Global ETD Search

1	Security audit compliance for cloud computing Doelitzscher, Frank January 2014 (has links) Cloud computing has grown largely over the past three years and is widely popular amongst today's IT landscape. In a comparative study between 250 IT decision makers of UK companies they said, that they already use cloud services for 61% of their systems. Cloud vendors promise "infinite scalability and resources" combined with on-demand access from everywhere. This lets cloud users quickly forget, that there is still a real IT infrastructure behind a cloud. Due to virtualization and multi-tenancy the complexity of these infrastructures is even increased compared to traditional data centers, while it is hidden from the user and outside of his control. This makes management of service provisioning, monitoring, backup, disaster recovery and especially security more complicated. Due to this, and a number of severe security incidents at commercial providers in recent years there is a growing lack of trust in cloud infrastructures. This thesis presents research on cloud security challenges and how they can be addressed by cloud security audits. Security requirements of an Infrastructure as a Service (IaaS) cloud are identified and it is shown how they differ from traditional data centres. To address cloud specific security challenges, a new cloud audit criteria catalogue is developed. Subsequently, a novel cloud security audit system gets developed, which provides a flexible audit architecture for frequently changing cloud infrastructures. It is based on lightweight software agents, which monitor key events in a cloud and trigger specific targeted security audits on demand - on a customer and a cloud provider perspective. To enable these concurrent cloud audits, a Cloud Audit Policy Language is developed and integrated into the audit architecture. Furthermore, to address advanced cloud specific security challenges, an anomaly detection system based on machine learning technology is developed. By creating cloud usage profiles, a continuous evaluation of events - customer specific as well as customer overspanning - helps to detect anomalies within an IaaS cloud. The feasibility of the research is presented as a prototype and its functionality is presented in three demonstrations. Results prove, that the developed cloud audit architecture is able to mitigate cloud specific security challenges. 004.67 Cloud Computing ; Cloud Security ; Cloud
2	Intrusion Detection System as a Service : Providing intrusion detection system on a subscription basis for cloud deployment Gade, Vaibhav January 2015 (has links) No description available. IDSaaS cloud computing cloud security NFV
3	Cloud Security : Penetration Testing of Application in Micro-service architecture and Vulnerability Assessment. Kothawade, Prasad, Bhowmick, Partha Sarathi January 2019 (has links) Software as a Service (SaaS) is a modern software product model that provides an awesome experience and dynamic platform for the expedition, communication and creating new features in a short amount of time. Cloud platforms provide an outstanding foundation for Software as a solution with their on user-demand infrastructure and application service. We can say that microservice architecture as the optional architecture for a cloud-hosted solution. Microservice architecture is not that much build-up, it just started getting attraction from various industries who want to market for their product in a short time by expanding productivity through increasing automation in the whole product lifecycle[1]. Microservice architecture approach come-up with lots of new complexity and it need a certain level of maturity development to confidently apply the architectural style. The challenge we are facing is how do we make sure the system stays safe and doesn't get hacked or leak data in this more complex and versatile cloud environment. Hence, we need to do penetration testing on the newly developed application in a microservice architecture. Micro- Service Penetration Testing Cloud Security Engineering and Technology Teknik och teknologier
4	Detecting Compute Cloud Co-residency with Network Flow Watermarking Techniques Bates, Adam, Bates, Adam January 2012 (has links) This paper presents co-resident watermarking, a traffic analysis attack for cloud environments that allows a malicious co-resident virtual machine to inject a watermark signature into the network flow of a target instance. This watermark can be used to exfiltrate co-residency data, compromising isolation assurances. While previous work depends on virtual hypervisor resource management, our approach is difficult to defend without costly underutilization of the physical machine. We evaluate co-resident watermarking under many configurations, from a local lab environment to production cloud environments. We demonstrate the ability to initiate a covert channel of 4 bits per second, and we can confirm co-residency with a target VM instance in less than 10 seconds. We also show that passive load measurement of the target and behavior profiling is possible. Our investigation demonstrates the need for the careful design of hardware to be used in the cloud. This thesis includes unpublished co-authored material. Cloud Computing Cloud Security Covert Channel Network Flow Watermarking
5	An evaluation of Honeypots with Compliant Kubernetes Eriksson, Oscar January 2023 (has links) This thesis evaluates different honeypot technologies and how they can be integrated into Compliant Kubernetes (CK8s), a secure open-source distribution of Kubernetes designed to address various compliance and regulatory requirements. The thesis identifies and compares the features, metrics, and suitability of several candidate honeypots for CK8s based on a literature survey and experimental testing. The thesis also discusses the value and challenges of using honeypots in cloud environments and the legal and ethical issues involved. The main findings of the thesis are that ContainerSSH is the most mature, user-friendly, and Kubernetes-compatible honeypot among the candidates, and that honeypots can provide useful threat intelligence and security awareness for cloud systems. honeypots Kubernetes cloud security compliance Computer Sciences Datavetenskap (datalogi)
