Biblio

The tremendous growth of cloud computing and large-scale data analytics highlight the importance of reducing datacenter power consumption and environmental impact of brown energy. While many Internet service operators have at least partially powered their datacenters by green energy, it is challenging to effectively utilize green energy due to the intermittency of renewable sources, such as solar or wind. We find that the geographical diversity of internet-scale services can be carefully scheduled to improve the efficiency of applying green energy in datacenters. In this paper, we propose a holistic heterogeneity-aware cloud workload management approach, sCloud, that aims to maximize the system goodput in distributed self-sustainable datacenters. sCloud adaptively places the transactional workload to distributed datacenters, allocates the available resource to heterogeneous workloads in each datacenter, and migrates batch jobs across datacenters, while taking into account the green power availability and QoS requirements. We formulate the transactional workload placement as a constrained optimization problem that can be solved by nonlinear programming. Then, we propose a batch job migration algorithm to further improve the system goodput when the green power supply varies widely at different locations. Finally, we extend sCloud by integrating a flexible batch job manager to dynamically control the job execution progress without violating the deadlines. We have implemented sCloud in a university cloud testbed with real-world weather conditions and workload traces. Experimental results demonstrate sCloud can achieve near-to-optimal system performance while being resilient to dynamic power availability. sCloud with the flexible batch job management approach outperforms a heterogeneity-oblivious approach by 37 percent in improving system goodput and 33 percent in reducing QoS violations.

In Infrastructure-as-a-Service clouds, there exist many virtual machines (VMs) that are not used for a long time. For such VMs, many vulnerabilities are often found in installed software while VMs are suspended. If security updates are applied to such VMs after the VMs are resumed, the VMs easily suffer from attacks via the Internet. To solve this problem, offline update of VMs has been proposed, but some approaches have to permit cloud administrators to resume users' VMs. The others are applicable only to completely stopped VMs and often corrupt virtual disks if they are applied to suspended VMs. In addition, it is sometimes difficult to accurately emulate security updates offline. In this paper, we propose OUassister, which enables consistent offline update of suspended VMs. OUassister emulates security updates of VMs offline in a non-intrusive manner and applies the emulation results to the VMs online. This separation prevents virtual disks of even suspended VMs from being corrupted. For more accurate emulation of security updates, OUassister provides an emulation environment using a technique called VM introspection. Using this environment, it automatically extracts updated files and executed scripts. We have implemented OUassister in Xen and confirmed that the time for critical online update was largely reduced.

Big data platforms have grown popular for real-time stream processing on distributed clusters and clouds. However, execution of sensitive streaming applications on shared computing resources increases their vulnerabilities, and may lead to data leaks and injection of spurious logic that can compromise these applications. Here, we adopt Moving Target Defense (MTD) techniques into Fast Data platforms, and propose MTD strategies by which we can mitigate these attacks. Our strategies target the platform, application and data layers, which make these reusable, rather than the OS, virtual machine, or hardware layers, which are environment specific. We use Apache Storm as the canonical distributed stream processing platform for designing our MTD strategies, and offer a preliminary evaluation that indicates the feasibility and evaluates the performance overheads.

Exfiltrating sensitive information from smartphones has become one of the most significant security threats. We have built a system to identify HTTP-based information exfiltration of malicious Android applications. In this paper, we discuss the method to track the propagation of sensitive information in Android applications using static taint analysis. We have studied the leaked information, destinations to which information is exfiltrated, and their correlations with types of sensitive information. The analysis results based on 578 malicious Android applications have revealed that a significant portion of these applications are interested in identity-related sensitive information. The vast majority of malicious applications leak multiple types of sensitive information. We have also identified servers associated with three country codes including CN, US, and SG are most active in collecting sensitive information. The analysis results have also demonstrated that a wide range of non-default ports are used by suspicious URLs.

Cloud nowaday has become the backbone of the IT infrastructure. Whole of the infrastructure is now being shifted to the clouds, and as the cloud involves all of the networking schemes and the OS images, it inherits all of the vulnerabilities too. And hence securing them is one of our very prior concerns. Malwares are one of the many other problems that have ever growing and hence need to be eradicated from the system. The history of mal wares go long back in time since the advent of computers and hence a lot of techniques has also been already devised to tackle with the problem in some or other way. But most of them fall short in some or other way or are just too heavy to execute on a simple user machine. Our approach devises a 3 - phase exhaustive technique which confirms the detection of any kind of malwares from the host. It also works for the zero-day attacks that are really difficult to cover most times and can be of really high-risk at times. We have thought of a solution to keep the things light weight for the user.

This paper suggests a conceptual mechanism for increasing the security level of the global information community, national information technology infrastructures (e-governments) and private cloud structures, which uses the logical characteristic of IPv6-protocol. The mechanism is based on the properties of the IPv6-header and, in particular, rules of coding IPv6-addresses.

Smart Internet of Things (IoT) applications will rely on advanced IoT platforms that not only provide access to IoT sensors and actuators, but also provide access to cloud services and data analytics. Future IoT platforms should thus provide connectivity and intelligence. One approach to connecting IoT devices, IoT networks to cloud networks and services is to use network federation mechanisms over the internet to create network slices across heterogeneous platforms. Network slices also need to be protected from potential external and internal threats. In this paper we describe an approach for enforcing global security policies in the federated cloud and IoT networks. Our approach allows a global security to be defined in the form of a single service manifest and enforced across all federation network segments. It relies on network function virtualisation (NFV) and service function chaining (SFC) to enforce the security policy. The approach is illustrated with two case studies: one for a user that wishes to securely access IoT devices and another in which an IoT infrastructure administrator wishes to securely access some remote cloud and data analytics services.

The Internet of Vehicles (IoV) is a complex and dynamic mobile network system that enables information sharing between vehicles, their surrounding sensors, and clouds. While IoV opens new opportunities in various applications and services to provide safety on the road, it introduces new challenges in the field of digital forensics investigations. The existing tools and procedures of digital forensics cannot meet the highly distributed, decentralized, dynamic, and mobile infrastructures of the IoV. Forensic investigators will face challenges while identifying necessary pieces of evidence from the IoV environment, and collecting and analyzing the evidence. In this article, we propose TrustIoV - a digital forensic framework for the IoV systems that provides mechanisms to collect and store trustworthy evidence from the distributed infrastructure. Trust-IoV maintains a secure provenance of the evidence to ensure the integrity of the stored evidence and allows investigators to verify the integrity of the evidence during an investigation. Our experimental results on a simulated environment suggest that Trust-IoV can operate with minimal overhead while ensuring the trustworthiness of evidence in a strong adversarial scenario.

Science Gateways bridge multiple computational grids and clouds, acting as overlay cyber infrastructure. Gateways have three logical tiers: a user interfacing tier, a resource tier and a bridging middleware tier. Different groups may operate these tiers. This introduces three security challenges. First, the gateway middleware must manage multiple types of credentials associated with different resource providers. Second, the separation of the user interface and middleware layers means that security credentials must be securely delegated from the user interface to the middleware. Third, the same middleware may serve multiple gateways, so the middleware must correctly isolate user credentials associated with different gateways. We examine each of these three scenarios, concentrating on the requirements and implementation of the middleware layer. We propose and investigate the use of a Credential Store to solve the three security challenges.