Hardening branch hardware against speculation vulnerabilities
US-2022207148-A1 · Jun 30, 2022 · US
US11811802B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11811802-B2 |
| Application number | US-202016999614-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 21, 2020 |
| Priority date | Aug 21, 2020 |
| Publication date | Nov 7, 2023 |
| Grant date | Nov 7, 2023 |
Official abstract text for this publication.
A security threat detection system is used to monitor the physical resource usage of a hosted application in a PaaS service in order to detect anomalous behavior indicative of a security threat. The system analyzes the historical usage of the application's physical resources in order to determine the normal range of consumption of a resource by the application. A security threat alert is then provided when the application's resource consumption exceeds the normal range of consumption.
Opening claim text (preview).
What is claimed:

1. A system comprising: one or more processors; and a memory that stores one or more programs that are configured to be executed by the one or more processors, the one or more programs including instructions to perform acts that: host an application as a Platform-as-a-Service (PaaS) web service in a virtual machine using virtual resources, the PaaS web service unaware of physical resources associated with the virtual resources, a virtual resource associated with a virtual resource identifier; obtain an application usage profile for the PaaS web service, the application usage profile having a statistic representing normal consumption of a physical resource used by the PaaS web service; monitor runtime usage of the physical resources of the virtual machine during execution of the PaaS web service, wherein execution of the PaaS web service is represented by a process identifier; map a virtual resource identifier of a first virtual resource used in the PaaS web service to a first physical resource identifier; obtain the runtime usage of the first physical resource during execution of the PaaS web service using the first physical resource identifier and the process identifier; obtain the statistic corresponding to the first physical resource from the application usage profile for the PaaS web service; compare the runtime usage of the first physical resource with the statistic corresponding to the first physical resource and the PaaS service; and upon the comparison indicating an anomaly, initiate a warning of the anomaly.
2. The system of claim 1, wherein the one or more programs include further instructions to perform acts that: obtain historical resource consumption of the PaaS web service; derive a threshold for the first physical resources consumed by the PaaS web service; and store the threshold in the application usage profile for the PaaS web service.
3. The system of claim 1, wherein the one or more programs include further instructions to perform acts that: obtain historical resource consumption of the PaaS web service; cluster the historical resource consumption into one or more clusters for the first physical resource; compute a centroid for the first physical resource for each cluster; and store the centroids in the application usage profile for the PaaS web service.
4. The system of claim 1, wherein the application usage profile includes one or more of processor consumption, memory consumption, number and types of disk I/O events, number of network packets transmitted, frequency of network packets transmitted, largest size of network packets transmitted, Internet Protocol (IP) addresses used in network packets transmitted, or identity of open ports.
5. The system of claim 1, wherein the statistic includes a threshold for the first physical resource, wherein the one or more programs include further instructions to detect when the threshold for the first physical resource is exceeded during runtime usage of the PaaS web service.
6. The system of claim 1, wherein the one or more programs include further instructions to perform acts that: detect the anomaly when the runtime usage of the first physical resource exceeds a distance from a centroid representing normal usage consumption of the first physical resource.
7. The system of claim 1, wherein the statistic is derived from runtime usage of the first physical resource during multiple instances of the PaaS web service.
8. The system of claim 7, wherein the multiple instances of the PaaS web service operate on different virtual machines in different servers.
9. A computer-implemented method, comprising: configuring an application as a Platform as a Service (PaaS) web service in a virtual machine with virtual resources, wherein the PaaS web service is isolated from identity of physical resources consumed by the PaaS web service; during a training period, monitoring usage of the physical resources consumed by the PaaS web service and generating a model of a normal resource consumption for a first physical resource of the PaaS web service; monitoring runtime usage of the physical resources of the virtual machine during execution of the PaaS web service, wherein execution of the PaaS web service is represented by a process identifier; mapping a virtual resource identifier of a first virtual resource used in the PaaS web service to a first physical resource identifier; obtaining the runtime usage of the first physical resource during execution of the PaaS web service using the first physical resource identifier and the process identifier; detecting an abnormal behavior of the PaaS web service from a comparison of the runtime usage of the first physical resource with the model of the normal resource consumption for the first physical resource of the PaaS web service; and generating an alert when the abnormal behavior is detected.
10. The computer-implemented method of claim 9, further comprising: monitoring resource usage of the PaaS web service across all instances of the PaaS web service.
11. The computer-implemented method of claim 9, further comprising: monitoring processor consumption and memory consumption of the PaaS web service.
12. The computer-implemented method of claim 9, further comprising: monitoring features of network usage of the PaaS web service, the features including a number of network packets transmitted, sizes of the network packets transmitted, open ports, and Internet Protocol (IP) addresses used.
13. The computer-implemented method of claim 9, further comprising: monitoring features of disk I/O usage of the PaaS web service, the features including identity of files accessed and a number of I/O operations made.
14. The computer-implemented method of claim 9, wherein the model of the normal resource consumption of the first physical resource consumed by the PaaS web service is derived from historical resource usage of the first physical resource by the PaaS web service during the training period.
15. The computer-implemented method of claim 9, wherein the model of normal resource consumption of the first physical resource consumed by the PaaS web service is derived from clustering historical resource usage of the first physical resource by the PaaS web service during the training period.
16. A device, comprising: one or more processors and a memory; the memory including a virtual machine configured to perform acts that: execute a Platform as a Service (PaaS) web service in the virtual machine, the PaaS web service utilizing virtual resources with no visibility to associated physical resources, wherein execution of the PaaS web service is represented by a process identifier; monitor runtime usage of the physical resources during execution of the PaaS web service; map a virtual resource identifier of a first virtual resource used in the execution of the PaaS web service to a first physical resource identifier; obtain normal usage data of the first physical resource used by the PaaS web service; extract runtime usage data of the first physical resource used by the PaaS web service using the first physical resource identifier and the process identifier of the PaaS web service executing on the virtual machine; compare the runtime usage data of the first physical resource with the normal usage data of the first physical resource; and determine a security threat when the runtime usage data of the first physical resource exceeds the normal usage data of the first physical resource.
17. The device of claim 16, wherein the v
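The claimed detection flow (train a per-resource profile during a training period, map the virtual resource identifiers the service sees to physical identifiers, read runtime usage for the service's process identifier, compare and alert) as an added Python example; this is illustrative code, not the patent's or any product's, and it implements the threshold statistic of claims 2 and 5 rather than the clustering variant of claims 3 and 6. The resource ids, process id and usage samples are constructed.

```python
"""Resource-usage anomaly detection for a hosted PaaS web service (example)."""
from statistics import mean, stdev

# Constructed mapping from the virtual resource ids the web service sees to
# the physical resource ids the host tracks (the mapping step of claims 1, 9).
VIRTUAL_TO_PHYSICAL = {"vcpu0": "cpu-socket0-core3", "vnet0": "eth1"}

# Constructed training-period samples: (physical resource id, observed usage).
HISTORY = [
    ("cpu-socket0-core3", 20), ("cpu-socket0-core3", 22), ("cpu-socket0-core3", 21),
    ("cpu-socket0-core3", 23), ("cpu-socket0-core3", 19), ("cpu-socket0-core3", 21),
    ("eth1", 100), ("eth1", 110), ("eth1", 90), ("eth1", 105), ("eth1", 95), ("eth1", 100),
]

# Constructed runtime readings keyed by (process id, physical resource id).
RUNTIME = {(4242, "cpu-socket0-core3"): 24, (4242, "eth1"): 950}


def build_profile(history, k=3.0):
    """Application usage profile (claim 2): per physical resource, the mean
    of historical consumption and a threshold of mean + k * stdev."""
    by_res = {}
    for res, value in history:
        by_res.setdefault(res, []).append(value)
    return {res: {"mean": mean(v), "threshold": mean(v) + k * stdev(v)}
            for res, v in by_res.items()}


def check_runtime(profile, vres, pid, runtime):
    """Map the virtual resource to its physical id, read the runtime usage of
    that physical resource for the service's process id, and compare it with
    the profile statistic (claims 1 and 5). Returns an alert dict or None."""
    pres = VIRTUAL_TO_PHYSICAL[vres]
    usage = runtime[(pid, pres)]
    threshold = profile[pres]["threshold"]
    if usage > threshold:
        return {"pid": pid, "resource": pres, "usage": usage, "threshold": threshold}
    return None


def run_demo(pid=4242):
    """Evaluate every virtual resource of the service; return the alerts raised."""
    profile = build_profile(HISTORY)
    alerts = [check_runtime(profile, vres, pid, RUNTIME) for vres in VIRTUAL_TO_PHYSICAL]
    return [a for a in alerts if a is not None]


if __name__ == "__main__":
    for alert in run_demo():
        print(f"ANOMALY pid={alert['pid']} {alert['resource']}: "
              f"{alert['usage']} > {alert['threshold']:.1f}")
```

With the constructed data the CPU reading of 24 stays under its threshold (about 25.2) while the 950-packet network reading is far above its threshold (about 121.2), so only the network resource raises a warning.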
Traffic logging, e.g. anomaly detection · CPC title
Hypervisor-specific management and integration aspects · CPC title
Logical partitioning of resources; Management or configuration of virtualized resources (specific details on emulation or internal functioning of virtual machines G06F9/455) · CPC title
Event detection, e.g. attack signature detection · CPC title
Monitoring or debugging support · CPC title