Jinfei Liu,Juncheng Yang,Li Xiong,Jian Pei

DOI: https://doi.org/10.1109/icde.2017.117

2017-01-01

Abstract:Outsourcing data and computation to cloud server provides a cost-e ective way to support large scale data storage and query processing. However, due to security and privacy concerns, sensitive data (e.g., medical records) need to be protected from the cloud server and other unauthorized users. One approach is to outsource encrypted data to the cloud server and have the cloud server perform query processing on the encrypted data only. It remains a challenging task to support various queries over encrypted data in a secure and e cient way such that the cloud server does not gain any knowledge about the data, query, and query result. In this paper, we study the problem of secure skyline queries over encrypted data. The skyline query is particularly important for multicriteria decision making but also presents significant challenges due to its complex computations. We propose a fully secure skyline query protocol on data encrypted using semanticallysecure encryption. As a key subroutine, we present a new secure dominance protocol, which can be also used as a building block for other queries. Finally, we provide both serial and parallelized implementations and empirically study the protocols in terms of e ciency and scalability under di erent parameter settings, verifying the feasibility of our proposed solutions.

Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Mohammad A. Altahat,Tariq Daradkeh,Anjali Agarwal

DOI: https://doi.org/10.1109/access.2024.3386169

IF: 3.9

2024-04-16

IEEE Access

Abstract:Containers are recognized for their lightweight and virtualization efficiency, making them a vital element in modern application orchestration. In this context, the scheduler is crucial in strategically distributing containers across diverse computing nodes. This paper presents a novel two-stage container scheduling solution that addresses node imbalances and efficiently deploys containers. The proposed solution formulates the scheduling process as an optimization problem, integrating various objective functions and constraints to enhance server consolidation and minimize energy consumption. The confidentiality of migrated containers is ensured through encryption, and the associated costs are incorporated into the optimization constraints. This approach ensures security in container scheduling, considering container attributes as input features in our proposed attributes-based encryption model. By carefully selecting containers and destination nodes, this work seeks to establish balance within cloud-based clusters. This contributes to the improvement of container orchestration systems and their effectiveness in real-world scenarios. The proposed solution's efficacy is demonstrated in its ability to efficiently deploy containers in multi-data center cloud environments and seamlessly migrate them between hosts within the same data center or across different data centers. Our results show optimal consolidation with a reduction in the number of running hosts, ranging from 4% to over 18%. Additionally, the solution promotes minimal total power consumption with savings ranging from 3.5 to 16.25 megawatts, while also ensuring balanced server loads.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wei Liu,Jun Yan,Xingshen Wei,Haiqing Wang,Shishun Zhu

DOI: https://doi.org/10.1109/cieec50170.2021.9510589

2021-05-28

Abstract:In recent years, due to the elastic container technical characteristics and active open source community support, container technology has become an important basic technology for the new digital infrastructure of power. Now, the container technology is very popular and widely used in power cloud platform, but the problem of power system security risk caused by container can’t be ignored. Aiming at the problem of container security, this paper proposes a lightweight container security enhancement framework. Based on the methods of lightweight hardware virtualization isolation, cloud trust, and transparent encryption and decryption of container data, we implemented the container framework in the power cloud platform. Experiments show that the mechanism has played a practical role and has little impact on the business in terms of performance.

Rafael Xavier,Lisandro Zambenedetti Granville,Filip De Turck,Bruno Volckaert

DOI: https://doi.org/10.1007/s10922-020-09543-y

2020-06-11

Journal of Network and Systems Management

Abstract:The massive industrial adoption of cloud technology has led to research into cloud-enabling traditional applications. The EMD research project proposes an elastic, reliable, and secure cloud-enabled Audio and Video (A/V) collaboration platform in replacement of a reliable hardware appliance based which had fixed constraints in terms of scalability. In this context, this article introduces heuristics and architectures that efficiently and preemptively allocate EMD's A/V encrypted and container-based software components in the cloud. A software solution based on Kubernetes, a production-grade container orchestration platform, is compared with another solution focused on dedicated VMs. Both implement resource allocation heuristics that take into account the project's requirements and location-aware encryption enforcement necessities: encryption is enforced for more sensitive data. A company training scenario with dynamically distributed instructors is modelled using existing A/V stream concepts, and component prototypes are extended to support encryption and containerisation, whose prototype performance evaluation drives the investigation of heuristics and architectures and feeds their larger-scale simulation-based assessment. Results show that container orchestration costs are at least 52% lower than dedicated VMs for this scenario, but rely on relaxing a project requirement: the time taken to establish a new streaming session was to be kept below 2 s. The switch to orchestrated containers raised this up to a maximum of 2.5 s.

