Biblio

The most important advantage of database is that it can form an intensive management system and serve a large number of information users, which shows the importance of information security in network development. However, there are many problems in the current computer software engineering industry, which seriously hinder the development of computer software engineering, among which the most remarkable and prominent one is that the database programming technology is difficult to be effectively utilized. In this paper, virtualization technology is used to manage the underlying resources of data center with the application background of big data technology, and realize the virtualization of network resources, storage resources and computing resources. It can play a constructive role in the construction of data center, integrate traditional and old resources, realize the computing data center system through virtualization, distributed storage and resource scheduling, and realize the clustering and load balancing of non-relational databases.

Cloud computing has transformed the way of utilizing the computing, storage and network resources as per the user demand. Consequently, the field of robotics performs high complexity tasks that exploit the clouds with the capability to build low-cost light weight and intelligent robots. Recently various researchers have been emerged in the cloud robotics field which are related to offloading computations to the cloud infrastructure, storing and sharing knowledge, coordination and collective learning among robots. However, there are issues related to security and privacy that needs to be addressed while deploying the robotics application in the cloud. Significant research attention is required to build a secure cloud robotic infrastructure. The foremost factor of our research entails the development of standard web services that will allow heterogeneous robots to execute the computationally intense algorithms like map building as a service over the cloud. We have proposed the model that presents the mutual authentication and encryption mechanism for getting access to the hosted robotic services. For mutual authentication, we have used Kerberos module and ECIES (Elliptic Curve Integrated Encryption Scheme) for data encryption. Moreover, we have also performed the cryptanalysis of the proposed protocol by using a Proverif tool. After the cryptanalysis, it is found that our system can also withstand against various type of attacks.

The number of Mobile device users in the word has evolved rapidly. Many internet users currently want to connect the internet for all utilities automatically. One of the technologies in the IPv6 network, which supports data access from moving users, is IPv6 Mobile protocol. In its mobility, the users on a range of networks can move the range to another network. High demand for this technology will interest to a hacker or a cracker to carry out an attack. One of them is a DoS attack that compromises a target to denial its services. A firewall is usually used to protect networks from external attacks. However, since the firewall based on the attacker database, the unknown may not be detected. In order to address the obstacle, a detection tool could be used. In this research, IDS as an intrusion detection tool was integrated with a firewall to be implemented in IPv6 Mobile to stop the DoS attack. The results of some experiments showed that the integration system could block the attack at 0.9 s in Correspondent Node and 1.2 s in Home Agent. The blocked attack can decrease the network throughput up to 27.44% when a Mobile Node in Home Agent, 28,87% when the Mobile Node in a Foreign Network. The final result of the blocked attack is reducing the average CPU utilization up to 30.99%.

As the core infrastructure of cloud data operation, exchange and storage, data centerneeds to ensure its security and reliability, which are the important prerequisites for the development of cloud computing. Due to various illegal accesses, attacks, viruses and other security threats, it is necessary to protect the boundary of cloud data center through security gateway. Since the traffic growing up to gigabyte level, the secure gateway must ensure high transmission efficiency and different network services to support the cloud services. In addition, data center is gradually evolving from IPv4 to IPv6 due to excessive consumption of IP addresses. Packet classification algorithm, which can divide packets into different specific streams, is very important for QoS, real-time data stream application and firewall. Therefore, it is necessary to design a high performance IPv6 packet classification algorithm suitable for security gateway.AsIPv6 has a128-bitIP address and a different packet structure compared with IPv4, the traditional IPv4 packet classification algorithm is not suitable properly for IPv6 situations. This paper proposes a fast packet classification algorithm for IPv6 - PCHA (packet classification based on hash andAdelson-Velsky-Landis Tree). It adopts the three flow classification fields of source IPaddress(SA), destination IPaddress(DA) and flow label(FL) in the IPv6 packet defined by RFC3697 to implement fast three-tuple matching of IPv6 packet. It is through hash matching of variable length IPv6 address and tree matching of shorter flow label. Analysis and testing show that the algorithm has a time complexity close to O(1) in the acceptable range of space complexity, which meets the requirements of fast classification of IPv6 packetsand can adapt well to the changes in the size of rule sets, supporting fast preprocessing of rule sets. Our algorithm supports the storage of 500,000 3-tuple rules on the gateway device and can maintain 75% of the performance of throughput for small packets of 78 bytes.

