2 THE ATOM FRAMEWORK
Fig. 2 shows the ATOM framework. For simplicity, only one
CC and one NC are shown in this example. ATOM adds three
components to an IaaS system like AWS and Eucalyptus:
(1) Tracking component: ATOM adapts the optimal online
tracking algorithm for one-dimension online track-
ing inside the monitoring service on NCs. This
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY ROORKEE. Downloaded on March 31,2024 at 11:48:31 UTC from IEEE Xplore. Restrictions apply.
VOL. 28, NO. 8, AUGUST 2017
TABLE 1
Frequently Used Notations
Symbol Definition
D tracking threshold
g finest resolution for floating point values
t number of time instances in a sliding window
n number of monitored VMs
d0 number of metrics for each VM
d d0  n
M data matrix (t  d) of the most recent monitored data
avgj mean of the jth column in M
stdj standard deviation of the jth column in M
Y standardized M, each value yi;j ¼ ðmi;j  avgj Þ=stdj
tnow current time-stamp
A consecutively abnormal data from tnow  t to tnow
B standardized A
z the metric vector monitored at tnow (with d dimensions)
x standardized z
vi the ith eigen vector output by PCA
i the ith eigen value output by PCA
k number of principal components output by PCA
a input false alarm rate in PCA anomaly detection
Qa PCA anomaly detection threshold
m false alarm rate deviation, to control tracking threshold
dramatically reduces the overhead used to monitor
cloud resources and enables continuous measure-
ments to CC and CLC;
(2) Monitoring component (anomaly detection): ATOM adds
this component in CLC to analyze tracking results by
the tracking component, which provides continuous
resource usage data in real time. It uses a modified
PCA method to continuously track the divided sub-
space, as defined by the multi-dimensional values
from the tracking results, and automatically detect
anomaly by identifying notable shift in the interesting
subspace. It also generates anomaly information for
further analysis by the orchestration component
when this happens. The monitoring component also
adjusts the tracking threshold from the tracking com-
ponent dynamically online based on the data trends
and a desired false alarm rate.
(3) Orchestration component (introspection and debugging):
when a potential anomaly is identified by the moni-
toring component, an INTROSPECT request along
with anomaly information is sent to the orchestration
component on NC, in which VMI tools (such as
LibVMI [9]) and VM debugging tools (such as
StackDB [10]) are used to identify the anomalous
behavior inside a VM and raise an alarm to cloud
users for further analysis.
In the following sections we investigate each component
in further detail. Table 1 lists some frequently-used notations.
2.1 Threat Model
ATOM provides realtime tracking and monitoring on the
usage of cloud resource in an IaaS system. It further goes
out to detect and prevent attacks that could cause a notable
change in resource usage from its typical subspace.
To that end, we need to formalize a threat model. We
assume cloud users to be trustworthy, but they might acci-
dentally run some malicious software out of ignorance.
 DU AND LI: ATOM: EFFICIENT TRACKING, MONITORING, AND ORCHESTRATION OF CLOUD RESOURCES
Also, despite various security rules and policies that are in
place, it’s still possible that a smart attacker could bypass
them and perform malicious tasks. The malicious behavior
could very likely cause some change in resource usage.
Note that, however, this is not necessarily always accompanied
with more resource consumption! Some attacks could actually
lead to less resource usage, or simply different ways of
using the same amount of resources on average. All these
attacks are targeted by the ATOM framework. The possibil-
ity of incorporating other types of attacks into ATOM is dis-
cussed in Sections 6 and 8.7.
3 TRACKING COMPONENT
This section introduces the tracking component in ATOM.
Consider Eucalyptus CloudWatch as an example, which is
an AWS CloudWatch compatible monitoring service that
enables cloud users to monitor their cloud resources and
make operational decisions based on the statistics. Cloud-
Watch is capable of collecting, aggregating and dispensing
data from resources such as VMs and storage. Cloud users
can specify what they would like to monitor, and then query
the history data for up to two weeks through the interface in
the CLC. They can also set an alarm (essentially, a thresh-
old) for a specific measure, and be notified or let it trigger
some predefined action if the alarm conditions are met.
Clearly, collecting such statistics continuously is expensive.
Thus, the default in Eucalyptus and AWS is to ask a NC to
only send measurements to the CLC at some predefined
interval, e.g., once every minute in Eucalyptus.
A user VM in Eucalyptus is called an instance. In the fol-
lowing we will use the term “instance” and “VM” inter-
changeably. There are various variables that can be
monitored overtime on each instance, each of which is called
a metric. The measurement for each metric, for example, Per-
cent for CPUUtilization, Count for DiskReadOps and
DiskWriteOps, Bytes for DiskReadBytes, DiskWriteBytes,
NetworkIn and NetworkOut, is called Unit and is numerical.
A continuous understanding of these values is much
more useful than a periodic, discrete sampled view that are
only available, say, every minute. But doing so is expensive;
a NC needs to constantly sending data to the CLC. A key
observation is that, for most purposes, cloud users may not
be interested in the exact value at every time instance. Thus,
a continuous understanding of these values within some
predefined error range is an appealing alternative. For
example, it’s acceptable to learn that CPUUtilization is
guaranteed to be within 3 percent of its exact value at any
time instance.
This way NC only sends a value whenever the newest
one is more than D away from last sent value on a measure-
ment, where D is a user-specified, maximum allowed error
on this measurement. CLC could use the last received value
as an acceptable approximation for all values in-between. In
practice, often time certain metrics on a VM do not change
much over a long period. Thus far fewer values need to be
sent to the CLC. Not only can we save the communication
overhead from NC to the CLC, but also the database space
on CLC used to store every value reported by NC (so that
the history data could be kept for much longer than two
weeks). Furthermore, instead of having only a sampled
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY ROORKEE. Downloaded on March 31,2024 at 11:48:31 UTC from IEEE Xplore. Restrictions apply.
2175
view at every minute, user now could query values at any
time instance in the entire history that is available.
But unfortunately, this seemingly natural idea may per-
form very badly in practice. In fact, in the worst case, its
asymptotic cost is infinite in terms of competitive ratio over
the optimal offline algorithm that knows the entire data
series in advance. For example, suppose the first value NC
observes is 0 and then it oscillates between 0 and D þ 1.
Then NC continues to send 0 and D þ 1 to the CLC. While
the optimal offline algorithm who knows the entire fðtÞ at
the beginning could send only one message to the CLC-the
value D2 . Formally, this is known as the online tracking prob-
lem, which is formalized and studied in [11]. In online track-
ing, an observer observes a function fðtÞ in an online
fashion, which means she sees fðtÞ for any time t before the
current time (including the current time). A tracker would
like to keep track of the current function value within some
predefined error. The observer needs to decide when and
what value she needs to send to the tracker so that the com-
munication cost is minimized.
Suppose function f : Zþ ! Z is the function observer
observes overtime. gðtÞ stands for the value she chooses to
send to the tracker at time t. The predefined error is D,
which means at any time tnow , if the observer does not send
a new value gðtnow Þ to the tracker, then it must satisfy
jjfðtnow Þ  gðtlast Þjj  D, where gðtlast Þ is the last value the
tracker receives from the observer. This is an online tracking
over a one dimension positive integer function.
Instead of the naive algorithm that’s shown above, Yi and
Zhang provide an online algorithm that is proved to be opti-
mal with a competitive ratio of only Oðlog DÞ; that means in
the worst case, its communication cost is only Oðlog DÞ times
worse than the cost of the offline optimal algorithm that
knows the function fðtÞ for entire time domain [11]. But
unfortunately, the algorithm works only for integer values.
We observe that in reality, especially in our setting, real
values (e.g., “double” for CPUUtilization) need to be
tracked instead. To that end, we adapt the algorithm from
[11], and design Algorithm 1 to track real values continu-
ously in an online fashion. The algorithm performs in
rounds. A round ends when S becomes an empty set, and a
new round starts.
Algorithm 1. One Round of Online Tracking for Real
Values
let S ¼ ½fðtnow Þ  D; fðtnow Þ þ D;
while Supper bound  Slower bound > g do
gðtnow Þ ¼ ðSupper bound  Slower bound Þ=2;
send gðtnow Þ to tracker;
wait until jjfðtnow Þ  gðtlast Þjj > D;
Supper bound ¼ minðSupper bound ; fðtnow Þ þ DÞ;
Slower bound ¼ maxðSlower bound ; fðtnow Þ  DÞ;
end while /* this algorithm is run by observer */
The central idea of our algorithm is to always send the
median value from the range of possible valid values,
denoted by S, whenever fðtnow Þ has changed more than D
(could be non-integer) from gðtlast Þ. The next key observa-
tion is that any real domain in a system must have a finite
precision. Suppose g is the finest resolution for the floating
point values being tracked in the algorithm. Then at the
 2176 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 28, NO. 8, AUGUST 2017

beginning of each round, the number of possible values

within S is 2D=g, and since S is a finite set, it always
becomes an empty set at some step following the above
algorithm. As long as S contains a finite number of elements
in Algorithm 1, we can show its correctness and optimality
with a competitive ratio of only Oðlog ðD=gÞÞ for online
tracking of real values.
Theorem 1. Algorithm 1 is correct and optimal for tracking dou-
ble values, and has a competitive ratio of log ðD=gÞ, where g is
the finest precision for floating point values.
Proof. Since g is the finest resolution for the floating point
values being tracked in the algorithm, then by multiply-
ing every possible value in region S with integer 1=g, all Fig. 3. An example of PCA anomaly detection in 2-dimensional space.
the values become integers. Therefore S becomes a region
of integers, and all values we could choose to send to the more VMs being tracked/monitored, the more savings
tracker are integers. Now we could adapt the proof for ATOM will lead to, as evaluated in Section 8.4.
tracking integers to prove the correctness and optimality
of Algorithm 1, and compute its competitive ratio. We 4 MONITORING COMPONENT
denote the online algorithm as ASOL and the offline algo-
rithm as AOPT . With the continuously tracked values of various metrics,
Correctness. The correctness is obvious since Alice compared with having only discrete, sampled views on
sends a value to Bob whenever the observation exceeds these metrics, ATOM is able to do a much better job in mon-
threshold D, and the value sent is within D of the itoring system health and detecting anomalies.
observed value. To find anomalies in real-time, a naive method is to use
Competitive Ratio. The competitive ratio follows by two the threshold approach. For example, Eucalyptus and AWS
facts: In each round, i) ASOL sends at most log ðD=gÞ mes- CloudWatch allow users to set an alarm along with an alarm
action that can be triggered if the alarm condition is met. The
sages. This is because the cardinality of S decreases by
alarm action is optional, which could be some predefined
half each time, and the initial range of S is 2D=g. ii) AOPT
auto scaling policy such as changing disk capacity. The alarm
sends at least one message. S is maintained as \t ½fðtÞ
condition consists of a threshold value T on a metric E of
D; fðtÞ þ D for up to tnow in current round. If no value has
interest. The condition is met when the value vt from the
been sent in this round, then the value (call it y) sent at the
metric E has exceeded T (or gone below T ) at any time
end of last round is within D range of all observations in
instance t. However, in practice, it is very hard for cloud
current round, which makes y still lie in range S, a contra-
users to set a magic value as the threshold for a metric that
diction to the fact that S becomes empty in the end.
