Similar Literature
 Found 20 similar documents; search took 683 ms
1.
Cloud computing technology provides flexibility to the Cloud Service Provider (CSP) for providing the cloud resources based on the users' requirements. In the on‐demand pricing model, the attackers exploit this feature and cause unwanted scaling‐up of the cloud resources without any intent to pay for them. The associated cost for the unpaid malicious usage burdens the CSP, and over a long period, economic losses occur at the CSP end. Thus, the resources and services offered by the CSP become unsustainable, and the attack is termed an Economic Denial‐of‐Sustainability (EDoS) attack. The existing defense approaches for EDoS attacks are reactive. Thus, the associated attack detection/mitigation cost is high; consequently, the approaches are not suitable for Small and Medium Enterprises (SMEs). The aim of this paper is to detect and mitigate internal and external stealthy EDoS attacks proactively. The attack is detected using an average CPU utilization threshold and a utility function (in terms of cost for the utilized cloud computing resources) and mitigated using virtual firewalls. Amazon Elastic Compute Cloud (Amazon EC2) is used to evaluate the performance of the proposed approach. The proposed approach accurately detects the EDoS attack and mitigates its effect as well with reduced cost. It is observed that the approach provides competitive response time, victim service downtime, and attack reporting time. Thus, the overall performance is improved.

2.
As a new computing mode, cloud computing can provide users with virtualized and scalable web services; however, it is faced with serious security challenges. Access control is one of the most important measures to ensure the security of cloud computing. But applying the traditional access control model to the Cloud directly could not solve the uncertainty and vulnerability caused by the open conditions of cloud computing. In a cloud computing environment, only when the security and reliability of both interacting parties are ensured can data security be effectively guaranteed during interactions between users and the Cloud. Therefore, building a mutual trust relationship between users and the cloud platform is the key to implementing new kinds of access control methods in a cloud computing environment. Combined with Trust Management (TM), a mutual trust based access control (MTBAC) model is proposed in this paper. The MTBAC model takes both the user's behavior trust and the cloud service node's credibility into consideration. Trust relationships between users and cloud service nodes are established by a mutual trust mechanism. Security problems of access control are solved by implementing the MTBAC model in a cloud computing environment. Simulation experiments show that the MTBAC model can guarantee the interaction between users and cloud service nodes.

3.

The future of information technology mainly depends upon cloud computing. Hence security in cloud computing is highly essential for the consumers as well as the service providers of the particular cloud environment. There are many security threats challenging the current cloud environment. One of the important security threats ever in the cloud environment is considered to be the Distributed Denial of Service (DDoS) attack. Where cloud is of greater benefit in terms of providing on-demand services, a certain kind of attack named Economic Denial of Sustainability (EDoS) occurs in the pay-per-use payment model. Due to the occurrence of this attack the consumers are forced to pay an additional amount for the services offered. EDoS attacks are similar to DDoS attacks, which are classified as attacks associated with bandwidth consumption, application-targeted attacks and the exhaustion of the connection layer. The main objective of the proposed work is to design a profile-based novel framework for maximizing the detection of various types of EDoS attacks. During this process, the proposed framework consisting of a Feature Classification (FC) algorithm ensures that false positives and negatives along with bandwidth and memory consumption are highly minimized. The proposed algorithm allows only limited resources for allocation to the available virtual machines, which increases the chances of detecting the attack and preventing the misuse propagation of resources. The accuracy and efficiency of this approach are proven to be higher with lesser computational complexity when compared to the existing approaches.


4.
Ahene Emmanuel, Dai Junfeng, Feng Hao, Li Fagen 《Telecommunication Systems》2019,70(4):491-510

Cloud computing has proven to be applicable in smart grid systems with the help of the cloud-based Internet of things (IoT) technology. In this concept, IoT is deployed as a front-end enabling the acquisition of smart grid-related data and its outsourcing to the cloud for data storage purposes. It is obvious that data storage is a pertinent service in cloud computing. However, its wide adoption is hindered by the concern of having a secure access to data without a breach on confidentiality and authentication. To address this problem, we propose a novel data access control scheme that simultaneously accomplishes confidentiality and authentication for cloud-based smart grid systems. Our scheme can enable the storing of encrypted smart grid-related data in the cloud. When a user prefers to access the data, the data owner issues a delegation command to the cloud for data re-encryption. The cloud is unable to acquire any plaintext information on the data. Only authorized users are capable of decrypting the data. Moreover, the integrity and authentication of data can only be verified by the authorized user. We obtain the data access control scheme by proposing a pairing free certificateless signcryption with proxy re-encryption (CLS-PRE) scheme. We prove that our CLS-PRE scheme has indistinguishability against adaptive chosen ciphertext attack under the gap Diffie–Hellman problem and existential unforgeability against adaptive chosen message attack under elliptic curve discrete logarithm problem in the random oracle model.


5.
Li Xiong, Kumari Saru, Shen Jian, Wu Fan, Chen Caisen, Islam SK Hafizul 《Wireless Personal Communications》2017,96(4):5295-5314

Cloud storage is a new storage mode that emerged along with the development of the cloud computing paradigm. By migrating the data to cloud storage, the consumers can be liberated from building and maintaining the private storage infrastructure, and they can enjoy the data storage service anywhere and anytime with high reliability and a relatively low cost. However, the security and privacy risks, especially the confidentiality and integrity of data, seem to be the biggest hurdle to the adoption of cloud storage applications. In this paper, we consider the secure data access and sharing issues for cloud storage services. Based on the intractability of the discrete logarithm problem, we design a secure data access and data sharing scheme for cloud storage, where we utilize the user authentication scheme to deal with the data access problem. According to our analysis, through our scheme, only a valid user with the correct password and biometric can access the cloud storage provider. Besides, the authorized users can access the rightful resources and verify the validity of the shared data, but cannot transfer the permission to any other party. At the same time, the confidentiality and integrity of data can be guaranteed.


6.
Cloud computing has great economic advantages and wide application, and more and more data owners store their data in the cloud storage server (CSS) to avoid tedious local data management and insufficient storage resources. But the privacy of data owners faces enormous challenges. The most recent searchable encryption technology adopts ciphertext‐policy attribute‐based encryption (CP‐ABE), which is one good method to deal with this security issue. However, the access attributes of the users are transmitted and assigned in plaintext form. In this paper, we propose a searchable encryption cloud storage service scheme based on blinded CP‐ABE (BCP‐ABE‐SECSS), which can blind the access attributes of the users in order to prevent collusion attacks by the CSS and the users. Data encryption and keyword index generation are performed by the data owners; meanwhile, in our construction the CSS not only executes the access control policy of the data but also performs the pre‐decryption operation on the encrypted data to address the higher time cost of the decryption calculation for the data users. Security proof results show that this scheme has access attribute security, data confidentiality, indistinguishable security against chosen keyword attack, and resistance to the collusion attack between the data user and the CSS. Performance analysis and the experimental results show that this scheme can effectively reduce the computation time cost of the data owners and the data users.

7.
Cloud computing, a new paradigm in distributed computing, has gained wide popularity in a relatively short span of time. With the increase in the number, functionality and features of cloud services, it is more and more mind-boggling for the cloud users to find a trustworthy provider. Cloud users need to have confidence in cloud providers to migrate their critical data to cloud computing. There must be some means to determine reliability of service providers so that users can choose services with the assurance that the provider will not act malignantly. An effort has been made in this paper to formulate a hybrid model to calculate the trustworthiness of service providers. Cloud services are evaluated and trust value is calculated based on compliance and reputation. Service logs based compliance reflects dynamic trust. The reputation has been computed from collective user feedback. Feedback rating is the view of each user about the invoked services. The discovered services that fulfill the user requirements are ranked based on their trust values and top-k cloud services are recommended to the user. The proposed approach is efficient and considerably improves service-selection process in cloud applications.

8.

The 5G network is an inevitable trend in the development of mobile communications. Mobile cloud computing is a more promising technology for 5G networks. This paper proposes a hierarchical distributed cloud service network model, which is composed of three layers: “access cloud + distributed micro cloud + core cloud”. On the basis of access to the cloud, a distributed micro cloud system is deployed to migrate the service capabilities of the remote core cloud server to the local area. This paper proposes a task offloading assignment algorithm in a small cell cloud scenario. This algorithm establishes an SCC (Small Cell Cloud) based on the channel quality between small cells and the remaining available computing resources, and allocates the load to each small cell in the SCC according to the channel quality and the remaining available computing resources. Simulation results show that this solution can improve the utilization of wireless and computing resources in the small cell cloud computing scenario, and improve the user QoE (Quality of Experience). In order to make the system operate normally under heavy load, this paper proposes a feedback adaptive random access strategy based on the adaptive random access model. This can ensure that the throughput rate does not decrease under heavy load conditions, and at the same time, the average access delay of the existing system is reduced. When the arrival rate of user requests gradually increases, the throughput rate of RA-RACH access will continue to decrease due to collisions until it approaches below 0.1. In the state where the number of users is low and the load is lighter, RA-RACH, AC-RACH, and FC-RACH all have a higher access success rate. But as the load continues to increase, RA-RACH will quickly drop to 0.


9.
吴雄燕 《移动信息》2024,46(3):151-153
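With the rapid development and wide application of cloud computing technology, the information security requirements and challenges in data security, privacy protection and access control have become the main problems facing cloud service providers and users. To address this problem, the paper proposes cloud-computing-based information security strategies and techniques, including advanced data encryption methods, strengthened identity authentication mechanisms, fine-grained access control policies, and cloud-based intrusion detection and prevention systems, aiming to comprehensively improve data protection and system security in cloud computing environments. Experimental results show that these security strategies and techniques raise the level of data protection and system security in the cloud computing environment, reduce security threats and risks, and strengthen the security of the whole cloud service system and users' trust in it.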

10.
Although cloud computing becomes a new computing model, a variety of security threats have been described. Among these threats, SQL injection attack (SQLIA) has received increasing attention recently. In the past, many researchers had proposed several methods to counter SQLIAs. However, these countermeasures of SQLIAs cannot be applied to cloud environments directly. In this paper, we propose a mechanism called CCSD (Cloud Computing SQLIA Detection) to detect SQLIAs. CCSD does not require any access to the application’s source code. Hence, it can be directly applied to existing cloud environments. The experimental results demonstrate that CCSD has high accuracy, low false positive rates and low time consumption.

11.
Cloud computing is one of the space-ground integration information network applications. Users can access data and retrieve service easily and quickly in the cloud. The confidentiality and integrity of the cloud data have a direct correspondence to data security of the space-ground integration information network. Thus the data in the cloud is transferred in encrypted form to protect the information. As an important technology of cloud security, access control should take account of multi-factor and cipher text to satisfy the complex requirement for cloud data protection. Based on this, a proxy re-encryption based multi-factor access control (PRE-MFAC) scheme was proposed. Firstly, the aims and assumptions of PRE-MFAC were given. Secondly, the system model and algorithm were defined. Finally, the security and properties of PRE-MFAC were analyzed. The proposed scheme has combined PRE and multi-factor access control together and realized the multi-factor permission management of cipher text in the cloud. Meanwhile, it can make the best possible use of the cloud in computing and storing, and thus reduce the difficulty for personal users in cryptographic computing and key managing.

12.
李振汕 《通信技术》2012,(9):103-105,108
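As the application of cloud computing technology deepens, cloud security has become a focus of industry attention. Cloud security is not only the primary consideration for users choosing cloud computing services, but also the foundation for the healthy and sustainable development of cloud computing. To better understand the security problems of the cloud computing environment, the paper analyzes in detail the security threats that the cloud environment faces in infrastructure, data, identity and access management, security management, privacy, and audit and compliance. It concludes that the threats facing cloud computing can be handled only if cloud service providers and users cooperate, reach agreement on providing and monitoring security functions, and readjust the traditional security model.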

13.
岳阳, 郑志蓉, 徐昆 《通信技术》2020,(4):998-1003
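Based on an analysis of the malicious code attack process and of the types and means of malicious code attacks, the paper studies trust chain transfer technology, cryptography-based security isolation technology, multilevel security access control technology, and secure pipeline domain technology. Trust chain transfer ensures that the trusted computing base cannot be tampered with; cryptography-based security isolation ensures that the trusted computing base cannot be bypassed; multilevel security access control addresses the integrity and confidentiality of information exchange between ordinary users; and secure pipeline domain technology addresses the scope of resources that privileged users may use. Finally, on this basis, a model for resisting malicious code attacks based on trusted computing technology is constructed, and its effectiveness is analyzed.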

14.

The main objective is to create a secured classifier for datasets based on clustering algorithm. K-means algorithm is one of the efficient techniques for mining large databases based on cloud computing platform to store large database with least cost. Cloud computing allows users to outsource their data. For multi-dimensional data the clustering technique is implemented which performs clustering of related elements without advance knowledge. The K-nearest neighbor classification is analyzed by using dataset under different conditions of parameters. In view of the above, the development of data management with a cloud computing is gaining more attention towards multi-dimensional datasets. It is a challenging task to obtain secured data in evolution of data mining technique based on cloud computing employed using classifier techniques. Quality of education depends largely on teacher’s ability, performance, knowledge, assessment and prediction on the basis of data mining techniques and clustering. These approaches permit the educational institution to decide and evaluate the classification rule to determine and recruit the best teacher based on knowledge by using cloud database which is a challenging task. The proposed technique provides secured cloud computing details regarding teacher’s recruitment, privacy of user’s input query, selecting the best teacher and hides the access patterns on cloud. The proposed idea is computed by extracting the data and proves that it provides better accuracy for selecting the best teachers and also improves the speed and constancy of recruitment application. The teacher’s recruitment is used in evaluating the ranks based on performance so that, the institution takes a better decision for recruitment.


15.

Mobile cloud computing (MCC) is a new technology that brings cloud computing and mobile networks together. It enhances the quality of service delivered to mobile clients, network operators, and cloud providers. Security in MCC technology, particularly authentication during the handover process, is a big challenge. Current vertical handover authentication protocols encounter different problems such as undesirable delays in real-time applications, the man-in-the-middle attack, and the replay attack. In this paper, a new authentication protocol for heterogeneous IEEE 802.11/LTE-A mobile cloud networks is proposed. The proposed protocol is mainly based on the view of the 3GPP access network discovery and selection function, which uses the capacities given by the interconnection of the IEEE 802.11 and the 3GPP long term evolution-advanced (LTE-A) standards. A prediction scheme, with no additional load over the network or the user, is utilized to handle cloud computing issues arising during authentication in the handover process. The proposed handover authentication protocol outperformed existing protocols in terms of key confidentiality, powerful security, and efficiency which was used to reduce bandwidth consumption.


16.
The mobile cloud computing (MCC) has enriched the quality of services that the clients access from remote cloud‐based servers. The growth in the number of wireless users for MCC has further augmented the requirement for a robust and efficient authenticated key agreement mechanism. Formerly, the users would access cloud services from various cloud‐based service providers and authenticate one another only after communicating with the trusted third party (TTP). This requirement for the clients to access the TTP during each mutual authentication session, in earlier schemes, contributes to the redundant latency overheads for the protocol. Recently, Tsai et al have presented a bilinear pairing based multi‐server authentication (MSA) protocol, to bypass the TTP, at least during mutual authentication. The scheme construction works fine, as far as the elimination of TTP involvement for authentication has been concerned. However, Tsai et al scheme has been found vulnerable to server spoofing attack and desynchronization attack, and lacks smart card‐based user verification, which renders the protocol inapt for practical implementation in different access networks. Hence, we have proposed an improved model designed with bilinear pairing operations, countering the identified threats as posed to Tsai scheme. Additionally, the proposed scheme is backed up by performance evaluation and formal security analysis.

17.
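A trust model for cloud computing based on double-layer incentives and deception detection   Total citations: 2, self-citations: 0, citations by others: 2
To address the trust problems in cloud computing environments, this paper proposes a trust model based on double-layer incentives and deception detection (CCIDTM). The model proposes a set of evaluation indicators for cloud computing service attributes, introduces a dynamic trust mechanism in which trust decays over time, establishes a double-layer incentive mechanism covering both the service behavior of service providers and the rating behavior of users, and proposes a collusion deception detection algorithm, improving the model's dynamic adaptability and the comprehensiveness of its evaluation. Experimental results show that, compared with existing trust models, the model's evaluation results are closer to the real service behavior of service providers, and that it effectively resists attacks by various malicious behaviors and shows good robustness.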

18.
杨金花 《电子设计工程》2012,20(15):86-88,93
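Cloud computing involves traditional computer and network technologies such as distributed processing, parallel processing and grid computing, network storage, virtualization, and load balancing. Starting from the architecture and services of cloud computing, this paper examines the key technologies, such as encryption algorithms and virtualization, used to implement access control management, data management, and virtualization functions in cloud computing, uses computer and network knowledge to analyze the problems with these technologies, and proposes directions for improvement.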

19.
Cloud data sharing service, which allows a group of people to access and modify the shared data, is one of the most popular and efficient working styles in enterprises. Recently, there is an uprising trend that enterprises tend to move their IT service from local to cloud to ease the management and reduce the cost. Under the new cloud environment, the cloud users require the data integrity verification to inspect the data service at the cloud side. Several recent studies have focused on this application scenario. In these studies, each user within a group is required to sign a data block created or modified by him. While a user is revoked, all the data previously signed by him should be resigned. In the existing research, the resigning process is dependent on the revoked user. However, cloud users are autonomous. They may exit the system at any time without notifying the system admin and even are revoked due to misbehaviors. As the developers in the cloud-based software development platform, they are voluntary and not strictly controlled by the system. Due to this feature, cloud users may not always follow the cloud service protocol. They may not participate in generating the resigning key and may even expose their secret keys after being revoked. If the signature is not resigned in time, the subsequent verification will be affected. And if the secret key is exposed, the shared data will be maliciously modified by the attacker who grasps the key. Therefore, forcing a revoked user to participate in the revocation process will lead to efficiency and security problems. As a result, designing a practical and efficient integrity verification scheme that supports this scenario is highly desirable. In this paper, we identify this challenging problem as the asynchronous revocation, in which the revocation operations (i.e., re-signing key generation and resigning process) and the user's revocation are asynchronous. 
All the revocation operations must be able to be performed without the participation of the revoked user. Even more ambitiously, the revocation process should not rely on any special entity, such as the data owner or a trusted agency. To address this problem, we propose a novel public data integrity verification mechanism in which the data blocks signed by the revoked user will be resigned by another valid user. From the perspectives of security and practicality, the revoked user does not participate in the resigning process and the re-signing key generation. Our scheme allows anyone in the cloud computing system to act as the verifier to publicly and efficiently verify the integrity of the shared data using Homomorphic Verifiable Tags (HVTs). Moreover, the proposed scheme resists the collusion attack between the cloud server and the malicious revoked users. The numerical analysis and experimental results further validate the high efficiency and scalability of the proposed scheme. The experimental results manifest that re-signing 10,000 data blocks only takes 3.815 s and a user can finish the verification in 300 ms with a 99% error detection probability.

20.

Cloud computing is one of the distributed resource-sharing technologies that offers resources on a pay-as-you-use basis. Platform as a Service, Infrastructure as a Service, and Software as a Service are services provided by the Cloud. Each end user's Quality of Service must be ensured by the cloud service provider. In recent days, cloud utilization is rapidly increasing. To avoid congestion and to preserve the Service Level Agreement, the large workload must be balanced across the network. In this research work, a new load balancing approach is proposed for the dynamic resource allocation process to improve stability and to increase profit. The PBMM algorithm is devised for an effective load balancing process through which resource scheduling is performed. Task size and the bidding value coded by each customer are taken into account. To optimize the waiting time, resource tables and task tables are employed. The average waiting time and response time of the special users are minimized. The simulation results show that the proposed load balancing technique ensures the maximum profit and it enhances load balancing stability by increasing the number of special users.