In this paper, our objective is to focus on the recent trend of military fields where they brought Internet of Things (IoT) to have better impact on the battlefield by improving the effectiveness and this is called Internet of Battlefield Things(IoBT). Due to the requirements of high computing capability and minimum response time with minimum fault tolerance this paper proposed a decentralized IoBT architecture. The proposed method can increase the reliability in the battlefield environment by searching the reliable nodes among all the edge nodes in the environment, and by adding the fault tolerance in the edge nodes will increase the effectiveness of overall battlefield scenario. This suggested fault tolerance approach is worth for decentralized mode to handle the issue of latency requirements and maintaining the task reliability of the battlefield. Our experimental results ensure the effectiveness of the proposed approach as well as enjoy the requirements of latency-aware military field while ensuring the overall reliability of the network.

The complexity of building, deploying, and managing cross-organizational enterprise computing services with self-service, security, and quality assurances has been increasing exponentially in the era of hybrid multiclouds. AI-accelerated material discovery capabilities, for example, are desirable for enterprise application users to consume through business API services with assurance of satisfactory nonfunctional properties, e.g., enterprise-compliant self-service management of sharable sensitive data and machine learning capabilities at Internet scale. This paper presents a composable microservices based approach to creating and continuously improving enterprise computing services. Moreover, it elaborates on several key architecture design decisions for Navarch, a composable enterprise microservices fabric that facilitates consuming, managing, and composing enterprise API services. Under service management model of individual administration, every Navarch microservice is a managed composable API service that can be provided by an internal organization, an enterprise partner, or a public service provider. This paper also illustrates a Navarch-enabled systematic and efficient approach to transforming an AI-accelerated material discovery tool into secure, scalable, and composable enterprise microservices. Performance of the microservices can be continuously improved by exploiting advanced heterogeneous microservice hosting infrastructures. Factual comparative performance analyses are provided before the paper concludes with future work.

Cloud computing has become the main backend of the IT infrastructure as it provides ubiquitous and on-demand computing to serve to a wide range of users including end-users and high-performance demanding agencies. The users can allocate and free resources allocated for their Virtual Machines (VMs) as needed. However, with the rapid growth of interest in cloud computing systems, several issues have arisen especially in the domain of cybersecurity. It is a known fact that not only the malicious users can freely allocate VMs, but also they can infect victims' VMs to run their own tools that include cryptocurrency mining, ransomware, or cyberattacks against others. Even though there exist intrusion detection systems (IDS), running an IDS on every VM can be a costly process and it would require fine configuration that only a small subset of the cloud users are knowledgeable about. Therefore, to overcome this challenge, in this paper we present a VM introspection based allowlisting method to be deployed and managed directly by the cloud providers to check if there are any malicious software running on the VMs with minimum user intervention. Our middleware monitors the processes and if it detects unknown events, it will notify the users and/or can take action as needed.

End-to-end encryption is now ubiquitous on the internet. By securing network communications with TLS, parties can insure that in-transit data remains inaccessible to collection and analysis. In the IoT domain however, end-to-end encryption can paradoxically decrease user privacy, as many IoT devices establish encrypted communications with the manufacturer's cloud backend. The content of these communications remains opaque to the user and in several occasions IoT devices have been discovered to exfiltrate private information (e.g., voice recordings) without user authorization. In this paper, we propose Inspection-Friendly TLS (IF-TLS), an IoT-oriented, TLS-based middleware protocol that preserves the encryption offered by TLS while allowing traffic analysis by middleboxes under the user's control. Differently from related efforts, IF-TLS is designed from the ground up for the IoT world, adding limited complexity on top of TLS and being fully controllable by the residential gateway. At the same time it provides flexibility, enabling the user to offload traffic analysis to either the gateway itself, or cloud-based middleboxes. We implemented a stable, Python-based prototype IF-TLS library; preliminary results show that performance overhead is limited and unlikely to affect quality-of-experience.

Internet of Things (IoT) has been growing exponentially in the commercial market in recent years. It is also a fact that people hold one or more computing devices at home. Many of them have been developed to operate through internet connectivity with cloud computing technologies that result in the demand for fast, robust, and secure services. In most cases, the lack of these services makes difficult the transfer of data to fulfill the devices' purposes. Under these conditions, an intermediate layer or middleware is needed to process, filter, and send data through a more efficient alternative. This paper presents the adaptive solution of a middleware architecture as an intermediate layer between smart devices and cloud computing to enhance the management of the heterogeneity of data provining from IoT devices. The proposed middleware provides easy configuration, adaptability, and bearability for different environments. Finally, this solution has been implemented in the healthcare domain, in which IoT solutions are deployed into Ambient Assisted Living (AAL) environments.