computer science, information systems,telecommunications

Yulong Shen

DOI: https://doi.org/10.1109/tbdata.2017.2707552

2017-01-01

IEEE Transactions on Big Data

Abstract:The k-nearest neighbors (k-NN) query is a fundamental primitive in spatial and multimedia databases. It has extensive applications in location-based services, classification & clustering and so on. With the promise of confidentiality and privacy, massive data are increasingly outsourced to cloud in the encrypted form for enjoying the advantages of cloud computing (e.g., reduce storage and query processing costs). Recently, many schemes have been proposed to support k-NN query on encrypted cloud data. However, prior works have all assumed that the query users (QUs) are fully-trusted and know the key of the data owner (DO), which is used to encrypt and decrypt outsourced data. The assumptions are unrealistic in many situations, since many users are neither trusted nor knowing the key. In this paper, we propose a novel scheme for secure k-NN query on encrypted cloud data with multiple keys, in which the DO and each QU all hold their own different keys, and do not share them with each other; meanwhile, the DO encrypts and decrypts outsourced data using the key of his own. Our scheme is constructed by a distributed two trapdoors public-key cryptosystem (DT-PKC) and a set of protocols of secure two-party computation, which not only preserves the data confidentiality and query privacy but also supports the offline data owner. Our extensive theoretical and experimental evaluations demonstrate the effectiveness of our scheme in terms of security and performance.

Mazharul Islam

2023-06-06

Abstract:Security has become a significant concern with the increased popularity of cloud storage services. It comes with the vulnerability of being accessed by third parties. Security is one of the major hurdles in the cloud server for the user when the user data that reside in local storage is outsourced to the cloud. It has given rise to security concerns involved in data confidentiality even after the deletion of data from cloud storage. Though, it raises a serious problem when the encrypted data needs to be shared with more people than the data owner initially designated. However, searching on encrypted data is a fundamental issue in cloud storage. The method of searching over encrypted data represents a significant challenge in the cloud. Searchable encryption allows a cloud server to conduct a search over encrypted data on behalf of the data users without learning the underlying plaintexts. While many academic SE schemes show provable security, they usually expose some query information, making them less practical, weak in usability, and challenging to deploy. Also, sharing encrypted data with other authorized users must provide each document's secret key. However, this way has many limitations due to the difficulty of key management and distribution. We have designed the system using the existing cryptographic approaches, ensuring the search on encrypted data over the cloud. The primary focus of our proposed model is to ensure user privacy and security through a less computationally intensive, user-friendly system with a trusted third party entity. To demonstrate our proposed model, we have implemented a web application called CryptoSearch as an overlay system on top of a well-known cloud storage domain. It exhibits secure search on encrypted data with no compromise to the user-friendliness and the scheme's functional performance in real-world applications.

Cryptography and Security

Cong Liu,Yong Cui,Kun Tan,Quan Fan,Kui Ren,Jianping Wu

DOI: https://doi.org/10.1109/INFOCOM.2018.8485861

2018-01-01

Abstract:The trends of the increasing middleboxes make the middle network more and more complex. Today, many middlehoxes work on application layer and offer significant network services by the plain-text traffic, such as firewalling, intrusion detecting and application layer gateways. At the same time, more and more network applications arc encrypting their data transmission to protect security and privacy. It is becoming a critical task and hot topic to continue providing application-layer middlehox services in the encrypted Internet, however, the state of the art is far from being able to be deployed in the real network. In this paper, we propose a practical architecture, named PlainBox, to enable session key sharing between the communication client and the middleboxes in the network path. It employs Attribute-Based Encryption (ABE) in the key sharing protocol to support multiple chaining middleboxes efficiently and securely. We develop a prototype system and apply it to popular security protocols such as TLS and SSH. We have tested our prototype system in a lab testhed as well as real-world websites. Our result shows PlainBox introduces very little overhead and the performance is practically deployable.

