  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
11

SDN-based Proactive Defense Mechanism in a Cloud System

January 2015 (has links)
abstract: Cloud computing is known as a new and powerful computing paradigm. This new generation of network computing model delivers both software and hardware as on-demand resources and various services over the Internet. However, the security concerns prevent users from adopting the cloud-based solutions to fulfill the IT requirement for many business critical computing. Due to the resource-sharing and multi-tenant nature of cloud-based solutions, cloud security is especially the most concern in the Infrastructure as a Service (IaaS). It has been attracting a lot of research and development effort in the past few years. Virtualization is the main technology of cloud computing to enable multi-tenancy. Computing power, storage, and network are all virtualizable to be shared in an IaaS system. This important technology makes abstract infrastructure and resources available to users as isolated virtual machines (VMs) and virtual networks (VNs). However, it also increases vulnerabilities and possible attack surfaces in the system, since all users in a cloud share these resources with others or even the attackers. The promising protection mechanism is required to ensure strong isolation, mediated sharing, and secure communications between VMs. Technologies for detecting anomalous traffic and protecting normal traffic in VNs are also needed. Therefore, how to secure and protect the private traffic in VNs and how to prevent the malicious traffic from shared resources are major security research challenges in a cloud system. This dissertation proposes four novel frameworks to address challenges mentioned above. The first work is a new multi-phase distributed vulnerability, measurement, and countermeasure selection mechanism based on the attack graph analytical model. The second work is a hybrid intrusion detection and prevention system to protect VN and VM using virtual machines introspection (VMI) and software defined networking (SDN) technologies. 
The third work further improves the previous works by introducing a VM profiler and VM Security Index (VSI) to keep track of the security status of each VM and suggest the optimal countermeasure to mitigate potential threats. The final work is an SDN-based proactive defense mechanism for a cloud system using a reconfiguration model and moving target defense approaches to actively and dynamically change the virtual network configuration of a cloud system. / Dissertation/Thesis / Doctoral Dissertation Computer Science 2015
12

Homomorphic Encryption: Working and Analytical Assessment : DGHV, HElib, Paillier, FHEW and HE in cloud security

Papisetty, Srinivas Divya January 2017 (has links)
Context: Secrecy has kept researchers spanning over centuries engaged in the creation of data protection techniques. With the growing rate of data breach and intervention of adversaries in confidential data storage and communication, efficient data protection has been found to be a challenge. Homomorphic encryption is one such data protection technique in the cryptographic domain which can perform arbitrary computations on the enciphered data without disclosing the original plaintext or message. The first working fully homomorphic encryption scheme was proposed in the year 2009 and since then there has been a tremendous increase in the development of homomorphic encryption schemes such that they can be applied to a wide range of data services that demand security. All homomorphic encryption schemes can be categorized as partially homomorphic (PHE), somewhat homomorphic (SHE), leveled homomorphic (LHE), and fully homomorphic encryption (FHE). Each encryption algorithm has its own importance and usage in different realms of security. DGHV, Paillier, HElib, and FHEW are the algorithms chosen in this study considering their wide usage and scope for further advancement in this subject area. A public-key algorithm named RSA is also chosen for comparison of the impact of HE and PKE (Public-key encryption) algorithm on the CPU and Memory. The utilization of various homomorphic schemes and concepts in the trending cloud storage systems is a prevailing field of research and can be expanded further by knowing the current state-of-the-art of homomorphic encryption. Hence, the necessity of comprehending the knowledge of homomorphic encryption schemes and their aspect in cloud security becomes vital. Objectives: The objective of this study is to analytically assess homomorphic encryption and various homomorphic encryption schemes. A comprehensive investigation on working and performance of the selected HE schemes is another objective of this research. 
Also, an experiment to run publicly available libraries of DGHV, Paillier, HElib, and FHEW is one of the main objectives. In addition to these, comprehending the impact of HE and PKE on CPU and Memory is also among the objectives of the study. The role and practice of homomorphic encryption in the cloud storage system are among the secondary objectives of this research in terms of securing confidential data. These objectives are set based on the research gap identified by conducting an exhaustive literature review. Methods: The objectives of this study are achieved by adopting the methods exhaustive literature review and experiment. Scientific databases such as IEEE Xplore, ACM Digital Library, Inspec, Springer Link etc. are used and literature is accordingly selected based on the relevance to the research topic. An exhaustive literature review is conducted and extensive bibliographic research is done to accomplish the objective of comprehending the working, applications, significance of homomorphic encryption. Apart from literature review, bibliographic research, an experiment is also conducted to run the publicly available homomorphic encryption libraries to evaluate, compare, and analyze the performance of DGHV, Paillier, HElib, and FHEW schemes. Experiment to run publicly available PKE algorithm is also conducted. Finally, the conclusion and outcome by adopting these research methods for accomplishing the objectives are theoretically presented in detail. Results: By conducting an exhaustive literature review, the importance, working, application of homomorphic encryption and its schemes is discerned. And by conducting an experiment, the impact of HE and PKE is also discerned. Apart from this, the limitations of HE and selected HE schemes along with the distinction between public and private key cryptography is understood by finding and mapping in connection with each other. 
From the experiment conducted, it is examined that despite the encryption libraries being publicly available for use, the possibility of running and employing few libraries successfully is remarkably low inferring that there is much improvement needed in this cryptographic discipline. Conclusions: From this research, it can be concluded that homomorphic encryption has a wide scope of extending towards efficiency and application in various fields concerned with data protection. It can also be concluded that the experimental assessment of state of the art of few HE schemes libraries that are available online are remarkably impractical for real-time practice. By analyzing the selected schemes, it can be concluded few HE schemes do not support any other operations on encrypted data other than addition and multiplication due to which chances of increasing noise for each encryption is relatively high. From the experiment conducted for Paillier encryption (HE) and RSA (PKE) encryption, it is concluded that both the schemes increase linearly with an increase in the input size when CPU and Memory utilization is measured. Apart from these conclusions, it can also be inferred that not all the homomorphic encryption algorithms are IND-CCA1 and IND-CCA2 secure. From this study, it can be deduced that more empirical validation and analysis of HE algorithms is required in terms of their performance and security. In order to address these problems, much research and improvement are required as it is inferred from the results of this research that homomorphic encryption is still in its early stage of development and enormous utility can be anticipated when enhanced correctly.
13

Guideline for assessing risks arising from adoption of a cloud service / Guideline for assessing security risks arising from adoption of a cloud platform

Tomčová, Zuzana January 2014 (has links)
This thesis focuses on assessment of IT risks related to company's adoption of a cloud service. The goal of the thesis is to identify generally applicable set of IT risks, which will serve as a basis for the proposed risk assessment guideline. The work is organized as follows: Introduction and literature review is presented in the first chapter. The author provides theoretical background supporting better understanding of the topic in the Chapter two, where concept of the cloud computing and IT risk are described. A qualitative questionnaire is introduced and results of the participants' responses are depicted in the third chapter. Following chapter provides a risks categorization representing a base for the proposed cloud oriented IT risk assessment guideline. Subsequently, validation of the guideline in form of its practical application on a company undergoing the decision-making process towards cloud solution is summarized in the Chapter five. Second last chapter describes standards and certifications in an area of cloud information security. Finally, Chapter seven summarizes and concludes the findings outlining opportunities for future work and possible improvements in this area.
14

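Visual presentation of weather data and electricity prices : a work on database modelling in the cloud with Business Intelligence / VISUELL PRESENTATION AV VÄDERDATA OCH ELPRISER : ETT ARBETE OM DATABASMODELLERING I MOLNET MED BUSINESS INTELLIGENCE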

Björnbom, Willie, Eklöf, Alexander January 2019 (has links)
In an environment where data flows everywhere and in all forms, it can be difficult to extract something valuable from it. Business Intelligence, also known as BI, is a technology used to transform information into a valuable resource for primarily companies with a lot of information. But what opportunities does BI offer? In this essay, we use standardized techniques, popular tools and cloud services to perform a pure BI project. We will generate a report in which we will analyze whether there is any correlation between electricity prices and different types of weather data. After the practical part of the work, we will use our experience of the cloud to dig deeper into how safe the cloud really is. We will compare the concerns that an ordinary user has to the cloud and compare with how the cloud service provider (CSP) Azure adapts to this. / In a society where information flows in all its forms, it can be difficult to extract something valuable from it. Business intelligence, also called BI, is a technique used to transform information into a valuable resource, primarily for companies. But what can one actually do with BI? In this thesis, standardized techniques, new tools and cloud services are used to carry out a complete BI project. The project includes a visual report in which a thorough analysis is made of whether there is any correlation between electricity prices and different types of weather data. After the practical work, a theoretical in-depth study of cloud service security will be carried out. The theoretical in-depth study will comprise a comparison between the most common concerns that users have about the cloud and how Azure actually addresses them.
15

Database security in the cloud / Databassäkerhet i molnet

Sakhi, Imal January 2012 (has links)
The aim of the thesis is to get an overview of the database services available in cloud computing environment, investigate the security risks associated with it and propose the possible countermeasures to minimize the risks. The thesis also analyzes two cloud database service providers, namely Amazon RDS and Xeround. The reason behind choosing these two providers is because they are currently amongst the leading cloud database providers and both provide relational cloud databases which makes the comparison useful. The focus of the analysis has been to provide an overview of their database services as well as the available security measurements. A guide has been appended at the end of the report to help with technical configurations of database migration and connecting applications to the databases for the two mentioned cloud database providers. The thesis has been conducted on behalf of the Swedish Armed Forces and after reviewing the security risks associated with cloud databases, it is recommended that the Armed Forces should refrain from public cloud database services. Security deficiencies such as vague physical security and access control procedures, unavailability of preferred monitoring tools and most importantly the absence of proper encryption and key management schemes make the public database services useless for an authority such as the Armed Forces. The recommended solutions are therefore to either use a jointly-owned community cloud database solution for less confidential data only or to use on-premise private cloud database solution for all but the TOP SECRET classified data. Keywords: Cloud computing, cloud database services, Swedish Armed Forces, security risks, Xeround, Amazon RDS
16

A Neural Network Based Distributed Intrusion Detection System on Cloud Platform

Li, Zhe 22 August 2013 (has links)
No description available.
17

A study of Oracle Cloud Infrastructure : Demonstration of the vulnerability or reliability of certain services through penetration attacks / En studie av Oracle Cloud Infrastructure : demonstration av sårbarheten eller tillförlitligheten hos vissa tjänster genom penetrationsattacker

Feller, Shanly January 2023 (has links)
This thesis aims to assess the security of Oracle Cloud Infrastructure (OCI) through penetration testing of some of its services. Targeted at cloud, cybersecurity, governance, and compliance professionals as well as administrators or cyber enthusiasts in general, this research uncovers specific best practices to OCI. We employ a methodology in three steps published by Astra aimed at cloud services auditing, combining penetration testing techniques and thorough documentation review to evaluate the security posture of OCI services. The scope encompasses IAM and MySQL Managed Databases. We found that improperly supervised ABAC policies could lead to privilege escalation through the tagging of computing resources and that the MySQL service does not present the major issues that occurred in the managed services of OCI’s main competitors. This research contributes to the growing body of knowledge on cloud security and offers practical recommendations to strengthen OCI deployments, ultimately fostering greater confidence in adopting OCI services. / The purpose of this thesis is to examine the security of Oracle Cloud Infrastructure (OCI) through penetration testing of some of its services. Aimed at cloud, cybersecurity, governance and compliance professionals, this research contributes best-practice methods for OCI. We apply a three-step methodology published by Astra that is geared toward auditing cloud services. The methodology combines penetration testing techniques with careful documentation review to evaluate the security posture of OCI. The scope includes IAM and managed MySQL databases. We found that inadequately supervised ABAC policies could lead to privilege escalation problems through the tagging of compute resources, and that Oracle's MySQL service does not have the major problems found in the managed services of OCI's main competitors. This research contributes to the growing body of knowledge on cloud security and offers practical recommendations for strengthening OCI implementations, which ultimately promotes greater trust in and adoption of OCI services.
18

Cloud security frameworks and measures for SLA (Service Level Agreement)

Baião Kandala, Manuel Mazanga January 2022 (has links)
Small companies and organizations have expressed doubts about using cloud services due to unclear Service Level Agreement (SLA) contracts. These contracts are usually based on security frameworks and measures adapted for data security in general, but not for complex cloud data specifically. The purpose of this study was therefore to compare end users’ opinions of the security measures and security frameworks that were being used for their SLA contracts for cloud services. The study was carried out through semi-structured interviews, thematization, and comparison with earlier research on SLA and cloud security. The result showed that security frameworks on which SLA contracts were based were being used in a too general way by cloud service providers. This made the contracts unclear and not entirely relevant to their own operations. Therefore, the users wanted implementations of security measures that were easier to interpret, well-established and recognized, and relevant to their own operations. The users wanted the security measures to be more detailed by having the cloud service providers divide them into more categories relevant to their particular activities. The users also wanted SLA contracts adapted to their individual needs for cloud security specifically. One conclusion was that frameworks such as ISO, NIST, and COBIT were being used in a too general way for generating cloud service SLAs. Another conclusion was that cloud service security measures should be more specific to users’ own operations and easier to interpret in relation to established frameworks. Cloud service providers could use NIST, ISO, and COBIT to generate more specific measures. One solution would be to automatically generate more specific SLA contracts by auto-selecting established frameworks and well-defined security measures.
19

Detecting and mitigating software security vulnerabilities through secure environment programming

Blair, William 26 March 2024 (has links)
Adversaries continue to exploit software in order to infiltrate organizations’ networks, extract sensitive information, and hijack control of computing resources. Given the grave threat posed by unknown security vulnerabilities, continuously monitoring for vulnerabilities during development and evidence of exploitation after deployment is now standard practice. While the tools that perform this analysis and monitoring have evolved significantly in the last several decades, many approaches require either directly modifying a program’s source code or its intermediate representation. In this thesis, I propose methods for efficiently detecting and mitigating security vulnerabilities in software without requiring access to program source code or instrumenting individual programs. At the core of this thesis is a technique called secure environment programming (SEP). SEP enhances execution environments, which may be CPUs, language interpreters, or computing clouds, to detect security vulnerabilities in production software artifacts. Furthermore, environment based security features allow SEP to mitigate certain memory corruption and system call based attacks. This thesis’ key insight is that a program’s execution environment may be augmented with functionality to detect security vulnerabilities or protect workloads from specific attack vectors. I propose a novel vulnerability detection technique called micro-fuzzing which automatically detects algorithmic complexity (AC) vulnerabilities in both time and space. The detected bugs and vulnerabilities were confirmed by vendors of real-world Java libraries. Programs implemented in memory unsafe languages like C/C++ are popular targets for memory corruption exploits. In order to protect programs from these exploits, I enhance memory allocators with security features available in modern hardware environments. 
I use efficient hash algorithm implementations and memory protection keys (MPKs) available on recent CPUs to enforce security policies on application memory. Finally, I deploy a microservice-aware policy monitor (MPM) that detects security policy deviations in container telemetry. These security policies are generated from binary analysis over container images. Embedding MPMs derived from binary analysis in micro-service environments allows operators to detect compromised components without modifying container images or incurring high performance overhead. Applying SEP at varying levels of the computing stack, from individual programs to popular micro-service architectures, demonstrates that SEP efficiently protects diverse workloads without requiring program source or instrumentation.
20

Ochrana soukromí v cloudu / Privacy protection in cloud

Chernikau, Ivan Unknown Date (has links)
This Master’s thesis describes privacy protection problems in the use of cloud technologies. Some of the problems can be solved with the help of homomorphic encryption, data splitting or searchable encryption. These techniques were described and compared in terms of the security provided, privacy protection and efficiency. The data splitting technique was chosen and implemented in the C language. Afterwards, the performance of the implemented solution was compared to AES encryption/decryption performance. An application for secure data storage in the cloud was designed and implemented. This application uses the implemented data splitting technique and the third-party application CloudCross. The designed application provides a command line interface (CLI) and a graphical user interface (GUI). The GUI extends the capabilities of the CLI with the ability to register a cloud and with autodetection of registered clouds. The process of uploading/downloading the data to/from cloud storage is transparent and does not overload the user with technical details of the data splitting technique used.