6	Towards a trusted grid architecture Cooper, Andrew January 2010 (has links) The malicious host problem is challenging in distributed systems such as grids and clouds. Rival organisations may share the same physical infrastructure. Administrators might deliberately or accidentally compromise users' data. The thesis concerns the development of a security architecture that allows users to place a high degree of trust in remote systems to process their data securely. The problem is tackled through a new security layer that ensures users' data can only be accessed within a trusted execution environment. Access to encrypted programs and data is authorised by a key management service using trusted computing attestation. Strong data integrity and confidentiality protection on remote hosts is provided by the job security manager virtual machine. The trusted grid architecture supports the enforcement of digital rights management controls. Subgrids allow users to define a strong trusted boundary for delegated grid jobs. Recipient keys enforce a trusted return path for job results to help users create secure grid workflows. Mandatory access controls allow stakeholders to mandate the software that is available to grid users. A key goal of the new architecture is backwards compatibility with existing grid infrastructure and data. This is achieved using a novel virtualisation architecture where the security layer is pushed down to the remote host, so it does not need to be pre-installed by the service provider. A new attestation scheme, called origin attestation, supports the execution of unmodified, legacy grid jobs. These features will ease the transition to a trusted grid and help make it practical for deployment on a global scale. 621.382
7	Micro-architectural Threats to Modern Computing Systems Inci, Mehmet Sinan 17 April 2019 (has links) With the abundance of cheap computing power and high-speed internet, cloud and mobile computing replaced traditional computers. As computing models evolved, newer CPUs were fitted with additional cores and larger caches to accommodate run multiple processes concurrently. In direct relation to these changes, shared hardware resources emerged and became a source of side-channel leakage. Although side-channel attacks have been known for a long time, these changes made them practical on shared hardware systems. In addition to side-channels, concurrent execution also opened the door to practical quality of service attacks (QoS). The goal of this dissertation is to identify side-channel leakages and architectural bottlenecks on modern computing systems and introduce exploits. To that end, we introduce side-channel attacks on cloud systems to recover sensitive information such as code execution, software identity as well as cryptographic secrets. Moreover, we introduce a hard to detect QoS attack that can cause over 90+\% slowdown. We demonstrate our attack by designing an Android app that causes degradation via memory bus locking. While practical and quite powerful, mounting side-channel attacks is akin to listening on a private conversation in a crowded train station. Significant manual labor is required to de-noise and synchronizes the leakage trace and extract features. With this motivation, we apply machine learning (ML) to automate and scale the data analysis. We show that classical machine learning methods, as well as more complicated convolutional neural networks (CNN), can be trained to extract useful information from side-channel leakage trace. Finally, we propose the DeepCloak framework as a countermeasure against side-channel attacks. We argue that by exploiting adversarial learning (AL), an inherent weakness of ML, as a defensive tool against side-channel attacks, we can cloak side-channel trace of a process. With DeepCloak, we show that it is possible to trick highly accurate (99+\% accuracy) CNN classifiers. Moreover, we investigate defenses against AL to determine if an attacker can protect itself from DeepCloak by applying adversarial re-training and defensive distillation. We show that even in the presence of an intelligent adversary that employs such techniques, DeepCloak still succeeds. cloud security DoS attacks machine learning mobile security side-channel attacks
8	Secure Service Provisioning in a Public Cloud Aslam, Mudassar January 2012 (has links) The evolution of cloud technologies which allows the provisioning of IT resources over the Internet promises many benefits for the individuals and enterprises alike. However, this new resource provisioning model comes with the security challenges which did not exist in the traditional resource procurement mechanisms. We focus on the possible security concerns of a cloud user (e.g. an organization, government department, etc.) to lease cloud services such as resources in the form of Virtual Machines (VM) from a public Infrastructure-as-a-Service (IaaS) provider. There are many security critical areas in the cloud systems, such as data confidentiality, resource integrity, service compliance, security audits etc. In this thesis, we focus on the security aspects which result in the trust deficit among the cloud stakeholders and hence hinder a security sensitive user to benefit from the opportunities offered by the cloud computing. Based upon our findings from the security requirements analysis,we propose solutions that enable user trust in the public IaaS clouds. Our solutions mainly deal with the secure life cycle management of the user VM which include mechanisms for VM launch and migration. The VM launch and migration solutions ensure that the user VM is always protected in the cloud by only allowing it to run on the user trusted platforms. This is done by using trusted computing techniques that allow the users to remotely attest and hence rate the cloud platforms trusted or untrusted. We also provide a prototype implementation to prove the implementation feasibility of the proposed trust enabling principles used in the VM launch and migration solutions. VM migration trusted platforms cloud security IaaS TPM Security Trusted Computing Virtualization Cloud Computing trust