Tianyi Gao,Xinshu Ma,Suhas Narreddy,Eugenio Luo,Steven W. D. Chien,Michio Honda

2024-09-25

Abstract:Cloud applications need network data encryption to isolate from other tenants and protect their data from potential eaves- droppers in the network infrastructure. This paper presents SDT, a protocol design for emerging datacenter transport pro- tocols to integrate data encryption while using existing NIC offloading designed for TLS over TCP. Therefore, SDT could enable a deployment path of new transport protocols in data- centers without giving up hardware offloading.

Cryptography and Security,Networking and Internet Architecture

Sudha K,Dr. Umarani C

DOI: https://doi.org/10.22214/ijraset.2022.41550

2022-04-30

International Journal for Research in Applied Science and Engineering Technology

Abstract:Abstract: The ongoing headlines or broadcast shows the strong goon, that damages the instruction or details secrecy in obtaining cryptographic keys, through pressure in secure communication programming technique When the instruction key or details is open, one major suitable option is to safeguard the privacy of the details. All things considered, assuming that the data is covered with past facilities, a goon spotted with the encoded key, will think twice about disclosing the ciphertext blocks. The major advantage of implementing key transparency in this paper is to information secrecy over a foe which identifies the encryption key and has an aspiration to get over an enormous part of the ciphertext blocks. Keywords: Cloud Storage, Security, Auditing Mechanism, Key Transparency, Data Confidentiality, MySQL.

Sébastien Vaucher,Rafael Pires,Pascal Felber,Marcelo Pasin,Valerio Schiavoni,Christof Fetzer

DOI: https://doi.org/10.1109/ICDCS.2018.00076

2018-07-27

Abstract:Containers are becoming the de facto standard to package and deploy applications and micro-services in the cloud. Several cloud providers (e.g., Amazon, Google, Microsoft) begin to offer native support on their infrastructure by integrating container orchestration tools within their cloud offering. At the same time, the security guarantees that containers offer to applications remain questionable. Customers still need to trust their cloud provider with respect to data and code integrity. The recent introduction by Intel of Software Guard Extensions (SGX) into the mass market offers an alternative to developers, who can now execute their code in a hardware-secured environment without trusting the cloud provider. This paper provides insights regarding the support of SGX inside Kubernetes, an industry-standard container orchestrator. We present our contributions across the whole stack supporting execution of SGX-enabled containers. We provide details regarding the architecture of the scheduler and its monitoring framework, the underlying operating system support and the required kernel driver extensions. We evaluate our complete implementation on a private cluster using the real-world Google Borg traces. Our experiments highlight the performance trade-offs that will be encountered when deploying SGX-enabled micro-services in the cloud.

Distributed, Parallel, and Cluster Computing

Yousef Elmehdwi,Bharath K. Samanthula,Wei Jiang

DOI: https://doi.org/10.48550/arXiv.1307.4824

2013-07-18

Abstract:For the past decade, query processing on relational data has been studied extensively, and many theoretical and practical solutions to query processing have been proposed under various scenarios. With the recent popularity of cloud computing, users now have the opportunity to outsource their data as well as the data management tasks to the cloud. However, due to the rise of various privacy issues, sensitive data (e.g., medical records) need to be encrypted before outsourcing to the cloud. In addition, query processing tasks should be handled by the cloud; otherwise, there would be no point to outsource the data at the first place. To process queries over encrypted data without the cloud ever decrypting the data is a very challenging task. In this paper, we focus on solving the k-nearest neighbor (kNN) query problem over encrypted database outsourced to a cloud: a user issues an encrypted query record to the cloud, and the cloud returns the k closest records to the user. We first present a basic scheme and demonstrate that such a naive solution is not secure. To provide better security, we propose a secure kNN protocol that protects the confidentiality of the data, user's input query, and data access patterns. Also, we empirically analyze the efficiency of our protocols through various experiments. These results indicate that our secure protocol is very efficient on the user end, and this lightweight scheme allows a user to use any mobile device to perform the kNN query.

Cryptography and Security

Zhonghan Cheng,Hao Huang,Diming Zhang,Zhenjiang Qian

DOI: https://doi.org/10.2991/ccis-13.2013.64

2013-01-01

Abstract:As an open-source distributed programming framework, Hadoop has gradually become popular in industry recently. Its distributed file system (HDFS) enables storing large data with advantages of high fault tolerance and throughput. However, the fact that the current HDFS does not support intra-cloud data encryption yet makes data privacy becomes a key security issue. This paper presents ahybrid encryption method based on HDFS. We adopt symmetric encryption to encrypt and decrypt file blocks at datanodes and use asymmetric encryption scheme to protect the symmetric keys. By this method, we can prevent datanode intruders from stealing user data, while ensuring that clients are lightweight. The experiments show that with and without block encryption algorithm, our solution brings43% and 2% performance degradation compared to the generic HDFS.