will be effective in a dynamic environment like that in an
Optimality. The optimality holds because any online
IaaS system. Besides, it’s inconvenient to change the thresh-
algorithm needs to send at least log ðD=gÞ messages in an
old for each metric every time a user does some different
extreme case. Suppose an adversary Carole operates
tasks (which may invalidate the old threshold value). Thus
function f. Whenever Alice sends some value to Bob, if
an automated monitoring method would be very useful.
the value is above the median of S, Carole decreases f
until Alice sends a new value; otherwise Carole increases
4.1 An Overview of PCA Method
f until Alice sends a new one. This way the cardinality of
S decreases at most half, so any online algorithm needs Given a data matrix in Rd , some dimensions in which are
to send at least log ðD=gÞ messages. Whereas AOPT only possibly correlated, the PCA method could transform this
needs to send out one value at the beginning of each matrix into a new coordinate system, where each dimension
round that’s within the final S until the current round is orthogonal. By mapping the original matrix onto the new
coordinate system, we get a set of principal components.
ends. In this case the lower bound of competitive ratio is
The first principal component points to the direction with
log ðD=gÞ. Hence the optimality of Algorithm 1 is proved.
the largest variance, and the following principal components
The competitive ratio for Algorithm 1 thus becomes
each points to the largest variance direction that is orthogo-
Oðlog ðD=gÞÞ, which is optimal among all online tracking
nal to all the previous ones. The intuition to use PCA as an
functions for floating point values. u
t
anomaly detection method, is that the abnormal data points
In an IaaS system, a NC obtains the values for a metric of most likely do not fit into the correlation between each dimension
interest and acts as an observer for these values, and then in the original space. Thus by transforming the data matrix
chooses what to send to CLC by following Algorithm 1. The onto a new space using PCA, the original anomaly point
CLC, as the tracker, simply stores the values into its local would have a large projection length on the axes supposed to
database, whenever a value is reported from a NC. This is have very small variance (or so-called “residual subspace” in
how ATOM’s tracking module is able to save the network our following analysis). This way anomaly can be detected
communication overhead from NC to CLC, and the storage by analyzing the projection length onto these axes. A simple
overhead in CLC. Note that the tracking algorithm is example when d ¼ 2 is shown in Fig. 3. PCA rotates the origi-
applied independently per dimension, meaning that the nal coordinates into a new space, where the first axis points
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY ROORKEE. Downloaded on March 31,2024 at 11:48:31 UTC from IEEE Xplore. Restrictions apply.
 DU AND LI: ATOM: EFFICIENT TRACKING, MONITORING, AND ORCHESTRATION OF CLOUD RESOURCES
to the direction having the largest data variance while the
remaining axis forms the residual subspace. The abnormal
point is detected by comparing its projection length onto the
residual subspace (second axis) against a threshold (detailed
in Section 4.3.3). Using PCA for anomaly detection has been
widely studied in the context of network traffic analysis and
monitoring, e.g., [12], [13].
To the best of our knowledge, there is no prior work in
adapting PCA for online monitoring and anomaly detection
over VMs in an IaaS system. That said, there are three new
challenges that we need to address: 1) unlike most existing
work that use PCA for anomaly detection in an offline batch
setting [13], ATOM needs to do online monitoring; 2) once
anomaly is identified, ATOM needs to figure out which
metrics from which VM instance(s) might have caused the
anomaly; 3) the input data to ATOM’s online monitoring
module are approximate results from the tracking module,
which have an error that is bounded by D. We need to take
into account such tracking errors into the analysis. Next we
will explain our method in detail.
4.2 The Data Matrix
Given d0 metrics reported by the tracking module for each
VM and t is the length of a time-based sliding window, PCA
could be performed on these data which form a t  d0 matrix.
A more general and more interesting case is to perform
online monitoring over a data matrix composed of multiple
VMs’ data, e.g., d ¼ d0  n dimensions. For VMs hosted on
the same physical node, or even the same cloud, it’s quite
possible that one VM may attack another [14], or some VMs
are attacked by the same process simultaneously. Detecting
anomaly on a d-dimensional space makes it easier to dis-
cover such correlations. It also provides better detection
accuracy. Performing PCA on multiple VMs’ statistics
yields a higher residual dimension space, leading to more
accurate anomaly detection.
Recall that ATOM’s tracking module ensures that at any
time point t, for each metric E, CLC can obtain a value v0t
that is within vt  D, where vt is the exact value of this met-
ric at time t from a VM instance of interest. Next we will
show how to design an online PCA method to detect anom-
aly using a t  d matrix M. Each data value in this matrix is
guaranteed to be within D of the true exact value for the
same metric at that same time instance.
4.3 Our approach
The following matrices are used in our construction: M, Y,
A, B, whose definitions could be found in Table 1.
At first, a standard, offline batch PCA analysis [13] is
applied to the data using the newest t time instances to find
potential anomalies. If anomalies are found, we eliminate
data corresponding to those time instances, and use the rest
as the initial data matrix M to find the residual subspace Se
through a regular PCA analysis. Afterwards, for each z at
tnow , we use the latest residual subspace Se to perform anom-
aly detection.
In summary, our monitoring method has five steps: (1)
process data from M to form Y; (2) build the PCA model
based on Y; (3) find the residual subspace of the PCA model;
(4) do anomaly detection for data at each new time instance
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY ROORKEE. Downloaded on March 31,2024 at 11:48:31 UTC from IEEE Xplore. Restrictions apply.
2177
using the latest PCA model; and if the newest time instance
data z is normal, move it to M and update the PCA model;
otherwise move it to A in case it doesn’t agree with the
residual subspace; (5) if z is abnormal, do metrics identifica-
tion to find which metrics of which VM instances might
have caused the anomaly. Step 1 is trivial by the definition
of Y. The details of steps (2) to (5) are as follows.
4.3.1 Building the PCA Model
To build the PCA model, we perform eigenvalue decompo-
sition on the covariance matrix of Y, and get a set of eigen
vectors V ¼ ðv1 ; v2 ; . . . ; vd ) sorted by their eigen values.
These eigen vectors form the new axes in the transformed
coordinate system, with the first principal axis v1 pointing
to the direction that has the largest variance in Y and the fol-
lowing principal axes each points to the largest variance
direction orthogonal to previous ones. The corresponding
eigen values are 1 2    d 0.
4.3.2 Find the Residual Subspace
We define the principal subspace and the residual subspace
as follows. The principal subspace S stands for the space
spanned by the first several principal axes in V, while resid-
ual subspace Se stands for the space spanned by the rest.
The number of significant principal components in the prin-
cipal subspace is denoted as k. Hence, the first k eigen vec-
tors form the principal subspace, and the rest ðd  kÞ eigen
vectors form the residual subspace that could be used to
detect anomalies. Of numerous methods to determine k, we
choose cumulative percent variance (CPV) method [15] for
its ease of computation and good performance in practice as
shown by previous work. For the first ‘ principal compo-
P‘
i
nents, CPV ð‘Þ ¼ Pi¼1d  100%; and we choose k to be:

i¼1 i
k ¼ arg min‘ ðCPV ð‘Þ > 90%Þ.
4.3.3 Anomaly Detection
Unlike previous methods, e.g., [13], that perform offline,
batched backbone network anomaly detection, we are not
required to detect anomalies for every row in M. Instead, we
only need to check the newest vector z at tnow . That’s because
we have classified data into the (normal) data matrix M and
the abnormal matrix A, and the real-time detection of ongo-
ing anomalies is based on the PCA model built from M.
To do this, we first standardize z using the mean and
standard deviation of each column in M. We use x to denote
the standardized vector.
Given the normal subspace S : P1 ¼ ½v1 ; . . . ; vk , and the
residual subspace Se : P2 ¼ ½vkþ1 ; . . . ; vd , x is divided into
two parts by being projected on these two subspaces
x¼^
xþ~
x ¼ P1 P1 T x þ P2 P2 T x:
If z is normal, it should fit the distribution (e.g., mean
and variance) of the normal data. Moreover, the values of ~ x,
which are the projection onto P2 by x, are supposed to be
small. Specifically, we define the squared prediction error
(SPE) to quantify this:
2 2
xjj2 ¼ jjP2 P2 T xjj ¼ jjðI  P1 P1 T Þxjj :
SPEðxÞ ¼ jj~
 2178 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 28, NO. 8, AUGUST 2017

Let Q ¼ jj~xjj2 , a classic result for the PCA model is that Step 1 reveals which dimension has a larger projection on
the following variable c approximately follows a standard residual subspace than the normal data, however it is hard
normal distribution with zero mean and unit variance [16]: to map such change back to the original data. Furthermore,
as shown in Section 8.2, this measure is not highly reliable
u1 ½ðQ=u1 Þh0  1  u2 h0 ðh0  1Þ=u21 
c¼ qffiffiffiffiffiffiffiffiffiffiffiffi ; (1) and could be omitted to save some computation cost. Step 2
2u2 h20 is a useful measure to show which dimension has a signifi-
Pd cant different pattern compared to the normal data. How-
where ui ¼ j¼kþ1 ij ; i ¼ 1; 2; 3; h0 ¼ 1  2u3u1 2u3 . ever, it does not tell us whether some metric usage goes up
2
And we consider x to be abnormal if SPEðxÞ > Qa , where or down. Thus we use step 3 at last to find this pattern. Step
the threshold Qa is derived from the distribution c 3 itself is not good enough to indicate a pattern, because the
oscillation of metric usage statistics might make the mean of
2 qffiffiffiffiffiffiffiffiffiffiffiffi 3h10 some dimension in A appear benign. Thus, the output of
ca 2u2 h20 u h ðh  1Þ steps 2 and 3 are sent together along with an introspection
Qa ¼ u1 4 5 ;
2 0 0
þ1þ
u1 u21 request, to the orchestration module on the corresponding
NC(s), that administrates the identified VM instance(s). Sec-
and ca is the ð1  aÞ percentile in a standard normal distri- tion 8 shows how information identified from these three
bution, with a being the false alarm rate. steps could facilitate the orchestration module to find a “real
Finally, if z is normal, we add it to M and delete the oldest cause” of what might have gone wrong and how wrong it is.
data in M, and update the PCA model accordingly. Otherwise
4.3.5 Other Remarks
it is added to A, and the corresponding standardized x is
moved to matrix B. Matrices A and B need to contain time- Raising Alarms to Cloud Users. Once a data vector is detected
consecutive data only (so that we detect anomaly correspond- as abnormal, it is moved to the abnormal data matrix, on
ing to a continuous event), thus, they are cleared if its last vec- which metrics identification is performed. Suppose there are
tor is not consecutive in time with the new incoming vector. totally m vectors in the abnormal data matrix A, an alarm
will be raised with an alarm level m. The alarm level indicates
how serious the detected anomaly is; intuitively, the larger
4.3.4 Metrics Identification
number of data vectors contained in A, the longer duration
When an anomaly is detected, we need to do further analy- of the currently detected anomaly is. The alarm can be raised
sis to identify which metrics on which VM instance(s) from the either right after the metrics identification step, or wait until
d ¼ d0  n dimensions might have caused the anomaly, to the virtual machine inspection from the orchestration mod-
assist the orchestration module. Our identification method ule has finished (so that more information are gathered). The
consists of three steps. It compares the abnormal data alarm notifies the user about the potential abnormal behav-
matrix A (and the corresponding standardized matrix B), ior in the IaaS system and lets user identify whether the
and normal matrix M (and Y). Suppose there are m vectors ongoing behavior on his/her VM(s) is normal. If this is
in A (B) and t vectors in M (Y). because that the tasks on a VM have changed, the corre-
xjj2 , it is natural
Step 1. Since the anomaly is detected by jj~ sponding data vectors in the abnormal matrix should be
to compare the residual data between B and Y. Suppose yi is moved to the normal data matrix and used to build the PCA
the transpose of the ith row vector in Y, and y~i ¼ P2 PT2 yi is model to accommodate and reflect the new behavior. Abnor-
its residual traffic, then mal data matrix is cleared once the anomaly on VM is
ðy~1 ; y~2 ; . . . ; y~t ÞT ¼ ðP2 PT2 ðy1 ; y2 ; . . . ; yt ÞÞT ¼ YP2 PT2 ; removed, or is identified as normal by the cloud user.
