TOWARDS AN INCENTIVE COMPATIBLE FRAMEWORK OF SECURE CLOUD COMPUTING

Cloud computing has changed how services are provided and supported through the computing infrastructure. It has the advantages such as flexibility , scalability , compatibility and availability . However, the current architecture design also brings in some troublesome problems, like the balance of cooperation benefits and privacy concerns between the cloud provider and the cloud users, and the balance of cooperation benefits and free-rider concerns between different cloud users. Theses two problems together form the incentive problem in cloud environment. The first conflict lies between the reliance of services and the concerns of secrets of cloud users. To solve it, we proposes a novel architecture, NeuCloud, to enable partially, trusted, transparently, accountably privacy manipulation and revelation. With the help of this architecture, the privacy-sensitive users can be more confident to move to public clouds. A trusted computing base is not enough, in order to stimulate incentive-compatible privacy trading, we present a theoretical framework and provide the guidelines for cloud provider to compensate the cloud user\u27s privacy-risk-aversion. We implement the NeuCloud and evaluate it. Moreover, a improved model of NeuCloud is discussed. The second part of this thesis strives to solve the free-rider problem in cloud environment. For example, the VM-colocation attacks have become serious threats to cloud environment. We propose to construct an incentive-compatible moving-target-defense by periodically migrating VMs, making it much harder for adversaries to locate the target VMs. We developed theories about whether the migration of VMs is worthy and how the optimal migration interval can be determined. To the best of our knowledge, our work is the first effort to develop a formal and quantified model to guide the migration strategy of clouds to improve security. Our analysis shows that our placement based defense can significantly improve the security level of the cloud with acceptable costs. In summary, the main objective of this study is to provide an incentive-compatible to eliminate the cloud user\u27s privacy or cooperative concerns. The proposed methodology can directly be applied in commercial cloud and help this new computing fashion go further in the history. The theoretical part of this work can be extended to other fields where privacy and free-rider concerns exist

Optimizing resource allocation for secure SDN-based virtual network migration

International audienceRecent evolutions in cloud infrastructures allowed service providers to tailor new services for demanding customers. Providing these services confronts the infrastructure providers with costs and constraints considerations. In particular, security constraints are a major concern for today's businesses as the leak of personal information would tarnish their reputation. Recent works provide examples on how an attacker may leverage the infrastructure's weaknesses to steal sensitive information from the users. Specifically, an attacker can leverage maintenance processes inside the infrastructure to conduct an attack. In this paper, we consider the migration of a virtual network as the maintenance process. Then we determine the optimal monitoring resources allocation in this context with a Markov Decision Process. This model takes into account the impact of monitoring the infrastructure, the migration process and finally how the attacker may chose particular targets in the infrastructure. We provide a working prototype implemented in Python

Moving Target Defense for Securing SCADA Communications

In this paper, we introduce a framework for building a secure and private peer to peer communication used in supervisory control and data acquisition networks with a novel Mobile IPv6-based moving target defense strategy. Our approach aids in combating remote cyber-attacks against peer hosts by thwarting any potential attacks at their reconnaissance stage. The IP address of each host is randomly changed at a certain interval creating a moving target to make it difficult for an attacker to find the host. At the same time, the peer host is updated through the use of the binding update procedure (standard Mobile IPv6 protocol). Compared with existing results that can incur significant packet-loss during address rotations, the proposed solution is loss-less. Improving privacy and anonymity for communicating hosts by removing permanent IP addresses from all packets is also one of the major contributions of this paper. Another contribution is preventing black hole attacks and bandwidth depletion DDoS attacks through the use of extra paths between the peer hosts. Recovering the communication after rebooting a host is also a new contribution of this paper. Lab-based simulation results are presented to demonstrate the performance of the method in action, including its overheads. The testbed experiments show zero packet-loss rate during handoff delay

A new secure proxy-based distributed virtual machines management in mobile cloud computing

The mobile cloud computing as an excellent paradigm offers on-demand services, whereas users can be confident once using them. Nevertheless, the existing cloud virtualization systems are not secure enough regarding the mediocre degree of data protection, which avoids individuals and organizations to engage with this technology. Therefore, the security of sensitive data may be affected when mobile users move it out to the cloud exactly during the processing in virtual machines (VMs). Many studies show that sensitive data of legitimate users’ VMs may be the target of malicious users, which lead to violating VMs’ confidentiality and privacy. The current approaches offer various solutions for this security issue. However, they are suffering from many inconveniences such as unauthorized distributed VM access behavior and robust strategies that ensure strong protection of communication of sensitive data among distributed VMs. The purpose of this paper is to present a new security proxy-based approach that contains three policies based on secured hashed DiffieHellman keys for user access control and VM deployment and communication control management in order to defend against three well-known attacks on the mobile cloud environment (co-resident attacks, hypervisor attacks and distributed attacks). The related attacks lead to unauthorized access to sensitive data between different distributed mobile applications while using the cloud as a third party for sharing resources. The proposed approach is illustrated using a healthcare case study. Including the experimental results that show interesting high-efficiency protection and accurate attacks identification