Biblio

Mesh topology networks provide Network security in the form of redundancy of communication links. But redundancy also contributes to complexity in configuration and subsequent troubleshooting. Mesh topology deployed in Critical networks like Backbone Networks (used in Cloud Computing) deploy the Mesh topology provides additional security in terms of redundancy to ensure availability of services. One amongst most prominent attacks is Distributed Denial of Service attacks which cause an immense amount of loss of data as well as monetary losses to service providers. This paper proposes a method by which using SDN capabilities and sFlow-RT application, Distributed Denial of Service (DDoS) attacks is detected and consequently mitigated by using REST API to implement Policy Based Flow Management (PBFM) through the SDN Controller which will help in ensuring uninterrupted services in scenarios of such attacks and also further simply and enhance the management of Mesh architecture-based networks.

As data being produced by IoT applications continues to explode, there is a growing need to bring computing power closer to the source of the data to meet the response-time, power dissipation and cost goals of performance-critical applications in various domains like Industrial Internet of Things (IIoT), Automated Driving, Medical Imaging or Surveillance among others. This paper proposes a data collection and utilization framework that allows runtime platform and application data to be sent to an edge and cloud system via data collection agents running close to the platform. Agents are connected to a cloud system able to train AI models to improve overall energy efficiency of an AI application executed on a edge platform. In the implementation part we show the benefits of FPGA-based platform for the task of object detection. Furthermore we show that it is feasible to collect relevant data from an FPGA platform, transmit the data to a cloud system for processing and receiving feedback actions to execute an edge AI application energy efficiently. As future work we foresee the possibility to train, deploy and continuously improve a base model able to efficiently adapt the execution of edge applications.

Containers technology radically changed the ways for packaging applications and deploying them as services in cloud environments. According to the recent report on security predictions of 2020 by Trend Micro, the vulnerabilities in container components deployed with cloud architecture have been one of the top security concerns for development and operations teams in enterprises. Docker is one of the leading container technologies that automate the deployment of applications into containers. Docker Hub is a public repository by Docker for storing and sharing the Docker images. These Docker images are pulled from the Docker Hub repository and the security of images being used from the repositories in any cloud environment could be at risk. Vulnerabilities in Docker images could have a detrimental effect on enterprise applications. In this paper, the focus is on securing the Docker images using vulnerability centric approach (VCA) to detect the vulnerabilities. A set of use cases compliant with the NIST SP 800-190 Application Container Security Guide is developed for audit compliance of Docker container images with the OWASP Container Security Verification Standards (CSVS). In this paper, firs vulnerabilities of Docker container images are identified and assessed using the VCA. Then, a set of use cases to identify presence of the vulnerabilities is developed to facilitate the security audit of the container images. Finally, it is illustrated how the proposed use cases can be mapped with the requirements of the OWASP Container Security Verification Standards. The use cases can serve as a security auditing tool during the development, deployment, and maintenance of cloud microservices applications.

To break the data barrier of the information island and explore the value of data in the past few years, it has become a trend of uploading data to the cloud by data owners for data sharing. At the same time, they also hope that the uploaded data can still be controlled, which makes access control of cloud data become an intractable problem. As a famous cryptographic technology, ciphertext policy-based attribute encryption (CP-ABE) not only assures data confidentiality but implements fine-grained access control. However, the actual application of CP-ABE has its inherent challenge in attribute revocation. To address this challenge, we proposed an access control solution supporting attribute revocation in cloud computing. Unlike previous attribute revocation schemes, to solve the problem of excessive attribute revocation overhead, we use symmetric encryption technology to encrypt the plaintext data firstly, and then, encrypting the symmetric key by utilizing public-key encryption technology according to the access structure, so that only the key ciphertext is necessary to update when the attributes are revoked, which reduces the spending of ciphertext update to a great degree. The comparative analysis demonstrates that our solution is reasonably efficient and more secure to support attribute revocation and access control after data sharing.

Driven by the development of Internet and information technology, cloud computing has been widely recognized and accepted by the public. However, with the occurrence of more and more information leakage, cloud security has also become one of the core problem of cloud computing. As one of the resolve methods of it, ciphertext-policy attribute-based encryption (CP-ABE) by embedding access policy into ciphertext can make data owner to decide which attributes can access ciphertext. It achieves ensuring data confidentiality with realizing fine-grained access control. However, the traditional access policy has some limitations. Compared with other access policies, the circuit-based access policy ABE supports more flexible access control to encrypted data. But there are still many challenges in the existing circuit-based access policy ABE, such as privacy leakage and low efficiency. Motivated by the above, a new circuit-based access policy ABE is proposed. By converting the multi output OR gates in monotonic circuit, the backtracking attacks in circuit access structure is avoided. In order to overcome the low efficiency issued by circuit conversion, outsourcing computing is adopted to Encryption/Decryption algorithms, which makes the computing overhead for data owners and users be decreased and achieve constant level. Security analysis shows that the scheme is secure under the decision bilinear Diffie-Hellman (DBDH) assumption. Numerical results show the proposed scheme has a higher computation efficiency than the other circuit-based schemes.