Scalability. The computation complexity of monitoring
forms a residual matrix of Y , denoted as Yr . Similarly, module is evaluated in Section 8.4 (Fig. 11). Although its
Ar ¼ AP2 PT2 . For each dimension j 2 ½1; d, let computation cost increases with the increasing number of
VMs, it remains as a very small overhead. The average com-
1 1 putation cost per sliding window for the monitoring module
aj ¼ jjðAr Þj jj2 and yj ¼ jjðYr Þj jj2 ;
m t is less than 3 milliseconds in most cases for up to 6 VMs.
where ðAr Þj is the jth column in Ar and ðYr Þj is the jth col- What’s more, due to the significant message savings from
umn in Yr . Then rdj ¼ ðaj  yj Þ=yj . ATOM’s tracking module, both the PCA-based computation
Step 2. If for some dimension j, rdj b1 for some con- overhead and the Eucalyptus storage overhead are reduced
stant b1 , we measure the change in A and M. In particular, significantly. Larger number of VMs could significantly
for each such dimension j, we calculate how much the improve the detection accuracy, meaning smaller false alarm
abnormal data in A are away from the standard normal rates, which is due to the fact that the monitoring component
deviation of the normal data along that uses a larger data matrix that helps find normal subspace
P dimension in M. more reliably, as also evaluated in Section 8.4 in Fig. 11.
Specifically, we calculate stddevj ¼ m1 m i¼1 jaij  avgj j=stdj .
A dimension j is considered abnormal if stddevj b2 for
5 INTERACTION BETWEEN TRACKING AND
some constant b2 . In practice, we find that setting b1 and b2
to small positive integers works well, say b1 ¼ 2 and b2 ¼ 3.
MONITORING COMPONENTS
Step 3. For a dimension j that’s been considered abnor- 5.1 Deriving the Tracking Error Threshold
mal in Step 2, we measure the difference between the mean As mentioned earlier, the input data to the monitoring mod-
of abnormal and normal
P data. Specifically, we want to mea- ule is produced by the tracking module and each value may
sure meandiff j ¼ ðm1 m i¼1 aij  avgj Þ=avgj . contain an approximate error of at most D (away from the
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY ROORKEE. Downloaded on March 31,2024 at 11:48:31 UTC from IEEE Xplore. Restrictions apply.
 DU AND LI: ATOM: EFFICIENT TRACKING, MONITORING, AND ORCHESTRATION OF CLOUD RESOURCES
true value at that time instance for that metric). The approxi-
mation error introduced by the tracking module may
degrade the performance quality of ATOM’s monitoring
module. Thus, a formal analysis is needed to bound the effect
of tracking errors and show how to set a proper value as the
error threshold D for each metric in the tracking module.
As shown in Section 4.3.3, the random variable c follows a
normal distribution, and the SPE threshold Qa is computed
after an a value is specified. However, we do not have c from
the exact data matrix, instead, the approximate data matrix
leads to the value c^. The SPE threshold is computed using a
user-specified a value. However, the threshold calculated by
the approximated matrix does not represent confident limit
1  a anymore, instead it leads to a corresponding approxi-
mation 1  a ^ . We want to understand the relationship
between a ^ and a. Formally, the cloud user specifies a and a
maximally allowed deviation rate m such that our tracking and
monitoring methods guarantee that j^ a  aj  m (even
though c is unknown). Thus, we need to establish the rela-
tionship between m and the tracking error threshold D for
each metric dimension used by the tracking module [17].
We achieve this objective via two steps: 1) given m, find
an approximate error bound  on the average eigen values
produced by PCA; 2) once having the error bound  on
eigen values, calculate the tracking threshold D based on .
Step 1. We could approximate m according to  from
Equation 1, yet the reverse could not be done with a closed-
form formula. The observation is made that m monotoni-
cally increases with . Hence the idea is to use a binary
search to approximate : we first guess a value 0 , then calcu-
late a m0 and compare it with the user-input m, and finally
adjust the value of 0 and compute m0 again. We repeat this
process until the difference between m0 and m is within a
desired precision. Then we could treat 0 as , the input for
the next step. The way to calculate m using  could be
derived as follows. Given that c approximately follows a
normal distribution, then m ¼ Pr½ca  hc < U < ca þ hc ,
where hc ¼ j^ c  cj, and U is a random variable following the
normal distribution Nð0; 1Þ. hc could be approximated from
 using the Monte Carlo sampling technique according to
equation 1. For each loop, we generate a random value ^ in
the range of ½  ;  þ  and then compute c^ based on equa-
tion 1, and compute the difference with c which is calcu-
lated by . This loop is repeated a constant number of times
and the largest difference is assigned to hc , which could be
then used to calculate m.
Step 2. Once having the eigen-error , using stochastic
matrix perturbation method we could get the relation
between eigen-error  and the variance s 2i along each
dimension
vffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi vffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi
u u
u X d u 1 1 X d
2 t  si þ t þ
2 s 4 ¼ ;
t i¼1 t d i¼1 i
where  is the average of eigen values, t is the number of
points used to build the PCA model, and d is the number of
dimensions. Then the estimation of tracking error D is based
on the following assumptions:
1) the errors between the approximated values sent to
the tracker (the CLC) and the true values observed
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY ROORKEE. Downloaded on March 31,2024 at 11:48:31 UTC from IEEE Xplore. Restrictions apply.
2179
by the observer (a NC) are independently and uni-
formly distributed within the threshold, according to
which
pffiffithe
ffi tracking threshold for the ith dimension is
di ¼ 3s i .
2) we use homogeneous slack allocation, which is to
assume a uniform distribution of tracking error d on
each dimension.
Applying these two assumptions, we get a tracking
threshold
pffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi
pffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi pffiffiffiffiffiffiffiffiffi
 þ 3 m2 þ mn  3n
3n 
d¼ pffiffiffiffiffiffiffiffiffiffiffiffiffi : (2)
mþn
Note we cannot send this threshold directly to observers
since the data matrix used to build the PCA model has been
standardized. Recall stdi is the standard deviation along the
ith dimension of matrix M, then the original variance is
Si ¼ ðstdi  s i Þ2 . Thus, the tracking threshold for the ffiith
qffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi
pffiffiffi
dimension is calculated as Di ¼ 3Si ¼ 3ðstdi  s i Þ2 ¼
stdi  di : The CLC calculates the results for each metric dimen-
sion whenever there is a PCA update, and then send the new
tracking threshold to corresponding NCs (observers), which
use the updated thresholds to adjust its tracking algorithm. A
possible improvement is to allocate the tracking slack for
each metric dimension according to the frequency of message
passing sent to the CLC. By giving the dimensions being sent
more frequently larger tracking error thresholds, and other
dimensions smaller tracking error thresholds, the tracking
overhead could be potentially further reduced.
5.2 Accommodating Dynamic Tracking Thresholds
In the monitoring component (CLC), each time a new set of
tracking thresholds are calculated, they are sent back to the
tracking component (NC). This means that the tracking
threshold on each metric dimension may change from time
to time. On the tracking component, we use a buffer B to
store the newest tracking threshold for each metric, and
adjust the tracking method in Algorithm 1 accordingly, as
shown in Algorithm 2. Here Dnew is the current tracking
threshold in buffer B for the metric being tracked.
Algorithm 2. One Round of Online Tracking for Real
Values
let S ¼ ½fðtnow Þ  D; fðtnow Þ þ D;
while Supper bound  Slower bound > g do
gðtnow Þ ¼ ðSupper bound  Slower bound Þ=2;
send gðtnow Þ to tracker;
while jjfðtnow Þ  gðtlast Þjj  D do
wait until fðtnow Þ is updated;
D ¼ Dnew ;
end while
Supper bound ¼ minðSupper bound ; fðtnow Þ þ DÞ;
Slower bound ¼ maxðSlower bound ; fðtnow Þ  DÞ;
end while /* this algorithm is run by observer */
We can show that doing this style of “lazy update of the
tracking threshold value” could ensure that the competitive
ratio is the max of log D for all possible D (or log ðD=gÞ where
g is the finest precision for “double” values) in a tracking
period; and it is optimal. It also guarantees that on the
 2180 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS,
Fig. 4. Intersection with dynamically changing values of D.
monitoring component, the PCA detection result calculated
by the approximated tracking values has a false alarm rate
^ that is within user-specified deviation value m of the true
a orchestration component is able to automatically mitigate
^ 2 ½a  m; a þ m).
false alarm rate a (i.e., a
Claim 2. When the tracking threshold D changes at NC,
by simply changing the D value in Algorithm 1 during a
round, the correctness and optimality of the tracking algo-
rithm still hold. The competitive ratio with dynamically
changing values of D becomes the log of the maximum D
value for integers, and log of the maximum D=g value for
floating point values, where g is the finest precision.
Proof. Here we prove for the case to track integer values.
The extension to real values is straightforward following
the proof for Claim 1. We use the same notation as in
Section 3. Recall that a range S is initialized as
½fðt0 Þ  D; fðt0 Þ þ D, where fðt0 Þ is the value observed at
first, and updated as the intersection of ½fðtÞ  D; fðtÞþ D
up to tnow . A round is from the initialization of S until S
becomes empty.
Correctness. When the tracking error bound changes
from D1 to D2 , Alice sends Bob a new value whenever the
newest value observed is beyond D2 range of last sent one.
Competitive Ratio. Note that in Algorithm 1, ASOL uses
binary search, to guess what value AOPT might have sent
in each round. The range S contains all the possible val-
ues that AOPT might have sent, and it decreases at least
half upon the sending of each message (median of S). So
that in each round, AOPT sends out only one value while
ASOL sends out at most log D. Even if D changes in the
middle, as shown in Fig. 4, it won’t affect the fact that S
decreases at least half upon each message sent. When the
tracking error bound changes from D1 to D2 , use S1 to
denote the region of S at that time, and S2 to denote
½y  D2 ; y þ D2 . x is the median of S1 , the last sent value,
and y is the first value observed that exceeds D2 of x after
D changes. According to our “lazy update” method, the
new S is the intersection of S1 and S2 . Because
y  D2 > x, so jnew Sj ¼ S1ðupper boundÞ  ðy  D2 Þ < jS1 j=2.
Hence no matter D2 is bigger or smaller than D1 , S1
decreases at least half when this change happens. If S1 and
S2 do not intersect, then a new round starts and D2 becomes
the initial threshold of the new round. Therefore, the com-
petitive ratio for each round ONLY matters with the initial
size of S. If the initial threshold of a round is D, then the
competitive ratio for that round is thus log D. Throughout
the whole period, the competitive ratio becomes the log of
maximum threshold values that ever appear.
