Biblio

With the ubiquitous computing of providing services and applications at anywhere and anytime, cloud computing is the best option as it offers flexible and pay-per-use based services to its customers. Nevertheless, security and privacy are the main challenges to its success due to its dynamic and distributed architecture, resulting in generating big data that should be carefully analysed for detecting network's vulnerabilities. In this paper, we propose a Collaborative Anomaly Detection Framework (CADF) for detecting cyber attacks from cloud computing environments. We provide the technical functions and deployment of the framework to illustrate its methodology of implementation and installation. The framework is evaluated on the UNSW-NB15 dataset to check its credibility while deploying it in cloud computing environments. The experimental results showed that this framework can easily handle large-scale systems as its implementation requires only estimating statistical measures from network observations. Moreover, the evaluation performance of the framework outperforms three state-of-the-art techniques in terms of false positive rate and detection rate.

In the 21st century, integrated transport, service and mobility concepts for real-life situations enabled by automation system and smarter connectivity. These services and ideas can be blessed from cloud computing, and big data management techniques for the transport system. These methods could also include automation, security, and integration with other modes. Integrated transport system can offer new means of communication among vehicles. This paper presents how hybrid could computing influence to make urban transportation smarter besides considering issues like security and privacy. However, a simple structured framework based on a hybrid cloud computing system might prevent common existing issues.

Recently, the researches utilizing environmentally friendly new and renewable energy and various methods have been actively pursued to solve environmental and energy problems. The trend of the technology is converged with the latest ICT technology and expanded to the cloud of share and two-way system. In the center of this tide of change, new technologies such as IoT, Big Data and AI are sustaining to energy technology. Now, the cloud concept which is a universal form in IT field will be converged with energy field to develop Energy Cloud, manage zero energy towns and develop into social infrastructure supporting smart city. With the development of social infrastructure, it is very important as a security facility. In this paper, it is discussed the concept and the configuration of the Energy Cloud, and present a basic design method of the Energy Cloud's security that can examine and respond to the risk factors of information security in the Energy Cloud.

While the growth of cloud-based technologies has benefited the society tremendously, it has also increased the surface area for cyber attacks. Given that cloud services are prevalent today, it is critical to devise systems that detect intrusions. One form of security breach in the cloud is when cyber-criminals compromise Virtual Machines (VMs) of unwitting users and, then, utilize user resources to run time-consuming, malicious, or illegal applications for their own benefit. This work proposes a method to detect unusual resource usage trends and alert the user and the administrator in real time. We experiment with three categories of methods: simple statistical techniques, unsupervised classification, and regression. So far, our approach successfully detects anomalous resource usage when experimenting with typical trends synthesized from published real-world web server logs and cluster traces. We observe the best results with unsupervised classification, which gives an average F1-score of 0.83 for web server logs and 0.95 for the cluster traces.

In the big data era, many users upload data to cloud while security concerns are growing. By using attribute-based encryption (ABE), users can securely store data in cloud while exerting access control over it. Revocation is necessary for real-world applications of ABE so that revoked users can no longer decrypt data. In actual implementations, however, revocation requires re-encryption of data in client side through download, decrypt, encrypt, and upload, which results in huge communication cost between the client and the cloud depending on the data size. In this paper, we propose a new method where the data can be re-encrypted in cloud without downloading any data. The experimental result showed that our method reduces the communication cost by one quarter in comparison with the trivial solution where re-encryption is performed in client side.

Edge Computing is a scheme to improve the performance, latency and security guidelines for IoT applications. However, edge deployment of an application also comes with additional complexity in management, an increased attack surface for security vulnerability, and could potentially result in a more expensive solution. As a result, the conditions under which an edge deployment of IoT applications delivers a better solution is not always obvious. Metrics which would be able to predict whether or not an IoT application is suitable for edge deployment can provide useful insights to address this question. In this paper, we examine the key performance indicators for IoT applications, namely the responsiveness, scalability and cost models for different types of IoT applications. Our analysis identifies that network centrality of an IoT application is a key characteristic which determines whether or not an IoT application is a good candidate for edge deployment. We discuss the different measures of network centrality that can be used to characterize applications, and the relative performance of edge deployment compared to centralized deployment for various IoT applications.

