Yun Gao,Xiao Fu,Bin Luo

DOI: https://doi.org/10.3969/j.issn.1001-3695.2016.01.001

2016-01-01

Abstract:Cloud users can get a lot of computer resources and storage space at low cost.However,the security risks,such as the spreading of illegal information,sensitive data leakage,data tampering,are still crucial problem in cloud computing envi-ronment.Hence,the forensics of cloud computing crime becomes particular important.Firstly,this paper introduced the con-cept of cloud forensics and listed the technical and legal challenges in could forensics.Then it introduced researches by now in cloud forensics and presented analysis summary on current researches.Finally,it put forward opportunities of cloud forensics.

Mansaf Alam,Shuchi Sethi

DOI: https://doi.org/10.48550/arXiv.1504.03539

2015-04-14

Distributed, Parallel, and Cluster Computing

Abstract:Recent research shows that colluded malware in different VMs sharing a single physical host may use a resource as a channel to leak critical information. Covert channels employ time or storage characteristics to transmit confidential information to attackers leaving no trail.These channels were not meant for communication and hence control mechanisms do not exist. This means these remain undetected by traditional security measures employed in firewalls etc in a network. The comprehensive survey to address the issue highlights that accurate methods for fast detection in cloud are very expensive in terms of storage and processing. The proposed framework builds signature by extracting features which accurately classify the regular from covert traffic in cloud and estimates difference in distribution of data under analysis by means of scores. It then adds context to the signature and finally using machine learning (Support Vector Machines),a model is built and trained for deploying in cloud. The results show that the framework proposed is high in accuracy while being low cost and robust as it is tested after adding noise which is likely to exist in public cloud environments.

Shams Zawoad,Ragib Hasan

DOI: https://doi.org/10.48550/arXiv.1302.6312

2013-02-26

Abstract:In recent years, cloud computing has become popular as a cost-effective and efficient computing paradigm. Unfortunately, today's cloud computing architectures are not designed for security and forensics. To date, very little research has been done to develop the theory and practice of cloud forensics. Many factors complicate forensic investigations in a cloud environment. First, the storage system is no longer local. Therefore, even with a subpoena, law enforcement agents cannot confiscate the suspect's computer and get access to the suspect's files. Second, each cloud server contains files from many users. Hence, it is not feasible to seize servers from a data center without violating the privacy of many other users. Third, even if the data belonging to a particular suspect is identified, separating it from other users' data is difficult. Moreover, other than the cloud provider's word, there is usually no evidence that links a given data file to a particular suspect. For such challenges, clouds cannot be used to store healthcare, business, or national security related data, which require audit and regulatory compliance. In this paper, we systematically examine the cloud forensics problem and explore the challenges and issues in cloud forensics. We then discuss existing research projects and finally, we highlight the open problems and future directions in cloud forensics research area. We posit that our systematic approach towards understanding the nature and challenges of cloud forensics will allow us to examine possible secure solution approaches, leading to increased trust on and adoption of cloud computing, especially in business, healthcare, and national security. This in turn will lead to lower cost and long-term benefit to our society as a whole.