Optimality. Suppose the last value sent by an online
algorithm ASOL before the change from D1 to D2 is x. An
adversary Carole operates the value of f here. If x is
greater than the median of S, Carole decreases f until it
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY ROORKEE. Downloaded on March 31,2024 at 11:48:31 UTC from IEEE Xplore. Restrictions apply.
VOL. 28, NO. 8, AUGUST 2017
exceeds D2 threshold of x, otherwise increases f until
ASOL has to send out a new value. This way the cardi-
nally of S decreases at most half during the change of D1
to D2 . So the optimality of Algorithm 1 still holds even
with the tracking error bound changing. u
t
6 ORCHESTRATION COMPONENT
The monitoring component in Section 4 detects the abnor-
mal state and identifies which measurement on which VM
might be responsible. In this section, we describe how
the malicious behavior after an anomaly is detected.
Modern IaaS cloud vendors offer services mostly in the
form of VMs, which makes it critical to ensure VM security
in order to attract more customers. VMI technique has been
widely studied to introspect VM for security purpose. There
are also several popular open source general-purpose VMI
tools such as LibVMI[9], Volatility[18], and StackDB[10], for
researchers to explore and develop more sophisticated
applications. LibVMI has many basic APIs that support
memory read and write on live memory. Volatility itself
supports memory forensics on a VM memory snapshot file,
and it has many Linux plugins that are ready to use.
StackDB is designed to be a multi-level debugger, while
also serves well as a memory-forensics tool. Other more
sophisticated techniques developed for special-purpose
VMI anomaly detection are generally based on these tools.
Blacksheep [19], for instance, utilizes Volatility and specifi-
cally developed plug-ins to implement a distributed system
for detecting anomalies inside VMs among groups of simi-
lar machines. However, as most other VMI strategies to
secure VMs, it needs to dump the whole memory space of
the target VM, and then analyze each piece, typically by
comparing with what’s defined a “normal” state. Thus to
protect VMs in real time, the whole memory space needs to
be analyzed constantly, introducing much overhead into
the production system.
ATOM implements its orchestration component based
on Volatility (with LibVMI plug-in for live introspection)
and StackDB. A crucial difference with other systems is
that, ATOM only introspects the VM when an anomaly hap-
pens, and only on the relevant memory space of the suspi-
cious VMs. The monitoring component in ATOM serves as
a trigger to inform VMI tools when and where to do intro-
spection. The anomalies are found by analyzing previously
monitored resource usage data, in monitoring component,
which is much more lightweight than analyzing the whole
memory space. Then the metrics identification process in
monitoring component could locate which dimensions are
suspicious, indicating the relevant metrics on some particu-
lar VMs. This information is sent to orchestration compo-
nent along with a VMI request, which then only introspects
the relevant memory space, reducing the overhead dramati-
cally. For example, if it is detected and identified that the
network usages on VM-2 and VM-3 are unusual, as shown
in Fig. 5, then ATOM could only introspects the network
connections using Volatility network plug-ins on VM-2 and
VM-3, in contrast to other VMI-based detection strategies
which typically need to walk over the whole process list,
opened network sockets, opened files, etc..
 DU AND LI: ATOM: EFFICIENT TRACKING, MONITORING, AND ORCHESTRATION OF CLOUD RESOURCES
Fig. 5. Memory space introspected by ATOM.
After the orchestration component identifies potential
abnormal processes, an alarm is raised with associated
information identified by VMI tools. The alarm and such
information are provided to the VM user. If user confirms
this as an abnormal behavior, ATOM is able to terminate
the malicious processes inside a VM instance by using tools
like StackDB [10]. StackDB could be used to debug, inspect,
modify, and analyze the behavior of running programs
inside a VM instance. To kill a process, it first finds the
task_struct object of the running process using process
name or id, and then passes in SIGKILL signal. Next time
the process is being scheduled, it is killed immediately.
Although the anomalies that could be detected by ATOM
is limited compared with other systems which analyze the
whole memory space, we argue the framework of ATOM
could be easily extended to detect more complex attacks.
First, more metrics could be easily added to monitor for
each VM. Also, many other auto-debugging tools could be
developed, which are useful to find various kinds of attacks
and perform different desirable actions.
Note that killing the identified, potentially malicious pro-
cess is just one possible choice provided by ATOM, which is
performed only if user agrees to (ATOM is certainly able to
automate this as well if desired). Alternatives could be to
terminate the network connections or to close file handles.
A more sophisticated way is to study a rich dataset of
known attacks (e.g., Exploits Database) and design rule-
based approaches to mitigate attacks based on different pat-
terns. We refer these active actions, together with introspec-
tion, as ATOM’s orchestration module. Orchestration in
ATOM can be greatly customized to suite the needs for dif-
ferent tasks, such as identification of different attacks, and
dynamic resource allocation in an IaaS system.
7 VM CLUSTERING
ATOM enables a continuous understanding of the VMs in an
IaaS system. In addition to anomaly detection, this frame-
work is also useful for many other decision making and ana-
lytics applications. Hence, in addition to using a PCA-based
approach in the monitoring component, we will demonstrate
that it is possible to design and implement a VM clustering
module to be used in the monitoring component.
The objective of VM clustering is to cluster a set of VMs
into different clusters so that VMs with similar workload
characteristics end up in the same group. This operation
assists making load balancing decisions, as well as
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY ROORKEE. Downloaded on March 31,2024 at 11:48:31 UTC from IEEE Xplore. Restrictions apply.
2181
developing customized, fine-tuned monitoring modules for
each cluster. For instance, a cloud provider may want to
evenly distribute the VMs having similar resource usage
patterns to different physical nodes, in order to make sure
the physical resources are fully utilized and fewer VMs may
suffer from resource starvation. In another example, we
may want to use different anomaly detection techniques for
VMs running a database server workload than those run-
ning a web server.
The basic idea of our proposed approach is as follows.
The monitoring component in ATOM, using its PCA-based
approach, transforms the original coordinates to a new
coordinate system where the principal components (PCs)
are ordered by the amount of variations on each direction
(as explained in Fig. 3). Thus, if two VMs share similar
workloads, the directions of the corresponding PCs between
the two should also be similar. That said,
Step 1. On CLC, a data matrix for each VM is maintained,
where the columns are metric types and rows are time
instances (i.e., a t  d0 matrix for each VM with a sliding
window of t), and is updated over time.
Step 2. ATOM performs a PCA on each VM data matrix
without standardization; since for clustering purposes, not
only the variations on each direction is important, but also
the average usage on each dimension. For example, a VM
having a disk usage that oscillates between 10,000 and
20,000 bytes is obviously not the same as one having oscilla-
tion between 100 and 200 bytes on the same dimension;
whereas a standardization procedure which first performs
mean-center and then normalization will make the two
oscillations look similar.
This step yields a set of PCs for each VM. The direction of
each PC is denoted by the corresponding eigen vector while
the variation is shown by the associated eigen value.
Step 3. Suppose VM1 has eigen vectors ðv11 ; v12 ; . . .Þ and
corresponding eigen values ð11 ; 12 ; . . .Þ, while VM2 has
ðv21 ; v22 ; . . .Þ and ð21 ; 22 ; . . .Þ. We measure the distance
between two directions using cosine distance; defined as
ð1  cosine similarityÞ. Intuitively, the bigger the angle
between two directions (the less similar they are), the
smaller their cosine similarity is, hence the larger the cosine
distance becomes. Finally, the distance between the two
VMs is defined as: VMdist(VM1, VM2) ¼ j11  21 jð1
v11 v21 v22
jv11 jv21 Þ þ j12  22 jð1  jvv12
12 jv22
Þ þ    . Note that it is simply
the sum of the cosine distance of each corresponding pair of
eigen vectors from VM1 and VM2, weighted by the differ-
ence of the corresponding eigen values to ensure that the
variations do not differ a lot.
Step 4. Using VMdist as the distance measure between
any two VMs, we use DBSCAN [20] to cluster similar VMs
together. DBSCAN is a threshold-based (aka density based)
clustering algorithm which requires two parameters: 
which is the density threshold, and minPts which is the
number of minimum points to form a cluster. DBSCAN
expands a cluster from an un-visited data point towards all
its neighboring points provided the distance is within , and
then recursively expands from each of the neighboring
point. Points are marked as an outlier if the number of
points in their cluster is fewer than minPts. Compared with
other popular clustering methods like k-means, density-
 2182 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS,
Fig. 6. A comparison on number of values sent by NC for each metric.
based clustering algorithm does not require the prior-
knowledge on the number of clusters, neither does it need
to iteratively compute an explicit “centroid” and re-cluster
at every iteration.
By default, ATOM sets minPts=10, and computes the
threshold value  using a sampling based approach. More
specifically, we randomly select n pairs of VMs and com-
pute their VMdist. We sort the n VMdist values, and set
 ¼ VMdisti if VMdistiþ1 > 5  VMdisti . The intuition is
that for any point, the distance to a point in a different clus-
ter is much longer than the distance to a point in the same
cluster, and we want to find a large enough “inner cluster”
distance and use it as the threshold value  to determine
whether two points belong to the same cluster.
8 EVALUATION
We implemented ATOM using Eucalyptus as the underly-
ing IaaS system. The virtual machine hypervisor running on
each NC is the default KVM hypervisor. Each VM has an
m1.medium type on Eucalyptus. ATOM tracks seven met-
rics from each VM instance: CPUUtilization, NetworkIn,
NetworkOut, DiskReadOps, DiskWriteOps, DiskReadBytes,
DiskWriteBytes. All experiments are executed on a linux
machine with an 8-core Intel(R) Core(TM) i7-3770 CPU @
3.40 GHz computer.
8.1 Online Tracking
In the evaluation the data collection time interval is set to 10
seconds, i.e., raw values for different metrics are collected
every 10 seconds on a NC (observer), which produces 360
values for each metric per hour. Instead of sending every
value to CLC (the tracker), the modified CloudWatch
with ATOM’s online tracking component selectively
sends certain values based on Algorithm 1, from NC to
CLC. Fig. 6 shows the number of values sent for each
metric over 2 hours, with different workloads (e.g., TPC-
C benchmark over MySQL) and different D values.
Among the seven metrics for each VM, only the first 5
ones are shown in each sub-figure, as DiskReadBytes/
DiskWriteBytes follow the same patterns with DiskRea-
dOps/DiskWriteOps in all experiments.
Fig. 6a shows the result when VM is idle, using D ¼ 0.
This is the base case with no error allowed for any metric.
The result shows that our tracking component has still
achieved significant savings when no error is allowed. In
Fig. 6b, VM is also idle, while D is set to 10 percent of the
average value (calculated from exact values collected) in 2
hours for each metric. Note that this is a very small error
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY ROORKEE. Downloaded on March 31,2024 at 11:48:31 UTC from IEEE Xplore. Restrictions apply.
VOL. 28, NO. 8, AUGUST 2017
threshold. For example, metric CPUUtilization is always
between 0 and 0.2 percent when VM is idle, so D value for
this metric is only (roughly) 0.01 percent. This figure shows
that when allowing a very small error, tracking component
already leads to significant savings. Fig. 6c shows the results
when VM is running TPC-C benchmark on a MySQL data-
base, which involves large disk reads and writes. D is set as
the average of the exact values in 2 hours when VM is idle.