Nowadays, many data owners choose to outsource their data to public cloud servers while allowing authorized users to retrieve them. To protect data confidentiality from an untrusted cloud, many studies on searchable encryption (SE) are proposed for privacy-preserving search over encrypted data. However, most of the existing SE schemes only focus on the single-owner model. Users need to search one-by-one among data owners to retrieve relevant results even if data are from the same cloud server, which inevitably incurs unnecessary bandwidth and computation cost to users. Thus, how to enable efficient authorized search over multi-owner datasets remains to be fully explored. In this paper, we propose a new privacy-preserving search scheme for the multi-owner and multi-user model. Our proposed scheme has two main advantages: 1) We achieve an attribute-based keyword search for multi-owner model, where users can only search datasets from specific authorized owners. 2) Each data owner can enforce its own fine-grained access policy for users while an authorized user only needs to generate one trapdoor (i.e., encrypted search keyword) to search over multi-owner encrypted data. Through rigorous security analysis and performance evaluation, we demonstrate that our scheme is secure and feasible.

Medical organizations find it challenging to adopt cloud-based Electronic Health Records (EHR) services due to the risk of data breaches and the resulting compromise of patient data. Existing authorization models follow a patient-centric approach for EHR management, where the responsibility of authorizing data access is handled at the patients’ end. This creates significant overhead for the patient, who must authorize every access of their health record. It is also not practical given that multiple personnel are typically involved in providing care and that the patient may not always be in a state to provide this authorization.

In the fast growing world using new Cloud computing technology. In the terms of Sensitive Data Access from the remote cloud computing storage with different users using security measures to avoid the unauthorized users. Even though so many uses in the Cloud, it leads to lot of issues such as in the Data Access of the sensitive data and encryption still remain challenging. To overcome with these issues, In this novel paper focus on multiple attribute-based encryption which features the data access in secured way with different users in the Cloud Data. The proposed system enables on secure Data Access by using the MABE scheme.

Trust is of paramount concern for tenants to deploy their security-sensitive services in the cloud. The integrity of virtual machines (VMs) in which these services are deployed needs to be ensured even in the presence of powerful adversaries with administrative access to the cloud. Traditional approaches for solving this challenge leverage trusted computing techniques, e.g., vTPM, or hardware CPU extensions, e.g., AMD SEV. But, they are vulnerable to powerful adversaries, or they provide only load time (not runtime) integrity measurements of VMs. We propose TRIGLAV, a protocol allowing tenants to establish and maintain trust in VM runtime integrity of software and its configuration. TRIGLAV is transparent to the VM configuration and setup. It performs an implicit attestation of VMs during a secure login and binds the VM integrity state with the secure connection. Our prototype's evaluation shows that TRIGLAV is practical and incurs low performance overhead (\textbackslashtextless 6%).

The Transient Public Key Infrastructure or T-PKI is introduced in this paper that allows a transactional approach to attestation, where a Trusted Platform Module (TPM) can stay anonymous to a verifier. In cloud computing and IoT environments, attestation is a critical step in ensuring that the environment is untampered with. With attestation, the verifier would be able to ascertain information about the TPM (such as location, or other system information) that one may not want to disclose. The addition of the Direct Anonymous Attestation added to TPM 2.0 would potentially solve this problem, but it uses the traditional RSA or ECC based methods. In this paper, a Lattice-based approach is used that is both quantum safe, and not dependent on creating a new key pair in order to increase anonymity.

The Internet of Things integrates multiple hardware appliances from large cloud data centres to constrained devices embedded within the physical reality, from multiple vendors and providers, under the same infrastructure. These appliances are subject to different restrictions, have different available resources and show different risk profiles and vulnerabilities. In these scenarios, remote attestation mechanisms are essential, enabling the verification of a distant appliance’s internal state before allowing it to access sensitive data or execute critical workloads. This work proposes a new attestation approach based on a Trusted Platform Module (TPM), devoted to performing Remote Attestation as a Service (RAaaS) while guaranteeing essential properties such as flexibility, generality, domain separation and authorized initiation. The proposed solution can prove both edge devices and IoT devices reliability to services running on cloud data centres. Furthermore, the first prototype of this service has been validated and evaluated via a real use case.