Distributed, Parallel, and Cluster Computing,Cryptography and Security

Jian Zhang,Cheng Gao,Liangyi Gong,Zhaojun Gu,Dapeng Man,Wu Yang,Wenzhen Li

DOI: https://doi.org/10.1007/s11036-019-01503-4

2020-01-08

Mobile Networks and Applications

Abstract:As more and more applications migrate to clouds, the type and amount of malware attack against virtualized environments are increasing, which is a key factor that restricts the widespread deployment and application of cloud platforms. Traditional in-VM-based security software is not effective against malware attacks, as the security software itself becomes the target of malware attacks and can easily be tampered with or even subverted. In this paper, we propose a new malware detection method to improve virtual machine security performance and ensure the security of the entire cloud platform. This paper uses the virtual machine introspection(VMI) combined with the memory forensics analysis(MFA) technology to extract multiple types of dynamic features from the virtual machine memory, the hypervisor layer and the hardware layer. Furthermore, this paper proposes an adaptive feature selection method. By combining three different search strategies, three types of features are compared and analyzed from three aspects: effectiveness, system load and security. By adjusting the weight of each feature, it meets the detection requirements of different malware in the cloud environment as expected. Finally, the detection method improves the detection accuracy and generalization ability of the overall classifier using the AdaBoost ensemble learning method with Voting's combination strategy. The experiment used a large number of real malicious samples, and achieved an accuracy of 0.999 (AUC), with a maximum performance overhead of 5.6%.

computer science, information systems,telecommunications, hardware & architecture

Fei Ye,Yunzhi Zheng,Xiao Fu,Bin Luo,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1002/ett.4178

IF: 3.6

2020-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:Cloud forensics has become increasingly critical in cloud computing security in recent years. A fundamental problem in cloud forensics is how to safely and effectively obtain, preserve, and analyze evidence. With massive cloud forensic systems and tools having been proposed over the years, we identify one challenge that is not adequately addressed in the current literature. The problem is "credibility of cloud evidence"; this is where the evidence collected in the cloud is unreliable due to its multitenancy and the multiple participants in the forensic process. In this paper, we develop a new Cloud Forensics Tamper-Proof Framework (TamForen) for cloud forensics, which can be used in an untrusted and multitenancy cloud environment. This framework relies on the cloud forensics system independent of the daily cloud activities and is implemented based on the Multilayer Compressed Counting Bloom Filter. Unlike existing cloud forensics methods that depend on the support and trust of cloud service providers, TamForen takes into account the untrustworthiness of participants in the forensics process and conducts tamper-proof protection of data in a decentralized way without violating users' privacy. We simulate a cloud forensics environment to evaluate TamForen, and the results show that TamForen is feasible.

Gaofeng Zhang,Xiao Liu,Yun Yang

DOI: https://doi.org/10.1109/tc.2014.2298013

IF: 3.183

2015-05-01

IEEE Transactions on Computers

Abstract:Cloud computing is proposed as an open and promising computing paradigm where customers can deploy and utilize IT services in a pay-as-you-go fashion while saving huge capital investment in their own IT infrastructure. Due to the openness and virtualization, various malicious service providers may exist in these cloud environments, and some of them may record service data from a customer and then collectively deduce the customer's private information without permission. Therefore, from the perspective of cloud customers, it is essential to take certain technical actions to protect their privacy at client side. Noise obfuscation is an effective approach in this regard by utilizing noise data. For instance, noise service requests can be generated and injected into real customer service requests so that malicious service providers would not be able to distinguish which requests are real ones if these requests’ occurrence probabilities are about the same, and consequently related customer privacy can be protected. Currently, existing representative noise generation strategies have not considered possible fluctuations of occurrence probabilities. In this case, the probability fluctuation could not be concealed by existing noise generation strategies, and it is a serious risk for the customer's privacy. To address this probability fluctuation privacy risk, we systematically develop a novel time-series pattern based noise generation strategy for privacy protection on cloud. First, we analyze this privacy risk and present a novel cluster based algorithm to generate time intervals dynamically. Then, based on these time intervals, we investigate corresponding probability fluctuations and propose a novel time-series pattern based forecasting algorithm. Lastly, based on the forecasting algorithm, our novel noise generation strategy can be presented to withstand the probability fluctuation privacy risk. The simulation evaluation demonstrates that our strategy can significantly improve the effectiveness of such cloud privacy protection to withstand the probability fluctuation privacy risk.