This is reasonable even for users who do not allow any
error, because D is merely the average of the amount con-
sumed by an idle VM. Note that in this figure, NetworkIn
and NetworkOut only have two values sent to CLC in 2
hours with the tracking component. This figure tells us that
even if VM is intensively used and almost no error is
allowed, the tracking component is still highly effective.
Fig. 6d demonstrates the result when VM is running the
same workload, while D value for each metric is now set as
10 percent of the average value when the VM has been run-
ning the same workload for 2 hours, i.e., larger errors
are allowed. Clearly, the tracking component becomes more
effective. Error is expected to improve ATOM performance
because new values within the error threshold of last sent
one could be saved.
Fig. 7 explains how the online tracking component
works. It shows both values sent by standard CloudWatch
(without tracking) and values sent by modified CloudWatch
with ATOM tracking, with a time interval of 1000 seconds
for the NetworkOut metric from Fig. 6b. This clearly illus-
trates that at each time instance, with online tracking, the cur-
rent (exact) value is not sent if it is within D threshold of the
last sent value; and at each time point, the last value sent to
CLC is always within D of the newest value observed on NC.
The values sent by the tracking method closely approximate
those exact values, with much smaller overhead.
Fig. 7. A comparison on NetworkOut values sent by NC.
 DU AND LI: ATOM: EFFICIENT TRACKING, MONITORING, AND ORCHESTRATION OF CLOUD RESOURCES
TABLE 2
Online Monitoring Experiment Setup
Experiment Workload Attack
1 VM 1, 3 idle; VM 2 DDoS attack inside
network workload VM 2
2 VM 1 idle; VM 2, 3 DDoS attack inside
network workload VM 2, 3
3 VM 1 idle; VM 2 Resource-freeing attack
network workload; from VM 3 to VM 2
VM 3 disk workload
8.2 Automated Online Monitoring and Orchestration
We design three experiments to illustrate the effectiveness
of ATOM’s monitoring module. For each experiment, we
use a false alarm rate a ¼ 0:2 percent and its deviation m ¼ 1
percent (to set the tracking error bound). Meanwhile the Qa
threshold with a ¼ 0:5 percent is also calculated to compare
against. The online tracking error D is calculated dynami-
cally according to the equations in Section 5.1 at the CLC,
and set using the algorithm in Section 5.2 on each NC. Three
VMs with a type of m1.medium co-located in one Eucalyptus
physical node are monitored for each experiment, which
form a t  21 data matrix. Dimensions 1-7 belong to VM 1, 8-
14 are for VM 2, whereas VM 3 owns the rest.
We use two types of normal workloads and two kinds of
attacks in all three experiments. The two types of normal
workloads include network and disk workloads. For the
network workload, an Apache web server is installed and
constantly responding WebBench network requests. The
disk workload is TPC-C benchmark against MySQL data-
base [21]. The two types of attacks are DDoS attack and
resource-freeing attack [14]. In our experiment, DDoS attack
treats the affected VM as a compromised zombie and sends
malicious traffic to the target IP address. Resource-freeing
attack is launched by VM 3 targeting the web server on VM
2 to gain more cache usage. Note that there is a 4th VM run-
ning WebBench and a 5th VM running Apache web server
as the target of DDoS bots. The first two hours are used to
build PCA model for each experiment, while the anomaly
happens at the third hour. The settings for each experiment
is shown in Table 2.
In the first experiment, VM 2 runs an Apache web server
while the other 2 VMs are idle. A DDoS attack turns VM 2
to be a zombie at the third hour, using it to generate traffic
towards the target IP (the 5th VM in our experiment). Note
Fig. 8. Time series plots of SPE against thresholds Qa with a ¼ 0:2 and 0.5 percent.
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY ROORKEE. Downloaded on March 31,2024 at 11:48:31 UTC from IEEE Xplore. Restrictions apply.
2183
that this attack is hard to detect using the simple threshold
approach in existing IaaS systems. The normal workload on
VM 2 is a network workload, which already has a large
amount of NetworkIn/NetworkOut usage, sending out
malicious traffic only changes roughly 10%  30 percent to
the mean of normal statistics. Hence it is difficult to set an
effective threshold value even for an experienced user due
to the fact that the underlying normal traffic might oscillate
within a range. Yet ATOM’s monitoring module success-
fully finds the underlying pattern, and detects time instan-
ces that are abnormal (when attacks are ongoing). Fig. 8a
shows the online monitoring and detection process. The
dashed line corresponds to threshold Qa for a ¼ 0:2 percent,
and the solid line shows Qa for a ¼ 0:5 percent. SPE of the
approximate data matrix projected onto the residual sub-
space is plotted, where the black dots indicates the time instan-
ces when DDoS attack happens. Clearly, ATOM has
successfully identified all abnormal time instances correctly.
Once a time instance is considered abnormal, ATOM
immediately runs metrics identification procedure to find
the affected VMs and metrics. As described in Section 4.3.4,
ATOM first finds out potential abnormal dimension(s) by
analyzing the average change portion rdj between abnormal
data points and normal data points projected onto residual
subspace. Then for dimensions that have significant
changes, ATOM computes stddevj as suggested in Section
4.3.4, and also calculates the average change meandiff j if
stddevj is above a threshold. Recall m is the number of
consecutive abnormal time instances until tnow . The results
when m ¼ 5 are shown in the first table of Table 3. Note that
only for the dimensions having large enough residual por-
tion (rdj ) does ATOM computes the standard deviation
error (stddevj ). Among the 3 VM instances being tracked
and monitored, ATOM correctly identifies an anomaly hap-
pening on VM 2, and more specifically, it discovers that the
anomaly is from its first three dimensions (CPUUtilization,
NetworkIn, NetworkOut), indicated by the bold values.
Note that NetworkIn and NetworkOut actually go down
because of DDoS attack. Our guess is that WebBench tends
to saturate the bandwidth available for the VM, while the
DDoS attack we use launches many network connections
but not sending as much traffic. The CPUUtilization, how-
ever, goes up due to the attack. Nevertheless, ATOM is able
to identify all three abnormal metric dimensions.
After abnormal metrics are identified, a VMI request is
sent to the corresponding NC for introspection. ATOM’s
 2184 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 28, NO. 8, AUGUST 2017

TABLE 3
Metrics Identification Results

Dim (j) vm1-d1 vm1-d2 vm1-d3 vm1-d4 vm1-d5 vm1-d6 vm1-d7 vm2-d1 vm2-d2 vm2-d3 vm2-d4
rdj 1.87 36.62 27.17 13.39 -0.56 0.08 8.55 32.63 7.31 35.82 0.00
Experiment 1 stddevj 0.50 0.32 0.72 0.00 0.76 0.00 0.90 48.68 3.82 6.74 0.08
Metrics meandiff j 0.11 -0.12 -0.21
Identification Dim (j) vm2-d5 vm2-d6 vm2-d7 vm3-d1 vm3-d2 vm3-d3 vm3-d4 vm3-d5 vm3-d6 vm3-d7
Results rdj 0.00 0.00 0.00 2.94 -0.50 -0.41 18.45 18.00 1.22 1.88
stddevj 0.90 0.08 0.41 0.72 0.31 1.06 0.00 0.18 0.00 0.66
meandiff j
Dim (j) vm1-d1 vm1-d2 vm1-d3 vm1-d4 vm1-d5 vm1-d6 vm1-d7 vm2-d1 vm2-d2 vm2-d3 vm2-d4
rdj 23.70 -0.98 -0.98 -0.55 -0.57 4.27 3.76 9.14 64.18 65.05 3.50
Experiment 2 stddevj 0.78 0.42 0.58 0.00 0.67 0.00 0.71 3.17 8.01 8.30 0.00
Metrics meandiff j 0.16 -0.26 -0.28
Identification Dim (j) vm2-d5 vm2-d6 vm2-d7 vm3-d1 vm3-d2 vm3-d3 vm3-d4 vm3-d5 vm3-d6 vm3-d7
Results rdj -0.51 -0.82 4.23 9.04 60.56 61.16 1.45 -0.56 1.89 -0.51
stddevj 0.31 0.00 0.35 7.23 6.06 6.98 0.17 3.39 0.12 3.65
meandiff j 0.39 -0.23 -0.31
Dim (j) vm1-d1 vm1-d2 vm1-d3 vm1-d4 vm1-d5 vm1-d6 vm1-d7 vm2-d1 vm2-d2 vm2-d3 vm2-d4
rdj 2.58 -0.65 -0.93 -0.65 28.23 -0.98 -0.15 6.90 7.94 7.27 -0.76
Experiment 2 stddevj 0.24 0.42 0.63 0.95 0.43 0.98 0.86 7.36 4.52 4.74 0.21
Metrics meandiff j -0.91 -0.85 -0.89
Identification Dim (j) vm2-d5 vm2-d6 vm2-d7 vm3-d1 vm3-d2 vm3-d3 vm3-d4 vm3-d5 vm3-d6 vm3-d7
Results rdj 0.30 -0.99 -0.44 10.70 1282.80 1401.34 1363.47 -0.70 1544.73 -0.53
stddevj 1.41 0.17 1.43 1.86 13.05 12.79 13.42 1.72 13.60 1.78
meandiff j 101.81 110.97 187.16 196.30

orchestration module first identifies this as a possible net-
work problem, and then calls volatility to analyze the net-
work connections (linux_netstat plugin) on that VM,
which then finds out the numerous network connections
targeting at one IP address, a typical pattern of DDoS
attacks. Volatility is then used to find out related processes
and their parent process (pslist plugin) of these network
connections. At this time ATOM raises an alarm with alarm
level m notifying user about the findings, and asks user to
check whether those processes are normal or malicious. The
alarm level is useful; for example, m ¼ 1 could be treated as
a mild warning. If user identifies them to be malicious, he/
she could either investigate the VM in further details, or use
ATOM’s monitoring module to do auto-debugging and kill
malicious processes automatically through StackDB [22].
Fig. 8a shows that SPE goes back to normal after the attack
is mitigated on the affected VM through ATOM’s orchestra-
tion module.
In the second experiment, both VM 2 and VM 3 are run-
ning the network workload, and the same DDoS attack
turns both VMs to be zombie VMs simultaneously. Not
only ATOM is able to detect an anomaly happened as
shown in Fig. 8b, but also it finds similar patterns on the cor-
rect metrics from both VM 2 and VM 3 as illustrated in the
second table of Table 3, which shows the metrics identifica-
tion results when m ¼ 5. By sending this information to the
orchestration component, the introspection overhead could
be saved by first introspecting one VM, and then checking if
another one has the same malicious behavior going on.
The third experiment illustrates ATOM’s ability to detect
a different type of attack, the resource-freeing attack [14], a
subtle attack where the goal is to improve a VM’s perfor-
mance by forcing a competing VM to saturate some bottle-
neck and shift its usage on the target resource (often times
with legitimate behavior). This kind of attacks is known to
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY ROORKEE. Downloaded on March 31,2024 at 11:48:31 UTC from IEEE Xplore. Restrictions apply.
be very hard to catch except for using strong isolation on
physical node. In this experiment, VM 2 runs an Apache
web server constantly handling network requests. VM 3
runs TPC-C benchmark on MySQL database. According to
[14], if VM 3 wants more cache usage, it could make net-
work resource to be a bottleneck for VM 2, and shift its
usage on cache (VM 2 and VM 3 are running on the same
physical node). In this experiment VM 3 launches Golden-
Eye attack, which achieves a denial-of-service attack on the
HTTP server running on VM 2 by consuming all available
sockets, and is paired with cache control. We show that
ATOM successfully finds the two VMs, and by its metrics
identification procedure, it suggests the possibility of an
resource-freeing attack and provides useful data to its
orchestration module in assisting the VMI procedure on
VMs 2 and 3.
