Intrusion Resilient Cloud Services
Cloud Computing is an emerging paradigm that aims at delivering computing, information services, and data storage as a utility service over a network or Internet. There is a strong interest in cloud computing due to their performance and cost reduction, but their rapid deployment will exacerbate the security problem. In addition, cloud computing integrates many technologies including virtualization, Web technologies, utility computing, and distributed data management, each with its own set of vulnerabilities. The adoption and proliferation of cloud computing will be severely impacted if cloud security is not adequately addressed. Traditional approaches to security will not work well in a cloud environment and it is widely believed that we cannot deliver cloud services that are 100% immune against cyber attacks and exploitations.
Software Behavior Encryption
Cloud Computing is emerging as a new paradigm that aims at delivering computing as a utility. For cloud computing to be fully adopted and effectively used it is important that the security mechanisms are robust and resilient to faults and attacks. Securing cloud applications and services is a challenging research problem because it involves many interdependent tasks including vulnerability scanning, application layer firewalls, configuration management, alert monitoring and analysis, source code analysis, and user identity management. Most of these challenges are due to the monoculture of cloud software, dynamic environment where resources and services are constantly changing, and social networking technologies. In this project, we are developing a moving target defence middleware that can provide cloud services that are resilient against anomalous events that might be triggered by malicious attacks and/or faults. The main MTDM capabilities are Software Behaviour Encryption (SBE) and Self-Management (SM). Software Behaviour Encryption employs spatiotemporal behaviour encryption and a moving target defence to make active software components change their implementation variants and resources continuously and consequently evade attackers. This approach will make it extremely difficult for an attack to disrupt the normal operations of an application. Also, the dynamic change in the execution environment will hide the software flaws that would otherwise be exploited by a cyber attacker. Self Management is critical in order to deliver automatic detection and recovery capabilities to enhance the resiliency of software systems and services. To validate our approach, we use a cloud application based on Hadoop MapReduce as a running example to experiment with and evaluate the resiliency of the MTDM services against attacks. We employ N version programming by having three physical machines independently run different version of each task, thus employing spatial diversity. The selection of the task version and its execution environment (type of operating system, programming language, etc.) will be randomized at runtime using the SBE algorithm. Our implementation approach is shown below. The preliminary experimental results show that the cloud application can continue to operate normally in spite of cyberattacks including Denial of Service (DoS) and insider attacks with little overhead and performance degradation in the application performance.
Storage Dynamic Encryption
With the advance of cloud computing technologies, there is a huge demand for computing resources and storage. Many organizations prefer to outsource their storage and other resources. As the data reside on the third parties data centers, security is becoming a major concern. Storage Dynamic Encryption (SDE) addresses the major security issues for cloud storage such as access control confidentiality, integrity, and secure communications. Our resilient approach is based on moving target defense and key hopping techniques. Data is partitioned into a random number of partitions where different keys are used to encrypt each partition. We also show that by using key hopping technique, we can reduce smaller key length that is normally used to improve performance without compromising the security. Our experimental results show that we can improve performance by 50% when we use a key of length 512 when compared with certificate technique that uses key length of 2048.
Quantification of Security and Resilient
A widespread interest in resilient computing cloud system has emerged in the recent past to the recent advancement in complex computational systems. In the past, these systems were designed to be defect-free as to eliminate the vulnerabilities to attackers and chances of failures; however, it is now widely accepted that malicious attacks are unavoidable, and with the ability to penetrate the system. Resilient computing systems should therefore be adaptive in nature with the ability to not only thwart and recover from these attacks but perform to function normally in spite of these attacks. The main objective of this project will focus on developing a model that can not only measure the resilience of a traditional system architecture, but one that will enable us to compare it to evolving system architectures such as IBM's Software Define Environments where integration, automation and optimization workloads are dynamically assigned to IT resources based on application characteristics.
Avinash K Gudagi,
1. G. Dsouza, H. Alipour, S. Hariri, Y. Al-Nashif, and M. Eltoweissy, "Cloud Resilient Architecture," in Proceedings of the 1st IBM Cloud Academy Conference (ICA CON 2012), Research Triangle Park, NC, April 19-20, 2012
4. Hemayamini Kurra, Y. Al-Nashif, S. Hariri, "Resilient Cloud Data Storage Services", Accepted for publication in Proceedings of Cloud and Autonomic Computing Conference , to be held at Miami, Florida, 5-9 August, 2013.
Phone Number: (520) 621-9915 Room 251, ECE Dept. 1230 E. Speedway Tucson, AZ 85721-0104
ACL - © Copyright 2007, Webmaster: Youssif Al-Nashif
All Rights Reserved