Mengqi Zhan,Yang Li,Guangxi Yu,Yan Zhang,Bo Li,Weiping Wang

DOI: https://doi.org/10.1109/tifs.2023.3266629

IF: 7.231

2023-04-28

IEEE Transactions on Information Forensics and Security

Abstract:The deepening of digital transformation has led to an increasing amount of data from industries being transmitted over the Internet. However, packets in plaintext originally designed for transmission in private networks suffer from significant security threats on the Internet. Unfortunately, existing encryption schemes, such as the representative TLS, are difficult to be applied to these industrial protocols due to their specific requirements and conditions such as low latency requirements and restricted operating environments. In this paper, we present a high-performance encryption/decryption middlebox called GuardBox to provide confidentiality and integrity for packets. GuardBox is expected to transparently encrypt/decrypt packets sent/received by protected industrial equipment with low latency and supports almost any application-layer protocol. To do that, we design a high-performance packet I/O framework and an optimized encryption/decryption scheme for GuardBox. More importantly, we use commodity trusted hardware, Intel SGX, to ensure the security of keys and the encryption/decryption process. Our extensive evaluation demonstrates that GuardBox can provide confidentiality and integrity for packets transmitted over the Internet with low latency and a near-native throughput.

computer science, theory & methods,engineering, electrical & electronic

Duane Wilson,Giuseppe Ateniese

DOI: https://doi.org/10.48550/arXiv.1404.2697

2014-04-10

Cryptography and Security

Abstract:With the advent of cloud computing, a number of cloud providers have arisen to provide Storage-as-a-Service (SaaS) offerings to both regular consumers and business organizations. SaaS (different than Software-as-a-Service in this context) refers to an architectural model in which a cloud provider provides digital storage on their own infrastructure. Three models exist amongst SaaS providers for protecting the confidentiality data stored in the cloud: 1) no encryption (data is stored in plain text), 2) server-side encryption (data is encrypted once uploaded), and 3) client-side encryption (data is encrypted prior to upload). This paper seeks to identify weaknesses in the third model, as it claims to offer 100% user data confidentiality throughout all data transactions (e.g., upload, download, sharing) through a combination of Network Traffic Analysis, Source Code Decompilation, and Source Code Disassembly. The weaknesses we uncovered primarily center around the fact that the cloud providers we evaluated were each operating in a Certificate Authority capacity to facilitate data sharing. In this capacity, they assume the role of both certificate issuer and certificate authorizer as denoted in a Public-Key Infrastructure (PKI) scheme - which gives them the ability to view user data contradicting their claims of 100% data confidentiality. We have collated our analysis and findings in this paper and explore some potential solutions to address these weaknesses in these sharing methods. The solutions proposed are a combination of best practices associated with the use of PKI and other cryptographic primitives generally accepted for protecting the confidentiality of shared information.

G. Dumindu Samaraweera,J. Morris Chang

DOI: https://doi.org/10.48550/arXiv.2107.01640

2021-07-04

Databases

Abstract:During the last few years, the explosion of Big Data has prompted cloud infrastructures to provide cloud-based database services as cost effective, efficient and scalable solutions to store and process large volume of data. Hence, NoSQL databases became more and more popular because of their inherent features of better performance and high scalability compared to other relational databases. However, with this deployment architecture where the information is stored in a public cloud, protection against the sensitive data is still being a major concern. Since the data owner does not have the full control over his sensitive data in a cloud-based database solution, many organizations are reluctant to move forward with Database-as-a-Service (DBaaS) solutions. Some of the recent work addressed this issue by introducing additional layers to provide encryption mechanisms to encrypt data, however, these approaches are more application specific and they need to be properly evaluated to ensure whether they can achieve high performance with the scalability when it comes to large volume of data in a cloud-based production environment. This paper proposes a practical system design and implementation to provide Security-as-a-Service for NoSQL databases (SEC-NoSQL) while supporting the execution of query over encrypted data with guaranteed level of system performance. Several different models of implementations are proposed, and their performance is evaluated using YCSB benchmark considering large number of clients processing simultaneously. Experimental results show that our design fits well on encrypted data while maintaining the high performance and scalability. Moreover, to deploy our solution as a cloud-based service, a practical guide establishing Service Level Agreement (SLA) is also included.