As massive research efforts are poured into server-side DNS security enhancement in online cloud service platforms, sophisticated APTs tend to develop client-side DNS attacks, where defenders only have limited resources and abilities. The collaborative DNS attack is a representative newest client-side paradigm to stealthily undermine user cache by falsifying DNS responses. Different from existing static methods, in this paper, we propose a moving target defense solution named multi-vNIC intelligent mutation to free defenders from arduous work and thwart elusive client-side DNS attack in the meantime. Multiple virtual network interface cards are created and switched in a mutating manner. Thus attackers have to blindly guess the actual NIC with a high risk of exposure. Firstly, we construct a dynamic game-theoretic model to capture the main characteristics of both attacker and defender. Secondly, a reinforcement learning mechanism is developed to generate adaptive optimal defense strategy. Experiment results also highlight the security performance of our defense method compared to several state-of-the-art technologies.

Lightweight virtualization represented by container technology provides a virtual environment for cloud services with more flexibility and efficiency due to the kernel-sharing property. However, the shared kernel also means that the system isolation mechanisms are incomplete. Attackers can scan the shared system configuration files to explore vulnerabilities for launching attacks. Previous works mainly eliminate the problem by fixing operating systems or using access control policies, but these methods require significant modifications and cannot meet the security needs of individual containers accurately. In this paper, we present ConfigRand, a moving target defense framework to prevent the information leakages due to the shared kernel in the container-based cloud. The ConfigRand deploys deceptive system configurations for each container, bounding the scan of attackers aimed at the shared kernel. In design of ConfigRand, we (1) propose a framework applying the moving target defense philosophy to periodically generate, distribute, and deploy the deceptive system configurations in the container-based cloud; (2) establish a model to formalize these configurations and quantify their heterogeneity; (3) present a configuration movement strategy to evaluate and optimize the variation of configurations. The results show that ConfigRand can effectively prevent the information leakages due to the shared kernel and apply to typical container applications with minimal system modification and performance degradation.

Cloud federation is the evolution of modern cloud computing. It provides better resource-sharing, perfect resource-utilization, and load-balancing. However, the heterogeneity of security policies and configurations between cloud service providers makes it hard for users to totally trust them. Further, the severe impact of modern cloud attacks such as cross-side channels on federated environments is a major roadblock against such evolution. Securing users' capsules (Virtual Machines and containers) against cross-side channel attacks is considered as a big challenge to cloud service providers. Moving-target Defense (MtD) by live capsule migration was introduced as an effective mechanism to overcome such challenge. However, researchers noted that even with MtD, migrated capsules can still be tracked via routing information. In this paper, we propose a novel Blockchain-based routing mechanism to enable trace-resistant Moving-target Defence (BMtD) to enable anonymous live cross-cloud migrations of running capsules in federated cloud environments. Exploiting the Vulnerable, Exposed, Attacked, Recovered (VEAR) model, simulation results demonstrated the effectiveness of BMtD in minimizing viral attack dispersion.

Container technology has been used for running multiple isolated operating system distros on a host or deploying large scale microservice-based applications. In most cases, containers share the same kernel with the host and other containers on the same host, and the application in the container can make system calls of the host kernel like a normal process on the host. Seccomp is a security mechanism for the Linux kernel, through which we can prohibit certain system calls from being executed by the program. Docker began to support the seccomp mechanism from version 1.10 and disables around 44 system calls out of 300+ by default. However, for a particular container, there are still many system calls that are unnecessary for running it allowed to be executed, and the abuse of system calls by a compromised container can trigger the security vulnerabilities of a host kernel. Unfortunately, Docker does not provide a way to get the necessary system calls for a particular container. In this paper, we propose RSDS, a method combining dynamic analysis and static analysis to get the necessary system calls for a particular container. Our experiments show that our solution can reduce system calls by 69.27%-85.89% compared to the default configuration on an x86-64 PC with Ubuntu 16.04 host OS and does not affect the functionalities of these containers.

Over the years, public health has faced a large number of challenges like COVID-19. Medical cloud computing is a promising method since it can make healthcare costs lower. The computation of health data is outsourced to the cloud server. If the encrypted medical data is not decrypted, it is difficult to search for those data. Many researchers have worked on searchable encryption schemes that allow executing searches on encrypted data. However, many existing works support single-keyword search. In this article, we propose a patient-centered fine-grained attribute-based encryption scheme with multi-keyword search (CP-ABEMKS) for medical cloud computing. First, we leverage the ciphertext-policy attribute-based technique to construct trapdoors. Then, we give a security analysis. Besides, we provide a performance evaluation, and the experiments demonstrate the efficiency and practicality of the proposed CP-ABEMKS.

