19 research outputs found

    Collaborative Intrusion Detection in Federated Cloud Environments using Dempster-Shafer Theory of Evidence

    Moving services to the Cloud environment is a trend that has been increasing in recent years, with a constant increase in the sophistication and complexity of such services. Today, even critical infrastructure operators are considering moving their services and data to the Cloud. As Cloud computing grows in popularity, new models are deployed to further the associated benefits. Federated Clouds are one such concept, offering an alternative for companies reluctant to move their data out of house to Cloud Service Providers (CSPs) due to security and confidentiality concerns. Lack of collaboration among different components within a Cloud federation, or among CSPs, for the detection or prevention of attacks is an issue. For protecting these services and data, as Cloud environments and Cloud federations are large scale, it is essential that any potential solution scales alongside the environment and adapts to the underlying infrastructure without any issues or performance implications. This thesis presents a novel architecture for collaborative intrusion detection specifically for CSPs within a Cloud federation. Our approach offers a proactive model for Cloud intrusion detection based on the distribution of responsibilities, whereby the responsibility for managing the elements of the Cloud is distributed among several monitoring nodes and brokering, utilising our service-based collaborative intrusion detection – “Security as a Service” methodology. For collaborative intrusion detection, the Dempster-Shafer (D-S) theory of evidence is applied, executing as a fusion node with the role of collecting and fusing the information provided by the monitoring entities and taking the final decision regarding a possible attack. This type of detection and prevention helps increase resilience to attacks in the Cloud.
    The main novel contribution of this project is that it provides the means by which DDoS attacks are detected within a Cloud federation, so as to enable an early propagated response to block the attack. This inter-domain cooperation will offer holistic security and add to the defence in depth. However, while the utilisation of D-S seems promising, there is an issue regarding conflicting evidence, which is addressed with an extended two-stage D-S fusion process. The evidence from the research strongly suggests that fusion algorithms can play a key role in autonomous decision-making schemes; however, our experimentation highlights areas in which improvements are needed before they can be fully applied to federated environments.

    Collaborative Intrusion Detection in Federated Cloud Environments

    Moving services to the Cloud is a trend that has steadily gained popularity over recent years, with a constant increase in the sophistication and complexity of such services. Today, critical infrastructure operators are considering moving their services and data to the Cloud. Infrastructure vendors will inevitably take advantage of the benefits Cloud Computing has to offer. As Cloud Computing grows in popularity, new models are deployed to exploit its full capacity even further, one of which is the deployment of Cloud federations. A Cloud federation is an association among different Cloud Service Providers (CSPs) with the goal of sharing resources and data. In providing a larger-scale and higher-performance infrastructure, federation enables on-demand provisioning of complex services. In this paper we convey our contribution to this area by outlining our proposed methodology for robust collaborative intrusion detection in a federated Cloud environment. For collaborative intrusion detection we use the Dempster-Shafer theory of evidence to fuse the beliefs provided by the monitoring entities, taking the final decision regarding a possible attack. Protecting the federated Cloud against cyber attacks is a vital concern, due to the potential for significant economic consequences.

    An elastic scaling method for cloud security

    Cloud computing is being adopted in critical sectors such as transport, energy and finance. This makes cloud computing services critical in themselves. When cyber attacks and cyber disruptions happen, millions of users are affected. A cyber disruption in this context means a temporary or permanent loss of service, with impact on users of the cloud service who rely on its continuity. Intrusion detection and prevention methods are being developed to protect the sensitive information being stored and the services being deployed. There needs to be an assurance that the confidentiality, integrity and availability of the data and resources are maintained. This paper presents a background to the progression of critical infrastructure and cloud computing, and an overview of the cloud security conundrum. Analysis of existing intrusion detection methods is provided, in addition to our observations and proposed elastic scaling method for cloud security.

    IoT Forensics: Challenges For The IoA Era

    Challenges for IoT-based forensic investigations include the increasing number of objects of forensic interest, the relevance of identified and collected devices, blurry network boundaries, and edgeless networks. As we look ahead to a world of expanding ubiquitous computing, the challenge of forensic processes such as data acquisition (logical and physical) and the extraction and analysis of data grows in this space. Containing an IoT breach is increasingly challenging – evidence is no longer restricted to a PC or mobile device, but can be found in vehicles, RFID cards, and smart devices. Through the combination of cloud-native forensics with client-side forensics (forensics for companion devices), we can study and develop the connection to support practical digital investigations and tackle emerging challenges in digital forensics. With the IoT bringing investigative complexity, the challenges grow further in the Internet of Anything (IoA) era. IoA brings anything and everything “online” in a connectedness that generates an explosion of connected devices, from fridges, cars and drones, to smart swarms, smart grids and intelligent buildings. Research to identify methods for performing IoT-based digital forensic analysis is essential. The long-term goal is the development of digital forensic standards that can be used as part of overall IoT and IoA security and aid IoT-based investigations.

    Distributed attack prevention using Dempster-Shafer theory of evidence

    This paper details a robust collaborative intrusion detection methodology for detecting attacks within a Cloud federation. It is a proactive model in which the responsibility for managing the elements of the Cloud is distributed among several monitoring nodes. Since there is a wide range of elements to manage, complexity grows proportionally with the size of the Cloud, so a suitable communication and monitoring hierarchy is adopted. Our architecture consists of four major entities: the Cloud Broker, the monitoring nodes, the local coordinators (Super Nodes), and the global coordinator (Command and Control server - C2). Utilising monitoring nodes in our architecture enhances performance and response time, while achieving higher accuracy and a broader spectrum of protection. For collaborative intrusion detection, we use the Dempster-Shafer theory of evidence via the role of the Cloud Broker. Dempster-Shafer executes as the main fusion node, with the role of collecting and fusing the information provided by the monitors and taking the final decision regarding a possible attack.