In the process of big data analysis and processing, a key concern blocking users from storing and processing their data in the cloud is their misgivings about the security and performance of cloud services. There is an urgent need to develop an approach that can help each cloud service provider (CSP) to demonstrate that their infrastructure and service behavior can meet the users' expectations. However, most of the prior research work focused on validating the process compliance of cloud service without an accurate description of the basic service behaviors, and could not measure the security capability. In this paper, we propose a novel approach to verify cloud service security conformance called CloudSec, which reduces the description gap between the cloud provider and customer through modeling cloud service behaviors (CloudBeh Model) and security SLA (SecSLA Model). These models enable a systematic integration of security constraints and service behavior into cloud while using UPPAAL to check the conformance, which can not only check CloudBeh performance metrics conformance, but also verify whether the security constraints meet the SecSLA. The proposed approach is validated through case study and experiments with a cloud storage service based on OpenStack, which illustrates CloudSec approach effectiveness and can be applied in real cloud scenarios.

In this paper, we review big data characteristics and security challenges in the cloud and visit different cloud domains and security regulations. We propose using integrated auditing for secure data storage and transaction logs, real-time compliance and security monitoring, regulatory compliance, data environment, identity and access management, infrastructure auditing, availability, privacy, legality, cyber threats, and granular auditing to achieve big data security. We apply a stochastic process model to conduct security analyses in availability and mean time to security failure. Potential future works are also discussed.

The main issue with big data in cloud is the processed or used always need to be by third party. It is very important for the owners of data or clients to trust and to have the guarantee of privacy for the information stored in cloud or analyzed as big data. The privacy models studied in previous research showed that privacy infringement for big data happened because of limitation, privacy guarantee rate or dissemination of accurate data which is obtainable in the data set. In addition, there are various privacy models. In order to determine the best and the most appropriate model to be applied in the future, which also guarantees big data privacy, it is necessary to invest in research and study. In the next part, we surfed some of the privacy models in order to determine the advantages and disadvantages of each model in privacy assurance for big data in cloud. The present study also proposes combined Diff-Anonym algorithm (K-anonymity and differential models) to provide data anonymity with guarantee to keep balance between ambiguity of private data and clarity of general data.

Numerous event-based probing methods exist for cloud computing environments allowing a hypervisor to gain insight into guest activities. Such event-based probing has been shown to be useful for detecting attacks, system hangs through watchdogs, and for inserting exploit detectors before a system can be patched, among others. Here, we illustrate how to use such probing for trustworthy logging and highlight some of the challenges that existing event-based probing mechanisms do not address. Challenges include ensuring a probe inserted at given address is trustworthy despite the lack of attestation available for probes that have been inserted dynamically. We show how probes can be inserted to ensure proper logging of every invocation of a probed instruction. When combined with attested boot of the hypervisor and guest machines, we can ensure the output stream of monitored events is trustworthy. Using these techniques we build a trustworthy log of certain guest-system-call events. The log powers a cloud-tuned Intrusion Detection System (IDS). New event types are identified that must be added to existing probing systems to ensure attempts to circumvent probes within the guest appear in the log. We highlight the overhead penalties paid by guests to increase guarantees of log completeness when faced with attacks on the guest kernel. Promising results (less that 10% for guests) are shown when a guest relaxes the trade-off between log completeness and overhead. Our demonstrative IDS detects common attack scenarios with simple policies built using our guest behavior recording system.

Data outsourcing in cloud is emerging as a successful paradigm that benefits organizations and enterprises with high-performance, low-cost, scalable data storage and sharing services. However, this paradigm also brings forth new challenges for data confidentiality because the outsourced are not under the physic control of the data owners. The existing schemes to achieve the security and usability goal usually apply encryption to the data before outsourcing them to the storage service providers (SSP), and disclose the decryption keys only to authorized user. They cannot ensure the security of data while operating data in cloud where the third-party services are usually semi-trustworthy, and need lots of time to deal with the data. We construct a privacy data management system appending hierarchical access control called HAC-DMS, which can not only assure security but also save plenty of time when updating data in cloud.