Today the mobile devices are more and more present in our lives, and the mobile applications market has experienced a sharp growth. Most of these applications are made to make our daily lives easier, and for this a large part of them consume various web services. Given this transition, from desktop and web applications to mobile applications, many critical services have begun to expose their APIs for use by such application clients. Unfortunately, this transition has paved the way for new vulnerabilities, vulnerabilities used to compress cloud services. In this article we analyzed the main security problems and how they can be solved using the attestation services, the services that indicate that the device running the application and the client application are genuine.

Our identity as a human being is determined by the documents, not by appearance or physicality. The most important thing to prove the identity of humans is to show a government-issued document. Generally, from birth to death humans are recognized by documents because they are born with a birth certificate and they die with a death certificate. The main problem with these documents is that, they can be falsified or manipulated by others. Moreover in this digital era, they are stored in a centralized manner, which is prone to a cyber threat. This study aims to develop a blockchain environment to create, verify, and securely share documents in a decentralized manner. With the help of bigchainDB, interplanetary file system (IPFS), and asymmetric encryption, this research work will prototype the proposed solution called blockchain-based digital locker, which is similar to the DigiLocker released by the Department of Electronics and Information Technology (DeitY), Govt. of India. BigchainDB will help in treating each document as an asset by making it immutable with the help of IPFS and asymmetric encryption, where documents can not only be shared but also verified.

Cloud computing enables users and organizations to conveniently store and share data in large volumes and to enjoy on-demand services. Security and the protection of big data sharing from various attacks is the most challenging issue. Proxy re-encryption (PRE) is an effective method to improve the security of data sharing in the cloud environment. However, in PRE schemes, offloading big data for re-encryption will impose a heavy computational burden on the cloud proxy server, resulting in an increased computation delay and response time for the users. In this paper, we propose a novel parallel PRE workload distribution scheme to dynamically route the big data re-encryption process into the fog of the network. Moreover, this paper proposes a dynamic load balancing technique to avoid an excessive workload for the fog nodes. It also uses lightweight asymmetric cryptography to provide end-to-end security for the big data sharing between users. Within the proposed scheme, the offloading overhead on the centralized cloud server is effectively mitigated. Meanwhile, the processing delay incurred by the big data re-encryption process is efficiently improved.

An emerging widely used technology cloud computing which a paddle of computing resources is available for the users. Through the internet-based the resources could be supplied to cloud consumers at their request but it is not directly active management by the user. This application-based software infrastructure can store data on remote serves, which can be accessed through the internet and a user who wants to access data stored in the cloud have to use an internet browser or cloud computing software. Data protection has become one of the significant issues in cloud computing when users must rely on their cloud providers for security purposes. In this article, a system that can embarrass the disclosure of the key for distributing a file that will assure security dispensing asymmetric key and sharing it among the cloud environment and user perform the integrity check themselves rather than using third-party services by using compression or hash function where the hash is created using a hash function and it was not mentioned in the previous paper. After the user receives the data every hash is compared with other hash values to check the differences of the data. The time-consumption of encryption and decryption of the data is calculated and compared with the previous paper and the experiment shows that our calculation took around 80% less time.

Digitalisation of domains such as medical and railway utilising cloud and networking technologies such as 5G and forthcoming 6G systems presents additional security challenges. The establishment of the identity, integrity and provenance of devices, services and other functional components removed a number of attack vectors and addresses a number of so called zero-trust security requirements. The addition of trusted hardware, such as TPM, and related remote attestation integrated with the networking and cloud infrastructure will be necessary requirement.

Zero Trust security model permits to secure cloud native applications while encrypting all network communication, authenticating, and authorizing every request. The service mesh can enable Zero Trust using a side-car proxy without changes to the application code. To the best of our knowledge, no previous work has provided a performance analysis of Zero Trust in a multi-cloud environment. This paper proposes a multi-cloud framework and a testing workflow to analyse performance of the data plane under load and the impact on the control plane, when Zero Trust is enabled. The results of preliminary tests show that Istio has reduced latency variability in responding to sequential HTTP requests. Results also reveal that the overall CPU and memory usage can increase based on service mesh configuration and the cloud environment.

Cloud storage is a low-cost and convenient storage method, but the nature of cloud storage determines the existence of security risks for data uploaded by users. In order to ensure the security of users' data in third-party cloud platforms, a zero trust security platform for data trusteeship is proposed. The platform introduces the concept of zero trust, which meets the needs of users to upload sensitive data to untrusted third-party cloud platforms by implementing multiple functional modules such as sensitivity analysis service, cipher index service, attribute encryption service.