A.Abdo,Taghreed S. Karamany,Ahmed Yakoub

DOI: https://doi.org/10.1016/j.jksuci.2024.101999

IF: 9.006

2024-03-09

Journal of King Saud University - Computer and Information Sciences

Abstract:Cloud computing has revolutionized the way businesses and individuals manage and utilize computing resources, providing significant benefits such as scalability, flexibility, and cost-effectiveness. However, the increasing use of cloud computing to store and transmit sensitive data has raised concerns about data security. Ensuring confidentiality and data integrity while enabling effective data transmission is a significant challenge. To overcome this issue, the proposed approach integrates encryption and compression methods to enhance transmission performance in the cloud and prevent unauthorized access to confidential information. This approach applies multiple layers of robust encryption algorithms, followed by LZMA, which aims to compress data size while ensuring data security. The proposed approach is well-suited for real-time implementation and delivers high encryption quality and compression capabilities. Various performance metrics evaluate its performance, including space-saving percentage, processing time, and the NIST randomness test. It provides a substantial improvement in space-saving percentage from 58.63% to 81.8%, ensuring efficiency. The security analysis confirms that ciphertexts generated by this approach pass all NIST tests, generating a 99% confidence level regarding the randomness of the ciphertext. The proposed hybrid approach offers an effective solution for addressing the challenges of securing sensitive data while taking advantage of the benefits of cloud computing.

computer science, information systems

Francesco Minna,Balakrishnan Chandrasekaran,Agathe Blaise,Filippo Rebecchi,Fabio Massacci

DOI: https://doi.org/10.1109/msec.2021.3094726

2021-09-01

Abstract:Container-orchestration software such as Kubernetes make it easy to deploy and manage modern cloud applications based on microservices. Yet, its network abstractions pave the way for "unexpected attacks" if we approach cloud network security with the same mental model of traditional network security.

computer science, information systems, software engineering

Debajyoti Mukhopadhyay,Gitesh Sonawane,Parth Sarthi Gupta,Sagar Bhavsar,Vibha Mittal

DOI: https://doi.org/10.48550/arXiv.1303.7075

2013-03-28

Cryptography and Security

Abstract:Cloud computing is a term coined to a network that offers incredible processing power, a wide array of storage space and unbelievable speed of computation. Social media channels, corporate structures and individual consumers are all switching to the magnificent world of cloud computing. The flip side to this coin is that with cloud storage emerges the security issues of confidentiality, data integrity and data availability. Since the cloud is a mere collection of tangible super computers spread across the world, authentication and authorization for data access is more than a necessity. Our work attempts to overcome these security threats. The proposed methodology suggests the encryption of the files to be uploaded on the cloud. The integrity and confidentiality of the data uploaded by the user is ensured doubly by not only encrypting it but also providing access to the data only on successful authentication.

Zhirong Shen,Jiwu Shu,Wei Xue

DOI: https://doi.org/10.1109/jsen.2016.2634018

IF: 4.3

2016-01-01

IEEE Sensors Journal

Abstract:Cloud computing has become an increasingly popular service for data storage and processing. To keep users' data on the cloud from leaking to unauthorized users, probably including the cloud service providers, the data must be stored in an encrypted form. In the meantime, for data intended for sharing, an efficient access control must be provided. A common operation on the data is keyword search. Currently, search operation over encrypted search is performed at the cloud servers and access control for the in-cloud data is usually enforced by users. Separation of the two types of operations can lead to reduced efficiency and compromised privacy for users with a given set of access privileges to search over encrypted cloud data. In this paper, we study the problem of keyword search with access control over encrypted data in cloud computing. We first propose a scalable framework where user can use his attribute values and a search query to locally derive a search capability, and a file can be retrieved only when its keywords match the query and the user's attribute values can pass the policy check. Using this framework, we propose a novel scheme called KSAC. KSAC utilizes a recent cryptographic primitive called HPE to enforce fine-grained access control, perform multi-field query search, and support the derivation of the search capability. Intensive evaluations on real-world dataset are conducted to validate the applicability of the proposed scheme.