Cloud data centers are critical infrastructures to deliver cloud services. Although security and performance of cloud data centers have been well studied in the past, their networking aspects are overlooked. Current network infrastructures in cloud data centers limit the ability of cloud provider to offer guaranteed cloud network resources to users. In order to ensure security and performance requirements as defined in the service level agreement (SLA) between cloud user and provider, cloud providers need the ability to provision network resources dynamically and on the fly. The main challenge for cloud provider in utilizing network resource can be addressed by provisioning virtual networks that support information centric services by separating the control plane from the cloud infrastructure. In this paper, we propose an sdn based information centric cloud framework to provision network resources in order to support elastic demands of cloud applications depending on SLA requirements. The framework decouples the control plane and data plane wherein the conceptually centralized control plane controls and manages the fully distributed data plane. It computes the path to ensure security and performance of the network. We report initial experiment on average round-trip delay between consumers and producers.

Automation of real time car parking system (RTCPS) using mobile cloud computing (MCC) and vehicular networking (VN) has given rise to a novel concept of integrated communication-computing platforms (ICCP). The aim of ICCP is to evolve an effective means of addressing challenges such as improper parking management scheme, traffic congestion in parking lots, insecurity of vehicles (safety applications), and other Infrastructure-to-Vehicle (I2V) services for providing data dissemination and content delivery services to connected Vehicular Clients (VCs). Edge (parking lot based) Fog computing (EFC) through road side sensor based monitoring is proposed to achieve ICCP. A real-time cloud to vehicular clients (VCs) in the context of smart car parking system (SCPS) which satisfies deterministic and non-deterministic constraints is introduced. Vehicular cloud computing (VCC) and intra-Edge-Fog node architecture is presented for ICCP. This is targeted at distributed mini-sized self-energized Fog nodes/data centers, placed between distributed remote cloud and VCs. The architecture processes data-disseminated real-time services to the connected VCs. The work built a prototype testbed comprising a black box PSU, Arduino IoT Duo, GH-311RT ultrasonic distance sensor and SHARP 2Y0A21 passive infrared sensor for vehicle detection; LinkSprite 2MP UART JPEG camera module, SD card module, RFID card reader, RDS3115 metal gear servo motors, FPM384 fingerprint scanner, GSM Module and a VCC web portal. The testbed functions at the edge of the vehicular network and is connected to the served VCs through Infrastructure-to-Vehicular (I2V) TCP/IP-based single-hop mobile links. This research seeks to facilitate urban renewal strategies and highlight the significance of ICCP prototype testbed. Open challenges and future research directions are discussed for an efficient VCC model which runs on networked fog centers (NetFCs).

The Internet of Vehicles (IoV) is a complex and dynamic mobile network system that enables information sharing between vehicles, their surrounding sensors, and clouds. While IoV opens new opportunities in various applications and services to provide safety on the road, it introduces new challenges in the field of digital forensics investigations. The existing tools and procedures of digital forensics cannot meet the highly distributed, decentralized, dynamic, and mobile infrastructures of the IoV. Forensic investigators will face challenges while identifying necessary pieces of evidence from the IoV environment, and collecting and analyzing the evidence. In this article, we propose TrustIoV - a digital forensic framework for the IoV systems that provides mechanisms to collect and store trustworthy evidence from the distributed infrastructure. Trust-IoV maintains a secure provenance of the evidence to ensure the integrity of the stored evidence and allows investigators to verify the integrity of the evidence during an investigation. Our experimental results on a simulated environment suggest that Trust-IoV can operate with minimal overhead while ensuring the trustworthiness of evidence in a strong adversarial scenario.

Cloud computing is a solution to reduce the cost of IT by providing elastic access to shared resources. It also provides solutions for on-demand computing power and storage for devices at the edge networks with limited resources. However, increasing the number of connected devices caused by IoT architecture leads to higher network traffic and delay for cloud computing. The centralised architecture of cloud computing also makes the edge networks more susceptible to challenges in the core network. Fog computing is a solution to decrease the network traffic, delay, and increase network resilience. In this paper, we study how fog computing may improve network resilience. We also conduct a simulation to study the effect of fog computing on network traffic and delay. We conclude that using fog computing prepares the network for better response time in case of interactive requests and makes the edge networks more resilient to challenges in the core network.