Fig. 8c plots the monitoring and the detection process.
The black dots indicate the time instances when abnormal
behavior happens. This figure, as before, only shows that an
anomaly has happened. While the third table in Table 3 ana-
lyzes where the anomaly has originated. The stddevj values
show what the abnormal dimensions are, on VM 2: CPUUti-
lization (vm2-1), NetworkIn (vm2-2), NetworkOut (vm2-3);
on VM 3: NetworkIn (vm3-2), NetworkOut (vm3-3), Dis-
kReadOps (vm3-4), DiskReadBytes (vm3-6).
Further analysis on meandiff j finds out NetworkIn and
NetworkOut statistics on VM 2 decrease nearly by an order,
while VM 3 sees significant increase in NetworkIn, Net-
workOut and especially its disk read statistics (DiskRea-
dOps and DiskReadBytes). This is a typical resource
freeing attack as described in [14], where network
resource has become the bottleneck of a target VM, and
the beneficiary VM gains much of the shared cache usage
by showing a significant increase in disk read statistics.
The sudden increase in NetworkIn/NetworkOut in VM 3
 DU AND LI: ATOM: EFFICIENT TRACKING, MONITORING, AND ORCHESTRATION OF CLOUD RESOURCES
Fig. 9. Network bandwidth saving in each experiment in Fig. 8.
also suggests that VM 3 might be the attacker of VM 2 by
sending malicious traffic to it.
Further analysis by VMI in ATOM’s orchestration mod-
ule shows that most of VM 2’s sockets are occupied by con-
necting to VM 3, thus the anomaly could be mitigated by
closing such connections and limiting future ones. Of
course, VM 3 could use a helper to establish such malicious
connections with VM 2 as suggested in paper [14], yet
ATOM is still able to raise an alarm to end user and suggest
a possible ongoing resource-freeing attack.
Users should be aware that the larger an alarm level m is,
the more accurate the metrics identification process is, and
the more likely a bigger damage an attack has caused.
Lastly, Fig. 9 shows the communication overhead saving
achieved by ATOM in these three experiments. For the first
hour in each experiment, each VM should have sent
7  360 ¼ 2; 520 values to CLC. However, by using online
tracking and setting the tracking error D dynamically, the
number of values sent are significantly reduced. Since each
message is of the same size, we calculate the network band-
number of messages sent with tracking module
width saving as (1 - number
of messages sent without tracking module); the
results are shown in Fig. 9. Note here the deviation is a very
small value m ¼ 1 percent, which could be a much bigger
value in practice because as shown in Fig. 8, the anomalies
tend to have a much bigger SPE value. A larger m leads to a
bigger threshold D, leading to even more savings than what
is shown in Fig. 9. What’s more, the monitoring overhead is
also saved because PCA only needs to be computed when
new data arrives. With less data reported, PCA could be
computed less frequently.
8.3 Sensitivity Analysis
There are only two parameters to set up for ATOM:
the desired false alarm rate a which is used to calculate the
anomaly detection threshold Qa in Section 4.3.3, and the
maximally allowed false alarm deviation rate m as defined
in Section 5 which is used to bound and adjust the tracking
threshold D.
We design two experiments to analyze the sensitivity of a
and m respectively. We use the same dataset for these
experiments to clearly demonstrate the impacts of having
different values for a and m. The first experiment varies the
values of a and counts the actual number of false alarms.
The second experiment gradually increases the values of m,
and measures the actual number of false alarms and the net-
work savings achieved by the tracking module (when its
tracking threshold D is dynamically adjusted by ATOM).
The result of the first experiment is shown in Fig. 10a,
which shows how the actual false alarm rate changes with
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY ROORKEE. Downloaded on March 31,2024 at 11:48:31 UTC from IEEE Xplore. Restrictions apply.
2185
Fig. 10. Sensitivity analysis.
the increase of values of a. When a increases from 0.1 per-
cent (confidence level 99.9 percent) to 5 percent, the actual
false alarm rate also increases. But the actual false alarm
rate is always much smaller, ranging from just 0.006 to 0.05
percent. The common practice is to choose a < 0:5 percent,
and far fewer actual false alarms (less than 0.5 per 100 data
points) will be produced.
Fig. 10b shows the results of the second experiment. We
vary the false alarm deviation rate m from 0 to 2.6 percent,
with a step size of 0.2 percent. For each value of m, we run the
experiments for 10 times, where a value ranges from 0.1 to
0.5 percent, with a step size of 0.1 percent. Finally the average
results are computed with respect to each m. We are inter-
ested in network bandwidth saving in percentage (y axis)
and the actual false alarm rate (x axis). Larger m means a big-
ger D threshold is used by ATOM, and thus leads to more
savings in network bandwidth. However the growth of m is
also accompanied with an increase in the number of actual
false alarms, which suggests a trade-off between using more
network bandwidth and having fewer false alarms.
But generally speaking, a small value for m is sufficient to
provide enough communication savings. Note that all
attacks were still detected in all experiments, achieving false
negative rate of 0 percent. As shown in Fig. 8, using both
a ¼ 0:2 percent and a ¼ 0:5 percent, ATOM could easily
identify the attacks. A higher a value leads to a lower
threshold value for attack detection, meaning attacks are
more easily to be detected though it may lead to more false
alarms. ATOM allows users to control the false alarm rate
and the tracking threshold by adjusting a and m.
In our analysis, a wide range of thresholds suffice to
detect denial of service attacks or resource starving attacks
while achieving large communication saving. However in
production systems, it is important to provide users feed-
back about the effects of their error setting. ApproxHadoop
[23] and Social Trove [24] use statistical models from extreme
value theory to estimate the effects of delta. In our models,
statistical models can help over short periods, but over long
periods we would expect malicious attackers to adapt their
attacks to reduce their chances of being caught. In this situa-
tion, it is important to use offline benchmarking to assess the
effect of the error threshold as shown in [25], in which the
authors provide techniques to overlap online executions
with different delta settings, allowing us to understand the
effects of delta empirically without degrading throughput.
8.4 ATOM Scalability Evaluation
To evaluate the scalability of ATOM, we measure the key
performance metrics of ATOM with an increasing number
 2186 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS,
Fig. 11. Impacts to ATOM’s performance with respect to the increasing
number of VMs.
of VMs (from 2 to 6). In each configuration, we perform
online monitoring using the adapted PCA-based anomaly
detection using a sliding window of size 100 (time instan-
ces), combined with either online tracking or no tracking
(i.e., send everything). We report the average for the false
alarm rate, the average PCA running time, and the total
number of messages sent from NC to the CLC, per sliding
window. The results are shown in Fig. 11.
Larger number of VMs leads to higher communication cost
in ATOM. However, the tracking component of ATOM
becomes more effective with more VMs, as shown in Fig. 11a.
This is because there are more opportunities for communica-
tion savings when there is a higher probability of temporal
locality on one of the many VMs’ performance metrics.
Fig. 11b shows the computation cost in ATOM increases
linearly to the number of VMs, which is as expected. Never-
theless, the overall computation overhead of ATOM is still
fairly small (in just a few milliseconds per sliding window).
The measured false alarm rate actually decreases initially
with more VMs. But when the number of VMs keeps
increasing, the measured false alarm rate will eventually
start to increase, as indicated in Fig. 11c. Initially, when pre-
sented with more data, the PCA-based approach becomes
more effective in “learning” the normal subspace, hence
results in a reduced false alarm rate. But as number of VMs
continues to increase, the dimensionality of the data matrix
becomes larger, eventually making it less effective to detect
abnormal subspace after dimensionality reduction. Never-
theless, ATOM remains very effective in all cases; the false
alarm rates are smaller than 1 percent in nearly all test cases.
8.5 ATOM versus Classic Offline PCA Anomaly
Detection
In this section we show what happens if we simply
apply the classic offline PCA method (offlinePCA) that
has been widely used for anomaly detection in previous
literature [13].
Specifically, to use offlinePCA, each time we delete the
oldest time instance and add the newest one in the sliding
window, and then use the data matrix inside this sliding
window to do PCA. Each time only the newest time instance
data need to be verified. After transforming the original
data to the rotated PCA space, we measure each dimension
at the newest time instance, use the first dimension that
exceeds 3 times of standard deviation along that axis as the
starting dimension of the residual subspace, and if no such
dimension exists, SPE need not be calculated and checked
against the anomaly threshold.
To compare the performance of this method with our
approach, we run another experiment with the same setting
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY ROORKEE. Downloaded on March 31,2024 at 11:48:31 UTC from IEEE Xplore. Restrictions apply.
VOL. 28, NO. 8, AUGUST 2017
Fig. 12. offlinePCA using the settings in Experiment 1 from Table 2 (SPE
is computed as in Section 4.3.3).
as that in experiment 1 shown in Table 2 and apply the
above method. Fig. 12 shows the result of anomaly detection
using this method. Note that SPE is not calculated for all
time points as explained above. The blue dots indicate SPE
of certain time instances and red crosses show the threshold
Qa to compare against at the same time instances. Anomaly
happens at the end of first hour (3,600 on the time dimen-
sion in Fig. 12), and it continues ever since. So we would
expect at the second hour there should be blue dots and red crosses
at every time point, and all blue dots should be above the red
crosses. However as shown in Fig. 12, it only takes less than
4 minutes (only the first 20 time instances after 3,600 have
been detected being abnormal) for the attack to escape from
the monitoring and detection, and make itself be identified
as normal behavior. Note that towards the end the SPE val-
ues in Fig. 12 here is different from that in Fig. 8, where SPE
values are normal again in the end because the attacks were
mitigated in the experiment by ATOM’s orchestration mod-
ule. The key difference causing this is that ATOM’s online
method based on PCA ensures only normal data points are
used for anomaly detection, while the abnormal data points
may skew the PCA model built by the naive offline method.
8.6 VM Clustering Evaluation
To evaluate the accuracy and robustness of our VM cluster-
ing method, we run an experiment using 102 VM data vec-
tors (each VM data vector is a seven-dimension vector with
seven performance metrics, collected from a VM running a
particular workload at the time of data collection). Among
the 102 VM data vectors, 34 were idle, another 34 were run-
ning a TPCC benchmark on MySQL database and the rest
34 were running an Apache web server. We run the VM
clustering for 10 times and calculate the average results.
The experiment result shows that our method is able to pre-
cisely identify the three clusters, with a few points marked
as outliers each time. The average clustering precision is
96.08 percent, the average clustering recall is 95.10 percent,
and the average clustering F-measure is 95.59 percent.
Since we use a density-based clustering algorithm which
groups nearby VM data vectors together, to test its robust-
ness, for each VM data vector we measure its distance to the
closet neighbor inside the same cluster (denoted as “inner
cluster distance”) and the closest distance to a VM data vec-
tor in a different cluster (denoted as “inter cluster dis-
tance”). A histogram of the two measures for all 102 VM
data vectors is shown in Fig. 13. We can see that there is a
 DU AND LI: ATOM: EFFICIENT TRACKING, MONITORING, AND ORCHESTRATION OF CLOUD RESOURCES
Fig. 13. Histogram of clustering distances.
large gap between the two distances, which shows the
robustness of our clustering method and it is fairly robust
and insensitive to a wide range of threshold  values.