Cloud computing provides an open architecture and resource sharing computing platform with pay-per-use model. It is now a popular computing platform and most of the new internet based computing services are on this innovation supported environment. We consider it as innovation supported because developers are more focused here on the service design, rather on arranging the infrastructure, network, management of the resources, etc. These all things are available in cloud computing on hired basis. Now, a big question arises here is the security of data or privacy of data because the service provider is already using the infrastructure, network, storage, processors, and other more resources from the third party. So, the security or privacy of the portable user's data is the main motivation for writing this research paper. In this paper, we are proposing an innovative perturbation algorithm MAP() to secure the portable user's data on the cloud server.

With almost unlimited storage capacity and low maintenance cost, cloud storage becomes a convenient and efficient way for data sharing among cloud users. However, this introduces the challenges of access control and privacy protection when data sharing for multiple groups, as each group usually has its own encryption and access control mechanism to protect data confidentiality. In this paper, we propose a multiple-group data sharing scheme with privacy preservation in the cloud. This scheme constructs a flexible access control framework by using group signature, ciphertext-policy attribute-based encryption and broadcast encryption, which supports both intra-group and cross-group data sharing with anonymous access. Furthermore, our scheme supports efficient user revocation. The security and efficiency of the scheme are proved thorough analysis and experiments.

There exists a need for sharing user health data, especially with institutes for research purposes, in a secure fashion. This is especially true in the case of a system that includes a third party storage service, such as cloud computing, which limits the control of the data owner. The use of encryption for secure data storage continues to evolve to meet the need for flexible and fine-grained access control. This evolution has led to the development of Attribute Based Encryption (ABE). The use of ABE to ensure the security and privacy of health data has been explored. This paper presents an ABE based framework which allows for the secure outsourcing of the more computationally intensive processes for data decryption to the cloud servers. This reduces the time needed for decryption to occur at the user end and reduces the amount of computational power needed by users to access data.

Nowadays, ubiquitous healthcare monitoring applications are becoming a necessity. In a pervasive smart healthcare system, the user's location information is always transmitted periodically to healthcare providers to increase the quality of the service provided to the user. However, revealing the user's location will affect the user's privacy. This paper presents a novel cloud-based secure location privacy-preserving mobile healthcare framework with decision-making capabilities. A user's vital signs are sensed possibly through a wearable healthcare device and transmitted to a cloud server for securely storing user's data, processing, and decision making. The proposed framework integrates a number of features such as machine learning (ML) for classifying a user's health state, and crowdsensing for collecting information about a person's privacy preferences for possible locations and applying such information to a user who did not set his privacy preferences. In addition to location privacy preservation methods (LPPM) such as obfuscation, perturbation and encryption to protect the location of the user and provide a secure monitoring framework. The proposed framework detects clear emergency cases and quickly decides about sending a help message to a healthcare provider before sending data to the cloud server. To validate the efficiency of the proposed framework, a prototype is developed and tested. The obtained results from the proposed prototype prove its feasibility and utility. Compared to the state of art, the proposed framework offers an adaptive context-based decision for location sharing privacy and controlling the trade-off between location privacy and service utility.

In the current scenario, the data owners would like to access data from anywhere and anytime. Hence, they will store their data in public or private cloud along with encryption and particular set of attributes to access control on the cloud data. While uploading the data into public or private cloud they will assign some attribute set to their data. If any authorized cloud user wants to download their data they should enter that particular attribute set to perform further actions on the data owner's data. A cloud user wants to register their details under cloud organization to access the data owner's data. Users wants to submit their details as attributes along with their designation. Based on the Users details Semi-Trusted Authority generates decryption keys to get control on owner's data. A user can perform a lot of operation over the cloud data. If the user wants to read the cloud data he needs to be entering some read related, and if he wants to write the data he needs to be entering write related attribute. For each and every action user in an organization would be verified with their unique attribute set. These attributes will be stored by the admins to the authorized users in cloud organization. These attributes will be stored in the policy files in a cloud. Along with this attribute,a rule based engine is used, to provide the access control to user. If any user leaks their decryption key to the any malicious user data owners wants to trace by sending audit request to auditor and auditor will process the data owners request and concludes that who is the convict.

Cloud computing has made the life of individual users and work of business corporations so much easier by providing them data storage services at very low costs. Individual users can store and access their data through shared cloud storage service anywhere anytime. Similarly, business corporation consumers of cloud computing can store, manage, process and access their big data with quite an ease. However, the security and privacy of users' data remains vulnerable in cloud computing Availability, integrity and confidentiality are the three primary elements that users consider before signing up for cloud computing services. Many public and private cloud services have experienced security breaches and unauthorized access incidents. This paper suggests user end cryptography of data before uploading it to a cloud storage service platform like Google Drive, Microsoft, Amazon and CloudSim etc. The proposed cryptography algorithm is based on symmetric key cryptography model and has been implemented on Amazon S3 cloud space service.