The IoT (Internet of Things) is one of the primary reasons for the massive growth in the number of connected devices to the Internet, thus leading to an increased volume of traffic in the core network. Fog and edge computing are becoming a solution to handle IoT traffic by moving timesensitive processing to the edge of the network, while using the conventional cloud for historical analysis and long-term storage. Providing processing, storage, and network communication at the edge network are the aim of fog computing to reduce delay, network traffic, and decentralise computing. In this paper, we define a framework that realises fog computing that can be extended to install any service of choice. Our framework utilises fog nodes as an extension of the traditional switch to include processing, networking, and storage. The fog nodes act as local decision-making elements that interface with software-defined networking (SDN), to be able to push updates throughout the network. To test our framework, we develop an IP spoofing security application and ensure its correctness through multiple experiments.

Cloud computing has become a widely used computing paradigm providing on-demand computing and storage capabilities based on pay-as-you-go model. Recently, many organizations, especially in the field of big data, have been adopting the cloud model to perform data analytics through leasing powerful Virtual Machines (VMs). VMs can be attractive targets to attackers as well as untrusted cloud providers who aim to get unauthorized access to the business critical-data. The obvious security solution is to perform data analytics on encrypted data through the use of cryptographic keys as that of the Advanced Encryption Standard (AES). However, it is very easy to obtain AES cryptographic keys from the VM's Random Access Memory (RAM). In this paper, we present a novel key-scattering (KS) approach to protect the cryptographic keys while encrypting/decrypting data. Our solution is highly portable and interoperable. Thus, it could be integrated within today's existing cloud architecture without the need for further modifications. The feasibility of the approach has been proven by implementing a functioning prototype. The evaluation results show that our approach is substantially more resilient to brute force attacks and key extraction tools than the standard AES algorithm, with acceptable execution time.

Virtual machine introspection (VMI) is a technology with many possible applications, such as malware analysis and intrusion detection. However, this technique is resource intensive, as inspecting program behavior includes recording of a high number of events caused by the analyzed binary and related processes. In this paper we present an architecture that leverages cloud resources for virtual machine-based malware analysis in order to train a classifier for detecting cloud-specific malware. This architecture is designed while having in mind the resource consumption when applying the VMI-based technology in production systems, in particular the overhead of tracing a large set of system calls. In order to minimize the data acquisition overhead, we use a data-driven approach from the area of resource-aware machine learning. This approach enables us to optimize the trade-off between malware detection performance and the overhead of our VMI-based tracing system.

Security challenges are the most important obstacles for the advancement of IT-based on-demand services and cloud computing as an emerging technology. Lack of coincidence in identity management models based on defined policies and various security levels in different cloud servers is one of the most challenging issues in clouds. In this paper, a policy- based user authentication model has been presented to provide a reliable and scalable identity management and to map cloud users' access requests with defined polices of cloud servers. In the proposed schema several components are provided to define access policies by cloud servers, to apply policies based on a structural and reliable ontology, to manage user identities and to semantically map access requests by cloud users with defined polices. Finally, the reliability and efficiency of this policy-based authentication schema have been evaluated by scientific performance, security and competitive analysis. Overall, the results show that this model has met defined demands of the research to enhance the reliability and efficiency of identity management in cloud computing environments.

Cloud computing is significantly reshaping the computing industry built around core concepts such as virtualization, processing power, connectivity and elasticity to store and share IT resources via a broad network. It has emerged as the key technology that unleashes the potency of Big Data, Internet of Things, Mobile and Web Applications, and other related technologies; but it also comes with its challenges - such as governance, security, and privacy. This paper is focused on the security and privacy challenges of cloud computing with specific reference to user authentication and access management for cloud SaaS applications. The suggested model uses a framework that harnesses the stateless and secure nature of JWT for client authentication and session management. Furthermore, authorized access to protected cloud SaaS resources have been efficiently managed. Accordingly, a Policy Match Gate (PMG) component and a Policy Activity Monitor (PAM) component have been introduced. In addition, other subcomponents such as a Policy Validation Unit (PVU) and a Policy Proxy DB (PPDB) have also been established for optimized service delivery. A theoretical analysis of the proposed model portrays a system that is secure, lightweight and highly scalable for improved cloud resource security and management.