With the rise of the cloud computing and services, the network environments tend to be more complex and enormous. Security control becomes more and more hard due to the frequent and various access and requests. There are a few techniques to solve the problem which developed separately in the recent years. Network Micro-Segmentation provides the system the ability to keep different parts separated. Zero Trust Model ensures the network is access to trusted users and business by applying the policy that verify and authenticate everything. With the combination of Segmentation and Zero Trust Model, a system will obtain the ability to control the access to organizations' or industrial valuable assets. To implement the cooperation, the paper designs a strategy named light verification to help the process to be painless for the cost of inspection. The strategy was found to be effective from the perspective of the technical management, security and usability.

Distributed denial of service attacks are still one of the greatest threats for computer systems and networks. We propose an intelligent moving target solution against DDOS flooding attacks. Our solution will use a fast-flux approach combined with moving target techniques to increase attack cost and complexity by bringing dynamics and randomization in network address space. It continually increases attack costs and makes it harder and almost infeasible for botnets to launch an attack. Along with performing selective proxy server replication and shuffling clients among this proxy, our solution can successfully separate and isolate attackers from benign clients and mitigate large-scale and complex flooding attacks. Our approach effectively stops both network and application-layer attacks at a minimum cost. However, while we try to make prevalent attack launches difficult and expensive for Bot Masters, this approach is good enough to combat zero-day attacks, too. Using DNS capabilities to change IP addresses frequently along with the proxy servers included in the proposed architecture, it is possible to hide the original server address from the attacker and invalidate the data attackers gathered during the reconnaissance phase of attack and make them repeat this step over and over. Our simulations demonstrate that we can mitigate large-scale attacks with minimum possible cost and overhead.

Modern commercial software development organizations frequently prescribe to a development and deployment pattern for releases known as continuous integration / continuous deployment (CI/CD). Kubernetes, a cluster-based distributed application platform, is often used to implement this pattern. While the abstract concept is fairly well understood, CI/CD implementations vary widely. Resources are scattered across on-premise and cloud-based services, and systems may not be fully automated. Additionally, while a development pipeline may aim to ensure the security of the finished artifact, said artifact may not be protected from outside observers or cloud providers during execution. This paper describes a complete CI/CD pipeline running on Kubernetes that addresses four gaps in existing implementations. First, the pipeline supports strong separation-of-duties, partitioning development, security, and operations (i.e., DevSecOps) roles. Second, automation reduces the need for a human interface. Third, resources are scoped to a Kubernetes cluster for portability across environments (e.g., public cloud providers). Fourth, deployment artifacts are secured with Asylo, a development framework for trusted execution environments (TEEs).

In this research we have explained to set up an Infrared Array Sensor system that is IOT based in order to provide security at remote location. We have tried to Establishment of cloud environment to host IOT application & Development of IOT Application using Asp.net with C\# programming platform. We have Integrated IOT with Infrared Array sensors in order to implement proposed work. In this research camera captures the external event and sent signal to Infrared grid array sensor. Internet of Things (IoT) would enable applications of utmost societal value including smart cities, smart grids & smart healthcare. For majority of such applications, strict dependability requirements are placed on IOT performance, & sensor data as well as actuator commands must be delivered reliably & timely.

Load profiling is to cluster power consumption data to generate load patterns showing typical behaviors of consumers, and thus it has enormous potential applications in smart grid. However, short-interval readings would generate massive smart meter data. Although cloud computing provides an excellent choice to analyze such big data, it also brings significant privacy concerns since the cloud is not fully trustworthy. In this paper, based on a modified vector homomorphic encryption (VHE), we propose a privacy-preserving and outsourced k-means clustering scheme (PPOk M) for secure load profiling over encrypted meter data. In particular, we design a similarity-measuring method that effectively and non-interactively performs encrypted distance metrics. Besides, we present an integrity verification technique to detect the sloppy cloud server, which intends to stop iterations early to save computational cost. In addition, extensive experiments and analysis show that PPOk M achieves high accuracy and performance while preserving convergence and privacy.

The reliable distributed data storage system based on the Redundant Residue Number System (RRNS) is developed. The structure of the system, data splitting and recovery algorithms based on RRNS are developed. A study of the total time and time spent on converting ASCII-encoded data into a RRNS for files of various sizes is conducted. The research of data recovery time is conducted for the inverse transformation from RRNS to ASCII codes.

Data integrity and recovery management is a more important issue in cloud computing because data is located in everywhere. There is a big challenge in backup recovery and security. It is required to provide an efficient and more reliable system in data storage. In this paper, a new methodology is focused and proposed data recovery and data management to assure high-level scalability and high order reliability to provide fault recognition and fault tolerance cloud-based systems. We propose a methodology of segmenting data and generating tokens for the data split-up by adding the address of the cloud or locations of the cloud storage using the tailing method. Thus the missing segment of any faulty node is easily recognized within a short range of limits and will get the data backup from the neighboring nodes.