Cloud computing is the flexible platform to outsource the data from local server to commercial cloud. However cloud provides tremendous benefits to user, data privacy and data leakage reduce the attention of cloud. For protecting data privacy and reduce data leakage various techniques has to be implemented in cloud. There are various types of cloud environment, but we concentrate on Hybrid cloud. Hybrid cloud is nothing but combination of more than two or more cloud. Where critical operations are performed in private cloud and non critical operations are performed in public cloud. So, it has numerous advantages and criticality too. In this paper, we focus on data security through encryption scheme over Hybrid Cloud. There are various encryption schemes are close to us but it also have data security issues. To overcome these issues, Attribute Based Encryption Scheme with Dynamic Attributes Supporting (ABE-DAS) has proposed. Attribute based Encryption Scheme with Dynamic Attributes Supporting technique enhance the security of the data in hybrid cloud.

With the improvement of the current Internet software and hardware performance, cloud storage has become one of the most widely used applications. This paper proposes a user privacy protection algorithm suitable for tennis match live broadcast from media cloud platform. Through theoretical and experimental verification, this algorithm can better protect the privacy of users in the live cloud platform. This algorithm is a ciphertext calculation algorithm based on data blocking. Firstly, plaintext data are grouped, then AES ciphertext calculation is performed on each group of plaintext data simultaneously and respectively, and finally ciphertext data after grouping encryption is spliced to obtain final ciphertext data. Experimental results show that the algorithm has the characteristics of large key space, high execution efficiency, ciphertext statistics and good key sensitivity.

Many organizations are still reluctant to move sensitive data to the cloud. Moreover, data protection regulations have established considerable punishments for violations of privacy and security requirements. Privacy, however, is a concept that is difficult to measure and to demonstrate. While many privacy design strategies, tactics and patterns have been proposed for privacy-preserving system design, it is difficult to evaluate an existing system with regards to whether these strategies have or have not appropriately been implemented. In this paper we propose indicators for a system's non-compliance with privacy design strategies, called privacy smells. To that end we first identify concrete metrics that measure certain aspects of existing privacy design strategies. We then define smells based on these metrics and discuss their limitations and usefulness. We identify these indicators on two levels of a cloud system: the data flow level and the access control level. Using a cloud system built in Microsoft Azure we show how the metrics can be measured technically and discuss the differences to other cloud providers, namely Amazon Web Services and Google Cloud Platform. We argue that while it is difficult to evaluate the privacy-awareness in a cloud system overall, certain privacy aspects in cloud systems can be mapped to useful metrics that can indicate underlying privacy problems. With this approach we aim at enabling cloud users and auditors to detect deep-rooted privacy problems in cloud systems.

We focus on policy-aware data centers (PADCs), wherein virtual machine (VM) traffic traverses a sequence of middleboxes (MBs) for security and performance purposes, and propose two new VM placement and migration problems. We first study PAL: policy-aware virtual machine placement. Given a PADC with a data center policy that communicating VM pairs must satisfy, the goal of PAL is to place the VMs into the PADC to minimize their total communication cost. Due to dynamic traffic loads in PADCs, however, above VM placement may no longer be optimal after some time. We thus study PAM: policy-aware virtual machine migration. Given an existing VM placement in the PADC and dynamic traffic rates among communicating VMs, PAM migrates VMs in order to minimize the total cost of migration and communication of the VM pairs. We design optimal, approximation, and heuristic policyaware VM placement and migration algorithms. Our experiments show that i) VM migration is an effective technique, reducing total communication cost of VM pairs by 25%, ii) our PAL algorithms outperform state-of-the-art VM placement algorithm that is oblivious to data center policies by 40-50%, and iii) our PAM algorithms outperform the only existing policy-aware VM migration scheme by 30%.

This paper proposes and analyzes a new virtual machine (VM) placement technique called Group Instance to deal with co-location attacks in public Infrastructure-as-a-Service (IaaS) clouds. Specifically, Group Instance organizes cloud users into groups with pre-determined sizes set by the cloud provider. Our empirical results obtained via experiments with real-world data sets containing million of VM requests have demonstrated the effectiveness of the new technique. In particular, the advantages of Group Instance are three-fold: 1) it is simple and highly configurable to suit the financial and security needs of cloud providers, 2) it produces better or at least similar performance compared to more complicated, state-of-the-art algorithms in terms of resource utilization and co-location security, and 3) it does not require any modifications to the underlying infrastructures of existing public cloud services.