Strategies for Intrusion Monitoring in Cloud Services

George R. S. Weir, Andreas Aßmuth
2024-05-03
Abstract: Effective activity and event monitoring is an essential aspect of digital forensic readiness. Techniques for capturing log and other event data are familiar from conventional networked hosts and transfer directly to the Cloud context. In both contexts, a major concern is the risk that monitoring systems may be targeted and impaired by intruders seeking to conceal their illicit presence and activities. We outline an approach to intrusion monitoring that aims (i) to ensure the credibility of log data and (ii) provide a means of data sharing that supports log reconstruction in the event that one or more logging systems is maliciously impaired.
Cryptography and Security; Distributed, Parallel, and Cluster Computing
What problem does this paper attempt to address?
The paper discusses intrusion monitoring strategies in cloud services, aiming to ensure the credibility of log data and to provide a data sharing mechanism that allows logs to be reconstructed in the event of malicious attacks on multiple log systems, so that digital forensics remains possible. The authors point out that although covert monitoring does not immediately prevent security vulnerabilities, it is crucial for establishing auditable data that reveals otherwise unnoticed illegal or abnormal events.

First, the paper introduces the characteristics and service models of cloud services (Software-as-a-Service, Platform-as-a-Service, Infrastructure-as-a-Service), emphasizing that management control is centralized in the hands of Cloud Service Providers (CSPs), who must deal with most of the security issues related to the purchased services.

Next, the paper describes the three stages of an attack (reconnaissance; penetration and escalation; data extraction, attack and covering up), as well as the challenges faced by cloud services.

Then, the paper discusses monitoring strategies, including operating-system-level logging and intrusion detection systems (IDS), and points out that these systems may themselves become targets of attacks. In a cloud environment, each node has its own log daemon, but the central log server may become a target for attackers, so redundant measures are needed, such as using two active log servers supervised by a third server.

The paper proposes a solution that combines Message Authentication Codes (MACs) and secret sharing techniques to ensure the integrity and authenticity of log data. Each event generates a MAC, which is chained with the MAC of the previous event, so even if an attacker tampers with some data, the event sequence can be recovered through the MAC chain. In addition, secret sharing techniques are used to distribute the log information, so that even if some nodes are compromised, the data can be recovered from the remaining nodes.
In conclusion, this paper aims to address how to establish an effective intrusion monitoring system in cloud services to ensure digital forensics can be conducted after a security incident, thereby enhancing the security and recovery capabilities of cloud services.
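To make the two mechanisms summarised above concrete, the following is an added illustration, not code from the paper or its authors: an HMAC-SHA256 chain over log events, a verifier that reports the first entry whose MAC no longer matches, and a Shamir secret-sharing split of a log record across several log nodes so that any threshold subset can rebuild it. The key, the event lines, the chunk size, the prime field and the 3-of-5 threshold are all constructed choices for the demonstration; the paper does not prescribe these parameters.

```python
import hmac
import hashlib
import secrets
from typing import List, Tuple

# Constructed demo key; a real deployment would provision per-node keys securely.
LOG_KEY = b"demo-log-key-not-for-production"
GENESIS = b"\x00" * 32  # value standing in for the "previous MAC" of the first event


def chain_log(key: bytes, events: List[str]) -> List[Tuple[str, str]]:
    """Return (event, mac_hex) pairs; each MAC covers the previous MAC plus the event."""
    prev, entries = GENESIS, []
    for ev in events:
        mac = hmac.new(key, prev + ev.encode(), hashlib.sha256).digest()
        entries.append((ev, mac.hex()))
        prev = mac
    return entries


def verify_chain(key: bytes, entries: List[Tuple[str, str]]) -> int:
    """Return -1 if every link verifies, else the index of the first entry that fails.

    Editing or deleting an entry breaks the link at that position, because the next
    MAC was computed over a value that is no longer present.
    """
    prev = GENESIS
    for i, (ev, mac_hex) in enumerate(entries):
        expected = hmac.new(key, prev + ev.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(mac_hex)):
            return i
        prev = expected
    return -1


# Shamir secret sharing over GF(PRIME); 15-byte chunks always fit below the prime.
PRIME = 2**127 - 1
CHUNK = 15


def _eval_poly(coeffs: List[int], x: int) -> int:
    acc = 0
    for c in reversed(coeffs):  # Horner's rule
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, k: int, n: int) -> List[Tuple[int, int]]:
    """Produce n points on a random degree-(k-1) polynomial whose constant term is the secret."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 from any k distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def share_record(record: bytes, k: int, n: int) -> List[List[Tuple[int, int, int]]]:
    """Split one log record into n node shares (one list per node); any k rebuild it."""
    nodes: List[List[Tuple[int, int, int]]] = [[] for _ in range(n)]
    for off in range(0, len(record), CHUNK):
        chunk = record[off:off + CHUNK]
        for idx, (x, y) in enumerate(split_secret(int.from_bytes(chunk, "big"), k, n)):
            nodes[idx].append((x, y, len(chunk)))  # chunk length lets the last chunk round-trip
    return nodes


def recover_record(node_shares: List[List[Tuple[int, int, int]]]) -> bytes:
    """Rebuild a record from the shares held by a threshold subset of nodes."""
    out = b""
    for chunk_shares in zip(*node_shares):
        length = chunk_shares[0][2]
        value = recover_secret([(x, y) for x, y, _ in chunk_shares])
        out += value.to_bytes(length, "big")
    return out


def demo() -> Tuple[int, int, bool]:
    # Constructed sample events, not real log data.
    events = ["login user=alice src=10.0.0.5", "sudo user=alice cmd=/bin/bash", "logout user=alice"]
    entries = chain_log(LOG_KEY, events)
    intact = verify_chain(LOG_KEY, entries)
    tampered = list(entries)
    tampered[1] = ("sudo user=bob cmd=/bin/bash", tampered[1][1])  # attacker rewrites one event
    first_bad = verify_chain(LOG_KEY, tampered)
    # Distribute the second (event, MAC) record across 5 log nodes with threshold 3,
    # then rebuild it from three surviving nodes after two are assumed compromised.
    record = f"{entries[1][0]}|{entries[1][1]}".encode()
    nodes = share_record(record, k=3, n=5)
    rebuilt = recover_record([nodes[0], nodes[2], nodes[4]])
    return intact, first_bad, rebuilt == record
```

Two caveats follow directly from the code. The chain detects edits and deletions inside the log, but truncating the tail leaves a chain that still verifies, so the most recent MAC must also be held somewhere the intruder cannot reach, for instance among the shares sent to the other nodes. And secret sharing protects availability of the record, not its integrity: a compromised node can hand back a bad share, so the rebuilt record should itself be re-verified against the MAC chain.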