Federated Cloud Security Architecture for Secure and Agile Clouds

Chapter in: High Performance Cloud Auditing and Applications

Abstract

Cyber threats against clouds have evolved rapidly. Traditional reactive cyber defense technologies are neither effective nor sufficient to protect federated clouds. This chapter introduces a novel federated cloud security architecture that includes proactive cloud defense technologies for secure and agile cloud development. The federated security architecture consists of a set of seamlessly integrated, systematic security mechanisms at the application layer, the network layer and the system layer in federated cloud computing environments. Features of the architecture include: (1) it is centered on proactive cyber defense; (2) it facilitates early detection of cyber attacks at one layer and propagates early warning signs of those attacks to the other layers for countermeasures; (3) it uses command and control (C2) to coordinate both in-cloud and cross-cloud defense activities via federated cloud security centers.



Acknowledgements

This material is based upon work partially supported by the Air Force Office of Scientific Research (AFOSR) under Grant No. FA9550-09-01-0165 and the Air Force Research Laboratory (AFRL) Visiting Faculty Research Program (VFRP) extension grant LRIR 11RI01COR. Any opinions, findings, and conclusions or recommendations expressed in this publication are those of the authors and do not necessarily reflect the views of the funding agency.

Corresponding author: Weiliang Luo


Copyright information

© 2014 Springer Science+Business Media New York

Cite this chapter

Luo, W., Xu, L., Zhan, Z., Zheng, Q., Xu, S. (2014). Federated Cloud Security Architecture for Secure and Agile Clouds. In: Han, K., Choi, BY., Song, S. (eds) High Performance Cloud Auditing and Applications. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-3296-8_7

  • DOI: https://doi.org/10.1007/978-1-4614-3296-8_7

  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-3295-1

  • Online ISBN: 978-1-4614-3296-8

  • eBook Packages: Engineering (R0)