8.7 Discussion
The Choice of D. Larger D values lead to more savings, but
with less accurate data matrix. However cloud users don’t
have to worry about setting D values; ATOM only needs the
user to specify a tolerable deviation rate m on the detection
threshold. ATOM is then able to adjust D values dynami-
cally online.
Possible False Alarms. Resource usage pattern may simply
change due to normal changes in user activities, in which
case ATOM may raise false alarms. Nevertheless, ATOM is
able to raise alarms and let users decide the right course of
actions to take by assisting users with its orchestration mod-
ule. ATOM also uses the new workload chracteristics to
adjust its monitoring component to adapt to a new work-
load dynamically and automatically in an online fashion.
Overhead. The tracking module, by simply apply Algo-
rithm 1 before sending out each value, introduces only Oð1Þ
overhead. The monitoring module could leverage a recur-
sive update procedure, so that it is possible to use the cur-
rent PCA model to do incremental update instead of
computing from scratch, e.g., [15], [26]. Depending on the
PCA algorithm used, it is polynomial to the sliding window
size and number of dimensions. In contrast, the overhead
saved by ATOM is significant. Not only a major fraction of
network traffic could be saved from CC to CLC, but also the
effort to apply VMI. The orchestration module orchestrates
and introspects only the affected VMs and metrics, and only
when needed, hence, leads to much smaller overhead than
full-scale VM introspection that are typically required.
Other Attacks. Our experiments use the same set of met-
rics that are monitored by CloudWatch and demonstrate
two different types of attacks. But ATOM can easily add
any additional metric without much overhead. This means
that it can be easily extended when necessary with addi-
tional metrics for monitoring and detecting different kinds
of attacks.
9 RELATED WORK
To the best of our knowledge, none of existing IaaS plat-
forms is able to provide continuous tracking, monitoring,
and orchestration of system resource usage. Furthermore,
none of them is able to do intelligent, automated monitoring
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY ROORKEE. Downloaded on March 31,2024 at 11:48:31 UTC from IEEE Xplore. Restrictions apply.
2187
for a large number of VMs and carry out orchestration
inside a VM.
Cloud Monitoring. Most existing IaaS systems follow the
general, hierarchical architecture as shown in Fig. 1. Inside
these systems, there are imperative needs for the controller
to continuously collect resource usage data and monitor
system health. AWS [1] and Eucalyptus [4], [5] use Cloud-
Watch [27] service to monitor VMs and other components
in some fixed intervals, e.g., every minute. This provides
cloud users a system-wide visibility into resource utiliza-
tion, and allows users to set some simple threshold based
alarms to monitor and ensure system health. OpenStack [28]
is developing a project called Ceilometer [29], to collect
resources utilization measurements. However, these
approaches only provide a discrete, sampled view of the
system. Several emerging startup companies such as DATA-
DOG[30] and librato [31] could monitor in a more fine-
grained granularity, provided the required softwares are
installed. However, this inevitably introduces more network
overhead to the cloud, which becomes worse when the moni-
tored infrastructure scales up. On the contrary, ATOM sig-
nificantly reduces the network overhead by utilizing the
optimal online tracking algorithm, while providing just
about the same amount of information. Furthermore, all
these cloud monitoring services offer very limited capability
in monitoring and ensuring system health. UBL [8] uses col-
lected VM usage data to train Self-Organizing Maps for
anomaly prediction, which serves a similar purpose to
ATOM’s monitoring component. Besides the detailed com-
parison in Section 1, SOM requires an explicit training stage
and needs to be trained by normal data, while PCA could
identify what is normal directly from the history data pro-
vided normal data is the majority. Unlike UBL and ATOM
which only require VM usage data, PerfCompass collects
system call traces and checks the execution units being
affected [32] to identify whether a VM performance anomaly
is caused by internal fault like software bugs, or from an
external source such as co-existing VMs.
Astrolabe [33] is a monitoring service for distributed
resources, to perform user-defined aggregation (e.g., number
of nodes that satisfy certain property) on-the-fly for the host
hierarchy. It is intended as a “summarizing mechanism”.
Similar to Astrolabe, SDIMS[34] is another system that aggre-
gates information about large-scale networked systems with
better scalability, flexibility, and administrative isolation.
Ganglia [35] is a general-purpose scalable distributed moni-
toring system for high performance computing systems
which also has a hierarchical design to monitor and aggre-
gate all the nodes and has been used in many clusters. These
efforts are similar to the CloudWatch module currently used
in AWS/Eucalyptus, and they reduce monitoring overhead
by simple aggregations. While the purpose of ATOM’s track-
ing module is to reduce data transfer, but it does so using
online tracking instead of simply aggregating which delivers
much more fine-grained information.
STAR [36] is a hierarchical algorithm for scalable aggre-
gation that reduces communication overhead by carefully
distributing the allowed error budgets. It suites systems like
SDIMS[34] well. InfoEye [37] is a model-based information
management system for large-scale service overlay net-
works through a set of monitoring sensors deployed on
 2188 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS,
different overlay nodes with reduced overhead achieved by
ad-hoc conditions filters. InfoTrack [38] is a monitoring sys-
tem that is similar to ATOM’s tracking module, in that it
tries to minimize continuous monitoring cost with most
information precision preserved, by leveraging temporal
and spatial correlation of monitored attributes, while
ATOM utilizes an optimal online tracking algorithm that is
proved to achieve the best saving in network cost without
any prior knowledge on the data. MELA [39] is a monitor-
ing framework for cloud service which collects different
dimensions of data tailored for analyzing cloud elasticity
purpose (e.g., scale up and scale down). ATOM may use
MELA to collect, track, and monitor different types of met-
rics than those already available through CloudWatch.
Cloud Security. IaaS system also brings us a new set of
security problems. Leading cloud providers have developed
advanced mechanism to ensure the security of their IaaS
systems. AWS [40] has many built-in security features such
as firewalls, encrypted storage and security logs. OpenStack
uses a security component called Keystone [41] to do
authentication and authorization. It also has security rules
for network communication in its network component Neu-
tron [42]. Other IaaS platforms have similar security solu-
tions, which are mainly firewalls and security groups.
Nevertheless, it is still possible that hackers could bypass
known security policies, or cloud users may accidentally
run some malicious software. It is thus critical to be able to
detect such anomaly in near real-time to avoid leaving hack-
ers plenty of time to cause significant damage. Hence we
need a monitoring solution that could actively detect anom-
aly, and identify potentially malicious behavior over a large
number of VM instances. AWS recently adopts its Cloud-
Watch service for DDoS attacks[3], but it requires user to
check historical data and set a “’magic value” as the thresh-
old manually, which is unrealistic if user’s underlying
workloads change frequently.
In contrast, ATOM could automatically learn the normal
behavior from previous monitored data, and detect more
complex attacks besides DDoS attacks using PCA. PCA has
been widely used to detect anomaly in network traffic vol-
ume in backbone networks [12], [13], [17], [43], [44], [45]. As
we have argued in Section 4.1, adapting a PCA-based
approach to our setting has not been studied before and pre-
sented significant new challenges.
The security challenges in IaaS system were analyzed in
[7], [46], [47], [48]. Virtual machine attacks is considered a
major security threat. ATOM’s introspection component
leverages existing open source VMI tools such as Stackdb
[10] and Volatility [18] to pinpoint the anomaly to the exact
process.
VMI is a well-known method for ensuring VM secu-
rity [49], [50], [51], [52]. It has also been studied for IaaS sys-
tems [53], [54], [55]. However, to constantly secure VM using
VMI technique, the entire VM memory needs to be traversed
and analyzed periodically. It may also require the VM to be
suspended in order to gain access to VM memory. Black-
sheep [19] is such a system that detects rootkit by dumping
and comparing groups of similar machines. Though the per-
formance overhead is claimed to be acceptably low to sup-
port real-time monitoring, clearly user programs will be
negatively affected. Another solution was suggested [56] for
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY ROORKEE. Downloaded on March 31,2024 at 11:48:31 UTC from IEEE Xplore. Restrictions apply.
VOL. 28, NO. 8, AUGUST 2017
cloud users to verify the integrity of their VMs. However,
this is not an “active detection and reaction” system. In con-
trast, ATOM enables triggering VMI only when a potential
attack is identified, and it also helps locate the relevant memory
region to analyze and introspect much more effectively and
efficiently using its orchestration component.
10 CONCLUSION
We present the ATOM framework that can be easily inte-
grated into a standard IaaS system to provide automated,
continuous tracking, monitoring, and orchestration of sys-
tem resource usage in nearly real-time. ATOM is extremely
useful for anomaly detection, auto scaling, and dynamic
resource allocation and load balancing in IaaS systems.
Interesting future work include extending ATOM for more
sophisticated resource orchestration and incorporating the
defense against even more complex attacks in ATOM.
ACKNOWLEDGMENTS
Min Du and Feifei Li were supported in part by grants US
National Science Foundation CNS-1314945, CNS-1514520
and US National Science Foundation IIS-1251019. We wish
to thank Eric Eide, Jacobus (Kobus) Van der Merwe, Robert
Ricci, and other members of the TCloud project and the
Flux group for helpful discussion and valuable feedback.
The preliminary version of this paper appeared in IEEE Big-
Data 2015[57].
REFERENCES
[1] Amazon. [Online]. Available: http://www.aws.amazon.com/,
Accessed on: Nov. 5, 2016.
[2] ITWORLD. [Online]. Available: http://www.itworld.com/
security/428920/attackers-install-ddos-bots-amazon-cloud-
exploiting-elasticsearch-weakness, Accessed on: Nov. 5, 2016.
[3] Amazon, “AWS Best Practices for DDoS Resiliency,” [Online].
Available: https://d0.awsstatic.com/whitepapers/DDoS_White_
Paper_June2015.pdf, Accessed on: Nov. 5, 2016.
[4] Eucalyptus. [Online]. Available: http://www8.hp.com/us/en/
cloud/helion-eucalyptus.html, Accessed on: Nov. 5, 2016.
[5] D. Nurmi, et al., “The eucalyptus open-source cloud-computing
system,” in Proc. 9th IEEE/ACM Int. Symp. Cluster Comput. Grid,
2009, pp. 124–131.
[6] M. Du and F. Li, “SPELL: Streaming parsing of system event
logs,” in Proc. IEEE Int. Conf. Data Mining, 2016.
[7] W. Dawoud, I. Takouna, and C. Meinel, “Infrastructure as a ser-
vice security: Challenges and solutions,” in Proc. 7th Int. Conf. Inf.
Syst., 2010, pp. 1–8.
[8] D. J. Dean, H. Nguyen, and X. Gu, “UBL: Unsupervised behavior
learning for predicting performance anomalies in virtualized cloud
systems,” in Proc. 9th Int. Conf. Auton. Comput., 2012, pp. 191–200.
[9] LibVMI. [Online]. Available: http://libvmi.com/, Accessed on:
Nov. 5, 2016.
