FaaSMT: Lightweight Serverless Framework for Intrusion Detection Using Merkle Tree and Task Inlining

Chuang Li, Lanfang Huang, Dian He, Yanhua Wen, Gang Liu, Lixin Duan

TL;DR

FaaSMT introduces a Merkle Tree-based, inline security framework for Functions-as-a-Service that uses adaptive task fusion to monitor and verify cross-function call chains in real time. The architecture comprises a Fusion Handler, Proof of Storage, and Verification Optimizer, which collaboratively collect execution data, generate trusted proofs, and iteratively optimize deployment configurations. Empirical evaluation on AWS Lambda demonstrates that FaaSMT can detect Denial of Wallet (DoW) and business-logic attacks while reducing latency by about 34% and keeping memory usage under 128 MB, compared with a Fusionice baseline. The work advances serverless security by enabling real-time integrity verification with provable trust while balancing performance and cost, though it acknowledges limitations related to OS-level integration and the scalability of the Merkle Tree store. Practical impact includes enhanced cross-function monitoring, tamper-resistant provenance, and adaptive deployment decisions for secure, efficient serverless applications.

Abstract

The serverless platform aims to facilitate cloud applications' straightforward deployment, scaling, and management. Unfortunately, the distributed nature of serverless computing makes it difficult to port traditional security tools directly. Existing serverless solutions primarily identify potential threats or performance bottlenecks through post-analysis of modified operating system audit logs, detection of encrypted traffic offloading, or the collection of runtime metrics. However, these methods often prove inadequate for comprehensively detecting communication violations across functions. This limitation restricts real-time log monitoring and validation in distributed environments while impeding the maintenance of minimal communication overhead. Therefore, this paper presents FaaSMT, which aims to fill this gap by addressing research questions related to security checks and the optimization of performance and costs in serverless applications. The framework employs parallel processing for the collection of distributed data logs, incorporating Merkle Tree algorithms and heuristic optimization methods to achieve adaptive inline security task execution. Experimental results demonstrate that FaaSMT is capable of effectively identifying major attack types (e.g., Denial of Wallet (DoW) and Business Logic attacks), thereby providing comprehensive monitoring and validation of function executions while significantly reducing performance overhead.
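The TL;DR and abstract both describe FaaSMT committing collected execution data to a Merkle Tree so that a verifier can check a cross-function call chain without trusting the function that produced the log. The block below is an added illustration of that mechanism in Python, not code from the paper or the FaaSMT project: the record format, the five-hop call chain, and the Fusion Handler / Proof Storage roles assigned to the helper functions are all assumptions made for the example. It builds a Merkle root over the chain, produces an inclusion proof for one hop, and shows that a modified hop or a reordered chain no longer verifies against the stored root.

```python
"""Merkle-tree commitment over a serverless call chain (added example)."""
import hashlib
import json
from typing import Dict, List, Tuple

# One proof entry: (sibling hash, True if the sibling sits to the right)
Proof = List[Tuple[bytes, bool]]

# Constructed sample data: one request's cross-function call chain, as a
# hypothetical Fusion Handler might record it. Not data from the paper.
SAMPLE_CHAIN: List[Dict] = [
    {"seq": 0, "fn": "api-gateway", "callee": "auth", "ms": 12},
    {"seq": 1, "fn": "auth", "callee": "cart", "ms": 8},
    {"seq": 2, "fn": "cart", "callee": "pricing", "ms": 15},
    {"seq": 3, "fn": "pricing", "callee": "checkout", "ms": 21},
    {"seq": 4, "fn": "checkout", "callee": None, "ms": 30},
]


def leaf_hash(record: Dict) -> bytes:
    """Hash one execution record as a Merkle leaf.

    Canonical JSON (sorted keys, no whitespace) so equal records hash equally;
    the 0x00 prefix keeps leaves and interior nodes in separate domains.
    """
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(b"\x00" + payload).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """Hash two child nodes into their parent (0x01 prefix = interior node)."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_levels(records: List[Dict]) -> List[List[bytes]]:
    """Return every tree level, leaves first, root last.

    An odd level is padded by duplicating its last node, so proof indices
    stay valid for the original record positions.
    """
    if not records:
        raise ValueError("empty call chain")
    levels = [[leaf_hash(r) for r in records]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2 == 1:
            cur.append(cur[-1])
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def merkle_root(records: List[Dict]) -> bytes:
    """The root a Proof Storage component would keep as the trusted commitment."""
    return build_levels(records)[-1][0]


def inclusion_proof(records: List[Dict], index: int) -> Proof:
    """Sibling path from leaf `index` up to the root."""
    if not 0 <= index < len(records):
        raise IndexError("record index out of range")
    proof: Proof = []
    for level in build_levels(records)[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        index //= 2
    return proof


def verify_inclusion(record: Dict, proof: Proof, trusted_root: bytes) -> bool:
    """Recompute the path from one record; True only if it lands on the root."""
    h = leaf_hash(record)
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h == trusted_root


def chain_matches(records: List[Dict], trusted_root: bytes) -> bool:
    """Full-chain check: any edit, insertion, drop or reorder changes the root."""
    return merkle_root(records) == trusted_root


if __name__ == "__main__":
    root = merkle_root(SAMPLE_CHAIN)
    proof = inclusion_proof(SAMPLE_CHAIN, 2)
    print("hop 2 verifies:", verify_inclusion(SAMPLE_CHAIN[2], proof, root))
    tampered = dict(SAMPLE_CHAIN[2], callee="refund")
    print("tampered hop verifies:", verify_inclusion(tampered, proof, root))
    reordered = [SAMPLE_CHAIN[1], SAMPLE_CHAIN[0]] + SAMPLE_CHAIN[2:]
    print("reordered chain matches root:", chain_matches(reordered, root))
```

The split between `inclusion_proof` and `chain_matches` mirrors the two checks a verifier needs: a proof of size O(log n) lets one hop be audited without shipping the whole log, while the root comparison catches structural changes such as a dropped or reordered hop. The domain-separation prefixes on leaves and interior nodes are a standard guard against second-preimage tricks that treat an interior hash as a leaf; they are part of the example, not something the page states about FaaSMT's tree.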

Paper Structure

This paper contains 16 sections, 8 figures, 2 tables, and 3 algorithms.

Figures (8)

  • Figure 1: Serverless architecture interaction processes and deployment in various application scenarios.
  • Figure 2: The Workflow of FaaSMT.
  • Figure 3: With the increase in iterations, FaaSMT's memory usage rises significantly.
  • Figure 4: A comparative analysis of function execution time between FaaSMT and Fusionice under different concurrent requests.
  • Figure 5: The maximum memory usage for each function type.
  • ...and 3 more figures