In the multi-cloud tenancy environments, Web Service offers an standard approach for discovering and using capabilities in an environment that transcends ownership domains. This brings into concern the ownership and security related to Web Service governance. Our approach for this issue involves an ESB-integrated middleware for security criteria regulation on Clouds. It uses an attribute-based security policy model for the exhibition of assets consumers' security profiles and deducing service accessing decision. Assets represent computing power/functionality and information/data provided by entities. Experiments show the middleware to bring minor governance burdens on the hardware aspect, as well as better performance with colosum scaling property, dealing well with cumbersome policy files, which is probably the situation of complex composite service scenarios.

With the rapid development of bulk power grid under extra-high voltage (EHV) AC/DC hybrid power system and extensive access of distributed energy resources (DER), operation characteristics of power grid have become increasingly complicated. To cope with new severe challenges faced by safe operation of interconnected bulk power grids, an in-depth analysis of bulk power grid security defense system under the background of EHV and new energy resources was implemented from aspects of management and technology in this paper. Supported by big data and cloud computing, bulk power grid security defense system was divided into two parts: one is the prevention and control of operation risks. Power grid risks are eliminated and influence of random faults is reduced through measures such as network planning, power-cut scheme, risk pre-warning, equipment status monitoring, voltage control, frequency control and adjustment of operating mode. The other is the fault recovery control. By updating “three defense lines”, intelligent relay protection is used to deal with the challenges brought by EHV AC/DC hybrid grid and new energy resources. And then security defense system featured by passive defense is promoted to active type power grid security defense system.

Security in virtualised environments is becoming increasingly important for institutions, not only for a firm's own on-site servers and network but also for data and sites that are hosted in the cloud. Today, security is either handled globally by the cloud provider, or each customer needs to invest in its own security infrastructure. This paper proposes a Virtual Security Operation Center (VSOC) that allows to collect, analyse and visualize security related data from multiple sources. For instance, a user can forward log data from its firewalls, applications and routers in order to check for anomalies and other suspicious activities. The security analytics provided by the VSOC are comparable to those of commercial security incident and event management (SIEM) solutions, but are deployed as a cloud-based solution with the additional benefit of using big data processing tools to handle large volumes of data. This allows us to detect more complex attacks that cannot be detected with todays signature-based (i.e. rules) SIEM solutions.

Internet of Things (IoT) devices are getting increasingly popular, becoming a core element for the next generations of informational architectures: smart city, smart factory, smart home, smart health-care and many others. IoT systems are mainly comprised of embedded devices with limited computing capabilities while having a cloud component which processes the data and delivers it to the end-users. IoT devices access the user private data, thus requiring robust security solution which must address features like usability and scalability. In this paper we discuss about an IoT authentication service for smart-home devices using a smart-phone as security anchor, QR codes and attribute based cryptography (ABC). Regarding the fact that in an IoT ecosystem some of the IoT devices and the cloud components may be considered untrusted, we propose a privacy preserving attribute based access control protocol to handle the device authentication to the cloud service. For the smart-phone centric authentication to the cloud component, we employ the FIDO UAF protocol and we extend it, by adding an attributed based privacy preserving component.

The revolution of smart devices has a significant and positive impact on the lives of many people, especially in regard to elements of healthcare. In part, this revolution is attributed to technological advances that enable individuals to wear and use medical devices to monitor their health activities, but remotely. Also, these smart, wearable medical devices assist health care providers in monitoring their patients remotely, thereby enabling physicians to respond quickly in the event of emergencies. An ancillary advantage is that health care costs will be reduced, another benefit that, when paired with prompt medical treatment, indicates significant advances in the contemporary management of health care. However, the competition among manufacturers of these medical devices creates a complexity of small and smart wearable devices such as ECG and EMG. This complexity results in other issues such as patient security, privacy, confidentiality, and identity theft. In this paper, we discuss the design and implementation of a hybrid real-time cryptography algorithm to secure lightweight wearable medical devices. The proposed system is based on an emerging innovative technology between the genomic encryptions and the deterministic chaos method to provide a quick and secure cryptography algorithm for real-time health monitoring that permits for threats to patient confidentiality to be addressed. The proposed algorithm also considers the limitations of memory and size of the wearable health devices. The experimental results and the encryption analysis indicate that the proposed algorithm provides a high level of security for the remote health monitoring system.