In cloud computing, it is desirable if suspicious activities can be detected by automatic anomaly detection systems. Although anomaly detection has been investigated in the past, it remains unsolved in cloud computing. Challenges are: characterizing the normal behavior of a cloud server, distinguishing between benign and malicious anomalies (attacks), and preventing alert fatigue due to false alarms. We propose CloudShield, a practical and generalizable real-time anomaly and attack detection system for cloud computing. Cloudshield uses a general, pretrained deep learning model with different cloud workloads, to predict the normal behavior and provide real-time and continuous detection by examining the model reconstruction error distributions. Once an anomaly is detected, to reduce alert fatigue, CloudShield automatically distinguishes between benign programs, known attacks, and zero-day attacks, by examining the prediction error distributions. We evaluate the proposed CloudShield on representative cloud benchmarks. Our evaluation shows that CloudShield, using model pretraining, can apply to a wide scope of cloud workloads. Especially, we observe that CloudShield can detect the recently proposed speculative execution attacks, e.g., Spectre and Meltdown attacks, in milliseconds. Furthermore, we show that CloudShield accurately differentiates and prioritizes known attacks, and potential zero-day attacks, from benign programs. Thus, it significantly reduces false alarms by up to 99.0%.

翻译：在云计算中,如果可以通过自动异常探测系统检测到可疑活动,则在云计算中是可取的。虽然过去曾调查过异常探测,但在云计算中仍未解决。挑战包括:确定云服务器的正常行为,区分良性异常和恶意异常(攻击),防止因错误警报而出现戒备疲劳。我们提议使用云计算系统CloudShield,这是一个实用的、可普遍适用的实时异常和攻击探测系统。云管理使用一般的、经过预先训练的深度学习模型,其云工作量不同,以预测正常行为,并通过检查模型重建错误分布提供实时和连续的检测。一旦发现异常现象,就通过检查预测错误分布,减少警报疲劳,Cloud Shield自动区分良性程序、已知的攻击和零天攻击,我们根据有代表性的云基准评估拟议的云管理系统。我们的评估表明,云管理,使用模型前期,可以适用于范围很广的云工作量。我们观察到,CloudShield可以检测最近提出的投机性执行袭击,例如,Spectretre和Meldown 优先度, 以及我们所知道的气候攻击的顺序,然后在10秒内准确地区分。