Detection of Compromised Functions in a Serverless Cloud Environment

Danielle Lavi, Oleg Brodt, Dudu Mimran, Yuval Elovici, Asaf Shabtai

TL;DR

This work tackles security in serverless environments by leveraging native cloud monitoring logs to detect compromised functions without modifying infrastructure or relying on third-party data. It introduces an unsupervised, log-based anomaly-detection pipeline built on LSTM autoencoders that model normal sequences of function events, with three window-size detectors and DBSCAN-driven thresholding. The approach is evaluated on an AWS testbed with two serverless applications (airline booking and VOD) and multiple attack scenarios targeting integrity, confidentiality, and availability, achieving high precision and recall and negligible false alarms. The results demonstrate a scalable, threat-agnostic defense that can operate online or offline and adapt through delta-model updates, providing practical value for defenders in managed cloud environments.

Abstract

Serverless computing is an emerging cloud paradigm with serverless functions at its core. While serverless environments enable software developers to focus on developing applications without the need to actively manage the underlying runtime infrastructure, they open the door to a wide variety of security threats that can be challenging to mitigate with existing methods. Existing security solutions do not apply to all serverless architectures, since they require significant modifications to the serverless infrastructure or rely on third-party services for the collection of more detailed data. In this paper, we present an extendable serverless security threat detection model that leverages cloud providers' native monitoring tools to detect anomalous behavior in serverless applications. Our model aims to detect compromised serverless functions by identifying post-exploitation abnormal behavior related to different types of attacks on serverless functions, and therefore, it is a last line of defense. Our approach is not tied to any specific serverless application, is agnostic to the type of threats, and is adaptable through model adjustments. To evaluate our model's performance, we developed a serverless cybersecurity testbed in an AWS cloud environment, which includes two different serverless applications and simulates a variety of attack scenarios that cover the main security threats faced by serverless functions. Our evaluation demonstrates our model's ability to detect all implemented attacks while maintaining a negligible false alarm rate.

Paper Structure (34 sections, 6 figures, 7 tables)

Figures (6)

  • Figure 1: An application flow of a booking process in our testbed. This application flow is comprised of a series of function flows, each containing a sequence of function events. Each function event has a log entry that provides comprehensive details about it.
  • Figure 2: An overview of the essential processes in our compromised functions anomaly detection model.
  • Figure 3: Example of an event vector associated with the UpdateItem operation. Each categorical feature is represented by a pair of numerical values, and subsequently all the values in the vector are normalized to the [0,1] range based on their respective minimal and maximal values.
  • Figure 4: An illustration of the errors observed in the validation set of an autoencoder with a window size of 10; the red line indicates the threshold (0.0187) established based on these errors.
  • Figure 5: An overview of the architectures of the testbed applications, highlighting the interactions and processes facilitated by the various AWS services employed by each application.
  • ...and 1 more figure