Cyber Attacks in Cloud Computing: Modelling Multi-stage Attacks using Probability Density Curves

Full Text (PDF, 770KB), PP.25-36


Author(s)

Aaron Zimba 1,*, Victoria Chama 2

1. Department of Computer Science and Technology, University of Science and Technology Beijing, Beijing 100083, China

2. Department of Computer Science and IT, Mulungushi University, Kabwe 80415, Zambia

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2018.03.04

Received: 27 Oct. 2017 / Revised: 10 Nov. 2017 / Accepted: 17 Nov. 2017 / Published: 8 Mar. 2018

Index Terms

Cloud computing, multi-stage attack, attack path, vulnerability, probability density curves

Abstract

Cyber attacks in cloud computing more often than not tend to exploit vulnerabilities and weaknesses found in the underlying structural components of the cloud. Such vulnerabilities and weaknesses have drawn interest from various attack profiles ranging from script kiddies to APTs. Regardless of the attack profile, cyber attackers have come to leverage the interdependencies exhibited amongst these vulnerabilities by chaining exploits together to effectuate complex interlinked attack paths. Such chaining of vulnerabilities in cloud components results in multi-stage attacks where the attacker traverses different segments of the cloud residing in different layers to reach the target. In this paper, we partition the cloud into three different layers to show how multi-stage attacks on Confidentiality, Integrity and Availability (CIA) interleave with the SaaS, PaaS and IaaS cloud computing service models. Further, we generate multi-stage attack paths based on the vulnerabilities exhibited in the components across the partitioned cloud layers. Furthermore, we model the constituents of multi-stage attack events as discrete Bernoulli random variables to characterize the attack path pursued by a given attack profile. We generate probability density curves of the associated resultant attack paths to infer the nature of the attack and recommend a hierarchical security mitigation process based on the nature of the attack nodes.

Cite This Paper

Aaron Zimba, Victoria Chama, "Cyber Attacks in Cloud Computing: Modelling Multi-stage Attacks using Probability Density Curves", International Journal of Computer Network and Information Security (IJCNIS), Vol.10, No.3, pp.25-36, 2018. DOI: 10.5815/ijcnis.2018.03.04
