S3 Lab - Software & Systems Security Laboratory The University of Texas at Dallas

Measuring Attack Observability in Cloud Telemetry Logs: A Cross-Platform Analysis

Mary Grace Dhooghe, Minkyung Park, Junghwan Rhee, Yung Ryn Choe, and Chung Hwan Kim

Proceedings of the 56th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2026.

areas
Security

abstract

With unparalleled flexibility in management and resource scaling, cloud computing is widely adopted and still growing. Cyber threats targeting cloud instances demand security solutions as much as threats against physical infrastructure do. Although traditional host-based and network-based security tools can be deployed to detect malicious activity within a cloud instance, they are not suited to monitoring activity specific to cloud environments, such as cloud resource management and authentication.

In this paper, we systematically investigate the effectiveness of cloud telemetry logs for cybersecurity monitoring and defense. While cloud infrastructures provide telemetry logs to help cloud users and administrators monitor activities such as performance and resource management, there is limited understanding of the extent to which these logs capture evidence of attacks, the types of attacks they can reveal, and how consistent their coverage is across platforms. To address this gap, we conduct 35 attacks, categorized under the MITRE ATT&CK framework, on three major cloud infrastructures and collect telemetry logs under both control and attack scenarios. Through differential analysis, we identify which log fields are impacted by specific attacks, assess platform-level consistency, and characterize gaps in log observability. Our findings show that default telemetry configurations reflect 45 to 48% of the attacks, while enabling extended logging increases this to 65 to 88%, depending on the platform. We also evaluate the cost-effectiveness and performance overhead of telemetry logs, showing that extended logging can be enabled at minimal deployment cost.
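The differential analysis described above, as an added example that is not the paper's code or data: a control run and several attack runs are flattened into (field, value) pairs, every pair the attack run produces that the control run never produced is reported as an impacted field, and an attack counts as observable if at least one such pair exists. The events are constructed, CloudTrail-like JSON records, and the field names, event names, ATT&CK labels and the split into "default" and "extended" log events are assumptions chosen for the demo, not the paper's results. One attack is deliberately indistinguishable from the baseline to show how an observability gap shows up in the output.

```python
"""Differential analysis of cloud telemetry logs: control run vs. attack runs.

Added illustration, not the paper's code. All events below are constructed;
field names, event names and attack labels are assumptions for the demo.
"""
import json

# Constructed baseline: the same operator doing routine, read-only work.
CONTROL_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "sourceIPAddress": "203.0.113.10", "readOnly": True},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "sourceIPAddress": "203.0.113.10", "readOnly": True},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "sourceIPAddress": "203.0.113.10", "readOnly": True},
]

# Constructed attack runs keyed by an ATT&CK-style label (labels assumed).
# "default": events the management-plane log records out of the box.
# "extended": events that only appear once data-event logging is enabled.
ATTACK_RUNS = {
    "T1136 Create Account": {
        "default": [
            {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
             "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
             "sourceIPAddress": "198.51.100.7", "readOnly": False}],
        "extended": []},
    "T1530 Data from Cloud Storage": {
        "default": [],
        "extended": [
            {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
             "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
             "sourceIPAddress": "198.51.100.7", "readOnly": True}]},
    # Identical to a control event: the log cannot separate this from baseline.
    "T1087 Account Discovery": {
        "default": [
            {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
             "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
             "sourceIPAddress": "203.0.113.10", "readOnly": True}],
        "extended": []},
}


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted field paths so nested fields diff too."""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    else:
        # Serialise leaves so True/"true"/1 are kept distinct and hashable.
        out[prefix.rstrip(".")] = json.dumps(obj, sort_keys=True)
    return out


def field_values(events):
    """Map each field path to the set of values observed for it in a run."""
    seen = {}
    for event in events:
        for field, value in flatten(event).items():
            seen.setdefault(field, set()).add(value)
    return seen


def diff_run(control_events, attack_events):
    """(field, value) pairs present in the attack run but absent from control."""
    baseline = field_values(control_events)
    novel = set()
    for field, values in field_values(attack_events).items():
        novel |= {(field, v) for v in values - baseline.get(field, set())}
    return novel


def observability(control_events, attack_runs, extended=False):
    """Per-attack impacted fields, plus the fraction of attacks leaving a trace."""
    report = {}
    for name, run in attack_runs.items():
        events = run["default"] + (run["extended"] if extended else [])
        report[name] = sorted({field for field, _ in diff_run(control_events, events)})
    observed = sum(1 for fields in report.values() if fields)
    return report, observed / len(attack_runs)


if __name__ == "__main__":
    for mode in (False, True):
        report, coverage = observability(CONTROL_EVENTS, ATTACK_RUNS, extended=mode)
        print(f"extended logging: {mode}, coverage: {coverage:.0%}")
        for attack, fields in report.items():
            print(f"  {attack}: {fields or 'NOT OBSERVABLE'}")
```

The diff is deliberately value-based rather than count-based: a field that merely appears more often in the attack run (more `ListUsers` calls) is not flagged, which is why the discovery attack is reported as not observable and shows up as a gap in the coverage figure. Enabling the extended events raises coverage only for attacks whose evidence lives in data-plane events, which is the pattern the abstract describes.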

related project

CLUE

The CLUE project develops an infrastructure to detect and diagnose system anomalies in enterprise and cloud systems. These anomalies include stealthy malware and other types of hidden system anomalies. CLUE provides a diverse set of tools to find and understand such anomalies with minimal disruption to the target system.