engineering, electrical & electronic,computer science, hardware & architecture

Xiaoyu Zhang,Chao Chen,Yi Xie,Xiaofeng Chen,Jun Zhang,Yang Xiang

DOI: https://doi.org/10.1016/j.csi.2022.103672

2023-01-01

Abstract:Deep Neural Network (DNN), one of the most powerful machine learning algorithms, is increasingly leveraged to overcome the bottleneck of effectively exploring and analyzing massive data to boost advanced scientific development. It is not a surprise that cloud computing providers offer the cloud-based DNN as an out-of-the-box service. Though there are some benefits from the cloud-based DNN, the interaction mechanism among two or multiple entities in the cloud inevitably induces new privacy risks. This survey presents the most recent findings of privacy attacks and defenses appeared in cloud-based neural network services. We systematically and thoroughly review privacy attacks and defenses in the pipeline of cloud-based DNN service, i.e., data manipulation, training, and prediction. In particular, a new theory, called cloud-based ML privacy game, is extracted from the recently published literature to provide a deep understanding of state-of-the-art research. Finally, the challenges and future work are presented to help researchers to continue to push forward the competitions between privacy attackers and defenders.

computer science, software engineering, hardware & architecture

Janardhan Kalikiri,Gaurav Varshney,Jaswinder Kour,Tarandeep Singh

2024-06-13

Abstract:In recent years, insider threats and attacks have been increasing in terms of frequency and cost to the corporate business. The utilization of end-to-end encrypted instant messaging applications (WhatsApp, Telegram, VPN) by malicious insiders raised data breach incidents exponentially. The Securities and Exchange Board of India (SEBI) investigated reports on such data leak incidents and reported about twelve companies where earnings data and financial information were leaked using WhatsApp messages. Recent surveys indicate that 60% of data breaches are primarily caused by malicious insider threats. Especially, in the case of the defense environment, information leaks by insiders will jeopardize the countrys national security. Sniffing of network and host-based activities will not work in an insider threat detection environment due to end-to-end encryption. Memory forensics allows access to the messages sent or received over an end-to-end encrypted environment but with a total compromise of the users privacy. In this research, we present a novel solution to detect data leakages by insiders in an organization. Our approach captures the RAM of the insiders device and analyses it for sensitive information leaks from a host system while maintaining the users privacy. Sensitive data leaks are identified with context using a deep learning model. The feasibility and effectiveness of the proposed idea have been demonstrated with the help of a military use case. The proposed architecture can however be used across various use cases with minor modifications.

Cryptography and Security

Yingxin Cheng,Xiao Fu,Xiaojiang Du,Bin Luo,Mohsen Guizani

DOI: https://doi.org/10.1016/j.ins.2016.07.019

IF: 8.1

2016-01-01

Information Sciences

Abstract:The results of memory forensics can not only be used as evidence in court but are also beneficial for analyzing vulnerability and improving security. Thus, memory forensics has been widely used in many fields, including cloud security. Traditional memory forensics, usually an after-the-fact method, is time-consuming and often loses important transient information. Thus, live methods, which investigate memory directly, are presented. However, most of them are kernel based and easy to detect or confuse. Although virtualization technology can overcome these shortages, it must be preinstalled and has high cost. To solve these problems, we propose a lightweight live memory forensic framework based on hardware virtualization. It can build a virtualization environment on-the-fly. The operating system will be migrated to the virtual machine without termination or modifications. Then, the forensic methods can acquire and analyze evidence at the hypervisor level. Two novel forensic methods are proposed to verify the effectiveness of the framework. They focus on acquiring accurate data and system behavior, respectively. The main ideas are guaranteeing data accuracy in multi-view extraction and analyzing memory behavior in a para-synchronous style. Experiments have proved that these methods are able to obtain reliable and integrated evidence at an acceptable cost.

HUI Wen,LIN Chuang,ZHAO Hai-ying,YANG Yang

DOI: https://doi.org/10.3969/j.issn.1002-137X.2011.12.006

2011-01-01

Computer Science

Abstract:Current researches about media forensics face the following key challenges:heterogeneity,scalability,and efficiency.We proposed a new computing paradigm for media forensics,called "Media Forensics Cloud",which integrates the concept of cloud computing to handle large-scale media forensics service effectively.To address the above challenges,first,we presented a layered architecture of Media Forensics Cloud,which can provide efficient and scalable media forensics service.Then we presented the key technologies of Media Forensics Cloud,namely resource virtualization,forensic task parallelization,and service adaptation,by which users can efficiently access media forensics service from different terminals at anytime anywhere.Lastly,we presented a key study of Media Forensics Cloud to demonstrate the feasibility of our design.