    Discord Server Forensics: Analysis and Extraction of Digital Evidence

    In recent years we can observe that digital forensics is being applied to a variety of domains, as nearly any data can become valuable forensic evidence. The sheer scope of web-based investigations provides a vast amount of information. Due to a rapid increase in the number of cybercrimes, the importance of application-specific forensics is greater than ever. Criminals use applications not only to communicate but also to facilitate crimes. It came to our attention that the gaming chat application Discord is one of them. Discord allows its users to send text messages as well as exchange image, video, and audio files. While Discord’s community is not as large as that of the most popular messaging apps, the stable growth of its userbase and recent incidents indicate that it is used by criminals. This paper presents our research into the digital forensic analysis of Discord client-side artefacts and presents the experimental development of a tool for the extraction, analysis, and presentation of data from the Discord application. The work then proposes a solution in the form of a tool, ‘DiscFor’, that can retrieve information from the application’s local files and cache storage.

    Deep COLA: A Deep COmpetitive Learning Algorithm for Future Home Energy Management Systems

    A smart grid ecosystem requires intelligent Home Energy Management Systems (HEMSs) that allow the adequate monitoring and control of appliance-level energy consumption in a given household. They should be able to: i) profile highly non-stationary and non-linear measurements and ii) correlate such measurements with diverse inputs (e.g. environmental factors) in order to improve the end-user experience, as well as to aid the overall demand-response optimisation process. However, traditional approaches in HEMS lack the ability to capture diverse variations in appliance-level energy consumption due to unpredictable human behaviour and also require high computation to process large datasets. In this paper, we go beyond current profiling schemes by proposing Deep COLA, a novel Deep COmpetitive Learning Algorithm that addresses the limitations of existing work in terms of high-dimensional data and enables more efficient and accurate clustering of appliance-level energy consumption. The proposed approach reduces human intervention by automatically selecting load profiles and models variations and uncertainty in human behaviour during appliance usage. We demonstrate that our proposed scheme is far more computationally efficient and scalable data-wise than three popular conventional clustering approaches, namely K-Means, DBSCAN and SOM, using real household datasets. Moreover, we show that Deep COLA identifies per-household behavioural associations that could aid future HEMSs.

    The Internet of Things: Challenges and considerations for cybercrime investigations and digital forensics

    The Internet of Things (IoT) represents the seamless merging of the real and digital worlds, with new devices created that store and pass around data. Processing large quantities of IoT data will proportionately increase the workloads of data centres, leaving providers facing new security, capacity and analytics challenges. Handling this data conveniently is a critical challenge, as overall application performance is highly dependent on the properties of the data management service. This paper explores the challenges posed by cybercrime investigations and digital forensics concerning the shifting landscape of crime – the IoT and the evident investigative complexity – moving to the Internet of Anything (IoA)/Internet of Everything (IoE) era. IoT forensics requires a multi-faceted approach where evidence may be collected from a variety of sources such as sensor devices, communication devices, fridges, cars and drones, to smart swarms and intelligent buildings.

    Digital Forensic Acquisition and Analysis of Discord Applications

    Digital forensic analyses are being applied to a variety of domains, as the scope and potential of the digital evidence available is vast. The importance of forensic analyses of web-based devices and tools is increasing, coinciding with the rise in online criminal activity. Discord - an application that allows text, image, video, and audio communication using VoIP - has become increasingly popular and is consequently subject to increased use by cybercriminals. While researching Discord servers and forensic artefacts, it is apparent that there is limited literature and experimentation in this domain. This paper presents our research into digital forensic analyses of Discord client-side artefacts and presents DiscFor, a novel tool designed for the extraction, analysis, and presentation of Discord data in a forensically sound manner. DiscFor creates a safe copy of said data, presenting the current cache state and converting data files into a readable format.

    A Secure Fog-based Platform for SCADA-based IoT Critical Infrastructure

    The rapid proliferation of Internet of Things (IoT) devices, such as smart meters and water valves, into industrial critical infrastructures and control systems has put stringent performance and scalability requirements on modern Supervisory Control and Data Acquisition (SCADA) systems. While cloud computing has enabled modern SCADA systems to cope with the increasing amount of data generated by sensors, actuators and control devices, there has recently been growing interest in deploying edge datacenters in fog architectures to secure low latency and enhanced security for mission-critical data. However, fog security and privacy for SCADA-based IoT critical infrastructures remains an under-researched area. To address this challenge, this contribution proposes a novel security “toolbox” to reinforce the integrity, security, and privacy of SCADA-based IoT critical infrastructure at the fog layer. The toolbox incorporates a key feature: a cryptographic access approach to the cloud services using identity-based cryptography and signature schemes at the fog layer. We present the implementation details of a prototype for our proposed Secure Fog-based Platform (SeFoP) and provide performance evaluation results to demonstrate the appropriateness of the proposed platform in a real-world scenario. These results can pave the way towards the development of more secure and trusted SCADA-based IoT critical infrastructure, which is essential to counter cyber threats against next-generation critical infrastructure and industrial control systems. The results from the experiments demonstrate the superior performance of SeFoP, which takes around 2.8 seconds when adding 5 virtual machines (VMs), 3.2 seconds when adding 10 VMs, and 112 seconds when adding 1000 VMs, compared to the Multi-Level user Access Control (MLAC) platform.