[10] D. Johnson, M. Hibler, and E. Eide, “Composable multi-level
debugging with Stackdb,” in Proc. 10th ACM SIGPLAN/SIGOPS
Int. Conf. Virtual Execution Environ., 2014, pp. 213–226.
[11] K. Yi and Q. Zhang, “Multi-dimensional online tracking,” in Proc.
20th Annu. ACM-SIAM Symp. Discrete Algorithms, 2009, pp. 1098–
1107.
[12] H. Ringberg, A. Soule, J. Rexford, and C. Diot, “Sensitivity of PCA
for traffic anomaly detection,” ACM SIGMETRICS Performance
Eval. Rev., vol. 35, pp. 109–120, 2007.
[13] A. Lakhina, M. Crovella, and C. Diot, “Diagnosing network-wide
traffic anomalies,” in Proc. Conf. Appl. Technol. Archit. Protocols
Comput. Commun., 2004, pp. 219–230.
[14] V. Varadarajan, T. Kooburat, B. Farley, T. Ristenpart, and M. M.
Swift, “Resource-freeing attacks: Improve your cloud perfor-
mance (at your neighbor’s expense),” in Proc. ACM Conf. Comput.
Commun. Secur., 2012, pp. 281–292.
 DU AND LI: ATOM: EFFICIENT TRACKING, MONITORING, AND ORCHESTRATION OF CLOUD RESOURCES 2189

[15] W. Li, H. H. Yue, S. Valle-Cervantes , and S. J. Qin, “Recursive
PCA for adaptive process monitoring,” J. Process Control, vol. 10,
pp. 471–486, 2000.
[16] J. E. Jackson and G. S. Mudholkar, “Control procedures for resid-
uals associated with principal component analysis,” Technometrics,
vol. 21, pp. 341–349, 1979.
[17] L. Huang, M. I. Jordan, A. Joseph, M. Garofalakis, and N. Taft,
“In-network PCA and anomaly detection,” in Proc. Neural Inf. Pro-
cess. Syst., 2006, pp. 617–624.
[18] Volatility. [Online]. Available: http://www.volatilityfoundation.
org/, Accessed on: Nov. 5, 2016.
[19] A. Bianchi, Y. Shoshitaishvili, C. Kruegel, and G. Vigna,
“Blacksheep: detecting compromised hosts in homogeneous
crowds,” in Proc. ACM Conf. Comput. Commun. Secur., 2012,
pp. 341–352.
[20] M. Ester, H.-P. Kriegel, J. Sander, and X. Xu, “A density-based
algorithm for discovering clusters in large spatial databases with
noise,” in Proc. 2nd Int. Conf. Knowl. Discovery Data Mining, 1996,
pp. 226–231.
[21] D. E. Difallah, A. Pavlo, C. Curino, and P. Cudre-Mauroux ,
“OLTP-Bench: An extensible testbed for benchmarking relational
databases,” Proc. VLDB Endowment, vol. 7, pp. 277–288, 2013.
[22] StackDB. [Online]. Available: http://www.flux.utah.edu/
software/stackdb/doc/all.html#using-eucalyptus-to-run-
qemukvm, Accessed on: Nov. 5, 2016.
[23] I. Goiri, R. Bianchini, S. Nagarakatte, and T. D. Nguyen,
“ApproxHadoop: Bringing approximations to MapReduce frame-
works,” in Proc. 20th Int. Conf. Archit. Support Program. Languages
Operating Syst., 2015, pp. 383–397.
[24] M. T. Al Amin, et al., “Social trove: A self-summarizing storage
service for social sensing,” in Proc. IEEE Int. Conf. Auton. Comput.,
2015, pp. 41–50.
[25] J. Kelley, C. Stewart, N. Morris, D. Tiwari, Y. He, and S. Elnikety,
“Measuring and managing answer quality for online data-inten-
sive services,” in Proc. IEEE Int. Conf. Auton. Comput., 2015,
pp. 167–176.
[26] X. Wang, U. Kruger, and G. W. Irwin, “Process monitoring
approach using fast moving window PCA,” Ind. Eng. Chemistry
Res., vol. 44, pp. 5691–5702, 2005.
[27] Amazon, “Amazon cloudwatch,” [Online]. Available: http://aws.
amazon.com/cloudwatch/, Accessed on: Nov. 5, 2016.
[28] OpenStack. [Online]. Available: http://www.openstack.org/
Accessed on: Nov. 5, 2016.
[29] OpenStack, “Openstack ceilometer,” [Online]. Available: https://
wiki.openstack.org/wiki/Ceilometer. Accessed on: Nov. 5, 2016.
[30] DATADOG. [Online]. Available: https://www.datadoghq.com/
Accessed on: Nov. 5, 2016.
[31] librato. [Online]. Available: https://www.librato.com/. Accessed
on: Nov. 5, 2016.
[32] D. J. Dean, H. Nguyen, P. Wang, and X. Gu, “PerfCompass:
Toward runtime performance anomaly fault localization for infra-
structure-as-a-service clouds,” in Proc. 6th USENIX Workshop Hot
Topics Cloud Comput., 2014, pp. 16–16.
[33] R. Van Renesse , K. P. Birman, and W. Vogels, “Astrolabe: A
robust and scalable technology for distributed system monitoring,
management, and data mining,” ACM Trans. Comput. Syst.,
vol. 21, pp. 164–206, 2003.
[34] P. Yalagandula and M. Dahlin, “A scalable distributed informa-
tion management system,” in Proc. Conf. Appl. Technol. Archit. Pro-
tocols Comput. Commun., 2004, pp. 379–390.
[35] M. L. Massie, B. N. Chun, and D. E. Culler, “The ganglia distrib-
uted monitoring system: Design, implementation, and experi-
ence,” Parallel Comput., vol. 30, pp. 817–840, 2004.
[36] N. Jain, D. Kit, P. Mahajan, P. Yalagandula, M. Dahlin, and
Y. Zhang, “STAR: Self-tuning aggregation for scalable monitoring,”
in Proc. 33rd Int. Conf. Very Large Data Bases, 2007, pp. 962–973.
[37] J. Liang, X. Gu, and K. Nahrstedt, “Self-configuring information
management for large-scale service overlays,” in Proc. 26th IEEE
Int. Conf. Comput. Commun., 2007, pp. 472–480.
[38] Y. Zhao, Y. Tan, Z. Gong, X. Gu, and M. Wamboldt, “Self-correlating
predictive information tracking for large-scale production systems,”
in Proc. 6th Int. Conf. Auton. Comput., 2009, pp. 33–42.
[39] D. Moldovan, G. Copil, H.-L. Truong, and S. Dustdar, “MELA:
Monitoring and analyzing elasticity of cloud services,” in Proc.
IEEE 5th Int. Conf. Cloud Comput. Technol. Sci., 2013, pp. 80–87.
[40] Amazon, “Aws security center,” [Online]. Available: http://aws.
amazon.com/security/, Accessed on: Nov. 5, 2016.
[41] OpenStack, “OpenStack Keystone,” [Online]. Available: http://docs.
openstack.org/developer/keystone/, Accessed on: Nov. 5, 2016.
[42] OpenStack, “OpenStack Neutron,” [Online]. Available: https://
wiki.openstack.org/wiki/Neutron, Accessed on: Nov. 5, 2016.
[43] X. Li, et al., “Detection and identification of network anomalies
using sketch subspaces,” in Proc. 6th ACM SIGCOMM Conf. Inter-
net Meas., 2006, pp. 147–152.
[44] Y. Liu, L. Zhang, and Y. Guan, “Sketch-based streaming PCA
algorithm for network-wide traffic anomaly detection,” in Proc.
IEEE 30th Int. Conf. Distrib. Comput. Syst., 2010, pp. 807–816.
[45] L. Huang, et al., “Communication-efficient online detection of net-
work-wide anomalies,” in Proc. 26th IEEE Int. Conf. Comput. Com-
mun., 2007, pp. 134–142.
[46] A. S. Ibrahim, J. H. Hamlyn-Harris , and J. Grundy, “Emerging
security challenges of cloud virtual infrastructure,” in Proc.
APSEC Cloud Workshop, 2010.
[47] L. M. Vaquero, L. Rodero-Merino , and D. Moran, “Locking the
sky: A survey on IaaS cloud security,” Computing, vol. 91, pp. 93–
118, 2011.
[48] C. R. Li, et al., “Potassium: Penetration testing as a service,” in
Proc. 6th ACM Symp. Cloud Comput., 2015, pp. 30–42.
[49] T. Garfinkel, et al., “A virtual machine introspection based archi-
tecture for intrusion detection,” in Proc. Netw. Distrib. Syst. Secur.
Symp., 2003, pp. 191–206.
[50] J. Pfoh, C. Schneider, and C. Eckert, “A formal model for virtual
machine introspection,” in Proc. ACM Workshop Virtual Mach.
Secur., 2009, pp. 1–10.
[51] B. Dolan-Gavitt , T. Leek, M. Zhivich, J. Giffin, and W. Lee,
“Virtuoso: Narrowing the semantic gap in virtual machine intro-
spection,” in Proc. IEEE Symp. Secur. Privacy, 2011, pp. 297–312.
[52] Y. Fu and Z. Lin, “Space traveling across VM: Automatically
bridging the semantic gap in virtual machine introspection via
online kernel data redirection,” in Proc. IEEE Symp. Secur. Privacy,
2012, pp. 586–600.
[53] A. S. Ibrahim, J. Hamlyn-Harris, J. Grundy, and M. Almorsy,
“CloudSec: A security monitoring appliance for virtual machines
in the IaaS cloud model,” in Proc. 5th Int. Conf. Netw. Syst. Secur.,
2011, pp. 113–120.
[54] F. Zhang, J. Chen, H. Chen, and B. Zang, “CloudVisor: Retrofitting
protection of virtual machines in multi-tenant cloud with nested
virtualization,” in Proc. 23rd ACM Symp. Operating Syst. Principles,
2011, pp. 203–216.
[55] H. W. Baek, A. Srivastava, and J. Van der Merwe, “CloudVMI:
Virtual machine introspection as a cloud service,” in Proc. IEEE
Int. Conf. Cloud Eng., 2014, pp. 153–158.
[56] B. Bertholon, S. Varrette, and P. Bouvry, “Certicloud: A novel
TPM-based approach to ensure cloud IaaS security,” in Proc. IEEE
4th Int. Conf. Cloud Comput., 2011, pp. 121–130.
[57] M. Du and F. Li, “ATOM: Automated tracking, orchestration and
monitoring of resource usage in infrastructure as a service sys-
tems,” in Proc. IEEE Int. Conf. Big Data, 2015, pp. 271–278.
Min Du received the bachelor’s and master’s
degrees from Beihang University, in 2009 and
2012, respectively. She is currently working
toward the PhD degree in the School of Comput-
ing, University of Utah. Her research interests
include big data analytics and cloud security. She
is a student member of the IEEE.
Feifei Li received the BS degree in computer
engineering from Nanyang Technological Univer-
sity, in 2002 and the PhD degree in computer sci-
ence from Boston University, in 2007. He is
currently an associate professor in the School of
Computing, University of Utah. His research
interests include database and data management
systems and big data analytics. He is a member
of the IEEE.
" For more information on this or any other computing topic,
please visit our Digital Library at www.computer.org/publications/dlib.

Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY ROORKEE. Downloaded on March 31,2024 at 11:48:31 UTC from IEEE Xplore. Restrictions apply.