Zhan Qin,Jian Weng,Yong Cui,Kui Ren

DOI: https://doi.org/10.1109/mcc.2018.022171667

2018-01-01

IEEE Cloud Computing

Abstract:Millions of private images are generated in various digital devices every day. The consequent massive computational workload makes people turn to cloud computing platforms for their economical computation resources. Meanwhile, the privacy concerns over the sensitive information contained in outsourced image data arise in public. In fact, once uploaded to cloud, the security and privacy of the image content can only presume upon the reliability of the cloud service providers. Lack of assuring security and privacy guarantees becomes the main barrier to further deployment of cloud based image processing systems. This paper studies the design targets and technical challenges lie in constructing cloud-based privacy-preserving image processing system. We explore various image processing tasks, including image feature detection, digital watermarking, content-based image search etc. The state-of-the-art techniques, including secure multiparty computation, and homomorphic encryption are investigated. A detailed taxonomy of the problem statement and the corresponding solutions is provided.

Changnan Jiang,Chunhe Xia,Zhuodong Liu,Tianbo Wang

DOI: https://doi.org/10.3390/e25071053

2023-07-12

Abstract:In traditional centralized Android malware classifiers based on machine learning, the training sample uploaded by users contains sensitive personal information, such as app usage and device security status, which will undermine personal privacy if used directly by the server. Federated-learning-based Android malware classifiers have attracted much attention due to their privacy-preserving and multi-party joint modeling. However, research shows that indirect privacy inferences from curious central servers threaten this framework. We propose a privacy risk evaluation framework, FedDroidMeter, based on normalized mutual information in response to user privacy requirements to measure the privacy risk in FL-based malware classifiers. It captures the essential cause of the disclosure of sensitive information in classifiers, independent of the attack model and capability. We performed numerical assessments using the Androzoo dataset, the baseline FL-based classifiers, the privacy-inferred attack model, and the baseline methodology of privacy evaluation. The experimental results show that FedDroidMeter can measure the privacy risks of the classifiers more effectively. Meanwhile, by comparing different models, FL, and privacy parameter settings, we proved that FedDroidMeter could compare the privacy risk between different use cases equally. Finally, we preliminarily study the law of privacy risk in classifiers. The experimental results emphasize the importance of providing a systematic privacy risk evaluation framework for FL-based malware classifiers and provide experience and a theoretical basis for studying targeted defense methods.

Jianlin Xu,Yifan Yu,Zhen Chen,Bin Cao,Wenyu Dong,Yu Guo,Junwei Cao

DOI: https://doi.org/10.1109/tst.2013.6574680

2013-01-01

Tsinghua Science & Technology

Abstract:With the explosive increase in mobile apps, more and more threats migrate from traditional PC client to mobile device. Compared with traditional Win+Intel alliance in PC, Android+ARM alliance dominates in Mobile Internet, the apps replace the PC client software as the major target of malicious usage. In this paper, to improve the security status of current mobile apps, we propose a methodology to evaluate mobile apps based on cloud computing platform and data mining. We also present a prototype system named MobSafe to identify the mobile app's virulence or benignancy. Compared with traditional method, such as permission pattern based method, MobSafe combines the dynamic and static analysis methods to comprehensively evaluate an Android app. In the implementation, we adopt Android Security Evaluation Framework (ASEF) and Static Android Analysis Framework (SAAF), the two representative dynamic and static analysis methods, to evaluate the Android apps and estimate the total time needed to evaluate all the apps stored in one mobile app market. Based on the real trace from a commercial mobile app market called AppChina, we can collect the statistics of the number of active Android apps, the average number apps installed in one Android device, and the expanding ratio of mobile apps. As mobile app market serves as the main line of defence against mobile malwares, our evaluation results show that it is practical to use cloud computing platform and data mining to verify all stored apps routinely to filter out malware apps from mobile app markets. As the future work, MobSafe can extensively use machine learning to conduct automotive forensic analysis of mobile apps based on the generated multifaceted data in this stage.