9	Bringing Visibility in the Clouds : using Security, Transparency and Assurance Services Aslam, Mudassar January 2014 (has links) The evolution of cloud computing allows the provisioning of IT resources over the Internet and promises many benefits for both - the service users and providers. Despite various benefits offered by cloud based services, many users hesitate in moving their IT systems to the cloud mainly due to many new security problems introduced by cloud environments. In fact, the characteristics of cloud computing become basis of new problems, for example, support of third party hosting introduces loss of user control on the hardware; similarly, on-demand availability requires reliance on complex and possibly insecure API interfaces; seamless scalability relies on the use of sub-providers; global access over public Internet exposes to broader attack surface; and use of shared resources for better resource utilization introduces isolation problems in a multi-tenant environment. These new security issues in addition to existing security challenges (that exist in today's classic IT environments) become major reasons for the lack of user trust in cloud based services categorized in Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) or Infrastructure-as-a-Service (IaaS). The focus of this thesis is on IaaS model which allows users to lease IT resources (e.g. computing power, memory, storage, etc.) from a public cloud to create Virtual Machine (VM) instances. The public cloud deployment model considered in this thesis exhibits most elasticity (i.e. degree of freedom to lease/release IT resources according to user demand) but is least secure as compared to private or hybrid models. As a result, public clouds are not trusted for many use cases which involve processing of security critical data such as health records, financial data, government data, etc. However, public IaaS clouds can also be made trustworthy and viable for these use cases by providing better transparency and security assurance services for the user. In this thesis, we consider such assurance services and identify security aspects which are important for making public clouds trustworthy. Based upon our findings, we propose solutions which promise to improve cloud transparency thereby realizing trustworthy clouds. The solutions presented in this thesis mainly deal with the secure life cycle management of the user VM which include protocols and their implementation for secure VM launch and migration. The VM launch and migration solutions ensure that the user VM is always hosted on correct cloud platforms which are setup according to a profile that fulfills the use case relevant security requirements. This is done by using an automated platform security audit and certification mechanism which uses trusted computing and security automation techniques in an integrated solution. In addition to provide the assurance about the cloud platforms, we also propose a solution which provides assurance about the placement of user data in correct and approved geographical locations which is critical from many legal aspects and usually an important requirement of the user. Finally, the assurance solutions provided in this thesis increase cloud transparency which is important for user trust and to realize trustworthy clouds. Cloud Security Trusted Computing Trustworthy Clouds Cloud Audits Security Automation SCAP Virtual Machine
10	A theory for understanding and quantifying moving target defense Zhuang, Rui January 1900 (has links) Doctor of Philosophy / Computing and Information Sciences / Scott A. DeLoach / The static nature of cyber systems gives attackers a valuable and asymmetric advantage - time. To eliminate this asymmetric advantage, a new approach, called Moving Target Defense (MTD) has emerged as a potential solution. MTD system seeks to proactively change system configurations to invalidate the knowledge learned by the attacker and force them to spend more effort locating and re-locating vulnerabilities. While it sounds promising, the approach is so new that there is no standard definition of what an MTD is, what is meant by diversification and randomization, or what metrics to define the effectiveness of such systems. Moreover, the changing nature of MTD violates two basic assumptions about the conventional attack surface notion. One is that the attack surface remains unchanged during an attack and the second is that it is always reachable. Therefore, a new attack surface definition is needed. To address these issues, I propose that a theoretical framework for MTD be defined. The framework should clarify the most basic questions such as what an MTD system is and its properties such as adaptation, diversification and randomization. The framework should reveal what is meant by gaining and losing knowledge, and what are different attack types. To reason over the interactions between attacker and MTD system, the framework should define key concepts such as attack surface, adaptation surface and engagement surface. Based on that, this framework should allow MTD system designers to decide how to use existing configuration choices and functionality diversification to increase security. It should allow them to analyze the effectiveness of adapting various combinations of different configuration aspects to thwart different types of attacks. To support analysis, the frame- work should include an analytical model that can be used by designers to determine how different parameter settings will impact system security. Moving Target Defense Network Security Computer Security Science of Security Cloud Security Computer Science (0984)

Search results