10 research outputs found

    How Do You Secure an Environment Without a Perimeter? Using Emerging Technology Processes to Support Information Security Efforts in an Agile Data Center

    Cloud computing has transformed businesses, enabling agile and cost-effective IT infrastructure. The critical problem is that these new opportunities resulted in a co-mingled architecture which is difficult to secure. Based on interviews with boards of directors and executive leadership teams facing these new environments, our research question was: How do we secure increasingly dynamic architecture in an environment without a perimeter? The research involved an in-depth exploration of this problem using a survey instrument and interviews with 204 executives from 80 companies throughout 2014. From this work we developed an information security framework for executives in this new environment

    Intrusion detection and prevention of web service attacks for software as a service:Fuzzy association rules vs fuzzy associative patterns

    Cloud computing inherits all the security vulnerabilities of systems, networks and Web Services, in particular for software as a service (SaaS), where business applications or services are provided over the Cloud as Web Services (WS). Hence, WS-based applications must be protected against loss of integrity, confidentiality and availability when they are deployed to the Cloud environment. Many existing IDP systems address only attacks occurring mostly at the PaaS and IaaS levels. In this paper, we present our fuzzy association rule-based (FAR) and fuzzy associative pattern-based (FAP) intrusion detection and prevention (IDP) systems for defending against WS attacks at the SaaS level. Our experimental results have validated the capabilities of these two IDP systems in terms of detection of known attacks and prediction of new-variant attacks with accuracy close to 100%. For each transaction transacted over the Cloud platform, detection, prevention or prediction is carried out in less than five seconds. For load and volume testing on the SaaS where the system is under stress (at a workload of 5000 concurrent users submitting normal, suspicious and malicious transactions over a time interval of 300 seconds), the FAR IDP system provides close to 95% service availability to normal transactions. Future work involves determining more quality attributes besides service availability, such as latency, throughput and accountability, for a more trustworthy SaaS

    Hosting critical infrastructure services in the cloud environment considerations

    Critical infrastructure technology vendors will inevitably take advantage of the benefits offered by the cloud computing paradigm. While this may offer improved performance and scalability, the associated security threats impede this progression. Hosting critical infrastructure services in the cloud environment may seem inane to some, but remote access to the control system over the internet is already commonplace, and this shares the same characteristics as cloud computing, i.e., on-demand access and resource pooling. There is a wealth of data used within critical infrastructure, and there needs to be assurance that the confidentiality, integrity and availability of this data are preserved. Authenticity and non-repudiation are also important security requirements for critical infrastructure systems. This paper provides an overview of the relationship between critical infrastructure and cloud computing, whilst detailing security concerns and existing protection methods. Discussion on the direction of the area is presented, as is a survey of current protection methods and their weaknesses. Finally, we present our observations and our current research into hosting critical infrastructure services in the cloud environment, and the considerations for detecting cloud attacks. © 2015 Inderscience Enterprises Ltd

    Detecting and mitigating HX-DoS attacks against cloud web services

    Cyber-Physical Systems allow the cyber and physical worlds to interact using a central service called Cloud Web Services. Cloud Web Services can sit well within the three models of Cyber-Physical Systems: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). When any Cyber-Physical System uses Cloud Web Services, it inherits a security problem, the HX-DoS attack. An HX-DoS attack is a combination of HTTP and XML messages that are intentionally sent to flood and destroy the communication channel of the cloud service provider. The relevance of this research is that TCP/IP flood attacks are a common problem and much research on mitigating them has already been published, but the HTTP denial-of-service and XML denial-of-service problem has only been addressed in a few papers. In this paper, we get closer to closing this gap with our new defence system called Pre-Decision, Advance Decision, Learning System (ENDER). In our previous experiments using our Cloud Protector, we were successful at detecting and mitigating 91% of HX-DoS attack traffic with a 9% false positive rate. In this paper, ENDER was able to improve upon this result by being trained and tested on the same data, achieving 99% detection and 1% false positives

    Déni-de-service: Implémentation d'attaques XML-DOS et évaluation des défenses dans l'infonuagique

    SUMMARY Cloud computing is a computing paradigm whose popularity and uses have only grown in recent years. It owes its success to its great adaptability and scalability, as well as to its ease of use. Its purpose is to let an individual or a company use computing resources that they do not physically own, relying on already known and proven techniques such as virtualization and web services. Several cloud computing models exist, depending on the functionality sought. For example, uploading a file to Dropbox and sharing and accessing it from any terminal, and running an extremely resource-hungry application on a machine rented for the duration of the run, are two examples of cloud computing use. The cloud model determines what share of the resources is managed by the user as opposed to the provider. In the Dropbox case, the user need not worry about the resources allocated to their request, which operating system served it, or how the database is managed, whereas in the other case all of these parameters will probably come into play and fall to the user. A cloud network can just as well be a public network accessible to anyone for a fee as a private network built and used only by a company for its own needs. The considerable appeal of cloud computing, for individuals and businesses alike, by that very fact increases the security risks of these networks, which become a prime target for attackers.
This increased risk, combined with the trust the user must place in the provider to manage and protect their data, explains why many are still reluctant to use cloud computing, whether over confidentiality concerns for a company or privacy concerns for an individual. The diversity of the technologies used implies a wide variety of possible attacks. In particular, cloud networks suffer from the same vulnerabilities as conventional networks, but also from security flaws tied to the use of virtual machines. These threats, however, are on the whole well known, and most of the time countermeasures are in place. That is not the case for the vulnerabilities tied to web services, which cloud computing uses extensively. Cloud networks aim to be accessible from anywhere and from any device, which necessarily means using web services. Yet web servers are extremely vulnerable to XML-DoS attacks, which exploit SOAP (Simple Object Access Protocol) requests carrying a malicious XML message. These attacks aim to consume a very large share, if not all, of the CPU and memory of the machine hosting the victim web server, making it unavailable to legitimate users, which is precisely the goal of a denial-of-service attack. These attacks are extremely interesting from two points of view. First, they are very hard to detect, because the user behind them is perceived as legitimate (the attack operates at the application layer, so it cannot be detected at the TCP/IP layer).
Second, they present a marked asymmetry between the resources the attacker needs to mount the attack and the resources needed to process the request: a malformed SOAP request, however basic, can already demand considerable resources from the victim web server. Since this type of attack has received little study despite its effectiveness and the ubiquity of web services in cloud computing, we set out to demonstrate and quantify the impact these attacks can have in a cloud setting, and then to propose possible defenses against them. We judged it more appropriate to use simulation tools for this work, for several reasons, notably the ability to track precisely how the resources of the various servers in the network evolve, and the greater freedom it left us to build our own topology. Our first contribution is to highlight the vulnerable equipment in a cloud network and the different ways to attack it, as well as the different types of XML-DoS attacks. This analysis enabled our second contribution, which consists in using and substantially modifying a cloud simulator (the GreenCloud simulator, based on the NS2 simulator) to make it suitable for studying XML-DoS attacks and more realistic. With these changes in place, we show the effectiveness of XML-DoS attacks and their repercussions on legitimate users. We also carry out a critical comparison of the main defenses against XML-DoS attacks and against web service attacks in general, and select the one that seems most relevant, in order to test it in simulation and measure its effectiveness.
This effectiveness must be demonstrated both in terms of the ability to thwart the attack mounted in the previous step and in terms of precision, measured as false positives and false negatives. One of the major challenges is indeed to reconcile a defense meant to be universal for all machines in the network with the ability to adapt to the great heterogeneity of the web services that coexist within a cloud network. These experiments then give rise to discussion and conclusions on the stance to adopt toward XML-DoS attacks in cloud networks, in particular the defenses to adopt and the practices to follow, the defense chosen in the previous step having shown some limitations. We started from the hypothesis that every cloud computing model could be affected by this type of attack, albeit in different ways. Whatever the model, it may rely on web services and is therefore vulnerable one way or another, whether through a web server handling all incoming user requests or a web server that a user has installed on a virtual machine rented from the provider. We also judged it essential to introduce the specifics of virtual machine use, such as competition for resources between virtual machines located on the same physical machine.----------ABSTRACT Cloud Computing is a computing paradigm that has emerged in the past few years as a very promising way of using highly scalable and adaptable computing resources, as well as accessing them from anywhere in the world and from any terminal (mobile phone, tablet, laptop...). It allows companies or individuals to use computing infrastructures without having to physically own them, and without the burden of maintenance, installations, or updates.
To achieve that, Cloud Computing uses already known and tested technologies such as virtualization and web services. Several Cloud Computing models exist, divided by how much of the infrastructure the user is in charge of, ranging from nothing at all (the provider is in charge of everything, from the operating system to the applications installed) to managing a whole virtual machine without even an operating system preinstalled. For instance, sharing and accessing a document on Dropbox, or running a resource-intensive application on a rented machine, are both examples of what can be done with Cloud Computing. In the case of Dropbox, the user does not care what resources are allocated for his requests, any more than he needs to know on what operating system the request was run or how the database was accessed. But all those aspects will be part of what the user has to know and adjust in the second case. A Cloud Computing network can be public, as is the case for Amazon, which allows you to access its resources if you pay for it, or private, if a company decides to build a cluster for its own needs. The strong appeal of Cloud Computing, for both businesses and individuals, dramatically increases the security risks, because it becomes a key target for attackers. This increased risk, added to the confidence the users must have in their service provider when it comes to managing and protecting their data, may explain why many are still reluctant to take the leap to Cloud Computing. For instance, a company may be reluctant for confidentiality reasons, while individuals may hesitate for privacy concerns. The broad range of technologies used in Cloud Computing puts it at risk of a wide variety of attacks, since it already comes with all the vulnerabilities associated with any conventional network, and all the security breaches that affect virtual machines. However, those threats are usually well documented and easily prevented.
But this is not the case for the vulnerabilities that come from the use of web services, which are heavily used in Cloud Computing. Cloud Computing networks aim at being accessible from all over the world and on almost any device, and that implies using web services. Yet web services are extremely vulnerable to the XML-DoS type of attack. Those attacks take advantage of Simple Object Access Protocol (SOAP) requests carrying malicious XML content. Such requests can easily deplete a web server of its resources, be it CPU or memory, making it unavailable to legitimate users; this is exactly the goal of a denial-of-service attack. XML-DoS attacks are extremely interesting in two ways. First, they are very hard to detect, since the attack takes place at the application layer, so the user appears to be legitimate (it is impossible to detect it at the TCP/IP layer). Second, the resources needed to mount the attack are very low compared to what is needed on the web server side to process even a basic but malformed request. This type of attack has surprisingly been left aside, despite its efficiency and the omnipresence of web services in Cloud Computing networks. This is the reason why we decided to prove and quantify the impact such attacks can have on Cloud Computing networks, and later propose possible solutions and defenses. We estimated that using a simulated environment was the best option for various reasons, such as the possibility to monitor the resources of all the servers in the network, and the greater freedom we had to build our own topology. Our first contribution is to identify the vulnerable equipment in a Cloud Computing network and the various ways to attack it, as well as the various forms an XML-DoS attack can take. Our second contribution is then to use, modify and improve a Cloud Computing simulator (the GreenCloud simulator, based on NS2), in order to make the study of XML-DoS attacks possible.
Once the changes are made, we show the efficiency of XML-DoS attacks and the impact they have on legitimate users. In addition, we compare the main existing defenses against XML-DoS attacks and web service attacks in general, and pick the one that seems best suited to protect Cloud Computing networks. We then put this defense to the test in our simulator to evaluate its efficiency. This evaluation must take into consideration not only the ability to mitigate the attack we led in the previous step, but also the number of false positives and false negatives. One of the major challenges is to have a defense that reconciles the ability to protect all the machines in the network with the ability to adapt to the great heterogeneity of the various web services hosted at the same time in a Cloud Computing network. These experiments are then the subject of discussion and conclusions on the decisions to take when it comes to XML-DoS attacks, in particular what defenses should be adopted and what practices should be followed, because the evaluation of the defense in the previous step shows that it may not be the optimal solution; this is our final contribution. We made the assumption that all Cloud Computing models could be the target of an XML-DoS attack in some way. No matter the model, it can use web services and is then vulnerable to those attacks, whether it is a web server handling incoming requests for all users, or a web server a user installed on the virtual machine he rents. We thought it was essential to take into consideration the specificities of virtual machines, such as the contention for resources when they are located on the same physical machine
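The asymmetry the abstract describes comes from the parser rather than the network: a DOM-style XML parser allocates a node for every element in the request before the application ever sees it, so a few kilobytes of deeply nested tags can cost the server far more CPU and memory than they cost the attacker to send. Deep nesting is one of the forms an XML-DoS payload can take. As an added example, not code from the thesis or from the GreenCloud simulator, the Python below streams a SOAP body through a pull parser and rejects it before a full tree is built; the byte, depth and element limits and the four sample envelopes are constructed for illustration and should be tuned to the largest legitimate message a real service accepts.

```python
"""Pre-parse guard for SOAP/XML request bodies.

Added example (not from the thesis). The limits below are illustrative
assumptions; tune them to the largest legitimate message your service accepts.
"""
import xml.etree.ElementTree as ET
from io import BytesIO

MAX_BYTES = 64 * 1024      # hard cap on the raw body, checked before parsing
MAX_DEPTH = 32             # SOAP envelopes are shallow; deep trees are suspect
MAX_ELEMENTS = 10_000      # bounds the number of nodes ever allocated


class XmlDosRejected(ValueError):
    """Raised when a body trips one of the limits or is not well-formed."""


def check_xml_request(body: bytes,
                      max_bytes: int = MAX_BYTES,
                      max_depth: int = MAX_DEPTH,
                      max_elements: int = MAX_ELEMENTS) -> dict:
    """Walk the document with a streaming parser, counting nesting depth and
    element count, and abort as soon as a limit is exceeded. Because the
    check runs on start/end events and frees finished subtrees, memory use
    is bounded by the limits rather than by the attacker's input.
    Returns the observed statistics for an accepted body."""
    if len(body) > max_bytes:
        raise XmlDosRejected(f"body of {len(body)} bytes exceeds {max_bytes}")
    depth = max_seen = elements = 0
    try:
        for event, elem in ET.iterparse(BytesIO(body), events=("start", "end")):
            if event == "start":
                depth += 1
                elements += 1
                max_seen = max(max_seen, depth)
                if depth > max_depth:
                    raise XmlDosRejected(f"nesting depth exceeds {max_depth}")
                if elements > max_elements:
                    raise XmlDosRejected(f"element count exceeds {max_elements}")
            else:
                depth -= 1
                elem.clear()   # release the subtree we have already counted
    except ET.ParseError as exc:
        raise XmlDosRejected(f"malformed XML: {exc}") from exc
    return {"bytes": len(body), "max_depth": max_seen, "elements": elements}


def classify(body: bytes) -> str:
    """Convenience wrapper returning 'accepted' or 'rejected: <reason>'."""
    try:
        check_xml_request(body)
        return "accepted"
    except XmlDosRejected as exc:
        return f"rejected: {exc}"


# --- constructed sample requests (not captured traffic) ---------------------
def soap_envelope(payload_xml: str) -> bytes:
    return (
        '<?xml version="1.0"?>'
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        f"<soap:Body>{payload_xml}</soap:Body></soap:Envelope>"
    ).encode()


LEGIT = soap_envelope("<getQuote><symbol>ABC</symbol></getQuote>")
# Deep nesting: 7 bytes per level to produce, one node per level to expand in
# a DOM parser; it stays under MAX_BYTES so the depth limit is what catches it.
DEEP = soap_envelope("<a>" * 5000 + "x" + "</a>" * 5000)
# Oversized payload: caught by the byte cap before the parser ever runs.
OVERSIZED = soap_envelope("<blob>" + "x" * (2 * MAX_BYTES) + "</blob>")
# Malformed body: must also be rejected rather than handed to the application.
MALFORMED = soap_envelope("<unclosed>")

if __name__ == "__main__":
    for name, body in [("legit", LEGIT), ("deep", DEEP),
                       ("oversized", OVERSIZED), ("malformed", MALFORMED)]:
        print(f"{name:>9}: {classify(body)}")
```

The size check runs on the raw bytes so an oversized body never reaches the parser, and the depth and element counters run on parser events so a small but pathological body is cut off at the first limit it crosses instead of after the tree has been built. A guard like this belongs in front of the SOAP stack, on the same host or on the reverse proxy, because once the request has been fully parsed the damage the abstract describes has already been done.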

    Collaborative Intrusion Detection in Federated Cloud Environments using Dempster-Shafer Theory of Evidence

    Moving services to the Cloud environment is a trend that has been increasing in recent years, with a constant increase in the sophistication and complexity of such services. Today, even critical infrastructure operators are considering moving their services and data to the Cloud. As Cloud computing grows in popularity, new models are deployed to further the associated benefits. Federated Clouds are one such concept, and are an alternative for companies reluctant to move their data out of house to a Cloud Service Provider (CSP) due to security and confidentiality concerns. Lack of collaboration among different components within a Cloud federation, or among CSPs, for detection or prevention of attacks is an issue. For protecting these services and data, as Cloud environments and Cloud federations are large scale, it is essential that any potential solution scale alongside the environment and adapt to the underlying infrastructure without issues or performance implications. This thesis presents a novel architecture for collaborative intrusion detection specifically for CSPs within a Cloud federation. Our approach offers a proactive model for Cloud intrusion detection based on the distribution of responsibilities, whereby the responsibility for managing the elements of the Cloud is distributed among several monitoring nodes and brokering, utilising our service-based collaborative intrusion detection, "Security as a Service", methodology. For collaborative intrusion detection, the Dempster-Shafer (D-S) theory of evidence is applied, executing as a fusion node with the role of collecting and fusing the information provided by the monitoring entities and taking the final decision regarding a possible attack. This type of detection and prevention helps increase resilience to attacks in the Cloud.
The main novel contribution of this project is that it provides the means by which DDoS attacks are detected within a Cloud federation, so as to enable an early, propagated response to block the attack. This inter-domain cooperation will offer holistic security and add to defence in depth. However, while the utilisation of D-S seems promising, there is an issue regarding conflicting evidence, which is addressed with an extended two-stage D-S fusion process. The evidence from the research strongly suggests that fusion algorithms can play a key role in autonomous decision-making schemes; however, our experimentation highlights areas in which improvements are needed before fully applying them to federated environments
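The fusion step described above rests on Dempster's rule of combination: each monitoring node reports a mass assignment over subsets of the frame of discernment, the fusion node multiplies the assignments pairwise, the mass that lands on contradictory subsets is the conflict K, and the remainder is renormalised by 1 - K. That renormalisation is exactly what makes conflicting evidence a problem, because two monitors that flatly disagree still produce a confident-looking fused result. As an added example, not the thesis's code and not its two-stage extension, the Python below implements the rule for a two-hypothesis frame {attack, normal}, exposes K alongside the fused masses, and uses K to withhold a verdict when the monitors disagree; the monitor reports and the thresholds are constructed for illustration.

```python
"""Dempster-Shafer evidence fusion for collaborative intrusion detection.

Added example (not from the thesis). The frame, the monitor reports and the
thresholds are constructed assumptions for illustration.
"""
from itertools import product
from typing import Dict, FrozenSet, Iterable, Tuple

Hypothesis = FrozenSet[str]
Mass = Dict[Hypothesis, float]

ATTACK = frozenset({"attack"})
NORMAL = frozenset({"normal"})
THETA = ATTACK | NORMAL        # frame of discernment; mass here means "don't know"


def combine(m1: Mass, m2: Mass) -> Tuple[Mass, float]:
    """Dempster's rule: m(X) = (1/(1-K)) * sum_{Y∩Z=X} m1(Y) m2(Z), where
    K = sum_{Y∩Z=∅} m1(Y) m2(Z) is the mass the two sources assign to
    mutually exclusive hypotheses. Returns the fused masses and K."""
    fused: Mass = {}
    conflict = 0.0
    for (y, my), (z, mz) in product(m1.items(), m2.items()):
        x = y & z
        if x:
            fused[x] = fused.get(x, 0.0) + my * mz
        else:
            conflict += my * mz
    if conflict >= 1.0:
        raise ValueError("sources are in total conflict; Dempster's rule is undefined")
    return {x: v / (1.0 - conflict) for x, v in fused.items()}, conflict


def fuse(reports: Iterable[Mass]) -> Tuple[Mass, float]:
    """Fold the rule over all monitoring nodes; the rule is associative and
    commutative, so order does not matter. Also returns the largest pairwise
    conflict met along the way, which renormalisation would otherwise hide."""
    reports = list(reports)
    fused, worst = reports[0], 0.0
    for m in reports[1:]:
        fused, k = combine(fused, m)
        worst = max(worst, k)
    return fused, worst


def belief(m: Mass, h: Hypothesis) -> float:
    """Bel(h): mass committed to h or to any subset of h (lower bound)."""
    return sum(v for x, v in m.items() if x <= h)


def plausibility(m: Mass, h: Hypothesis) -> float:
    """Pl(h): mass that does not contradict h (upper bound)."""
    return sum(v for x, v in m.items() if x & h)


def decide(reports: Iterable[Mass], threshold: float = 0.5,
           max_conflict: float = 0.5) -> str:
    """Fusion-node verdict. A high K means the monitors disagree; instead of
    letting renormalisation manufacture confidence, the verdict is withheld."""
    fused, k = fuse(reports)
    if k > max_conflict:
        return "undecided"
    return "attack" if belief(fused, ATTACK) > threshold else "normal"


# --- constructed monitor reports --------------------------------------------
# Network monitor: sees a traffic spike, fairly confident, rest is uncertainty.
NET = {ATTACK: 0.6, THETA: 0.4}
# Host monitor: moderate attack evidence plus some evidence of ordinary load.
HOST = {ATTACK: 0.5, NORMAL: 0.2, THETA: 0.3}
# A monitor that flatly contradicts the network monitor.
CONTRA = {NORMAL: 0.9, THETA: 0.1}

if __name__ == "__main__":
    m, k = combine(NET, HOST)
    print(f"K={k:.2f}  Bel(attack)={belief(m, ATTACK):.3f}  "
          f"Pl(attack)={plausibility(m, ATTACK):.3f}")
    print("verdict:", decide([NET, HOST]))
    print("verdict with contradicting monitor:", decide([NET, CONTRA]))
```

With the two agreeing monitors the conflict is 0.6 × 0.2 = 0.12, and the fused belief in an attack rises to 0.68 / 0.88 ≈ 0.77, higher than either monitor alone reported, which is the reinforcement that makes fusion attractive. With the contradicting monitor the conflict jumps to 0.54: the rule would still renormalise and return masses that sum to one, but the fusion node refuses to decide, which is the situation the thesis's two-stage process is designed to handle rather than mask.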

    Theoretical and Applied Foundations for Intrusion Detection in Single and Federated Clouds

    Cloud computing systems are becoming ever more complex, dynamic and heterogeneous. Such an environment often produces complex and noisy data that prevents intrusion detection systems (IDS) from detecting variants of known attacks. A single intrusion or attack in such a heterogeneous system can appear in different forms that are logically, but not synthetically, similar. Traditional IDSs are unable to identify these attacks because they are designed for specific and limited infrastructures. Consequently, accurate detection in the cloud is severely undermined. Beyond the cloud problem itself, cyber-attacks are becoming more sophisticated and harder to detect. It is therefore extremely difficult for a single cloud IDS to detect every attack, given its limited and insufficient knowledge of attacks and their implications. The shortcoming of current cloud IDS solutions is that they do not take into account the dynamic and heterogeneous aspects of the cloud. Moreover, they rely fundamentally on local knowledge and experience to identify attacks and known patterns. This leaves the cloud vulnerable to "zero-day" attacks. To that end, this thesis addresses two challenges associated with cloud IDS: detecting cyber-attacks in complex, dynamic and heterogeneous environments, and detecting cyber-attacks with limited and/or incomplete information about intrusions and their consequences. In this thesis we are interested in generic cloud IDSs that identify intrusions independently of the infrastructure in use.
Consequently, whenever an attack is suspected, the intrusion detection system must be able to recognize all variants of that attack, whatever the infrastructure in use. Furthermore, cloud IDSs cooperate and exchange information so that each benefits from the others' expertise in identifying unknown attack patterns.----------ABSTRACT: Cloud Computing systems are becoming more and more complex, dynamic and heterogeneous. Such an environment frequently produces complex and noisy data that make Intrusion Detection Systems (IDSs) unable to detect unknown variants of known attacks. A single intrusion or an attack in such a heterogeneous system could take various forms that are logically but not synthetically similar. This, in turn, makes traditional IDSs unable to identify these attacks, since they are designed for specific and limited infrastructures. Therefore, the accuracy of detection in the cloud will be very negatively affected. In addition to the problem of the cloud computing environment, cyber attacks are getting more sophisticated and harder to detect. Thus, it is becoming increasingly difficult for a single cloud-based IDS to detect all attacks, because of limited and incomplete knowledge about attacks and their implications. The problem of the existing cloud-based IDS solutions is that they overlook the dynamic and changing nature of the cloud. Moreover, they are fundamentally based on local knowledge and experience to perform the classification of attacks and normal patterns. This renders the cloud vulnerable to "Zero-Day" attacks. To this end, we address throughout this thesis two challenges associated with cloud-based IDS: the detection of cyber attacks under complex, dynamic and heterogeneous environments; and the detection of cyber attacks under limited and/or incomplete information about intrusions and their implications.
In this thesis we are interested in allowing cloud-based IDSs to be generic, in order to identify intrusions regardless of the infrastructure used. Therefore, whenever an intrusion has been identified, an IDS should be able to recognize all the different structures of such an attack, regardless of the infrastructure that is being used. Moreover, we are interested in allowing cloud-based IDSs to cooperate and share knowledge with each other, in order to make them benefit from each other's expertise to cover unknown attack patterns. The originality of this thesis lies in two aspects: 1) the design of a generic cloud-based IDS that allows detection in changing and heterogeneous environments, and 2) the design of a multi-cloud cooperative IDS that ensures trustworthiness, fairness and sustainability. By trustworthiness, we mean that the cloud-based IDS should be able to ensure that it will consult, cooperate and share knowledge only with trusted parties (i.e., other cloud-based IDSs). By fairness, we mean that the cloud-based IDS should be able to guarantee that mutual benefits will be achieved by minimising the chance of cooperating with selfish IDSs. This is useful to give IDSs an incentive to participate in the community