Xiaoyu Zhang,Chao Chen,Yi Xie,Xiaofeng Chen,Jun Zhang,Yang Xiang

DOI: https://doi.org/10.48550/arXiv.2105.06300

2021-05-13

Abstract:Deep Neural Network (DNN), one of the most powerful machine learning algorithms, is increasingly leveraged to overcome the bottleneck of effectively exploring and analyzing massive data to boost advanced scientific development. It is not a surprise that cloud computing providers offer the cloud-based DNN as an out-of-the-box service. Though there are some benefits from the cloud-based DNN, the interaction mechanism among two or multiple entities in the cloud inevitably induces new privacy risks. This survey presents the most recent findings of privacy attacks and defenses appeared in cloud-based neural network services. We systematically and thoroughly review privacy attacks and defenses in the pipeline of cloud-based DNN service, i.e., data manipulation, training, and prediction. In particular, a new theory, called cloud-based ML privacy game, is extracted from the recently published literature to provide a deep understanding of state-of-the-art research. Finally, the challenges and future work are presented to help researchers to continue to push forward the competitions between privacy attackers and defenders.

Cryptography and Security,Artificial Intelligence

Josh Payne,Ashish Kundu

DOI: https://doi.org/10.48550/arXiv.1912.12370

2019-12-28

Abstract:In cloud computing environments with many virtual machines, containers, and other systems, an epidemic of malware can be highly threatening to business processes. In this vision paper, we introduce a hierarchical approach to performing malware detection and analysis using several recent advances in machine learning on graphs, hypergraphs, and natural language. We analyze individual systems and their logs, inspecting and understanding their behavior with attentional sequence models. Given a feature representation of each system's logs using this procedure, we construct an attributed network of the cloud with systems and other components as vertices and propose an analysis of malware with inductive graph and hypergraph learning models. With this foundation, we consider the multicloud case, in which multiple clouds with differing privacy requirements cooperate against the spread of malware, proposing the use of federated learning to perform inference and training while preserving privacy. Finally, we discuss several open problems that remain in defending cloud computing environments against malware related to designing robust ecosystems, identifying cloud-specific optimization problems for response strategy, action spaces for malware containment and eradication, and developing priors and transfer learning tasks for machine learning models in this area.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Machine Learning

Yuzhe Chen,Xiao Fu,Bin Luo,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1109/globecom42002.2020.9348005

2020-01-01

Abstract:With the development of cloud computing and wireless networks, cloud storage services are widely used in daily life. People can get access to cloud storage anytime and anywhere. Cloud storage forensics is a computer forensic scenario that currently appears frequently. In this paper, we first briefly introduce the general methods of traditional cloud storage forensics and then introduce forensic investigations that are conducted on three cloud storage services: BaiduNetDisk, 115yun, and WeiYun. The findings of the forensic analysis are presented in detail to help the development of forensics for cloud storage services.

Le-Jun Fan,Yuan-Zhuo Wang,Jing-Yuan Li,Xue-Qi Cheng,Chuang Lin

DOI: https://doi.org/10.1007/s11390-015-1601-7

IF: 1.871

2015-01-01

Journal of Computer Science and Technology

Abstract:Private information leak behavior has been widely discovered in malware and suspicious applications. We refer to such software as privacy leak software (PLS). Nowadays, PLS has become a serious and challenging problem to cyber security. Previous methodologies are of two categories: one focuses on the outbound network traffic of the applications; the other dives into the inside information flow of the applications. We present an abstract model called Privacy Petri Net (PPN) which is more applicable to various applications and more intuitive and vivid to users. We apply our approach to both malware and suspicious applications in real world. The experimental result shows that our approach can effectively find categories, content, procedure, destination and severity of the private information leaks for the target software.

