
Cloud Monitoring and Forensic using Security Metrics

Sandeep Saxena

Computer Science and Engineering

Galgotias College of Engineering & Technology

Greater Noida, India

[email protected]

Goutam Sanyal

Computer Science and Engineering

National Institute of Technology

Durgapur, India

[email protected]

Abstract— Cloud forensics is currently a challenging job for cloud providers because a cloud does not physically exist in one place or within one country. It is dispersed worldwide, and each country has its own jurisdiction over access to personal or private data. We therefore need a common approach to perform these tasks efficiently and effectively. A service level agreement (SLA) between the cloud service provider (CSP) and the consumer can grant the right to monitor the consumer's activities throughout each session in the cloud environment and to save those activities somewhere on the cloud server for later forensics if any illegal or malicious activity is performed. Intrusion detection systems (IDS) are widely used for forensic analysis whenever required; a host-based IDS is used to study a particular system and is able to watch the regular activities of the user/consumer. Intrusion detection involves two main techniques: anomaly detection, based on behaviour/heuristic rules, and misuse detection, based on patterns and signatures.

Keywords- Cloud, Security Metrics, Forensic, Cloud Monitoring

I. INTRODUCTION

We are entering a new epoch of computing, and it is all about the "cloud". This immediately brings up several important questions that deserve thoughtful answers: "Why should we use cloud computing?" "Is it real, or just another catchphrase?" And most importantly, "How does it affect us?" In a nutshell, cloud computing is completely real and will affect more or less everyone. Cloud computing is defined as "a paradigm used to enable expedient, on-demand network (cloud) access to a public pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction". It is also known as a self-service environment for computing resources.

In cloud terminology the phrase "as-a-service" is widely used; it simply means that a given cloud product (whether infrastructure-as-a-service, platform-as-a-service or software-as-a-service) is offered in a way that lets customers "rent" it over the Internet. By "rented" we mean that you pay only for as much as you use. It is frequently described as an "on demand" service because it is accessible whenever you need it. In the current communication infrastructure there are two types of cloud, public and private [1].

Public clouds: A service provider runs the cloud platform and makes it available to many end-user organizations. These clouds provide application-as-a-service or platform-as-a-service.

Private clouds: A cloud platform runs solely for a single end-user organization, such as a financial institution or retailer. The technology looks like that of public clouds, but the economic prospects are different. It exists within the premises of the individual organization.

Figure 1: Public cloud (service provider) and private cloud (on-premises)

Although much research has been done in the cloud computing arena, this is not to say that cloud computing is perfect. It is not. Actually, it is not even close. It is very new, and there are thousands of kinks still to be worked out. According to the National Institute of Standards and Technology (NIST) Computer Security Division, the cloud paradigm still suffers from significant security lacunae. For example, Software-as-a-Service (SaaS) vendors are implementing various security approaches, raising critical questions about where data is hosted, international privacy laws, exposure of data to foreign entities, nonstandard authentication, monitoring, forensics and leaks in multitenant architectures. These security concerns are putting mission-critical data at risk while slowing the adoption of cloud computing technologies. That is why cloud monitoring and forensics are such important issues for attracting consumers and gaining their confidence that they are secure enough, not only against users outside the cloud but also against other consumers inside the cloud service environment.

978-1-4673-1850-1/12/$31.00 © 2012 IEEE

2012 4th International Conference on Electronics Computer Technology (ICECT 2012)

The organization of this paper is as follows. Section II covers the analysis of previous related research in the area of cloud forensics. Section III presents the proposed methodology and a generic security architecture for a cloud system. Finally, Section IV concludes the paper and gives future directions.

II. ANALYSIS OF PREVIOUS RESEARCH

Currently, one way of validating a security design is based on model and methodology approaches. For example, NIST introduces a system security model in which security services are functionally defined [2]. It differentiates between security support services and prevention, detection and recovery services.

NIST has also defined a model for security metrics, which is limited to the definition of key security service terms and does not consider a constructive theory of security for any specific system of interest.

A security model that does provide such a constructive theory of security is the International Telecommunication Union's (ITU) data network and open communication security architecture for systems providing end-to-end communications (the X.805 standard) [3]. It presents the telecommunication architecture as a combination of three layers:

Infrastructure level: the set of hardware and software components that provide telecommunication functionality.

Service level: the billable customer traffic flows.

Application level: the layer that motivates users to pay for the control-layer services.

In the current IT generation there are three security tenets: confidentiality, integrity and availability. Confidentiality is concerned with keeping communication secure from an intruder who tries to access data through passive or active attacks. Integrity means data must arrive the same as it was sent from the source. Availability means data must be available to authenticated and authorized users. These three tenets are what we consider wherever security is applied in IT environments. But beyond these issues, we must be aware that the source itself may be an intruder trying to perform some illegal or malicious activity on the current network or against particular users on the same network. For such issues we need to monitor users' activity as a preventive measure to protect the other users on the network/Internet.

Monitoring and forensics are major security concerns for taking appropriate action against intruders or attackers. In the new era of technology, cloud computing is the most demanding setting in which to secure our environment from insiders, because it is the most flexible environment for provisioning and de-provisioning cloud services.

The architectural services of cloud computing are of three types: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS).

Software-as-a-Service (SaaS): SaaS is the highest layer of service. It provides a complete application as a service on demand, with multi-tenancy, which means a single instance of the application runs on the provider's infrastructure and serves many client organizations. Examples of SaaS are salesforce.com and Google Apps.

Platform-as-a-Service (PaaS): The middle layer, PaaS, offers every phase of software development and testing, or it can be specialized around a particular area such as content management. An example is Google App Engine, which serves applications on Google's infrastructure [4].

Infrastructure-as-a-Service (IaaS): The lowest layer, IaaS, provides basic storage and computing capabilities as standard services over the network. Servers, switches, gateways, routers, storage systems and other resources are pooled in one place. An example is Amazon Web Services, whose EC2 and S3 services offer bare-bones compute and storage respectively [5]. Another example is Joyent, which provides a line of virtualized servers giving a highly scalable on-demand infrastructure for running web sites, web applications and so on.

The details of IaaS, PaaS and SaaS may form a basis for differentiating system-level functions, which helps to recognize the basis for security features. An IaaS service may provide secure network and storage services. A SaaS service may provide a secure application service but leave end-user identity provisioning and auditing to the customer [9].

In a cloud computing environment there may be a malicious insider who performs malicious activities. To gain the trust of our customers we may implement a trusted third party to provide strong authentication for financial transactions, authorization, data confidentiality and non-repudiation in the cloud environment [10].

A monitoring system is used to monitor consumer activity regularly; when we find any illegal or malicious activity by a consumer we need to start forensics to find the root cause. Forensic analysis deals with the detection, prevention, acquisition and provenance methods used to establish digital evidence of cyber crime in a court of law [6]. Computer forensic tools (CFT) are used to recover data as evidence to validate an action/activity in front of a court of law. Forensic experts install packet sniffers and monitoring tools (MT) on the targeted machine to collect volatile information. If a computer investigation involves a private cloud, the digital evidence resides within the organization or within its outsourced supplier. The main areas for potential evidence are servers, applications and data repositories residing within the company or organization. In a public cloud, however, it is much more difficult to identify and collect evidence because, as we know, a cloud computing environment aims to be dynamic and customizable [11].

III. PROPOSED GENERIC MODEL FOR CLOUD MONITORING AND FORENSICS

In the current environment, cloud computing will gain the high trust of business and financial institutions by using a strong monitoring and forensic methodology to ensure privacy, confidentiality and tracking of all consumer activities at the cloud service provider (CSP) end. It must be ensured that the consumer of a CSP is persuaded that the forensic attribution data are managed in a secure manner. If this information is compromised, the whole model collapses.

In this paper we propose a methodology through which we can develop a complete architecture to provide service to our consumers, including a secure monitoring and forensic system. Before implementing this model we have a Service Level Agreement (SLA) with our consumers. The SLA contains rules and regulations, signed by the consumer, stating that if any illegal or malicious activity is performed, their system and remote service will be stopped and appropriate action will be taken against them.

A. PROPOSED METHODOLOGY

Figure 2 represents the proposed methodology, which will be implemented with the help of the various monitoring and forensic tools and techniques available in current technology. This methodology is developed for a secure monitoring and forensic system in which we do not perform forensics until we find malicious or illegal activity from a particular consumer system. In this methodology we use pattern- or signature-based misuse detection, as is also used in an Intrusion Detection System (IDS).

When a signature is found in the data or information communicated on the communication channel, the automated forensic system is activated to collect the data or information and save it in the metrics as digital evidence.

Our proposed methodology contains five steps, given in the figure.

Step 1: Monitor consumer activity and save session log records

The threat of a malicious insider or disgruntled employee is well known to most organizations. This threat is bigger for consumers of cloud services because of the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider procedures and processes.

Figure 2: Monitoring and Forensic Methodology

For example, a provider may not disclose how it grants employees access to physical and virtual resources, how it monitors these employees or consumers, or how it analyzes and reports on policy compliance. To make matters more difficult, there is often little or no visibility into the recruiting standards and practices for cloud employees. This kind of situation clearly creates an attractive opportunity for an adversary, ranging from the professional hacker, to organized crime, to commercial espionage, or even nation-state sponsored intrusion. The level of access granted could enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection [7].

To protect other consumers from a malicious insider, we need to monitor each and every consumer of our cloud environment. In this step we monitor the consumer's activity and save the records during the session. This record is maintained temporarily in the cloud environment for the further steps.

Step 2: Find any malicious activity that matches a signature

In this step we continue to scan user activities at the system and application level. In order to identify malicious or illegal activities, we have developed signature-based methods in which we check the contents of packets going out of the cloud system and match them against the saved signatures; if a signature matches, the consumer is identified as having performed malicious activity. After identifying the malevolent host, we mark it as a malicious node in the cloud environment. For the development of new signatures we use real-time experience from our existing non-cloud environment.

Step 3: Automated forensic system is activated to store all activities and data in metrics

As soon as we have identified the malevolent host, an automated forensic system is activated and collects all previous and current activities of that particular malevolent node. When we have collected all data for forensic purposes, we save that data in predefined security metrics in a predefined format. This data is saved on a separate forensic server, which will be accessed by the cloud administrator.

Step 4: Stop remote access or services outside the cloud (at the same time, a message is sent to the consumer by phone and email)

After identifying illegal activities performed by the malevolent host, it is required to collect all data from that node and save it in the security metrics for the purpose of forensics. We stop the malevolent node's services for access outside its cloud environment and regularly watch and store its activities.

To confirm the activity with the account holder (in case of wrong authentication), we send a message to the consumer's phone number and email id stating that we have found that they have performed some malicious activity on the cloud service environment.

Step 5: Administrator checks security metrics and collects data, then sends it to a higher authority for legal processing

In this step the administrator performs the further proceedings. The administrator analyzes the data saved in the security metrics and collects the details of the consumer who performed the malicious activities. He collects all details: their personal information, their malicious activities, the evidence collected after forensics and the victims, and sends all these details to a higher authority for further legal proceedings.

B. PROPOSED GENERIC MODEL FOR CLOUD MONITORING AND FORENSICS

As stated at the start of Section III, cloud computing will gain the high trust of business and financial institutions by using a strong monitoring and forensic methodology that ensures privacy, confidentiality and tracking of all consumer activities at the CSP end. The consumer of a CSP must be persuaded that the forensic attribution data are managed in a secure manner; if this information is compromised, the whole model collapses [8]. The proposed architecture is likewise preceded by an SLA, signed by the consumer, stating that if any illegal or malicious activity is performed, their system and remote service will be stopped and appropriate action will be taken against them.

Figure 3: Generic architecture for cloud monitoring and forensics

Figure 3 represents the generic architecture according to the proposed methodology for cloud monitoring and forensics. In this architecture we use a host-based IDS for monitoring incoming and outgoing network communication on the consumer system. The IDS includes both anomaly detection and misuse detection techniques for identifying activities on the host system. The architecture has six steps, which are shown in Figure 2.

In the first step, when any malicious activity is identified on the consumer system, it is reported to the cloud server.

In the second step, when the cloud server receives a report of malicious activity from the cloud system/consumer system, it invokes the forensic system and collects data from the consumer system.

In the third step, the cloud server collects the data in metrics, because multiple consumers may have performed malicious/illegal activities during their logged sessions.

In the fourth step, the cloud administrator checks the data saved in the metrics and verifies the consumer's details available on the cloud.

In the fifth step, the cloud administrator sends the collected data/information to the higher authority to perform further proceedings.

In the sixth step, the higher authority checks and verifies the data/information, discusses it with their legal advisor and then takes legal action against the consumer as per cyber law and the jurisdiction at that time.
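As an added, constructed illustration (not the authors' code) of the five-step methodology of Section III.A and the six-step architecture above, the following Python simulation feeds constructed packets from two tenants through session logging, outbound signature matching, hash-chained evidence capture on the forensic store, blocking of outside access and an administrator report; the signatures, tenant names and payloads are all hypothetical.

```python
import hashlib
import json
from collections import defaultdict

# Constructed misuse signatures (hypothetical byte patterns checked on outbound payloads).
SIGNATURES = {"SIG-EXFIL-001": b"BEGIN CUSTOMER DUMP", "SIG-C2-002": b"/cmd?exec="}
GENESIS = "0" * 64


class ForensicStore:
    """Step 3: the 'security metrics' evidence store on a separate forensic server.
    Records are hash-chained so the administrator can detect tampering in step 5."""
    def __init__(self):
        self.records, self.prev_hash = [], GENESIS

    def preserve(self, consumer, sig_id, activity):
        body = json.dumps({"consumer": consumer, "signature": sig_id,
                           "activity": activity, "prev": self.prev_hash}, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.records.append({"body": body, "hash": digest})
        self.prev_hash = digest

    def verify_chain(self):
        prev = GENESIS
        for rec in self.records:
            if json.loads(rec["body"])["prev"] != prev:
                return False
            if hashlib.sha256(rec["body"].encode()).hexdigest() != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


class CloudServer:
    def __init__(self):
        self.session_log = defaultdict(list)  # step 1: per-consumer session records
        self.store = ForensicStore()
        self.blocked = set()                  # step 4: nodes cut off from outside access
        self.notifications = []               # step 4: (consumer, signature) to send out

    def handle_packet(self, consumer, direction, payload):
        text = payload.decode("latin-1")
        if consumer in self.blocked and direction == "out":
            self.session_log[consumer].append(("dropped", text))  # still watched, not forwarded
            return "dropped"
        self.session_log[consumer].append((direction, text))
        # Step 2: misuse detection only on packets leaving the cloud, as the paper describes.
        sig_id = next((s for s, p in SIGNATURES.items() if direction == "out" and p in payload), None)
        if sig_id is None:
            return "forwarded"
        # Step 3: preserve all previous and current activity of the malevolent node.
        self.store.preserve(consumer, sig_id, list(self.session_log[consumer]))
        self.blocked.add(consumer)
        self.notifications.append((consumer, sig_id))
        return "blocked"

    def admin_report(self):
        """Step 5: administrator checks the metrics and assembles each case."""
        cases = defaultdict(list)
        for rec in self.store.records:
            body = json.loads(rec["body"])
            cases[body["consumer"]].append(body["signature"])
        return {"chain_intact": self.store.verify_chain(), "cases": dict(cases)}


def run_demo():
    """Constructed traffic from two tenants; returns the server and per-packet outcomes."""
    server = CloudServer()
    outcomes = [
        server.handle_packet("tenant-a", "in", b"GET /index.html"),
        server.handle_packet("tenant-a", "out", b"HTTP/1.1 200 OK"),
        server.handle_packet("tenant-b", "in", b"POST /cmd?exec=id"),         # inbound: not scanned
        server.handle_packet("tenant-a", "out", b"BEGIN CUSTOMER DUMP ..."),  # matches SIG-EXFIL-001
        server.handle_packet("tenant-a", "out", b"more data"),                # dropped after block
        server.handle_packet("tenant-b", "out", b"HTTP/1.1 204 No Content"),
    ]
    return server, outcomes
```

Note that the inbound packet carrying a signature pattern is not flagged, because the paper's step 2 inspects only traffic leaving the cloud; an operator who also wants inbound coverage would extend the check accordingly.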

IV. CONCLUSION AND FUTURE WORK

Cloud services are growing rapidly and favouring the advent of new service providers. User confidence and privacy are the biggest challenges for cloud service providers. In this paper we proposed a novel forensics methodology and its legal jurisdiction to assure the confidentiality of cloud users. In order to perform forensics on the cloud we create a security matrix and monitor each user's activity to create an audit trail for investigation purposes. To make this process legally sound, there is a service level agreement procedure with the customer. In future we will focus on the rule base of the security matrix and on the integrity of users' data.

REFERENCES

1. Cary Landis and Dan Blacharski, "Cloud Computing Made Easy", Version 0.3.

2. G. Stoneburner, "Underlying Technical Models for Information Technology Security", National Institute of Standards and Technology, 2001.

3. G. McGraw, Software Security, Addison-Wesley, 2006.

4. Google App Engine, http://appengine.google.com

5. Amazon Elastic Compute Cloud (EC2), http://www.amazon.com/ec2

6. Gary C. Kessler, "Anti-Forensics and the Digital Investigator", Champlain College, Burlington, VT, USA / Edith Cowan University, Mount Lawley, WA, Australia.

7. Cloud Security Alliance (CSA), "Top Threats to Cloud Computing V1.0", 2010.

8. Shaftab Ahmad and M. Yasin Akhtar Raja, "Tackling Cloud Security Issues and Forensic Model", IEEE, 2010.

9. Jennifer Bayuk, "Cloud Security Metrics", 6th International Conference on System of Systems Engineering, Albuquerque, New Mexico, USA, June 27-30, 2011 (IEEE).

10. D. Zissis and D. Lekkas, "Addressing Cloud Computing Security Issues", Future Generation Computer Systems (2011), Elsevier, doi:10.1016/j.future.2010.12.006

11. M. Taylor, J. Haggerty, D. Gresty and R. Hegarty, "Digital evidence in cloud computing systems", Computer Law and Security Review 26 (2010) 304-308, Elsevier Ltd.