Donghai Tian,Runze Zhao,Rui Ma,Xiaoqi Jia,Qi Shen,Changzhen Hu,Wenmao Liu

DOI: https://doi.org/10.1002/ett.4584

IF: 3.6

2022-07-01

Transactions on Emerging Telecommunications Technologies

Abstract:We present MDCD, a malware detection system for virtualization environments. By utilizing the run‐time utilization and memory object information of the target VM, we can effectively detect the malicious programs in the target VM. With the increasing popularity of cloud computing applications, the threat of malware attack against cloud environments is getting worse. To defend against malware attacks in the cloud, some virtualization‐based approaches are proposed. However, the existing methods suffer from limitations in terms of detection accuracy, deployment effort, and performance cost. To address these issues, we propose MDCD, a novel dynamic malware detection solution for cloud environments. This method first utilizes a lightweight agent to collect the run‐time utilization information from the target virtual machine (VM). Then, it leverages the memory forensics analysis technique to extract the memory object information from the target VM's memory. To fully make use of the run‐time utilization and memory object information for malware detection, we propose a multi‐CNN model, which combines multiple convolutional neural networks (CNNs) efficiently. The evaluation shows that our approach can achieve an average detection accuracy, precision, recall, and F1 Score of 98.89%, 97.01%, 98.17%, and 97.89% respectively. Compared with the existing solutions, our method can detect multiple malicious processes effectively with little deployment effort.

telecommunications

Shengli Zhou,Lifa Wu,Canghong Jin

DOI: https://doi.org/10.1109/cc.2017.8068773

2017-01-01

China Communications

Abstract:A Service Level Agreement（SLA） is a legal contract between any two parties to ensure an adequate Quality of Service（Qo S）. Most research on SLAs has concentrated on protecting the user data through encryption. However, these methods can not supervise a cloud service provider（CSP） directly. In order to address this problem, we propose a privacy-based SLA violation detection model for cloud computing based on Markov decision process theory. This model can recognize and regulate CSP’s actions based on specific requirements of various users. Additionally, the model could make effective evaluation to the credibility of CSP, and can monitor events that user privacy is violated. Experiments and analysis indicate that the violation detection model can achieve good results in both the algorithm’s convergence and prediction effect.

Tomer Panker,Nir Nissim

DOI: https://doi.org/10.1016/j.knosys.2021.107095

2021-08-01

Abstract:Most organizations today use cloud-computing environments and virtualization technology. Linux-based clouds are the most popular cloud environments among organizations, and thus have become the target of cyber-attacks launched by sophisticated malware. Existing malware detection solutions for Linux-based VMs are installed and operated on the VM itself and are considered untrusted since malware can detect, interfere with, and even evade them. Thus, Linux cloud-based environments remain exposed to various malware-based attacks. This paper presents the first trusted framework for detecting unknown malware in Linux VM cloud-environments. Our framework acquires volatile memory dumps from the inspected VM by querying the hypervisor in a trusted manner and overcoming malware's ability to detect the security mechanism and evade detection. Then, using machine-learning algorithms we leverage informative traces (our 171 proposed features) from different parts of the VM's volatile memory. The framework was evaluated in seven rigorous experiments, on a total of 21,800 volatile memory dumps taken from two widely used virtual servers (10,900 from each server) during the execution of a diverse yet representative collection of benign and malicious Linux applications. Notably, the results show that our proposed framework can accurately (with high TPRs and low FPRs): (a) detect unknown malware (b) detect new unknown malware from unseen malware categories, which is a critical ability for coping with new malware trends and phenomena; (c) categorize an unknown malware by its attack category; (d) detect unknown malware on an unknown virtual-server; and lastly (e) detect fileless malware, a critical capability demonstrating the ability to detect substantially different attack modus operandi.

computer science, artificial intelligence