New Age Cyber Threat Mitigation for Cloud Computing Networks 9815136127, 9789815136128

Increasingly global and online social interactions and financial transactions involve digital data, computing devices an


Language: English. Pages: 182 [184]. Year: 2023.


Table of contents:
Cover
Title
Copyright
End User License Agreement
Contents
Foreword
Preface
Ransomware: Rising Threat of New-Age Digital Extortion
1. INTRODUCTION
2. RANSOMWARE VARIANTS & PROPAGATION
2.1. Crypto-Ransomware
2.2. Locker Ransomware
3. RANSOMWARE ATTACK & PROTECTION
4. RESEARCH METHODOLOGY
5. PROPOSED MALWARE SOLUTION
5.1. Environment Setup
5.2. Malware Code Analysis Environment
5.3. Malware Reporting Environment
6. RESULTS OBTAINED
CONCLUSION
CONSENT FOR PUBLICATION
CONFLICT OF INTEREST
ACKNOWLEDGEMENT
REFERENCES
Design A Resilient Network Infrastructure Security Policy Framework
1. INTRODUCTION
2. INFORMATION SECURITY POLICY
2.1. Stage #1: Security Policy Design
2.2. Stage #2: Security Policy Design
3. PROPOSED NETWORK SECURITY POLICY FRAMEWORK
3.1. Architectural Foundation Model
3.2. Operational Security Design
4. RESEARCH WORK
CONCLUSION
DISCLOSURE
CONSENT FOR PUBLICATION
CONFLICT OF INTEREST
ACKNOWLEDGEMENT
REFERENCES
Security Algorithms For Cloud Computing
1. INTRODUCTION
2. ASYMMETRIC ALGORITHMS
2.1. RSA
2.2. Diffie-Hellman Key Exchange (D-H)
3. SYMMETRIC ALGORITHMS
4. RELATED WORK PERFORMED
4.1. Comparison Parameters
4.2. Performance Evaluation
5. PERFORMANCE RESULTS
CONCLUSION
DISCLOSURE
CONSENT FOR PUBLICATION
CONFLICT OF INTEREST
ACKNOWLEDGEMENT
REFERENCES
Solutions for DDoS Attacks on Cloud Environment
1. INTRODUCTION
2. REPORTS AND TRENDS
2.1. Types of DDoS Attacks
3. PROPOSED SOLUTIONS
3.1. On-Premise-based Solution
3.2. ISP DDoS Solution
3.3. Scrubbing Defense DDoS Mitigation
4. MULTI-TIERED NETWORK ARCHITECTURE
CONCLUSION
DISCLOSURE
CONSENT FOR PUBLICATION
CONFLICT OF INTEREST
ACKNOWLEDGEMENT
REFERENCES
Three-tier Network Architecture to Mitigate DDoS Attacks on Hybrid Cloud Environments
1. INTRODUCTION
2. DDOS IMPACT ANALYSIS
3. TRADITIONAL SECURITY V/S NEW-AGE DDOS ATTACKS
4. EXISTING DDOS SOLUTIONS
4.1. On-premise Based
4.2. Cloud-Based Security Services
4.3. Hybrid Cloud-based Security
5. PROPOSED DDOS SOLUTION
5.1. Infrastructure Setup
5.2. Parameters For Data Analysis
5.3. Performance Analysis
5.3.1. Single-Tier Network Architecture
5.3.2. Three-Tier Network Architecture
CONCLUSION
DISCLOSURE
CONSENT FOR PUBLICATION
CONFLICT OF INTEREST
ACKNOWLEDGEMENT
REFERENCES
Review of Solutions for Securing End-User Data Over Cloud Applications
1. INTRODUCTION
2. CHALLENGES IN CLOUD COMPUTING
2.1. End User Challenges in Cloud
2.2. Gaps around End User Computing Applications
3. LITERATURE REVIEW
4. PROPOSED SOLUTIONS TO CLOUD DATA SECURITY ISSUES
4.1. End-user Security using Public Key Cryptography
4.2. Use Multi-factor Authentication
4.3. Use of Cloud Aware Applications
5. RESEARCH WORK PERFORMED
CONCLUSION
DISCLOSURE
CONSENT FOR PUBLICATION
CONFLICT OF INTEREST
ACKNOWLEDGEMENT
REFERENCES
DDoS Attacks, New DDoS Taxonomy, And Mitigation Solutions
1. INTRODUCTION
2. RELATED WORK
2.1. As per the Degree of Attack Automation
2.2. As per Exploitation of Vulnerabilities
2.3. As per Attack Rate Dynamics
2.4. As per the Impact of Attacks
3. REVIEW OF DDOS RESEARCH
4. EFFECTIVE DDOS DETECTION PARAMETERS
5. PARAMETERS FOR DDOS COUNTERMEASURE
CONCLUSION
• FUNCTIONALITY – BE ABLE TO REDUCE, IF NOT BLOCK, THE IMPACT OF THE DDOS ATTACK, NO MATTER HOW LARGE OR POWERFUL THE DDOS FLOOD ATTACK IS
DISCLOSURE
CONSENT FOR PUBLICATION
CONFLICT OF INTEREST
ACKNOWLEDGEMENT
REFERENCES
Designing A Framework For Cloud Service Agreements For Cloud Environments
1. INTRODUCTION
2. CLOUD SERVICE AGREEMENTS OVERVIEW
3. LITERATURE REVIEW
4. CSA METRICS
4.1. CSA Metrics for SaaS
4.2. CSA Metrics for IaaS
4.3. CSA Metrics for PaaS
4.4. CSA Metrics for STaaS
4.5. Proposed Framework for Cloud Service Agreement (CSA)
CONCLUSION
DISCLOSURE
CONSENT FOR PUBLICATION
CONFLICT OF INTEREST
ACKNOWLEDGEMENT
REFERENCES
Comparing Single-Tier And Three-Tier Infrastructure Designs Against DDoS Attacks
1. INTRODUCTION
2. LITERATURE SURVEY
3. DDOS ATTACK IMPLEMENTATION
3.1. Architecture Design and Implementation
4. PERFORMANCE ANALYSIS
4.1. Single Tier Logs and Data Analysis
4.2. Three-Tier Logs and Data Analysis
5. PERFORMANCE DATA VALIDATION
Interpreting the T-Test Results
5.1. T-Test Validation for Average ICMP
T-Test Summary
Test Interpretation
5.2. T-Test Validation for Page Load Response
Test Interpretation
5.3. T-Test Summary for Browser Throughput Parameters
Test Interpretation
5.4. T-Test Summary for Application Server Response Parameters
5.5. T-Test Summary for Application Server Response Parameters
Test Interpretation
CONCLUSION
DISCLOSURE
CONSENT FOR PUBLICATION
CONFLICT OF INTEREST
ACKNOWLEDGEMENT
REFERENCES
Security Challenges For Cloud-Based Email Infrastructure
1. INTRODUCTION
2. LIMITATIONS OF EMAIL PROTOCOLS
3. LITERATURE SURVEY
4. RESEARCH PERFORMED
4.1. Survey of Email Service Providers
Survey Results for Survey#1
4.2. Survey of Email Practices by Users
Survey Results for Survey#2
4.3. Survey of Email User Awareness
Survey Results for Survey#3
5. SECURITY ADVANTAGES OF CLOUD-BASED EMAIL SOLUTIONS
CONCLUSION
DISCUSSIONS AND RECOMMENDATION
DISCLOSURE
CONSENT FOR PUBLICATION
CONFLICT OF INTEREST
ACKNOWLEDGEMENT
REFERENCES
Efficient Fault Tolerance in Cloud Environments
1. INTRODUCTION
2. FAULT TOLERANCE FOR CLOUD ENVIRONMENTS
3. LITERATURE SURVEY
4. RESEARCH WORK
4.1. Fault Tolerance Assessment Algorithm
4.2. Fault Tolerance Case Evaluations
4.3. Reliability for Cloud Models
CONCLUSION
FUTURE SCOPE
DISCLOSURE
CONSENT FOR PUBLICATION
CONFLICT OF INTEREST
ACKNOWLEDGEMENT
REFERENCES
Subject Index
Back Cover

New Age Cyber Threat Mitigation for Cloud Computing Networks. Authored by Akashdeep Bhardwaj, University of Petroleum and Energy Studies, Cybersecurity & Digital Forensics, India.

New Age Cyber Threat Mitigation for Cloud Computing Networks
Author: Akashdeep Bhardwaj
ISBN (Online): 978-981-5136-11-1
ISBN (Print): 978-981-5136-12-8
ISBN (Paperback): 978-981-5136-13-5
© 2023, Bentham Books imprint. Published by Bentham Science Publishers Pte. Ltd. Singapore. All Rights Reserved. First published in 2023.

BSP-EB-PRO-9789815136111-TP-171-TC-11-PD-20230614

BENTHAM SCIENCE PUBLISHERS LTD.

End User License Agreement (for non-institutional, personal use) This is an agreement between you and Bentham Science Publishers Ltd. Please read this License Agreement carefully before using the ebook/echapter/ejournal (“Work”). Your use of the Work constitutes your agreement to the terms and conditions set forth in this License Agreement. If you do not agree to these terms and conditions then you should not use the Work. Bentham Science Publishers agrees to grant you a non-exclusive, non-transferable limited license to use the Work subject to and in accordance with the following terms and conditions. This License Agreement is for non-library, personal use only. For a library / institutional / multi user license in respect of the Work, please contact: [email protected].

Usage Rules:
1. All rights reserved: The Work is the subject of copyright and Bentham Science Publishers either owns the Work (and the copyright in it) or is licensed to distribute the Work. You shall not copy, reproduce, modify, remove, delete, augment, add to, publish, transmit, sell, resell, create derivative works from, or in any way exploit the Work or make the Work available for others to do any of the same, in any form or by any means, in whole or in part, in each case without the prior written permission of Bentham Science Publishers, unless stated otherwise in this License Agreement.
2. You may download a copy of the Work on one occasion to one personal computer (including tablet, laptop, desktop, or other such devices). You may make one back-up copy of the Work to avoid losing it.
3. The unauthorised use or distribution of copyrighted or other proprietary content is illegal and could subject you to liability for substantial money damages. You will be liable for any damage resulting from your misuse of the Work or any violation of this License Agreement, including any infringement by you of copyrights or proprietary rights.

Disclaimer: Bentham Science Publishers does not guarantee that the information in the Work is error-free, or warrant that it will meet your requirements or that access to the Work will be uninterrupted or error-free. The Work is provided "as is" without warranty of any kind, either express or implied or statutory, including, without limitation, implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the results and performance of the Work is assumed by you. No responsibility is assumed by Bentham Science Publishers, its staff, editors and/or authors for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products instruction, advertisements or ideas contained in the Work.

Limitation of Liability: In no event will Bentham Science Publishers, its staff, editors and/or authors, be liable for any damages, including, without limitation, special, incidental and/or consequential damages and/or damages for lost data and/or profits arising out of (whether directly or indirectly) the use or inability to use the Work. The entire liability of Bentham Science Publishers shall be limited to the amount actually paid by you for the Work.

General:
1. Any dispute or claim arising out of or in connection with this License Agreement or the Work (including non-contractual disputes or claims) will be governed by and construed in accordance with the laws of Singapore. Each party agrees that the courts of the state of Singapore shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this License Agreement or the Work (including non-contractual disputes or claims).
2. Your rights under this License Agreement will automatically terminate without notice and without the need for a court order if at any point you breach any terms of this License Agreement. In no event will any delay or failure by Bentham Science Publishers in enforcing your compliance with this License Agreement constitute a waiver of any of its rights.
3. You acknowledge that you have read this License Agreement, and agree to be bound by its terms and conditions. To the extent that any other terms and conditions presented on any website of Bentham Science Publishers conflict with, or are inconsistent with, the terms and conditions set out in this License Agreement, you acknowledge that the terms and conditions set out in this License Agreement shall prevail.

Bentham Science Publishers Pte. Ltd.
80 Robinson Road #02-00
Singapore 068898
Singapore
Email: [email protected]

CONTENTS FOREWORD ........................................................................................................................................... i PREFACE ................................................................................................................................................ ii CHAPTER 1 RANSOMWARE: RISING THREAT OF NEW-AGE DIGITAL EXTORTION 1. INTRODUCTION ...................................................................................................................... 2. RANSOMWARE VARIANTS & PROPAGATION ............................................................... 2.1. Crypto-Ransomware ........................................................................................................ 2.2. Locker Ransomware ........................................................................................................ 3. RANSOMWARE ATTACK & PROTECTION ..................................................................... 4. RESEARCH METHODOLOGY .............................................................................................. 5. PROPOSED MALWARE SOLUTION .................................................................................... 5.1. Environment Setup ........................................................................................................... 5.2. Malware Code Analysis Environment ............................................................................. 5.3. Malware Reporting Environment .................................................................................... 6. RESULTS OBTAINED .............................................................................................................. CONCLUSION ............................................................................................................................... CONSENT FOR PUBLICATION ................................................................................................ 
CONFLICT OF INTEREST ......................................................................................................... ACKNOWLEDGEMENT ............................................................................................................. REFERENCES ...............................................................................................................................

1 1 3 3 4 5 8 8 10 11 11 11 13 13 13 13 13

CHAPTER 2 DESIGN A RESILIENT NETWORK INFRASTRUCTURE SECURITY POLICY FRAMEWORK ....................................................................................................................................... 1. INTRODUCTION ...................................................................................................................... 2. INFORMATION SECURITY POLICY .................................................................................. 2.1. Stage #1: Security Policy Design ..................................................................................... 2.2. Stage #2: Security Policy Design ..................................................................................... 3. PROPOSED NETWORK SECURITY POLICY FRAMEWORK ....................................... 3.1. Architectural Foundation Model ...................................................................................... 3.2. Operational Security Design ............................................................................................ 4. RESEARCH WORK .................................................................................................................. CONCLUSION ............................................................................................................................... DISCLOSURE ................................................................................................................................ CONSENT FOR PUBLICATION ................................................................................................ CONFLICT OF INTEREST ......................................................................................................... ACKNOWLEDGEMENT ............................................................................................................. REFERENCES ...............................................................................................................................

16 16 19 20 20 21 22 23 24 27 27 27 27 27 28

CHAPTER 3 SECURITY ALGORITHMS FOR CLOUD COMPUTING ..................................... 1. INTRODUCTION ...................................................................................................................... 2. ASYMMETRIC ALGORITHMS ............................................................................................. 2.1. RSA .................................................................................................................................. 2.2. Diffie-Hellman Key Exchange (D-H) .............................................................................. 3. SYMMETRIC ALGORITHMS ................................................................................................ 4. RELATED WORK PERFORMED .......................................................................................... 4.1. Comparison Parameters ................................................................................................... 4.2. Performance Evaluation ................................................................................................... 5. PERFORMANCE RESULTS .................................................................................................... CONCLUSION ............................................................................................................................... DISCLOSURE ................................................................................................................................

29 29 32 32 33 33 34 35 36 36 40 40

CONSENT FOR PUBLICATION ................................................................................................ CONFLICT OF INTEREST ......................................................................................................... ACKNOWLEDGEMENT ............................................................................................................. REFERENCES ...............................................................................................................................

40 40 40 40

CHAPTER 4 SOLUTIONS FOR DDoS ATTACKS ON CLOUD ENVIRONMENT ................... 1. INTRODUCTION ...................................................................................................................... 2. REPORTS AND TRENDS ......................................................................................................... 2.1. Types of DDoS Attacks ................................................................................................... 3. PROPOSED SOLUTIONS ........................................................................................................ 3.1. On-Premise-based Solution ............................................................................................. 3.2. ISP DDoS Solution .......................................................................................................... 3.3. Scrubbing Defense DDoS Mitigation .............................................................................. 4. MULTI-TIERED NETWORK ARCHITECTURE ................................................................ CONCLUSION ............................................................................................................................... DISCLOSURE ................................................................................................................................ CONSENT FOR PUBLICATION ................................................................................................ CONFLICT OF INTEREST ......................................................................................................... ACKNOWLEDGEMENT ............................................................................................................. REFERENCES ...............................................................................................................................

42 42 44 50 51 51 52 52 53 54 55 55 55 55 55

CHAPTER 5 THREE-TIER NETWORK ARCHITECTURE TO MITIGATE DDoS ATTACKS ON HYBRID CLOUD ENVIRONMENTS ...................................................................... 1. INTRODUCTION ...................................................................................................................... 2. DDoS IMPACT ANALYSIS ..................................................................................................... 3. TRADITIONAL SECURITY V/S NEW-AGE DDoS ATTACKS ........................................ 4. EXISTING DDoS SOLUTIONS .............................................................................................. 4.1. On-premise Based ............................................................................................................ 4.2. Cloud-Based Security Services ........................................................................................ 4.3. Hybrid Cloud-based Security ........................................................................................... 5. PROPOSED DDoS SOLUTION .............................................................................................. 5.1. Infrastructure Setup .......................................................................................................... 5.2. Parameters For Data Analysis .......................................................................................... 5.3. Performance Analysis ...................................................................................................... 5.3.1. Single-Tier Network Architecture ....................................................................... 5.3.2. Three-Tier Network Architecture ........................................................................ CONCLUSION ............................................................................................................................... 
DISCLOSURE ................................................................................................................................ CONSENT FOR PUBLICATION ................................................................................................ CONFLICT OF INTEREST ......................................................................................................... ACKNOWLEDGEMENT ............................................................................................................. REFERENCES ...............................................................................................................................

56 56 56 58 60 60 61 61 62 62 63 63 63 66 68 69 69 69 69 69

CHAPTER 6 REVIEW OF SOLUTIONS FOR SECURING END-USER DATA OVER CLOUD APPLICATIONS ..................................................................................................................................... 1. INTRODUCTION ...................................................................................................................... 2. CHALLENGES IN CLOUD COMPUTING ........................................................................... 2.1. End User Challenges in Cloud ......................................................................................... 2.2. Gaps around End User Computing Applications ............................................................. 3. LITERATURE REVIEW .......................................................................................................... 4. PROPOSED SOLUTIONS TO CLOUD DATA SECURITY ISSUES ................................. 4.1. End-user Security using Public Key Cryptography .........................................................

70 70 72 72 73 73 75 75

4.2. Use Multi-factor Authentication ...................................................................................... 4.3. Use of Cloud Aware Applications ................................................................................... 5. RESEARCH WORK PERFORMED ....................................................................................... CONCLUSION ............................................................................................................................... DISCLOSURE ................................................................................................................................ CONSENT FOR PUBLICATION ................................................................................................ CONFLICT OF INTEREST ......................................................................................................... ACKNOWLEDGEMENT ............................................................................................................. REFERENCES ............................................................................................................................... CHAPTER 7 DDoS ATTACKS, NEW DDoS TAXONOMY, AND MITIGATION SOLUTIONS ............................................................................................................................................ 1. INTRODUCTION ...................................................................................................................... 2. RELATED WORK ..................................................................................................................... 2.1. As per the Degree of Attack Automation ........................................................................ 2.2. As per Exploitation of Vulnerabilities ............................................................................. 2.3. As per Attack Rate Dynamics .......................................................................................... 2.4. 
As per the Impact of Attacks ........................................................................................... 3. REVIEW OF DDoS RESEARCH ............................................................................................ 4. EFFECTIVE DDoS DETECTION PARAMETERS ............................................................. 5. PARAMETERS FOR DDoS COUNTERMEASURE ............................................................ CONCLUSION ............................................................................................................................... • FUNCTIONALITY – BE ABLE TO REDUCE, IF NOT BLOCK, THE IMPACT OF THE DDoS ATTACK, NO MATTER HOW LARGE OR POWERFUL THE DDoS FLOOD ATTACK IS .................................................................................................................................... DISCLOSURE ................................................................................................................................ CONSENT FOR PUBLICATION ................................................................................................ CONFLICT OF INTEREST ......................................................................................................... ACKNOWLEDGEMENT ............................................................................................................. REFERENCES ............................................................................................................................... CHAPTER 8 DESIGNING A FRAMEWORK FOR CLOUD SERVICE AGREEMENTS FOR CLOUD ENVIRONMENTS ................................................................................................................... 1. INTRODUCTION ...................................................................................................................... 2. CLOUD SERVICE AGREEMENTS OVERVIEW ................................................................ 3. 
LITERATURE REVIEW .......................................................................................................... 4. CSA METRICS ........................................................................................................................... 4.1. CSA Metrics for SaaS ...................................................................................................... 4.2. CSA Metrics for IaaS ....................................................................................................... 4.3. CSA Metrics for PaaS ...................................................................................................... 4.4. CSA Metrics for STaaS ................................................................................................... 4.5. Proposed Framework for Cloud Service Agreement (CSA) ............................................ CONCLUSION ............................................................................................................................... DISCLOSURE ................................................................................................................................ CONSENT FOR PUBLICATION ................................................................................................ CONFLICT OF INTEREST ......................................................................................................... ACKNOWLEDGEMENT ............................................................................................................. REFERENCES ...............................................................................................................................

77 78 80 81 81 82 82 82 82 84 84 85 86 87 87 87 88 90 91 93 93 94 94 94 94 94 97 97 99 101 104 104 105 105 106 110 111 112 112 112 112 112

CHAPTER 9 COMPARING SINGLE-TIER AND THREE-TIER INFRASTRUCTURE DESIGNS AGAINST DDoS ATTACKS .............................................................................................. 114 1. INTRODUCTION ...................................................................................................................... 114

2. LITERATURE SURVEY ... 115
3. DDOS ATTACK IMPLEMENTATION ... 118
3.1. Architecture Design and Implementation ... 118
4. PERFORMANCE ANALYSIS ... 119
4.1. Single Tier Logs and Data Analysis ... 120
4.2. Three-Tier Logs and Data Analysis ... 121
5. PERFORMANCE DATA VALIDATION ... 124
Interpreting the T-Test Results ... 125
5.1. T-Test Validation for Average ICMP ... 125
T-Test Summary ... 126
Test Interpretation ... 126
5.2. T-Test Validation for Page Load Response ... 127
Test Interpretation ... 127
5.3. T-Test Summary for Browser Throughput Parameters ... 127
Test Interpretation ... 129
5.4. T-Test Summary for Application Server Response Parameters ... 129
5.5. T-Test Summary for Application Server Response Parameters ... 130
Test Interpretation ... 130
CONCLUSION ... 130
DISCLOSURE ... 131
CONSENT FOR PUBLICATION ... 131
CONFLICT OF INTEREST ... 131
ACKNOWLEDGEMENT ... 131
REFERENCES ... 131

CHAPTER 10 SECURITY CHALLENGES FOR CLOUD-BASED EMAIL INFRASTRUCTURE ... 133
1. INTRODUCTION ... 133
2. LIMITATIONS OF EMAIL PROTOCOLS ... 134
3. LITERATURE SURVEY ... 136
4. RESEARCH PERFORMED ... 141
4.1. Survey of Email Service Providers ... 142
Survey Results for Survey#1 ... 143
4.2. Survey of Email Practices by Users ... 143
Survey Results for Survey#2 ... 144
4.3. Survey of Email User Awareness ... 145
Survey Results for Survey#3 ... 145
5. SECURITY ADVANTAGES OF CLOUD-BASED EMAIL SOLUTIONS ... 146
CONCLUSION ... 148
DISCUSSIONS AND RECOMMENDATION ... 148
DISCLOSURE ... 149
CONSENT FOR PUBLICATION ... 149
CONFLICT OF INTEREST ... 149
ACKNOWLEDGEMENT ... 149
REFERENCES ... 149

CHAPTER 11 EFFICIENT FAULT TOLERANCE IN CLOUD ENVIRONMENTS ... 152
1. INTRODUCTION ... 152
2. FAULT TOLERANCE FOR CLOUD ENVIRONMENTS ... 153
3. LITERATURE SURVEY ... 154
4. RESEARCH WORK ... 158
4.1. Fault Tolerance Assessment Algorithm ... 158
4.2. Fault Tolerance Case Evaluations ... 159
4.3. Reliability for Cloud Models ... 163
CONCLUSION ... 163
FUTURE SCOPE ... 164
DISCLOSURE ... 165
CONSENT FOR PUBLICATION ... 165
CONFLICT OF INTEREST ... 165
ACKNOWLEDGEMENT ... 165
REFERENCES ... 165

SUBJECT INDEX


FOREWORD

To the Reader of this book: In submitting the wonderful manuscript titled ‘New Age Cyber Threat Mitigation for Cloud Computing Networks’ in book form, I believe that a few words about the book's author, this remarkable personality, will be of interest. I have known Dr. Akashdeep Bhardwaj for the past two decades, first as the IT manager of my organization, then as the IT Head leading the Data center teams for another organization. We have been in constant touch throughout, as I reach out to him often for some IT-related security work projects that I deliver. With his passion for mentoring cyber warriors and giving back his experience to society, Dr. Akashdeep ventured into academics, leaving behind a high-profile and well-paying career in the Cybersecurity domain. My best wishes to him, and I hope he shares his experience in the form of these wonderful books with society.

Mohit Rampal CTO Ramognee Pvt. Ltd., Gurgaon, India


PREFACE

Cybersecurity attacks have made securing Cloud infrastructure, by using encryption for cloud traffic and defending against new-age attacks, the highest priority. The use of encryption algorithms is considered for Cloud and network-based services that require critical data and link encryption. This book suggests the use of a network security framework to bridge the gap between high-level specification requirements and the low-level implementation phase for network infrastructure security, using the network architecture model with the security policies associated with the network components that are required to be enforced. The increasing use of email security protocols with encryption, PKI-based cryptographic techniques, IP address verification, and DNS-based domain validation is discussed to mitigate spoofing and other email threats. This book provides global Cloud and Network engineers with new options and recommends new methodologies and feasible solutions that can be implemented to secure the Cloud architecture and IT Infrastructure, thereby securing end users. This includes designing and implementing solutions against new-age attacks on the cloud infrastructure and network services.

Akashdeep Bhardwaj University of Petroleum and Energy Studies, Dehradun, India

New Age Cyber Threat Mitigation for Cloud Computing Networks, 2023, 1-15


CHAPTER 1

Ransomware: Rising Threat of New-Age Digital Extortion

Abstract: What if someone stopped you from accessing your files or using your computer? What if they demanded an amount to give access back to you? Most financial and social interactions revolve around three critical aspects – firstly, the use of digital data and files; secondly, computer systems; and last, the insecure internet. This is where Ransomware using Bitcoin has become a major cause of concern, in the form of a new-age digital extortion threat to home and corporate users. This chapter discusses Ransomware and the methods adopted by cybercriminals for holding innocent users' digital data and systems to ransom, and proposes a malware detection system. Crypto and Locker ransomware are reviewed for their propagation, attack techniques, and new emerging threat vectors, such as File Encryption Ransomware, Screen Lock Ransomware, Windows & Browser Lock, Pop-up Advertisements, and URL Redirection. The author proposes a Cloud-based malware detection system, performing a comparison evaluation with and without the proposed anti-malware solution in the form of sandboxes, so that even if the environment got compromised, it could be easily decommissioned and rebuilt from a fresh, clean virtual snapshot. Malware Behavioral environments were set up for analyzing malware before and after receiving malware payload files and logs from infected user devices. Malware Code Analysis gathered assembly code and memory dumps and analyzed malware payload instructions. The Reporting environment analyzed Web URLs proactively for malicious sites hosting malware code or payloads and checked the user systems and devices with before and after analysis logs.

Keywords: Bitcoin, Crypto, Extortion, Locker, Malware, Ransomware.

Akashdeep Bhardwaj. All rights reserved-© 2023 Bentham Science Publishers

1. INTRODUCTION

The impact of Ransomware [1] has caused immense damage to end-users and corporates [2]. Blocking access to authorized data and releasing it only after the ransom demand has been met is a new age of digital extortion, which holds promise as a viable option against malicious attacks on user devices, including mobiles and handhelds. The recent explosion of the internet and personal computers has led to cybercriminals subjecting users to extortion on a massive scale never seen before. Ransomware is digital extortion by pushing malware code to infect a user system from different infection vectors like browser exploit kits, drive-by freeware apps, malicious email attachments, links offering free software, or advertisements offering free cash and incentives. The malware injects malicious code into the user system that installs itself as an executable in a random system location. This code then takes the user system hostage by preventing users from accessing their computer systems normally, stopping certain applications or input devices from running, or encrypting user data files [3], and uses scare tactics, asking the user to either pay a ransom amount in the form of Bitcoin or fill in surveys [4] before releasing the system or data. The Ransomware malware has a high degree of inbuilt capability to run 64-bit code from its 32-bit TOR dropper; recent malware variants are known to switch the execution context of the processor from 32 to 64-bit in a WOW64 environment [5].

Bitcoin is a network that allows a new form of monetary payment, medium of exchange, and virtual digital cash. Individuals can purchase Bitcoins from online exchanges, direct sellers, or in person with hard cash or credit cards. Bitcoin transactions are stored in a public ledger known as the Blockchain, wherein a money exchange is seen by the entire network almost immediately and recorded, making it difficult to identify the owners; however, the system is not anonymous [6]. Bitcoins are not owned by any single company and are more like email exchanges, where no one can block two entities from exchanging emails, details, or Bitcoins among themselves. Bitcoins are used for sending or receiving money with anyone, anywhere globally, at a very small transaction cost. The payments cannot be blocked or frozen. The rise in Bitcoin value has been phenomenal; about 25 Bitcoins are created every 10 minutes globally. In 2011, a single Bitcoin was under $1. Currently, 1 Bitcoin is worth 100s of US$. As Bitcoin’s demand and popularity increase, Bitcoin might well be worth hundreds of thousands of dollars.
This chapter compares the proposed malware detection and alerting process with signature-based antivirus scanning systems; the proposed process has better mitigation results and advantages. The Anti-Malware scanning security [5], apart from being offered as a cloud service with the scanners operating from a secure cloud platform, showed far more resilience than other methods. Apart from the advantages of being a cloud-based service that offers user-driven implementation, elasticity, and a pay-as-you-use model, this even helps save huge costs and promotes the concept of BYOD. The proposed Anti-Malware detection can be offered as a cloud service, with blocking done for a specific customer so that other users of the same application program benefit from the experience of infected users. This system can follow a pay-as-you-use model and be dynamically elastic for capacity increase.

Digital Extortion


2. RANSOMWARE VARIANTS & PROPAGATION

Ransomware malware has been seen to have two major variants. The most common version is Crypto Ransomware, which encrypts the files and data. In contrast, the other version is Locker Ransomware, which locks down the user system, applications, or input devices, preventing the target user from normal operations.

2.1. Crypto-Ransomware

Crypto ransomware acts as a data locker. Once injected into the user system, the malware works in stealth mode to search for files and data with extensions such as FLV, RTF, PPT, CHM, TXT, DOC, CPP, ASM, XLS, JPG, MP3, MP4, CGI, KEY, MDB, PGP, and PDF. During this time, the attacked system continues to work normally, as critical OS and system files are not targeted and the system’s functionality is not tampered with, so as not to raise any suspicion. Then the malware encrypts the user files and data. This makes the files and data unusable, forcing the users to pay to obtain the decryption key, as illustrated in Fig. (1.1).

Fig. (1.1). Crypto-Ransomware.


2.2. Locker Ransomware

Locker ransomware locks the user system or input interface devices like the mouse or keyboard and denies access to computer systems, as presented in Fig. (1.2). The malware then asks the user to pay a fee to restore normal access and even leaves limited functionality to interact with the Ransomware [7], like keeping the mouse and numeric keyboard keys enabled to input the ransom amount. This malware keeps the system and files untouched and can be removed to restore a system to its original state relatively easily, compared to the data locker malware.

Fig. (1.2). Locker Ransomware.

Many ways help propagate malware and lead to Ransomware infection.

● Traffic Redirection: This is the most common method, enticing the user to click a malicious advertisement or redirecting the user's web traffic to other sites hosting the malware as an exploit kit. Usually, the redirected traffic originates from porn sites to a portal offering free games or upgrades for user applications. If the user accepts and downloads [8] the freeware, the malware payload exploits vulnerabilities in the user's computer, leading to the lock or encryption of their systems and files.
● Email attachments: Emails with attachments or links entice users to open and access web portals with ransomware malware. The email, on first look, seems to have legitimate senders like the user’s energy bill, tax returns, legal notifications, or even job seekers, asking the user to open the attachment or click a link and update it with the user’s latest information. While the user opens the attachment or browses the website, the malware sets about infecting the user system in the background.
● Botnets: These are distributed by downloaders that compromise user systems and then download the malware as a second step. The downloads [9] are legitimate software like free games or tools which don’t carry the malware themselves; they download the malicious code later.
● Social Engineering: At times, Ransomware has built-in functionality to spread to other systems by sending emails to the users’ Outlook address book or sending out SMS from their phone list. This method is effective for spreading malware as it comes from a legitimate source and gets accepted easily.
● Ransomware as a Service: With the growing trend of digital extortion, cybercriminals have started providing Ransomware as a service or RaaS (in cloud computing terms), offering to carry out malware attacks on payment or for a share of the profits, running it like a business service on the cloud.

3. RANSOMWARE ATTACK & PROTECTION

While Ransomware is devised for the extortion of money from innocent users, making them victims of malware attacks, how this is performed varies in its operational and technical aspects. Ransomware attacks bring forth the malicious [10] nexus between cybercriminals and their effective use of psychological intimidation in ransom demands. Most malware hides in the below-mentioned locations to execute and propagate. A few Windows registry settings are also modified to enable the malware to manifest and stay ‘alive’:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\

Recent crypto Ransomware uses symmetric as well as asymmetric encryption methods. In symmetric crypto, a single key encrypts the user data, and the same key decrypts the encrypted data. The attacker sends the key after payment or on request from the victim. Symmetric encryption using 256-bit keys is generally faster and more efficient than the other types. Asymmetric crypto involves two keys: a public key to encrypt the user data and a private key to decrypt that data. The attacker shares the private key with the victim after payment. Since two keys are involved, the attacker holds a relatively stronger negotiating position; the only problem seen here is when trying to encrypt a huge number of large-sized files and data, which could take a long time and expose the malware operation before the encryption is complete [11]. Also, in case the user disconnects internet access, the data encryption process cannot start if the Ransomware needs to contact the malware server and download the encryption key. This dependency on the malware server is a weak spot for this attack. To resolve this weak link, attackers follow some of the following methods:

● Malware like Crypto Defense uses AES symmetric and RSA asymmetric encryption techniques, encrypting user files with a common 256-bit AES key but using a different RSA private key for decryption for each infection. However, access to the internet and the server is required.
● CBT Locker malware generates a 256-bit AES symmetric key for encrypting user files and then encrypts that AES key with an RSA public key. The encrypted AES key is added to the encrypted files. To decrypt, the user requires the RSA key and has to reach out [12] to the attacker. Here internet access is not essential.
● Screen lock Ransomware displays a message on the user system screen; even Android mobiles infected with the malware Trojan constantly get the locker window brought to the foreground in a continuous [13] loop, utilizing APIs from the operating system itself to perform this task.
● Windows & Browser Lock infects Windows OS, displaying a message on the system screen or browser, controlling the background threads and applications, and ensuring the message stays active. The malware is not an executable [14]; the ransom message page contains just images and HTML code running JavaScript within the web browser.
● Popup Advertisements are displayed when accessing websites; the main concept and goal behind popup malware is to get the end-user to click the pop-up at least once. The malware attacker gets paid for each click by having a unique ID for its malware application. Once clicked, another web window opens that takes the end-user to another URL with malware waiting to be pushed using Java or Flash [15]. Initially, web browsers had pop-up blockers, but those blocked even useful popup windows, and attackers' methods improved to bypass the web browser popup blockers using simple JavaScript. The Mozilla web browser released a popup blocker patch update in 2005 that prevented Java and Flash pop-ups, but a simple function can detect a popup blocker and work to bypass it. In recent times, Adobe Flash has been used for pop-up advertisements, making the pop-up virtually undetectable, as no popups are displayed and the advertisement runs from the web landing page itself or the current window. Then they push the ransomware script and execute it on the fly.

The main reason for using popups by malware creators is to redirect the unsuspecting end-user to another location with little or hardly any visible change in the URL, such as icic.com instead of the correct icici.com, or GO0GLE.com instead of GOOGLE.com. Such malicious redirects [16] allow the attackers to copy the site the victim wanted to browse (say a bank site) and fill it with multiple attack vector injection points, where once the victim clicks anywhere on the page, they become infected with malware, leading to Ransomware executable files being pushed to their systems [17] and asking for their bank login and password. Another sinister method the attackers employ for planning Ransomware attacks is to push scripts [18] and get access to user trace logs for servers and sites. This method is used to detect which sites are accessed regularly by the user, collect his/her browsing pattern, plan an advanced intelligence method against those sites, and push their malicious malware applications to those sites for ransomware attacks. URL Redirection is another method of leading the end-user astray by modifying the search engine metadata for specific keywords, targeting those end-users who regularly search for a word first and then access the website from the search engine instead of typing the website name. Like most cyber threats and attacks, Ransomware can be avoided by following the mentioned steps:

● Always have an updated Antivirus, Anti-Malware, and Web browser monitoring software with a personal firewall running on each user system. While a strong personal firewall enforces rules for what goes out of or comes into the system and an Anti-Malware application blocks most malicious code from infecting the user systems, ensuring the security applications are up to date is critical.
● Maintaining a regular backup, as often as possible or after a major project, to either an external hard disk or an online cloud backup service reduces the threats. The user can simply wipe and reimage the system to the default, starting afresh and restoring data.
● Popup blockers should always be kept enabled, as these are the main tactic used by the attackers to display luring advertisements and offers. Users should simply close any popup they find suspicious.
● Never open links and attachments inside spam emails or from unknown senders. Attackers create fake sites, trying to entice users to enter their user IDs and passwords.
● In case the system gets infected and the screen displays the Ransomware note, immediately disconnect from the Internet. This would deny any personal data from being sent back to the attackers, and shutting down the computer would stop the encryption process from continuing. By reimaging and reinstalling the OS and application software and restoring data from the backup, the user would be back to normal operations.
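As an added example (editor-supplied, not the book's own code), the following Python flags the kind of lookalike domains described above (icic.com for icici.com, GO0GLE.com for GOOGLE.com) before a redirect is followed; the trusted list, the confusable-character map, and the last-two-labels domain rule are assumptions.

```python
"""Lookalike-domain check for the URL swaps cited in the text (icic.com for
icici.com, GO0GLE.com for GOOGLE.com). Added example, not from the book;
the trusted list and the confusable-character map are constructed assumptions,
and the registrable domain is approximated as the last two host labels."""
from __future__ import annotations

from urllib.parse import urlsplit

# Assumed map of characters attackers substitute for the letters they resemble.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"}
# Assumed allowlist of domains the user is known to visit (the bank and the
# search engine named in the text).
TRUSTED = ("icici.com", "google.com")


def registrable_domain(url: str) -> str:
    """Host from a URL or bare hostname, lowercased, reduced to its last two labels."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:])


def fold_confusables(label: str) -> str:
    """Map digits/symbols back to the letters they imitate (GO0GLE -> google)."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with unit-cost insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, trusted=TRUSTED) -> tuple[str, str | None]:
    """Return ("trusted", domain), ("lookalike", imitated domain) or ("unknown", None)."""
    domain = registrable_domain(url)
    if domain in trusted:
        return ("trusted", domain)
    name, _, tld = domain.rpartition(".")
    for known in trusted:
        kname, _, ktld = known.rpartition(".")
        if tld != ktld:
            continue
        # Homoglyph / digit substitution in the name: go0gle -> google.
        if fold_confusables(name) == kname:
            return ("lookalike", known)
        # One dropped, added or swapped character: icic -> icici.
        if edit_distance(name, kname) == 1:
            return ("lookalike", known)
    return ("unknown", None)


if __name__ == "__main__":
    for sample in ("http://icic.com/login", "GO0GLE.com",
                   "https://mail.google.com/", "https://example.org/"):
        print(sample, "->", classify_url(sample))
```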


4. RESEARCH METHODOLOGY

The authors reviewed existing online malware detection, blocking, and removal solutions. Some of the existing antimalware detection and blocking options are offered [20] by antivirus and cloud security companies.

● Dynamic Analysis – automated analysis of suspicious files, which are scanned and analyzed for unique fingerprints and signatures or impact using tools. Reports are produced at the end of the analysis with information like registry keys used by the malware, configuration changes done, and device, file, or network activity trends. However, automated scanning does not necessarily provide detailed insight. These are signature-based scans comparing and matching against a database of known malware.
● Static Analysis – manual analysis takes a deep-dive look at the malicious file’s activities by looking at file headers, embedded resources, payload, hashes, signature, and metadata, among a host of other analyzed properties. Heuristic scans are done here that do not need a signature analysis. Rules, algorithms, or commands which point to its malicious properties are evaluated to detect the malware.
● Cloud Services – using IaaS to build a virtualized environment, record and analyze the behavior of malicious files, and predict the next action or occurrence event. This is real-time protection, and systems are updated several times a day to mitigate zero-day attack vectors. The system integrates with antivirus engines through a lightweight agent running on user devices (laptops, desktops, mobiles) to monitor any deviation or new files on the user devices.

Behavioral Malware analysis used the below-mentioned threat vector endpoints [19] to monitor:

● Modification of the end-user “hosts” file
● Creation of an “autorun.inf” file on a USB or removable disk or a network folder
● User Outbox generating thousands of emails in a very short time
● Sudden generation of new programs with executable capability
● Suspicious “auto-run” registry keys getting modified
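As an added illustration of the before/after comparison these indicators call for (editor-supplied example code, not the authors' MDaaS agent), the following Python compares two constructed device snapshots and raises one alert per threat vector endpoint listed above; the snapshot layout, the Run-key list, the executable suffixes, the mail-burst threshold, and all sample values are assumptions.

```python
"""Before/after snapshot comparison for the behavioural indicators in Section 4.
Added example, not the authors' MDaaS code. Snapshot layout, key list,
suffix list, threshold and all sample values are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass

# Assumed auto-run locations to watch (the HKLM/HKCU Run keys).
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
# Assumed file suffixes treated as "programs with executable capability".
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js")
# Assumed threshold for "thousands of emails in a very short time".
MAIL_BURST_THRESHOLD = 500


@dataclass
class Snapshot:
    """One point-in-time picture of a user device, as a lightweight agent
    or a Regshot-style tool would capture it."""
    files: dict[str, str]                # path -> content fingerprint (constructed)
    registry: dict[str, dict[str, str]]  # registry key -> {value name: data}
    hosts: str                           # contents of the hosts file
    outbox_count: int                    # messages seen in the user's Outbox


def diff_snapshots(before: Snapshot, after: Snapshot) -> list[str]:
    """Return one alert string per behavioural indicator that fired."""
    alerts: list[str] = []

    # Indicator: modification of the end-user hosts file.
    if before.hosts != after.hosts:
        alerts.append("hosts file modified")

    # Indicators: autorun.inf created, or new executables appearing.
    for path in sorted(set(after.files) - set(before.files)):
        low = path.lower()
        if low.endswith("autorun.inf"):
            alerts.append(f"autorun.inf created: {path}")
        elif low.endswith(EXEC_SUFFIXES):
            alerts.append(f"new executable: {path}")

    # Indicator: auto-run registry values added or changed.
    for key in AUTORUN_KEYS:
        old_values = before.registry.get(key, {})
        for name, data in after.registry.get(key, {}).items():
            if old_values.get(name) != data:
                alerts.append(f"auto-run registry value changed: {key}\\{name} -> {data}")

    # Indicator: Outbox burst between the two snapshots.
    sent = after.outbox_count - before.outbox_count
    if sent >= MAIL_BURST_THRESHOLD:
        alerts.append(f"outbox burst: {sent} messages since previous snapshot")

    return alerts


def classify(before: Snapshot, after: Snapshot) -> tuple[str, list[str]]:
    """Step 4 of the MDaaS flow: label the device state safe or unsafe."""
    alerts = diff_snapshots(before, after)
    return ("unsafe" if alerts else "safe", alerts)


# Constructed sample snapshots (not real system data).
RUN_KEY = AUTORUN_KEYS[1]
DROPPED = r"C:\Users\alice\AppData\Roaming\x7k2q\svchost.exe"

BEFORE = Snapshot(
    files={
        r"C:\Windows\System32\drivers\etc\hosts": "fp-hosts-1",
        r"C:\Users\alice\Documents\report.doc": "fp-doc-1",
    },
    registry={RUN_KEY: {"OneDrive": r"C:\Users\alice\AppData\Local\OneDrive.exe"}},
    hosts="127.0.0.1 localhost\n",
    outbox_count=3,
)

AFTER_INFECTED = Snapshot(
    files={
        r"C:\Windows\System32\drivers\etc\hosts": "fp-hosts-2",
        r"C:\Users\alice\Documents\report.doc": "fp-doc-1",
        DROPPED: "fp-exe-1",
        r"E:\autorun.inf": "fp-autorun-1",
    },
    registry={RUN_KEY: {
        "OneDrive": r"C:\Users\alice\AppData\Local\OneDrive.exe",
        "x7k2q": DROPPED,
    }},
    hosts="127.0.0.1 localhost\n127.0.0.1 av-update.example\n",
    outbox_count=1450,
)

if __name__ == "__main__":
    verdict, found = classify(BEFORE, AFTER_INFECTED)
    print(verdict)
    for line in found:
        print(" -", line)
```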

5. PROPOSED MALWARE SOLUTION

The authors implemented Malware Detection as a Service (MDaaS), as presented in Fig. (1.3), which provides malware detection, analysis, and reporting services. Testing the malware in this manner requires the malicious code to be run and its behavior observed, even though this results in infecting the sandbox system, making it potentially unsafe. Hence, the authors performed the tests on isolated system environments.

Fig. (1.3). Malware Detection Environments. [Figure: flow between the user system browsing the unsecure Internet and the MDaaS cloud-based service for anti-malware mitigation: 1. Malware detected; 2. Logs/digital fingerprint sent to the MDaaS service; 3. File checked in real time in the MDaaS environments; 4. File identified as either safe or unsafe; 5. Cloud malware environment detects, analyzes, and reports the threat; 6. Threat identified and end user notified.]

In this solution, three environments presented in Fig. (1.4) are implemented with virtual machines with malware tools. User device snapshots are taken to determine any changes to the OS, Registry, processes, or files. A lightweight agent is installed that constantly pushes user system and device snapshots and status logs to the MDaaS Monitoring servers. This agent can send the malicious file from the user devices to the testbed environment for analysis, detection, and blocking. The servers are commissioned and decommissioned each time a new malware analysis is completed. This is done to avoid any chance of the malware's polymorphic features getting into action and potentially infecting the analysis servers, leaking data or payload to other systems, contacting the attacker for new actions to perform, or even upgrading themselves. The malware detection service environments are implemented using virtual machines running VMware Servers with Windows 2008 Server hosts in three lab environments.

Fig. (1.4). Malware Detection Environments: Malware Behavior Analysis Environment, Malware Code Analysis Environment, and Malware URL Reporting Environment.


AMOEBA, a device-level backup solution that doesn't need extra storage for backup, was suggested by Min et al. (2022) [22]. In order to quickly perform content-based detection algorithms for ransomware detection, AMOEBA is equipped with two key features: 1) a hardware accelerator, and 2) a fine-grained backup control mechanism that reduces the amount of space required for data backup. The authors prototyped AMOEBA using the OpenSSD platform in addition to implementing it using the Microsoft SSD simulator for assessments. Numerous tests using actual ransomware workloads demonstrated AMOEBA's strong ransomware detection accuracy and minimal performance overhead.

Zhang et al. (2022) [23] employed a DCGAN (Deep Convolutional Generative Adversarial Network) to train a generator, which demonstrated high performance in creating adversarial samples and was then transferred to the generator of TGAN. PreD, a pre-training model developed on a CNN (Convolutional Neural Network), is passed to the TGAN discriminator and exhibits high performance for binary classification. In the TGAN training process, the generator and discriminator play games until the discriminator has a high capacity to detect unknown attacks, at which point it is output as an anomaly detector.

A framework environment that enables systematic ransomware detection at the network and system level was built and tested by Lee et al. (2022) [24] using open-source endpoint detection and response technologies. According to the experimental results, the use of EDR tools can swiftly extract ransomware attack elements and react to attacks.

5.1. Environment Setup

The first environment is configured for Malware Behavior Analysis, with server snapshots taken before and after receiving malware payload files and logs from user devices that may have got infected.
Infrastructure and Tools implemented:
• Process Monitor with the ProcDOT tool – to determine how the malware starts to infect and how the processes interact with the system, infecting the OS, files, and Registry.
• Wireshark sniffer for network bandwidth monitoring and observing the malware payload's attempts to contact the attacker, DNS, or other external sources (P2P servers) for engaging bot traffic and trying to download the payload binaries or JavaScripts.
• Process Explorer and Process Hacker tools to observe malware behavior processes like opening new ports and contacting attacker IP addresses.
• Lightweight agent combined with the Regshot tool to take user system and device snapshots for before and after state comparison.

5.2. Malware Code Analysis Environment

The second environment is set up with Malware Code Analysis tools analyzing instructions in their assembly code and memory dumps from memory. Infrastructure and tools implemented:

● IDA Pro tool is used as a disassembler to parse Windows OS executable files.
● Scylla is a memory dump tool that obtains code from system memory. This is a novel way of code analysis, since executable payload instructions are mostly encoded and get extracted in RAM only during execution time.

5.3. Malware Reporting Environment

This environment acts as the reporting system for the Internet, analyzing Web URLs proactively for sites hosting malware codes or payloads. This also checked the user system and devices, taking snapshots before and after analysis. Infrastructure and tools implemented:

● MalWr and Threat Expert tools, used to perform automated behavior analysis of payload executables.
● WebInspector MxToolKit for real-time threat assessment and reputation of Web URLs hosting suspected malware payloads and codes.
● Process Monitor with ProcDOT – to analyze processes that read, write, update, or delete registry entries. This helped the authors ascertain how malware attempts its actions and begins the attack.
● File system and Registry analyses, to collect the user data and check for the presence of suspicious malware.

The basic dynamic analysis method is used for the analysis, and the behavior is observed.

6. RESULTS OBTAINED

The approach includes identifying suspicious codes and applications based on their heuristic characteristics, codes, and behaviors. The authors performed multiple simulated malware attacks on a test-bed environment that simulated a standard infrastructure. Attacks were performed before (using signature-based anti-virus) and after implementing the proposed ‘malware-as-a-service.’ Fig. (1.5) shows that, compared to signature-based antivirus scanning systems, this process can have advantages. Anti-malware scanning security is shown here in that it can be offered as a cloud service with the scanners operating from a secure cloud platform. When the above suspicious actions were observed on the endpoint system, the MDaaS would detect and help block malicious or infected application programs and report the incident to the cloud sandbox system.

Fig. (1.5). Malware as a Service - Before and After Results.

In this way, other users of the same application program benefit from other users’ experience. Apart from having the advantages of being a cloud-based service that offers user-driven implementation, elasticity, and a pay-as-you-use model, this even helps save huge costs and promotes the concept of BYOD (Bring Your Own Device). The Malware Detection as a Service (MDaaS) approach also has a few more advantages:
• Public cloud scanners are not limited by hardware infrastructure, making them highly scalable and elastic. Thus, tracking malware over long periods, searching in huge anti-malware databases, and maintaining robust malware profiles of targeted threats are not constrained by a lack of computing power.
• The cloud service is customizable and can be updated through any method, OS type, or version apart from the default set of images. Organizations can upload their preferred images, signatures, or even a custom environment configured for scanning their employee systems.
• Being a cloud-based sandbox, the service is not limited by geography. When attackers target office employees in remote regions rather than the on-premise sandbox (usually the organization’s IT datacenter), the cloud service will quickly update employee systems globally and help avoid and block the attack.

CONCLUSION

Ransomware is the product of cybercriminals who seek to create a reliable source of direct income from victims worldwide. Starting from less persuasive forms of direct revenue generation using misleading applications, such as PC performance tools, cybercriminals learned and iterated over the years and ratcheted up the level of aggression with each step. Malware attacks progressed from misleading apps to fake antivirus scams and later moved on to pure ransomware in the form of the locker and crypto ransomware threats that are prevalent today. Bitcoin can change the financial landscape we see today, and the growing demand for this digital currency application might just be the beginning of a new world order. Malicious code is the primary enabler for any attacker to gain access and maintain a foothold on the end-user system. The probability of finding malware programs and malicious codes during detection improves when used with the proposed cloud-based sandbox environment.

CONSENT FOR PUBLICATION

Not applicable.

CONFLICT OF INTEREST

The authors declare no conflict of interest, financial or otherwise.

ACKNOWLEDGEMENT

Declared none.

REFERENCES

[1] “Symantec Broadcom.” 2022. [Online]. Available at: https://symantec.broadcom.com/hubfs/SymantecTargeted-Ransomware-White-Paper.pdf [Accessed 1 April 2022].

[2] “Varonis.” 2022. Ultimate Ransomware Guide: Types and Definitions of Ransomware Attacks | Varonis. [Online]. Available at: https://www.varonis.com/blog/what-is-ransomware [Accessed 3 April 2022].

[3] S. Sunghyuck, and S. Lee, "New Malware Analysis Method on Digital Forensics", Indian J. Sci. Technol., vol. 8, no. 17.

[4] M. Cova, C. Leita, O. Thonnard, A.D. Keromytis, and M. Dacier, “An Analysis of Rogue AV Campaigns,” International Conference on Recent Advances in Intrusion Detection.

[5] “Business home,” McAfee. [Online]. Available: https://www.mcafee.com/enterprise/en-in/threat-center/mcafee-labs/reports.html [Accessed: 17-Jan-2022].

[6] P. Ducklin, “The current state of Ransomware – a new paper from SophosLabs,” Naked Security, 23-Dec-2020. [Online]. Available: https://nakedsecurity.sophos.com/2015/12/22/the-current-state-of-ransomware-a-new-paper-from-sophoslabs [Accessed: 07-Jan-2022].

[7] K. Jarvis, “CryptoLocker ransomware threat analysis,” Secureworks, 18-Dec-2020. [Online]. Available: https://www.secureworks.com/research/cryptolocker-ransomware [Accessed: 07-Feb-2022].

[8] “2022 Sophos Security Threat Report,” Cybersecurity Evolved. [Online]. Available: https://www.sophos.com/en-us/labs/security-threat-report [Accessed: 07-Jan-2022].

[9] “The state of ransomware 2021,” SOPHOS. [Online]. Available: https://www.sophos.com/en-us/content/state-of-ransomware [Accessed: 25-Jan-2022].

[10] D. Uppal, V. Mehra, and V. Verma, "Basic survey on Malware Analysis, Tools and Techniques", Int. J. Comput. Sci. Appl., vol. 4, no. 1, pp. 103-112, 2014. [http://dx.doi.org/10.5121/ijcsa.2014.4110]

[11] “Baiting inside attackers using decoy documents - researchgate.” [Online]. Available: https://www.researchgate.net/publication/221273051_Baiting_Inside_Attackers_Using_Decoy_Documents [Accessed: 07-Feb-2022].

[12] Y. Song, M.E. Locasto, A. Stavrou, A.D. Keromytis, and S.J. Stolfo, "On the infeasibility of modeling polymorphic shellcode", Proceedings of the 14th ACM Conference on Computer and Communications Security - CCS ’07. [http://dx.doi.org/10.1145/1315245.1315312]

[13] T. Yang, Y. Yang, K. Qian, D.C-T. Lo, Y. Qian, and L. Tao, "Automated Detection and Analysis for Android Ransomware", IEEE 17th International Conference on High Performance Computing and Communications, 2015 IEEE 7th International Symposium on Cyberspace Safety and Security, and 2015 IEEE 12th International Conference on Embedded Software and Systems, pp. 1338-1343, 2015. [http://dx.doi.org/10.1109/HPCC-CSS-ICESS.2015.39]

[14] “Malware analysis and classification: A survey - researchgate.” [Online]. Available: https://www.researchgate.net/publication/276495476_Malware_Analysis_and_Classification_A_Survey [Accessed: 07-Jan-2022].

[15] D. Kim, W. Soh, and S. Kim, "Design of Quantification Model for Prevent of Cryptolocker", Indian J. Sci. Technol., vol. 8, no. 19, pp. 1-5, 2015. [http://dx.doi.org/10.17485/ijst/2015/v8i19/80196]

[16] B-J. Han, Y-H. Choi, and B-C. Bae, "Generating Malware DNA to Classify the Similar Malwares", Journal of the Korea Institute of Information Security and Cryptology, vol. 23, no. 4, pp. 679-694, 2013. [http://dx.doi.org/10.13089/JKIISC.2013.23.4.679]

[17] A-D. Schmidt, J.H. Clausen, A. Camtepe, and S. Albayrak, "Detecting symbian OS malware through static function call analysis", 4th International Conference on Malicious and Unwanted Software (MALWARE), 2009. [http://dx.doi.org/10.1109/MALWARE.2009.5403024]

[18] Kihong Park and Heejo Lee, "On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack", Proceedings IEEE INFOCOM. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213). 2001.

[19] M. Asha Jerlin, and C. Jayakumar, "A Dynamic Malware Analysis for Windows Platform - A Survey", Indian J. Sci. Technol., vol. 8, no. 27, 2015. [http://dx.doi.org/10.17485/ijst/2015/v8i27/81172]

[20] U.V. Anbazhagu, "Efficacious spam filtering and detection in social networks", Indian J. Sci. Technol., vol. 7, no. 7, pp. 180-184, 2014. [http://dx.doi.org/10.17485/ijst/2014/v7sp7.24]

[21] S.J. Delany, P. Cunningham, and L. Coyle, "An assessment of case-based reasoning for spam filtering", Artif. Intell. Rev., vol. 24, no. 3-4, pp. 359-378, 2005. [http://dx.doi.org/10.1007/s10462-005-9006-6]

[22] D. Min, Y. Ko, R. Walker, J. Lee, and Y. Kim, "A Content-Based Ransomware Detection and Backup Solid-State Drive for Ransomware Defense", IEEE Trans. Comput. Aided Des. Integrated Circ. Syst., vol. 41, no. 7, pp. 2038-2051, 2022. [http://dx.doi.org/10.1109/TCAD.2021.3099084]

[23] X. Zhang, J. Wang, and S. Zhu, "Dual Generative Adversarial Networks Based Unknown Encryption Ransomware Attack Detection", IEEE Access, vol. 10, pp. 900-913, 2022. [http://dx.doi.org/10.1109/ACCESS.2021.3128024]

[24] S-J. Lee, H-Y. Shim, Y-R. Lee, T-R. Park, S-H. Park, and I-G. Lee, "Study on Systematic Ransomware Detection Techniques", 24th International Conference on Advanced Communication Technology (ICACT), pp. 297-301, 2022. [http://dx.doi.org/10.23919/ICACT53585.2022.9728909]


New Age Cyber Threat Mitigation for Cloud Computing Networks, 2023, 16-28

CHAPTER 2

Design A Resilient Network Infrastructure Security Policy Framework

Abstract: The information security policy development lifecycle tends to lack focus on the use of standard terms and semantics. This results in blurred outlines for monitoring, evaluating, and enforcing the security policy, leaving employees confused about adhering to and implementing it; it also leads to the absence of a process for publishing the security policy, raising end-user awareness, translating high-level policy into lowest-level component configuration plans, and defining the actions to take in times of crisis. Hence there is a critical need to design an empirically tested, comprehensive security policy. This chapter proposes bridging the gap between high-level information security policy descriptions and low-level network infrastructure security implementation. With new and innovative technologies, such as Cloud, Remote Computing, Enterprise Mobility, and e-commerce on the rise, network security has remained an ever-increasing challenge. This chapter presents a security framework to bridge the gap between high-level specification requirements and the low-level implementation phase for network infrastructure security, using a network architecture model together with the security policies that the network components are required to enforce. An architectural model and a set of design-level security policies are used to achieve the framework design. Also discussed are the advantages and desired characteristics of the model, its relation to existing work in the design area, and future research directions.

Keywords: Information Security Policy, Network Architecture, Network Firewall, Network Infrastructure, Security Policy, Web Application Firewall.

Akashdeep Bhardwaj. All rights reserved - © 2023 Bentham Science Publishers

1. INTRODUCTION

With the ever-growing increase in the use of computer systems and cloud applications that rely on the internet for data exchange and communication, the need for secure computing and a well-designed network security architecture is essential for all types of organizations, ranging from corporate, academic, or government entities to geographically spread end-users with different roles and profiles, as well as the use of different computing devices and communication channels [1]. This varied range introduces many new challenges to traditional approaches to designing network infrastructure architectures. This manuscript focuses on new and advanced network infrastructure security systems, defined as the setup of network devices, software, and integration technologies that help collaborate and implement the organization’s network security. The current information security policy development lifecycle tends to have a few disadvantages, the most critical being the overall lack of a view of the policy. Typically, a narrow view can be found when focusing only on the development of the security policy documents and not including the actual practices for implementation or even maintenance of the security policies. This process does not address how the security policy would be developed, enforced, or even evaluated. The lifecycle designs usually focus on the policy for development instead of focusing on the development process of the information security policy. They utilize a hybrid cloud architecture design so that internet-facing tiers tend to be public clouds and internal secure applications and databases tend to be private clouds. This change in network architecture helps take on volumetric network and application layer DDoS attacks to ensure the traffic reaching the internal network tiers is free from such attackers. Rate controls, built-in intelligent WAFs, and Client Reputation monitoring can be used in combination as part of a comprehensive defense against all types and sizes of cyber threats. To understand the security landscape and grasp the areas affecting network security architecture, Fig. (2.1) provides a general representation of the various attack types and their mitigation approaches.

[Figure: risk level rising from commodity attacks, through large-scale opportunistic attacks and sophisticated high-level targeted attacks, to zero-day attacks (unknown vulnerabilities, APTs); the corresponding ways of mitigation rise from traditional approaches (firewalls, IDS/IPS, AV scanners), through enhanced capability (signature-based detection), to new/advanced security technologies (analytics, next-generation firewalls).]

Fig. (2.1). Attack types and Mitigation Approaches.

As the security risk levels increase, the security needs of organizations become complex. Network security system architecture with legacy traditional approaches like single-tier design and firewalls must undergo several design changes before acceptance [2]. Some of the changes essential to move from the traditional levels (like firewalls, IPsec, VPN) to enhanced levels include turning data centers into auto-scaling clouds, virtualization-based software-defined networks, OpenStack network architecture, and multi-tenant-aware provisioning networks. Usually, the design of network security systems follows three standard phases: the security policy (high level) is documented with some controls (like ISO, PCI) and a guideline manual, followed by the formulation of security requirement specifications, and finally the implementation phase (low level) that integrates and combines the security design. The problem with this approach is the gap between the high-level security specification requirements and the low-level implementation phase. The IT security team receives the high-level description and goes directly to implementing the security design, however complex and numerous the network components and mechanisms involved. These network devices and components sometimes have completely different configuration setups [3] and features with little or no integration mechanisms. This causes errors and improper enforcement of the actual security design, leaving security holes and vulnerabilities along with a false sense of security. The Information Security Policy aims to provide a framework for information security management across the enterprise. It applies to everyone with access to the enterprise information systems (including employees, contractors, third-party consultants, and visitors) and to devices and systems attached to the enterprise computer and telecom network. The policy addresses the processing of information by the enterprise for its operational business purpose, regardless of whether it is on paper or in electronic form. The policy also covers services provided by external parties as consultants to the enterprise, as described in Fig. (2.2).

[Figure: three-phase cycle. Develop: determine security needs of the enterprise, identify stakeholders, define roles and responsibilities. Implement: select policy components, draft initial policy, review and redraft, security policy delivery and distribution. Evaluate: periodic review, collect feedback, examine incidents and reports, plan for new risk assessments.]

Fig. (2.2). Information Security Model.


The Network Security Policy is a critical part of the Information Security Policy that includes sub-policies for the various network infrastructure components, including but not limited to Routers, Switches, Firewalls, Load Balancers, RAS, Modems, and Wireless Access Points.

2. INFORMATION SECURITY POLICY

The information security policy design needs to include information security governance, asset and data protection, and information security assurance to the senior corporate executives while ensuring the organization's business objective is served. The information security design steps are shown in Fig. (2.3), starting with the high-level policy description and high-level security analysis, then the proposed network security design, and finally the network implementation steps.

[Figure: four steps. #1. Information Security Policy: high-level security policy description, using natural language. #2. Security Requirement Analysis: high-level security requirements, using formal documents. #3. Network Security Design: Architectural Foundation Model and Operational Security Policy implementation, using formal, modular design models. #4. Network Implementation: network configuration using ACLs, packet filtering rules, and proxy configs.]

Fig. (2.3). Information Security Design.

For example, Table 1 presents a revision history of the information security policy creation flow.

Table 1. Information Security Policy Revision History.

Revised on  | Version | Description | Approved by
01-Oct-2021 | 0.1  | Initial Document Creation | IT Manager
10-Jan-2022 | 1.0  | Publish Document | IT Manager
15-Jan-2022 | 1.1  | Review document, and modify policy section reflecting organizational legal-contractual service level agreements for the protection of information, including ISO, PCI DSS. | IT Head
20-Jan-2022 | 1.2  | Formal Editorial work | PMO
27-Jan-2022 | 1.3  | Formal review and minor edits | PMO
15-Feb-2022 | 1.3a | Include missing protection of information assets policy clause as per Network Security Policy Design stage | PMO
22-Feb-2022 | 1.3b | Update mandatory requirements of the Information Security Policy concerning Policy requirements and Network Design | PMO
10-Mar-2022 | 1.4  | Formal review and change to use new policy template | PMO
17-Mar-2022 | 1.5  | Formal review to reflect job descriptions of IT Security roles defined by HR for the organization | HR Head
25-Mar-2022 | 2.0  | Formal approval for Senior Management | Senior Executives

2.1. Stage #1: Security Policy Design

The policy design starts with the Information Security Policy definition stage; this typically consists of the higher management's direction and support and the organization’s information security policy document to be implemented. The network security architecture [4] is only a part of the corporate information security plan. It is taken on board with other security components like physical, operational, data, access control, employee, communication, and social, among others. A few examples of high-level information security objectives would be:
● Ensure information is accessible only to those intended
● Provide a secure computing environment to the staff at the organization's sites
● Ensure only authorized employees have access to the information and assets when required
● Ensure that information is secured against breaches of confidentiality, interruptions, and integrity
● Address the security of cloud-hosted services and applications to ensure that risks are identified, and required controls are implemented and documented

2.2. Stage #2: Security Policy Design

The next stage is the Information Security Requirement analysis for risk mitigation, a formal representation of the management-defined high-level security policy. Within the requirement analysis, the focus is solely on technical security policy concerning network infrastructure. This includes having in place guidelines for confidentiality in transmission and SSL for applications [5]; user authentication and authorization, determining the right to view and modify data; determining where the data can be hosted securely; integration with LDAP or its equivalent; limiting access to production systems and devices; performing vulnerability scanning and penetration testing; analyzing logs for user access and implementing an audit trail; ensuring up-to-date security patches and updates [6]; sending logs to a central SIEM log system; ensuring antivirus/anti-malware software; ensuring data communication is encrypted; restricting the transmission of sensitive information by email or other insecure vectors; and deploying proven, standard encryption with strong keys to make sure the connections are secure, among others. The risk mitigation takes into account the entity-level controls, answering queries like the ones described below.
● Describe how the vulnerable protocols are being used – the type of environment, type of data (payment card, account), or even the types of devices supporting the protocols.
● Evaluate and document the risk to the environment until the vulnerable protocols are removed.
● Implement a process to monitor new and zero-day vulnerabilities and apply controls, including upgrading all web browsers.
● Use SSL/TLS with strong cryptographic encryption, use two-factor authentication, and initiate strongly encrypted sessions like IPsec tunnels before performing any data transmission over SSL inside that tunnel.

3. PROPOSED NETWORK SECURITY POLICY FRAMEWORK

This chapter proposes adding a Network Security Design stage to bridge the high-level and low-level gaps in the security design architecture. This involves the high-level architecture model and the security policies associated with those network component devices involved in security enforcement. This stage represents each technology being used, the integration between those technologies, and the link between each high-level security policy aim and the corresponding security components that would enforce and implement the policy. It involves security policy management, change and release management, assessing vulnerabilities, and application connectivity management, as described in Fig. (2.4) below.

[Figure: Network Security Policy composed of Security Policy Management, Change Management Systems, Risk and Vulnerability Analysis, and Application Connectivity Management.]

Fig. (2.4). Network Security Policy components.

The Network Security Policy design involves a two-stage process, as described below.


3.1. Architectural Foundation Model

Some 10 to 15 years ago, network security designs had what can best be described as components with a hard cover outside while being soft inside – similar to chocolate gems candy. This means there was typically a secure edge perimeter in the form of a firewall, but little or no security control systems on the internal network. For an architecture design to be secure and effective, it is essential to use strategically placed security controls and techniques capable of blocking cyberattacks and intrusions at each stage of the process. This encompasses all the network security components and the data flow process required for secure communication. This model describes how critical components are established in the network, and the impact and faults generated for each component. The network security components enforce Authentication and Integrity, Confidentiality, Access Control, and Audits; these are performed by network security components consisting of Network Management elements in the form of Proxy agents (for SNMP, DHCP, or DNS), Packet Filtering firewalls that apply a set of rules to either accept or reject network traffic while performing IP routing or being the destination for the traffic, Cryptography, and SIEM log management for analysis. These components are typically off-the-shelf, and the model is associated with network quality attributes such as device integration, maintainability, reliability, performance, and modifiability. The network security architecture depends on different types of off-the-shelf components; hence the architectural model becomes a critical aspect of the network security policy design process. The security architecture should be implemented to work on the premise that in case the first-level attack is successful and able to breach the initial defenses, the internal network components should be able to block any subsequent stages of that attack. This is a clear requirement for an intrusion which is a zero-day or near zero-day attack [7]. Another feature of the model is being formal. This allows the model to be analyzed logically in an automated computational process instead of being manually reviewed, which is prone to human error. Another feature is being hierarchical, allowing the configuration to be synthesized directly from the model and to be scalable. This provides the ability to have yet-to-be-developed low-level components as black-box sub-components in a high-level design model. These low-level systems can be commissioned independently in a top-down design development approach [9]. A bottom-up approach can also be taken, which begins with a process at low-level functionalities and proceeds to high-level ones using pre-commissioned low-level black boxes. For example, a network firewall can be modeled using proxy agent black boxes and packet-filtering black boxes. Then a firewall black box could be used as the high-level component of the security design, integrating with other high-level components and elements like trust management, certificate management, or even IOS version control. The modular design [10] breaks the high-level main design objective into smaller repeatable blocks. For example, when designing a huge network setup with several smaller sites, each site has the same design and a similar deployment process, including a common set of security controls like ACL or firewall rules. Then any change across all the sites can be applied smoothly without major rollout changes. Thus, the Architectural Foundation model consists of the following two areas:
● Network Components: security configurations for
❍ Security devices such as Network Firewalls, Web Application Firewalls, VPN Gateways, Packet Filters, and Caching devices
❍ Perimeter devices like Routers and Load Balancers
❍ Network devices like Switches
● Data Flow, which represents communication and traffic flow between the different components in the model, captured using tools like NetFlow analyzer or Wireshark.



3.2. Operational Security Design

This design defines a set of low-abstraction-level security policies that are close to the actual technical implementations yet retain device and vendor independence, together with traffic analysis, as shown in Fig. (2.5). The network security policy design uses the IETF RFC 3060 Policy Core Information Model (PCIM). This model proposes using an extensible class hierarchy of policy [11] component objects representing different high-level network policies, including network QoS parameters and security configurations, to manage, implement, and control network infrastructure access. A policy rule associates a set of conditions with the actions to be performed when they are met, and records whether the rule is active or passive for a specific duration or scheduled as per conditions.

[Figure: Policy Rule Overview composed of Security Policy Conditions, Security Policy Actions, and Security Policy Time period conditions.]

Fig. (2.5). Security Policy Rule Overview.
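To make the policy rule structure of Fig. (2.5) concrete, here is an added example written for this page (not code from the chapter, and not an implementation of RFC 3060 itself): a small Python model of a policy rule as conditions, an action and a validity time period, plus a compiler that synthesizes ordered low-level packet-filter lines from a rule set, which is the automated high-level-to-low-level step the framework aims at. The field names, the sample rules and the generic permit/deny line format are assumptions; a rule whose time period is not current is emitted as a commented-out passive line, and an explicit default deny closes the list.

```python
"""Added example (not from the chapter, nor an RFC 3060 implementation):
a policy rule = conditions + action + time period, compiled into ordered
packet-filter lines.  Field names, sample rules and output format are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_network
from typing import List, Optional


@dataclass
class PolicyCondition:
    """Traffic attributes a rule matches on (hypothetical field set)."""
    src: str = "0.0.0.0/0"          # source CIDR
    dst: str = "0.0.0.0/0"          # destination CIDR
    protocol: str = "ip"            # ip | tcp | udp
    dst_port: Optional[int] = None  # only meaningful for tcp/udp


@dataclass
class TimePeriod:
    """Validity window (time of day); outside it the rule is passive."""
    start: time = time(0, 0)
    end: time = time(23, 59, 59)

    def contains(self, when: datetime) -> bool:
        return self.start <= when.time() <= self.end


@dataclass
class PolicyRule:
    name: str
    condition: PolicyCondition
    action: str                      # "permit" or "deny"
    priority: int = 100              # lower value is evaluated first
    period: TimePeriod = field(default_factory=TimePeriod)
    enabled: bool = True


def validate(rule: PolicyRule) -> None:
    """Reject rules that could not be rendered into a sane filter line."""
    if rule.action not in ("permit", "deny"):
        raise ValueError(f"{rule.name}: unknown action {rule.action!r}")
    ip_network(rule.condition.src)   # raises ValueError on a bad CIDR
    ip_network(rule.condition.dst)
    if rule.condition.dst_port is not None and rule.condition.protocol == "ip":
        raise ValueError(f"{rule.name}: a port needs protocol tcp or udp")


def is_valid(rule: PolicyRule) -> bool:
    try:
        validate(rule)
        return True
    except ValueError:
        return False


def compile_rule(rule: PolicyRule, now: datetime) -> str:
    """Render one rule; inactive rules stay as commented lines so the
    synthesized configuration still documents the whole policy."""
    validate(rule)
    c = rule.condition
    parts = [rule.action, c.protocol, c.src, c.dst]
    if c.dst_port is not None:
        parts += ["eq", str(c.dst_port)]
    line = " ".join(parts) + f"  # {rule.name}"
    active = rule.enabled and rule.period.contains(now)
    return line if active else "# (inactive) " + line


def compile_policy(rules: List[PolicyRule], now: datetime) -> List[str]:
    """Order by priority and close the list with an explicit default deny."""
    ordered = sorted(rules, key=lambda r: r.priority)
    lines = [compile_rule(r, now) for r in ordered]
    lines.append("deny ip 0.0.0.0/0 0.0.0.0/0  # implicit default deny")
    return lines


def sample_policy() -> List[PolicyRule]:
    """Constructed sample rules for a web tier (addresses are assumed)."""
    return [
        PolicyRule("allow_https", PolicyCondition(dst="10.0.1.0/24", protocol="tcp",
                                                  dst_port=443), "permit", priority=10),
        PolicyRule("allow_backup", PolicyCondition(src="10.0.2.0/24", dst="10.0.3.0/24",
                                                   protocol="tcp", dst_port=22),
                   "permit", priority=20, period=TimePeriod(time(1, 0), time(5, 0))),
        PolicyRule("block_telnet", PolicyCondition(protocol="tcp", dst_port=23),
                   "deny", priority=5),
    ]


def compile_at(hour: int, minute: int = 0) -> List[str]:
    """Compile the sample policy as if generated at the given time of day."""
    return compile_policy(sample_policy(), datetime(2022, 3, 10, hour, minute))


if __name__ == "__main__":
    print("\n".join(compile_at(12)))
```

Compiling at 12:00 places the telnet deny first (priority 5), then the HTTPS permit, then the backup window as an inactive line because its 01:00-05:00 period is not current; compiling at 02:00 makes that line active. Validation runs before rendering so that a malformed rule stops the synthesis instead of producing a line a device might silently misinterpret.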


This further helps enforce security mechanisms like IPsec, dual sign-on, logging of network-related activities, or KeyNote credentials. This converts the network component policy entities into the configurational architectural-level model [12] for the device-level network infrastructure security system. The Network Security Design provides a standard, uniform, and concise representation of the overall network security systems to be implemented, taking the high-level policies to actual implementations for each component using PCIM’s abstraction, which hides the lowest level of complex configuration codes from the higher view. This helps improve the design efficiency and understanding of the security system. If automated, the model can be developed as a system whose input is the final design-level policies and the architectural model [13], along with device-dependent specific information, and whose output is the low-level configurations to be implemented for each network device component. NetFlow and packet capture provide a foolproof and excellent process for determining the traffic flows in the network, which helps identify the network devices and paths that would get impacted during a cyber-attack. This also provides network speed, storage, the optimum location of network monitoring points, and actual computing power requirements with logical flow visibility for the network infrastructure.

4. RESEARCH WORK

For example, the authors tested the proposed model on an ongoing network infrastructure setup designed for a commercial data center. The data center is proposed to host secure web applications for customers globally and provide them application access as cloud-based SaaS. The authors pointed out the use of SSL and the use of Secure Shell in the design, which is an ineffective and insecure protocol against current attack vectors. The regular SSL traffic from the internet went through the edge router to a network firewall, which blindly allowed it, as shown in Fig. (2.6).

[Figure: SSL client traffic from the Internet passes through the Edge Router to the Network Firewall (rule to allow all SSL traffic) and on to the Web App Servers.]

Fig. (2.6). Traffic flow with simple SSL.


Network Policy is further comprised of network component-level policies as follows:
● VPN Policy – provides guidelines for working from home or outside the office network via a VPN client using IPsec or L2TP connections.
● Wireless Policy – covers all wireless data communication systems like laptops, BlackBerries, smartphones, and PDAs capable of transmitting data packets without physical transmission media.
● Risk Assessment Policy – takes into account the network device risk assessments conducted within the enterprise, their frequency, and the teams that perform them (internal IT or external consultants).
● Audit Policy – provides the authority for the enterprise information security team to conduct an information security audit to investigate any possible security incidents, ensure conformance to the enterprise security policy, and monitor end-user activity.
● Encryption Policy – provides a guideline on using proven encryption algorithms like 3DES, RSA, Blowfish, and RC5 to ensure effective security for the enterprise and ensure legal regulations are followed.
● Password Policy – establishes a secure standard defining password creation (alphanumeric, length, special characters), a way of protecting passwords, and the frequency of changing them.

Defining standards to be followed for wireless is part of the scope of the policy, which includes using the Advanced Encryption Standard (AES), Extensible Authentication Protocol (EAP), Temporal Key Integrity Protocol (TKIP), and Protected Extensible Authentication Protocol (PEAP). Similarly, for network devices: use of TACACS+ for user authentication; disabling services and features like IP directed broadcasts, TCP/UDP small servers, Cisco Discovery Protocol, Telnet/FTP/HTTP services, and Dynamic Trunking; dropping incoming packets with invalid or spoofed IP addresses (like RFC 1918 addresses); enabling QoS, NTP, NetFlow, and SNMP with certain standard strings; and disabling auto-configuration. By applying the proposed Network Security Policy design framework, the authors have considered the information security policy to be implemented and the low-level configuration to be set up. It is recommended by PCI DSS 3.1 that SSL be replaced by TLS (currently version 2.0), which leads the infrastructure security design consideration to have the capability to decrypt SSL/TLS. The network security design phase also came up with a secure shell (SSH) with no other VPN/IPsec into the data center network, as depicted below in Fig. (2.7).
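The network-device hardening items just listed sit at the low-level end of the framework, where a policy becomes a device configuration, and they can be checked mechanically against a device's running configuration. The following is an added example written for this page, not code from the chapter or from any vendor: it audits a constructed, simplified Cisco IOS-style configuration against those items (TACACS+ login, TCP/UDP small servers, IP directed broadcasts, CDP, Telnet on vty lines, NTP, NetFlow, and default SNMP community strings). The finding codes, the weak-community list, the parser's view of the syntax and both sample configurations are assumptions made for the example; real devices have more syntax variants than this handles, so it is a starting point for a policy check, not a complete audit.

```python
"""Added example (not from the chapter): audit a simplified IOS-style config
against the chapter's device-hardening items.  Finding codes, the weak SNMP
community list and both sample configurations are constructed for this example."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a deliberately weak configuration.
WEAK_CONFIG = """\
hostname edge-rtr-1
service tcp-small-servers
no service udp-small-servers
aaa new-model
aaa authentication login default group tacacs+ local
ntp server 192.0.2.20
snmp-server community public RO
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip directed-broadcast
 ip flow ingress
line vty 0 4
 transport input telnet ssh
"""

# Constructed sample: the same device after the policy items are applied.
HARDENED_CONFIG = """\
hostname edge-rtr-1
no service tcp-small-servers
no service udp-small-servers
no cdp run
aaa new-model
aaa authentication login default group tacacs+ local
ntp server 192.0.2.20
snmp-server community Rd0nlyMonitoring RO
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 no ip directed-broadcast
 ip flow ingress
line vty 0 4
 transport input ssh
"""

# Assumed policy list of community strings that must never be configured.
WEAK_SNMP_COMMUNITIES = {"public", "private", "cisco"}


def parse(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global lines and indented sub-blocks keyed by
    their header line (e.g. 'interface GigabitEthernet0/0', 'line vty 0 4')."""
    global_lines: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # skip blanks and IOS comments
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
            global_lines.append(current)
    return global_lines, blocks


def audit(config: str) -> List[str]:
    """Return policy findings; an empty list means every check passed."""
    g, blocks = parse(config)
    findings: List[str] = []
    if not any(re.match(r"aaa authentication login .*group tacacs\+", l) for l in g):
        findings.append("TACACS_MISSING")
    for proto in ("tcp", "udp"):              # exact match: 'no service ...' is fine
        if f"service {proto}-small-servers" in g:
            findings.append(f"SMALL_SERVERS_ENABLED:{proto}")
    if "no cdp run" not in g:                 # CDP is on unless explicitly disabled
        findings.append("CDP_ENABLED")
    if not any(l.startswith("ntp server") for l in g):
        findings.append("NTP_MISSING")
    for l in g:
        m = re.match(r"snmp-server community (\S+)", l)
        if m and m.group(1).lower() in WEAK_SNMP_COMMUNITIES:
            findings.append(f"SNMP_WEAK_COMMUNITY:{m.group(1)}")
    netflow = False
    for header, body in blocks.items():
        if header.startswith("interface"):
            name = header.split(" ", 1)[1]
            if "ip directed-broadcast" in body:
                findings.append(f"DIRECTED_BROADCAST:{name}")
            netflow = netflow or any(l.startswith("ip flow") for l in body)
        if header.startswith("line vty"):
            for l in body:
                if l.startswith("transport input") and "telnet" in l:
                    findings.append(f"VTY_TELNET_ALLOWED:{header}")
    if not netflow:
        findings.append("NETFLOW_MISSING")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

Run against the weak sample the audit reports the enabled TCP small server, CDP left on, the default SNMP community, the directed-broadcast interface and Telnet on the vty line, while TACACS+, NTP and NetFlow pass; the hardened sample yields no findings. Keeping each check keyed to one policy item makes the output traceable back to the high-level policy clause it enforces, which is the linkage the framework asks for.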

26 New Age Cyber Threat Mitigation for Cloud Computing Networks

Akashdeep Bhardwaj

[Fig. (2.7) diagram: inbound client traffic from the Internet (SSL/TLS with strong ciphers, 2K or 4K keys) arrives at the perimeter, where SSL/TLS decryption takes place; the perimeter tiers shown are network firewall, WAF, DNS, DDoS, forward proxy and web filtering; IPS, FireEye, DLP, anti-bot and WebSafe; and access control, SSO, SAML and SSL VPN.]

Fig. (2.7). Traffic flow with SSL/TLS.

For secure inbound traffic, SSL/TLS decryption is taken as a high-level policy design, with low-level configuration such as forwarding proxies as an option to decrypt the SSL/TLS client traffic coming into the data center network. The design model recommended using BigIP LTM to perform the decryption at the perimeter Next-Generation Firewall proxy, with the corresponding certificate assigned to each client. So the high-level plan by executive management to ensure secure customer access to the organization's applications, as per the enterprise Information Security Policy, transforms into SSL/TLS client-server authentication at the Information Security requirement stage. Then, as per the framework proposed in this chapter, the low-level configuration setup procedure needs to be implemented, which transforms into the ability of the devices (BigIP LTM here) to maintain secure sessions between the application server and the clients. The IT Security engineering team decided to control SSL network traffic coming towards the application server by configuring the Server SSL Profile:

● Configure BigIP for the various client browsers on the internet, ranging from Internet Explorer and Mozilla Firefox to Opera
● Create the SSL profile
  ❍ Install the key/certificate pair on the BigIP LTM
  ❍ Terminate client-server secure sessions on the BigIP
  ❍ Associate the SSL profile with a virtual server address (VIP)
● Create SSL cipher settings for SSL v2/v3 and TLS v1 for per-session authentication
● Use a compatible BigIP LTM version of 11.20.0 or later, since the existing 9.0.0-9.4.8 and 10.0.0-10.2.2 versions are not compatible with TLS 1.1 or 1.2.

Unique BigIP LTM configuration strings are as follows.

SSL profile to use only TLS 1.1-compatible and TLS 1.2-compatible ciphers (cipher string DEFAULT:!SSLv3:!TLSv1):

    tmsh create /ltm profile client-ssl myclient-ssl ciphers 'DEFAULT:!SSLv3:!TLSv1'

SSL profile to support TLS 1.0 and SSL 3.0 clients (cipher string DEFAULT:-SSLv3:-TLSv1:RC4-SHA):

    tmsh create /ltm profile client-ssl myclient-ssl ciphers 'DEFAULT:-SSLv3:-TLSv1:RC4-SHA'

SSL profile to support TLS 1.0, but not SSL 3.0 clients (cipher string DEFAULT:!SSLv3:-TLSv1:RC4-SHA):

    tmsh create /ltm profile client-ssl myclient-ssl ciphers 'DEFAULT:!SSLv3:-TLSv1:RC4-SHA'
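The difference between the "!" and "-" operators in these three cipher strings is what decides whether a legacy client can still negotiate SSL 3.0, so it helps to evaluate a string against the TLS-only policy before it is pushed to a profile. The evaluator below is an added example, not part of the chapter and not F5 code; it assumes OpenSSL-style keyword semantics ("!" removes permanently, "-" removes until re-added) and a constructed mapping in which the RC4-SHA suite re-enables SSLv3 and TLSv1.

```python
"""Evaluate BIG-IP style cipher strings against the TLS-only policy.

Added example, not from the chapter and not F5 code. Assumed semantics,
modeled on OpenSSL cipher-string rules:
  DEFAULT   enable every protocol in DEFAULT_PROTOCOLS
  !NAME     remove NAME permanently; later tokens cannot re-add it
  -NAME     remove NAME, but a later token may re-add it
  suite     a cipher-suite name re-adds the protocols it runs under
"""

DEFAULT_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2")

# Constructed mapping for this model: RC4-SHA is the legacy suite the
# chapter uses to let SSL 3.0 / TLS 1.0 clients back in.
SUITE_PROTOCOLS = {"RC4-SHA": {"SSLv3", "TLSv1"}}


def enabled_protocols(cipher_string):
    """Return the set of protocol versions the string leaves enabled."""
    enabled = set()
    banned = set()          # removed with '!' and therefore not re-addable
    for token in cipher_string.split(":"):
        if token == "DEFAULT":
            enabled |= set(DEFAULT_PROTOCOLS) - banned
        elif token.startswith("!"):
            name = token[1:]
            banned.add(name)
            enabled.discard(name)
        elif token.startswith("-"):
            enabled.discard(token[1:])
        elif token in SUITE_PROTOCOLS:
            enabled |= SUITE_PROTOCOLS[token] - banned
        elif token in DEFAULT_PROTOCOLS:
            if token not in banned:
                enabled.add(token)
        else:
            raise ValueError(f"unknown token in cipher string: {token!r}")
    return enabled


def meets_policy(cipher_string, forbidden=("SSLv3", "TLSv1")):
    """True when the string enables none of the forbidden versions.

    The default reflects the chapter's high-level policy of replacing SSL
    with TLS; TLS 1.0 is listed as forbidden because the first profile in
    the chapter excludes it as well.
    """
    return not (enabled_protocols(cipher_string) & set(forbidden))


# The three profile strings discussed in the chapter.
PROFILES = {
    "tls11_tls12_only": "DEFAULT:!SSLv3:!TLSv1",
    "legacy_ssl3_tls10": "DEFAULT:-SSLv3:-TLSv1:RC4-SHA",
    "tls10_but_no_ssl3": "DEFAULT:!SSLv3:-TLSv1:RC4-SHA",
}


def audit_profiles(profiles=PROFILES):
    """Map each profile to (sorted enabled versions, complies_with_policy)."""
    return {
        name: (sorted(enabled_protocols(s)), meets_policy(s))
        for name, s in profiles.items()
    }


if __name__ == "__main__":
    for name, (versions, ok) in audit_profiles().items():
        status = "complies" if ok else "violates TLS-only policy"
        print(f"{name:18} {versions} -> {status}")
```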

Inbound traffic decryption to specific network devices requires digital certificates on the SSL/TLS interception device, which allows deep visibility into the secured SSL/TLS traffic. This led the design team to decide on an embedded hardware-based crypto card, which further improved the decryption performance of the network. Other forms of cyberattacks, like ARP spoofing, CAM table overflows, and DHCP response spoofing, can also be understood using the network security policy model and the optimized deployment implemented.

CONCLUSION

The design framework proposed in this chapter introduces conceptual models in the form of an Architectural Design model and low-level security policies, integrated with the security development configurations over various levels of abstraction with the high-level policies. This gives the network security design a clear and concise understanding. By clearly understanding which network devices are involved, under what conditions, and at what volumes, the proposed design can immensely benefit the design architecture.

DISCLOSURE

"Part of this chapter has previously been published in Design a Resilient Network Infrastructure Security Policy Framework, in Indian Journal of Science and Technology, 2016, vol. 9, no. 19, pp. 1-8".

CONSENT FOR PUBLICATION

Not applicable.

CONFLICT OF INTEREST

The authors declare no conflict of interest, financial or otherwise.

ACKNOWLEDGEMENT

Declared none.



New Age Cyber Threat Mitigation for Cloud Computing Networks, 2023, 29-41


CHAPTER 3

Security Algorithms For Cloud Computing

Abstract: With growing awareness of and concern about Cloud Computing and Information Security, there is growing awareness and usage of security algorithms in data systems and processes. This chapter presents a brief overview and comparison of cryptographic algorithms. We review Symmetric and Asymmetric algorithms, with an emphasis on Symmetric algorithms, to consider which should be used for Cloud-based applications and services that require data and link encryption.

Keywords: Asymmetric, AES, Cryptography, 3DES, MD5, RSA, RC6, Security Algorithm, Symmetric.

1. INTRODUCTION

Imagine two people who share critical secret information and have to split up. They must then share and communicate their data and information from a distance, even though an eavesdropper may be able to stop, interfere with, or intercept their communications in order to obtain that same information. They decide to lock their information in a box using a lock whose combination only the other person knows, and who holds the key to open it. The box is locked and sent to the other user, who uses the combination key to unlock the box and read its contents. In simple terms, Cryptography [1] can be seen as a method of storing and disguising confidential data in a cryptic form so that only those for whom it is intended can read it; it allows information to be communicated in the presence of an adversary, and security algorithms mitigate security issues through cryptography, authentication, and secure key distribution. Cryptography is thus the science of making data and messages secure: encrypting or scrambling the plaintext (the end-user data, also referred to as clear text) into Ciphertext [2], and then performing decryption, which reverts the Ciphertext to the original plain text, as presented in Fig. (3.1).

Akashdeep Bhardwaj All rights reserved-© 2023 Bentham Science Publishers


Fig. (3.1). Encryption and Decryption process.

With this ability, Cryptography is used to provide the following security services:

● Data Integrity: information has value only if it is correct; this refers to maintaining and assuring the accuracy and consistency of data, and implementing that assurance in computer systems that store, process, or retrieve user data.
● Authentication: determining whether someone or something is who or what it is declared to be.
● Non-Repudiation: the assurance that a party cannot deny the authenticity of their signature on a contract, or the sending of a message that they originated.
● Confidentiality: concerns loss of privacy, unauthorized access to information, and identity theft.

In pure science terms [3], Cryptography is the science of using mathematics to turn plain text information (P) into an unreadable Ciphertext (C), called encryption, and to reconvert that Ciphertext back to plain text, called decryption, with a set of cryptographic algorithms: an encryption algorithm (E) using encryption keys (k1 and k2) and a decryption algorithm (D) that reverses the transformation and produces the original plain text from the Ciphertext. This can be written as Ciphertext C = E{P, Key} and Plain text P = D{C, Key}. Defining some terms used in Cryptography:

● The plaintext is the original intelligible source information or data that is input to the algorithms.
● The Ciphertext is the scrambled message output as a random-looking stream of unintelligible data.
● The encryption algorithm performs substitutions and permutations on the plain text to produce the Ciphertext.
● The decryption algorithm is encryption run in reverse: it takes the secret key and transforms the Ciphertext to produce the original plain text.
● Keys are used as input for encryption or decryption and determine the transformation.
● Sender and Recipients are the persons who are communicating and who share the plaintext.


Concerning Cloud computing, the security concerns [4] are end-user data security, network traffic, file systems, and host machine security, which cryptography can resolve to some extent and thus helps organizations overcome their reluctance to accept Cloud Computing. Various security issues arise in the Cloud:

● Ensuring Secure Data Transfer: in a Cloud environment, the physical location of the resources and their reach are not under end-user control.
● Ensuring a Secure Interface: the integrity of information during transfer, storage, and retrieval needs to be ensured over the insecure internet.
● Separation of Data: privacy issues arise when personal data is accessed by Cloud providers, or when boundaries between personal and corporate data do not have clearly defined policies.
● Secure Stored Data: there is a question mark over who controls encryption and decryption, the end-user or the Cloud Service provider.
● User Access Control: for web-based transactions (PCI DSS), web data logs need to be provided to compliance auditors and security managers.

Security Algorithms are classified broadly as:

● Private Key / Symmetric Algorithms: use a single secret key for encrypting a large amount of data and have a fast processing speed. These algorithms use a single secret key that is known to the sender and receiver. RC6, 3DES, and Blowfish are some prime examples of these algorithms.
● Public Key / Asymmetric Algorithms: use a key pair for the cryptographic process, with the public key for encryption and the private key for decryption. These algorithms have a high computational cost and thus a slow speed compared to single-key symmetric algorithms. RSA and Diffie-Hellman are some types of public-key algorithms.
● Signature Algorithms: used to sign and authenticate user data and are single-key based. Examples include RSA and DH.
● Hash Algorithms: compress data for signing to a standard fixed size. Examples include MD5 and SHA.

Algorithms can also be classified by their processing features, as illustrated in Fig. (3.2).

With several Cloud services, servers, and hosted applications under IT management, most Cloud providers have no defined process to ensure the security of data from threats and attacks [5]. Cyber attacks target the end-user data, which the Cloud Service providers try to secure by using cryptographic algorithms whose primary goal is to make decrypting the generated Ciphertext back to the plain text as difficult as possible. A long key length makes it harder to decrypt the Ciphertext, which in turn makes the algorithms efficient and effective.

Fig. (3.2). Classification of Algorithms.

2. ASYMMETRIC ALGORITHMS

Asymmetric Algorithms [6] have a pair of related keys: one key for encryption, called the Public key, and a different but interrelated key for decryption, called the Private Key, when performing the transformation of plain text into Ciphertext. The main asymmetric algorithms are ECC, Diffie-Hellman, and RSA.

2.1. RSA

The RSA algorithm, named after its inventors (Rivest, Shamir, and Adleman), is best suited for data traveling to and from Web and Cloud-based environments. In Cloud Computing, the end-user data is first encrypted and then stored in the Cloud. When the data is required, the end-user places a request with the Cloud Service provider to access the data. For this, the Cloud service provider first authenticates the user as the authentic owner and then delivers the data to the requester using the RSA asymmetric algorithm. This algorithm is supported by the .NET Security Framework as well. Two keys are involved: the Public Key [7], which is known to all, and the Private Key, which is known only to the end-user. Conversion from plain text to cipher text is done with the Public Key by the Cloud service provider, and decryption of the Ciphertext to plain text is done by the end-user, the Cloud service consumer, using the Private Key. Once the user data is encrypted with the Public Key, that cipher data can only be decrypted with the corresponding Private Key. In this algorithm, prime numbers are used to generate the public and private keys by multiplying the numbers together and applying mathematical formulas. It operates on blocks of data in which the plain text and the Ciphertext are integers between 0 and n-1 for some n. The plaintext is encrypted in blocks, and the binary value of each block must be less than the number n. RSA is multiplicatively homomorphic, which essentially means that to obtain the Ciphertext of the product of two plain texts, one multiplies their Ciphertexts: the outcome is the Ciphertext of the product.

2.2. Diffie-Hellman Key Exchange (D-H)

This is a method for exchanging cryptographic keys [8]: it first establishes a shared secret key to use for subsequent communication, and is not itself used for encryption or decryption. The key exchange process lets two parties that have no prior knowledge of each other jointly establish a shared secret key over the insecure internet. Transformations of the keys are interchanged, and both end up with the same session key, which acts as a secret key. Each can then calculate a third session key that cannot easily be derived by an attacker who knows both exchanged values. This key encrypts the subsequent communications using a symmetric-key cipher, but the exchange is vulnerable to the Man-in-the-Middle (MITM) attack. Unlike RSA, this key exchange is not used for exchanging large amounts of real data.

3. SYMMETRIC ALGORITHMS

Symmetric algorithms use a single shared secret key [9] to encrypt as well as decrypt data. They are capable of processing a large amount of data and, from a computing standpoint, are not very power-intensive, so they impose a lower overhead on systems and perform encryption and decryption at high speed. Symmetric algorithms encrypt plaintexts either as Stream ciphers, one bit at a time [10], or as Block ciphers, on a fixed number of bits such as 64-bit units, as presented in Fig. (3.3).
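The RSA block constraint and the multiplicative homomorphic property of Section 2.1, together with the D-H exchange of Section 2.2, worked through in Python with deliberately small parameters. This is an added example, not code from the chapter; the primes, exponents and the group (p = 23, g = 5) are constructed for illustration, and the unpadded RSA shown is exactly the malleable form that the homomorphic property implies, which is why deployed RSA uses padding such as OAEP.

```python
"""Textbook RSA and Diffie-Hellman on small numbers (added example).

Not code from the chapter. Parameters are constructed for readability;
real deployments use 2048-bit moduli and padded RSA (e.g. OAEP), because
the unpadded form below is malleable, as the homomorphic property shows.
"""
import secrets
from math import gcd


def rsa_keygen(p, q, e=65537):
    """Public (n, e) and private (n, d) from two primes p, q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse: e*d == 1 (mod phi)
    return (n, e), (n, d)


def block_fits(pub, m):
    """Each block must be an integer in [0, n-1], as the text states."""
    return 0 <= m < pub[0]


def rsa_encrypt(pub, m):
    n, e = pub
    if not block_fits(pub, m):
        raise ValueError("block value must be smaller than n")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def rsa_is_multiplicatively_homomorphic(pub, priv, m1, m2):
    """Check that E(m1)*E(m2) mod n decrypts to m1*m2 mod n."""
    n = pub[0]
    c_product = (rsa_encrypt(pub, m1) * rsa_encrypt(pub, m2)) % n
    return rsa_decrypt(priv, c_product) == (m1 * m2) % n


def dh_keypair(p, g):
    """Random private exponent x in [1, p-2] and public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared(p, their_public, my_private):
    """Session key (g^y)^x mod p, identical on both sides."""
    return pow(their_public, my_private, p)


def dh_exchange(p, g):
    """Both sides' messages plus the key each derives.

    'wire' is what an eavesdropper sees: p, g, A = g^a, B = g^b. Nothing in
    the exchange authenticates A or B, which is the gap a man-in-the-middle
    exploits; signing or certifying the public values closes it.
    """
    a, A = dh_keypair(p, g)
    b, B = dh_keypair(p, g)
    return {"wire": (p, g, A, B),
            "alice": dh_shared(p, B, a),
            "bob": dh_shared(p, A, b)}


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, e=17)          # constructed toy primes
    c = rsa_encrypt(pub, 65)
    print("RSA keys", pub, priv, "E(65) =", c, "D(c) =", rsa_decrypt(priv, c))
    print("multiplicative homomorphism holds:",
          rsa_is_multiplicatively_homomorphic(pub, priv, 65, 12))
    ex = dh_exchange(23, 5)                        # constructed toy group
    print("DH wire view:", ex["wire"], "keys agree:", ex["alice"] == ex["bob"])
```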

Fig. (3.3). Symmetric Algorithms.

There are, however, a few problems with Symmetric Algorithms:

● Exchanging the Shared Secret Key [11] over the insecure internet.

Symmetric-key algorithms share secret keys required by the sender and receiver during the encryption or decryption process. If a third person gains access to the secret key, Ciphertext messages can easily be decrypted. Having one single secret key is the most critical issue faced by Cloud service providers when dealing with end-users who communicate over the insecure internet. The only option is to change that secret key often, or to keep it as secure as possible during the distribution phase.

● Problem confirming whether the content has been altered or was sent by the claimed sender.

If a hacker has the secret key, they can decrypt the Ciphertext, modify the information being sent, re-encrypt it with that key, and send it to the receiver. Since a single key is involved during the crypto process, either side of the transaction can be compromised. Such data integrity and non-repudiation issues therefore need to involve the use of Digital signatures or Hashing functions like MD5.

● Tools for cracking Symmetric encryption

Brute force [12], running cracking tools that try key combinations to determine the plaintext message, and Cryptanalysis, where the attacks focus on the characteristics of the algorithm to deduce a specific plaintext or the secret key. Hackers can then figure out the plaintext for messages that use the compromised setup.

4. RELATED WORK PERFORMED

With DDoS and Malware attacks on the rise, Cloud Providers are focusing more on keeping end-user data as secure as possible and giving low priority to cloud performance, owing to inconsistent selection of algorithms for encryption and encoding. By selecting the right cryptographic scheme, end-user data security can be achieved without losing out on cloud performance. Algorithm analysis is essential for guarding against accidental or unintentional use of an algorithm that may prove inefficient or significantly impact application system performance due to encryption or decryption. For cloud-based web applications or portals needing real-time or time-sensitive data, an algorithm that takes too long to run would hinder the real-time application, as it may render the results useless. Likewise, an otherwise efficient algorithm might need large amounts of computing power or storage to execute over the cloud, making it useless in that environment.


4.1. Comparison Parameters

The authors compared Symmetric encryption algorithms and encoding algorithms using size and time to decide on the selection of the right algorithms, based on the following parameters:

● File Size: files of different sizes to be taken as input
● Encryption Computation Time: the time an algorithm takes to produce a Ciphertext from a plain text
● Encoding Computation Time: the time taken by the encoding algorithm to produce a hash code

Performance metrics were collected based on the following:

● Encryption & Decryption Time: the encryption time is the time required to convert the plain text payload file into Ciphertext. The authors used the encryption time to find the throughput, which indicates the computation cost, i.e., the encryption speed. The decryption time is the amount of time required to convert the Ciphertext back into plain text.
● CPU Processing Time: the time the CPU is committed to the process, reflecting the CPU load during the encryption process. The CPU clock cycles and battery power are the energy consumed during the encryption and decryption process.
● Size of payload to be tested: the actual size of the text file used for the experimental work.

The authors then used the following infrastructure for the data-gathering research work:

● Connectivity: 1 Mbps WAN circuit link connected to a public Cloud service provider
● Cloud Simulation: hosted Web application server on IaaS systems for the cloud environment
● Working environment:
  ❍ Programming language environment: Java
  ❍ One 64-bit Windows Server 2008 operating system
  ❍ Running on a VMware-based virtual machine
  ❍ Over hardware with an Intel Core i5-3230M CPU @ 2.66GHz and 8GB memory


4.2. Performance Evaluation

This section presents the actions performed on the input using different algorithms to encrypt the data (a text file), in order to determine the time required for reading the file, encrypting it, creating the encrypted data, then sending the data to a cloud location and receiving a confirmation. The input variables are:

● File upload: D:\SACC\Data\Encrypt.txt (input), as presented in Fig. (3.4)
● Choice of algorithm
● Encoding hash
● Key size
● Mode: Encrypt or Decrypt

Fig. (3.4). Encrypting text file to send to the cloud.
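The measurement procedure of Sections 4.1 and 4.2 (vary the payload size, time the operation, derive throughput and CPU time), applied to the two encoding algorithms the chapter compares, MD5 and SHA-256, as an added example that is not the authors' Java harness. Payloads are constructed in memory rather than read from D:\SACC\Data\Encrypt.txt, and the harness accepts any callable, so a cipher from a third-party library can be timed the same way.

```python
"""Timing harness in the style of the chapter's experiment (added example).

Measures wall-clock and CPU time for MD5 and SHA-256 over payloads of
increasing size and derives throughput. Sizes and payloads are constructed
here; the chapter's Java harness read a file from disk instead.
"""
import hashlib
import os
import statistics
import time

# Constructed payload sizes mirroring the chapter's smaller steps (bytes).
SIZES = {"1KB": 1024, "20KB": 20 * 1024, "500KB": 500 * 1024, "1MB": 1024 * 1024}

# The "encoding" algorithms compared in Fig. (3.6); any callable taking
# bytes can be substituted, e.g. an AES encrypt function.
ALGORITHMS = {
    "MD5": lambda data: hashlib.md5(data).digest(),
    "SHA-256": lambda data: hashlib.sha256(data).digest(),
}


def time_operation(fn, payload, repeats=5):
    """Run fn(payload) `repeats` times; return (median wall ms, median CPU ms)."""
    wall, cpu = [], []
    for _ in range(repeats):
        w0, c0 = time.perf_counter(), time.process_time()
        fn(payload)
        wall.append((time.perf_counter() - w0) * 1000.0)
        cpu.append((time.process_time() - c0) * 1000.0)
    return statistics.median(wall), statistics.median(cpu)


def throughput_mb_per_s(size_bytes, wall_ms):
    """Computation cost expressed as throughput, as the chapter does."""
    if wall_ms <= 0:
        return float("inf")
    return (size_bytes / (1024 * 1024)) / (wall_ms / 1000.0)


def run_benchmark(sizes=SIZES, algorithms=ALGORITHMS, repeats=5):
    """Return {algorithm: {size_label: (wall_ms, cpu_ms, mb_per_s, digest_len)}}."""
    payloads = {label: os.urandom(n) for label, n in sizes.items()}  # constructed input
    results = {}
    for name, fn in algorithms.items():
        results[name] = {}
        for label, data in payloads.items():
            wall_ms, cpu_ms = time_operation(fn, data, repeats)
            results[name][label] = (
                wall_ms,
                cpu_ms,
                throughput_mb_per_s(len(data), wall_ms),
                len(fn(data)),
            )
    return results


if __name__ == "__main__":
    for name, rows in run_benchmark().items():
        for label, (wall_ms, cpu_ms, mbps, dlen) in rows.items():
            print(f"{name:8} {label:>6} {wall_ms:8.3f} ms wall "
                  f"{cpu_ms:8.3f} ms cpu {mbps:8.1f} MB/s digest {dlen} B")
```

The chapter reports MD5 as the faster encoder; for an integrity check, the collision resistance of SHA-256 matters more than the time difference, so the speed column alone should not drive the choice.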

5. PERFORMANCE RESULTS

The data from the experimental work on Symmetric algorithms are illustrated in the graphs below, obtained by using varied file sizes as input and recording the computation cost for those algorithms. Encoding algorithms check the data integrity of end-user data on the cloud, and computation cost data were obtained for the different algorithms by varying the payload size. Fig. (3.5) illustrates the computation cost required for encryption algorithms such as DES 56, 3DES 168 and AES 128. These three algorithms are provided with data to encrypt, ranging from 1 Kilobyte to 25 Megabytes in size, and the total time (in milliseconds) is measured to calculate the compute time.

[Fig. (3.5) chart: Computational Cost - Encryption; series DES 56, TDES 168, AES 128; x-axis Encrypted Data (1KB, 20KB, 500KB, 1MB, 10MB, 25MB); y-axis Computational Cost (Time) in ms, 0 to 60000.]

Fig. (3.5). Computational Cost for Encryption.

Fig. (3.6) illustrates the decryption cost required for decryption algorithms such as SHA 256 and MD5. The two algorithms are provided with data to decrypt, ranging from 1 Kilobyte to 50 Megabytes in size; the decryption time (in milliseconds) is measured and the algorithms compared.


[Fig. (3.6) chart: Computational Cost - Decryption; series SHA 256, MD5; x-axis Encrypted Data (1KB, 20KB, 500KB, 1MB, 10MB, 50MB); y-axis Decryption Time (ms), 0 to 2500.]

Fig. (3.6). Computational Cost for Decryption.

Fig. (3.7) illustrates the total time required for encryption and decryption, which is the total round trip from text data to encrypted data and back. The process provides data to encrypt and decrypt, ranging from 1 Kilobyte to 25 Megabytes in size, and calculates the round trip time involved.


[Fig. (3.7) chart: Round Trip Computation; series Encrypted Data, Text Data; x-axis Encrypted Data (50Kb, 500Kb, 1Mb, 10MB, 25MB); y-axis Round Trip Time, 0 to 250000.]

Fig. (3.7). Execution Time (Text file to encrypted file and back).

Further observations from the work performed:

● Data Security for Cloud-based applications can be increased by using the RSA and AES encryption algorithms.
● When using keys such as 1024-bit RSA and 128-bit AES, determining the private key is not possible even if the attacker has the generated public keys.
● If the end-user logs in to the Cloud web portal and accesses the applications but does not log out and leaves the session idle, then an attacker who breaks into the user system and attempts to download and access the data from it would be required to enter the private key. Even if the attacker succeeds in breaking into the user system, somehow guesses the private key, and goes on to download the encrypted data, he might obtain the encrypted data, but accessing the original data might still not be possible.

CONCLUSION

With Cloud computing emerging as the new in-thing in the technology industry, public and private enterprises and corporate organizations are either using Cloud services or are in the process of moving there, but face security, privacy, and data theft issues. This makes Cloud security a must to overcome the hindrances to acceptance of the cloud environment. Security algorithms must be implemented for the cloud and properly utilized to ensure end-user security. The authors analyzed Symmetric algorithms for different encryption and encoding techniques and found AES to be a good candidate for key encryption and MD5 to be faster for encoding.

DISCLOSURE

"Part of this chapter has previously been published in Security Algorithms for Cloud Computing, in Procedia Computer Science, 2016, vol. 85, no. 19, pp. 535-542".

CONSENT FOR PUBLICATION

Not applicable.

CONFLICT OF INTEREST

The authors declare no conflict of interest, financial or otherwise.

ACKNOWLEDGEMENT

Declared none.

REFERENCES

[1] M. Ali, T. Wood-Harper, and R. Ramlogan, "A framework strategy to overcome trust issues on cloud computing adoption in higher education", In: Modern Principles, Practices, and Algorithms for Cloud Security, 2020, pp. 162-183. [http://dx.doi.org/10.4018/978-1-7998-1082-7.ch008]

[2] J-J. Hwang, H-K. Chuang, Y-C. Hsu, and C-H. Wu, "A business model for cloud computing based on a separate encryption and decryption service", International Conference on Information Science and Applications, 2011. [http://dx.doi.org/10.1109/ICISA.2011.5772349]

[3] S.A. Nooh, "Cloud cryptography: User end encryption", International Conference on Computing and Information Technology (ICCIT-1441), 2020. [http://dx.doi.org/10.1109/ICCIT-144147971.2020.9213745]

[4] N. Gonzalez, C. Miers, F. Redigolo, T. Carvalho, M. Simplicio, M. Naslund, and M. Pourzandi, "A quantitative analysis of current security concerns and solutions for cloud computing", IEEE Third International Conference on Cloud Computing Technology and Science, 2011. [http://dx.doi.org/10.1109/CloudCom.2011.39]

[5] "Simplifying secure cloud computing environments with Cloud Data Centers", In: Cloud Computing Security, 2016, pp. 409-422.

[6] P. Mitra, "Introductory chapter: Recent advances in cryptography and network security", In: Recent Advances in Cryptography and Network Security, 2018. [http://dx.doi.org/10.5772/intechopen.71917]

[7] W. Jansen, and T. Grance, "Guidelines on security and privacy in public cloud computing", 2011. [http://dx.doi.org/10.6028/NIST.SP.800-144]

[8] A. Behl, "Emerging security challenges in cloud computing: An insight to cloud security challenges and their mitigation", World Congress on Information and Communication Technologies, 2011. [http://dx.doi.org/10.1109/WICT.2011.6141247]

[9] S. Yadav, U. Verma, and C. Bhardwaj, "Data security in cloud computing using homomorphic encryption", Int. J. Sci. Res. (Ahmedabad), vol. 3, no. 5, pp. 78-81, 2012. [http://dx.doi.org/10.15373/22778179/MAY2014/26]

[10] Security Guidance for Critical Areas of Focus in Cloud Computing V3.0. CSA, 2015.

[11] A. Mahalanobis, "The Diffie-Hellman key exchange protocol and non-abelian nilpotent groups", Isr. J. Math., vol. 165, no. 1, pp. 161-187, 2008. [http://dx.doi.org/10.1007/s11856-008-1008-z]

[12] U. Somani, K. Lakhani, and M. Mundra, "Implementing digital signature with RSA encryption algorithm to enhance the data security of cloud in cloud computing", First International Conference on Parallel, Distributed and Grid Computing (PDGC 2010), 2010. [http://dx.doi.org/10.1109/PDGC.2010.5679895]


New Age Cyber Threat Mitigation for Cloud Computing Networks, 2023, 42-55

CHAPTER 4

Solutions for DDoS Attacks on Cloud Environment

Abstract: The internet has become the key driver for virtually every organization's growth, brand awareness, and operational efficiency. Unfortunately, cyber terrorists and organized criminals know this fact too. Using a Distributed Denial of Service attack, they can deny corporates and end-users internet access, make websites slow, and deny access to corporate networks and data, making them unable to serve legitimate users. It is not only these services that are at risk: DDoS attacks are also diversions. Due to the increased attack volume, collateral damage is becoming a major cause of concern – packet loss, delays, and high latency for the internet traffic of those whose network traffic traverses a WAN saturated by a DDoS attack. DDoS attacks disrupt services and distract security resources while other attacks, like fraudulent transactions, are attempted. Adaptive DDoS attacks are prevalent – attackers alter attack traffic on the fly to avoid identification and confuse mitigation plans. Reflective and Amplification attacks are the most common, leveraging misconfigured DNS, NTP, and other network resources by spoofing source IP addresses. The bitter reality is that for cloud computing to be useful, it has to be exposed to insecure WANs and the public internet. With the presence of Cloud services being advertised and their interfaces defined, unauthorized attacks will always look to target those services.

Keywords: Cloud Computing, Cloud Security, CSP, Denial of Service, Scrubbing.

1. INTRODUCTION

A Denial of Service attack [1] is a cyberattack method that denies legitimate users access to online web applications (Email, Chat, E-commerce, and Banking), SaaS, PaaS, or IaaS Cloud services, and computing resources like network resources or even VoIP infrastructure, from a single attack address, as illustrated in Fig. (4.1). Distributed Denial of Service attacks, or DDoS attacks [2], as presented in Fig. (4.2), amplify the effects of a DoS attack by using thousands of machines to launch the assault and disrupt operations at a large scale, bombarding the target web applications and network devices with information requests that overwhelm the server.

[Figs. (4.1) and (4.2) are diagrams; only their labels survive extraction: Router; Attacker sends ICMP packets via the router; Intrusion Detection; Firewall; Load Balancers; Spoofs the source IP address of the request to fool the IDS; Web Servers; Database Servers; Devices behind firewalls respond and servers acknowledge the request.]

Fig. (4.1). Denial of Service Attacks.

Fig. (4.2). Distributed Denial of Service Attacks.

Attackers exploit vulnerable systems across geographies, compromising them by infecting them with a Trojan: a small application that gives the attacker remote command-and-control over the user's system without the user's knowledge. These infected systems are called Zombies or Bots [3]. They are used to attack the intended target servers by sending a flood of network packets, data or transaction requests over the network from multiple systems at the same time, in an attempt to make one or more services, such as Cloud services or hosted web applications, unavailable to their intended users. The Bots further compromise other systems, and the compromised systems operate together as a Botnet. The problems faced by the users range from:

● Resource exhaustion, such as over-utilizing and consuming the WAN pipes or server CPU time
● Exploitation of user account lockout by repeatedly attempting logins with invalid credentials
● Process disruption by crashing a web application process through a vulnerability in its code
● Pushing malware that affects processors or opens sockets to trigger errors in computer microcode
● Corrupting data by altering user-supplied types to an invalid type, making the input data incorrect

2. REPORTS AND TRENDS

As per F5 Denial of Service and Cloudflare trend reports, Figs. (4.3 to 4.9) illustrate the dismal state of security on the Internet and cloud domains regarding various cyberattacks.

[Fig. (4.3) is a bar chart; only its axes survive extraction: quarters 2020 Q1 to 2021 Q1 on the x-axis, 0 to 1200 attacks on the y-axis, with the series Volumetric DDoS, Protocol DDoS and Application DDoS.]

Fig. (4.3). Frequency of DDoS Attack Types.

[Fig. (4.4) is an F5 bar chart grouped into Volumetric, Protocol and Application tactics; the readable x-axis labels include UDP fragmentation, DNS reflection, UDP (volumetric), LDAP reflection, TCP SYN, DNS query, NTP reflection, ICMP (volumetric), TCP (ACK), TCP (RST), SSDP, CHARGEN reflection, memcached reflection, HTTPS (GET), HTTP (GET), SMTP reflection and Other.]

Fig. (4.4). Frequency of DDoS Attacks Tactics.

[Fig. (4.5) is an F5 chart of peak attack size (Gbps, 0 to 600) against the number of attacks as a percentage of the total (0% to 16%), by month from Jan 2020 (Q1) to Mar 2021 (Q1).]

Fig. (4.5). DDoS attacks compared with sizes.

[Fig. (4.6) is a bar chart of the share of support calls (0% to 90%) per attack category (API, Web app, DNS, Network, Protocol, SSL/TLS, Volumetric) for CY 2018, CY 2019 and CY 2020.]

Fig. (4.6). Allocation of support calls placed to F5 SIRT for various DDoS attacks.

Fig. (4.7). DDoS activity per Industry.

Fig. (4.8). Network-layer DDoS Attacks.

Fig. (4.9). Top emerging Network Threat Vectors.

Infrastructure-based attacks had the major share of DDoS attacks at 90% in Q1 2015, compared to application attacks at about 10%. Some new attack technologies have also been tracked, including:

● Joomla and SaaS-based applications being targeted by DDoS agents
● Heap-based buffer overflow vulnerability on Linux servers
● Use of a new Microsoft SQL Reflection technique by attackers
● Data breach using login attacks

As per the Verisign Data Breach Investigation Report, Fig. (4.10) presents the top misused breach variety, while Fig. (4.11) presents the time between events captured by security systems such as SIEM.

Fig. (4.10). Top Misused Breach varieties.

Fig. (4.11). Time between SIEM Events.

Even as the world continues to re-open to various degrees, we still feel the impact of 2020’s move to an almost completely virtual world. Many large companies are shifting to a hybrid model, mixing the ability to work from home with working in the office. Some are even offering their employees the opportunity to work remotely indefinitely. There is no denying that the way we work, bank, play, and relax has been impacted by COVID-19. Shouting “pivot” may have shot into popular culture in the TV show Friends, but it’s a rallying cry revived in the 2020s by businesses, individuals, and criminals alike. Web-based and application attacks were high in 2020 and show no indication of slowing anytime soon. Akamai observed 6,287,291,470 web attacks globally, with 736,071,428 in the financial services sector alone, as illustrated in Fig. (4.12).

[Fig. (4.12) is a line chart, Daily Web Application Attacks, October 1, 2020 - October 31, 2021, attacks in millions (0 M to 120 M) for All Verticals and Financial Services; labelled points: Jun 23, 2021 113,875,654; Oct 29, 2021 103,574,362; Mar 11, 2021 71,670,235; Oct 29, 2021 55,106,461; Oct 25, 2021 32,179,701; Oct 10, 2021 21,343,101; Jan 21, 2021 16,628,110.]

Fig. (4.12). Web Application Attacks.

Gaming was a haven for many people worldwide, including our team, especially during the height of the lockdown. While the gaming industry saw a decrease in DDoS attacks, the industry also saw more growth in overall attack traffic than any other industry, as illustrated in Fig. (4.13). Attackers are lurking, developing new techniques and attack methods; API functionality is one of their primary targets. While teams are moving toward having security baked into the development lifecycle, the process is slow. This leaves organizations behind the eight ball and forces them, in some cases, to launch known vulnerable code into the wild because the business use for said code is critical.

[Fig. (4.13) is a line chart, Weekly DDoS Attack Events - Gaming, October 1, 2020 - October 31, 2021, DDoS attack events per week (0 to 200) for All Verticals and Gaming; labelled points: Jan 18, 2021 190.0; Sep 27, 2021 200.0; Mar 29, 2021 183.0; Aug 02, 2021 79.0; Mar 01, 2021 75.0; Sep 27, 2021 74.0.]

Fig. (4.13). DDoS Attack Events on Gaming Industry.

2.1. Types of DDoS Attacks

Depending on the area of the infrastructure on which the attack is focused, DDoS attacks fall into the following three broad categories:

● Network or Volumetric DDoS Attacks [4] clog the WAN circuits connecting the IP bandwidth networks by sending a flood of data packets at the transport layer (TCP or UDP) and network layer, OSI Layers 3 and 4, so that excessive requests overwhelm the connection capacity until the systems are unavailable, or overwhelm the resources and deny the ability to respond to legitimate traffic. The most common of these attacks are SYN and DNS floods.

● Application DDoS attacks [5] mimic legitimate user traffic to evade an organization’s common security measures and create bottlenecks in an application or web server by establishing connections and exhausting it. These sophisticated threats are harder to detect because not many machines are required for the attack, which generates a low traffic rate that appears legitimate. These attacks overload the web servers and databases on which a Cloud Application service runs, flooding the Web application with legitimate-looking requests to overwhelm server processing power or exploit business logic flaws. The application crashes and takes the site offline. They do not require high volumes: even a rate of 50 – 100 requests/second is enough to cripple most mid-sized websites.


● TCP State-Exhaustion Attacks [6] attempt to consume the connection state tables and existing server resources such as CPU or memory, or intermediate communication equipment, in many infrastructure components such as load balancers, firewalls, and the application servers themselves. These attacks can take down devices capable of maintaining state on millions of connections. They are TCP-based, tend to attack the server socket to clog the website or online service, and are measured in packets per second (p/s).

3. PROPOSED SOLUTIONS

With Distributed Denial of Service (DDoS) attacks on Cloud Services becoming the main threat, having increased many-fold in complexity, flooding volumetric traffic, and sophistication worldwide, corporate enterprises, banking, financial, and hosting companies have come to realize the critical need to mitigate DDoS attacks. Some use ISP service offerings or customized in-house on-premises systems, which can deflect one specific DDoS attack or need to be constantly upgraded and customized to mitigate other attacks. In all, most solutions are unable to provide proper and adequate protection against varied levels of network or application attacks. They always seem to lack the features to mitigate and block the new types of attacks that are constantly evolving. To provide solid DDoS protection, a robust, secure, and scalable solution is required, which we propose here. Here are some traditional solutions in use to mitigate DDoS:

3.1. On-Premise-based Solution

On-Premise infrastructure is a private cloud with limited ISP leased bandwidth and basic security devices such as firewalls and IDS. Even though an in-house On-Premise defense system may have DDoS mitigation functionality, it would not be able to deliver proper DDoS mitigation due to:

● The in-house defense system’s inability to protect against volumetric floods – when attacks flood and saturate the ISP WAN circuits and the enterprise defense network themselves, it becomes a challenge to stop high-volume attacks on the networks.

● The constant need for ongoing investment in IT infrastructure, training, and resources to keep up with the ever more dynamic DDoS threats. Most enterprises using cloud services would not want to have an internal IT or dedicated Security group that cannot invest resources for On-premise infrastructure as a private cloud with limited ISP leased bandwidth and basic security devices such as firewalls and IDS.


3.2. ISP DDoS Solution

While ISPs offer DDoS mitigation as an additional service, blocking DDoS attacks at the ISP level has a few drawbacks.

● With multiple customers sharing the same WAN link and the ISP providing the DDoS service using common equipment during an attack, the ISP would face issues with internet traffic for each ‘protected’ customer. During a DDoS attack on one customer, the ISP’s WAN equipment would be tied up handling the increased traffic flood, affecting other customers who are not targeted.

● Having multiple customers with hundreds of policies to implement, like blocking IP addresses, blacklisting domains, and allowing/denying ports, ISPs would sometimes lower their guard to avoid false positives by ‘softening’ their policies and lowering the alert thresholds. This can result in some malicious traffic getting passed through, leading to an application attack, even if it is not a flood attack. At times, the attacker traffic ends up behaving similarly to a legitimate user’s traffic, leaving the ISP unable to protect against combined network and application DDoS attacks.

● ISPs’ core business is network data delivery, focused on providing WAN circuit uptime and load balancing; expecting deep DDoS expertise would be asking a lot of network equipment vendors, who lack the required expertise to quickly respond to new types of attacks and add new attack signatures.

● Then there’s the cost consideration for organizations having multiple ISPs who may have implemented BGP or WAN load-balancing circuits, for which implementing a DDoS protection service would require additional services from each WAN provider.

3.3. Scrubbing Defense DDoS Mitigation

Scrubbing defense architecture is deployed in two ways for DDoS protection – either all traffic goes through a third-party defense system that sends the cleaned traffic to the customer’s network, OR two detection systems are used, one placed in-house or on the data center premises at the network perimeter, and a second mitigation system based at the Security Operations Center (SOC) at the Cloud Datacenter level. These defenses complement each other in providing quick and early detection of the attack types while at the same time ensuring minimum disruption to network and business operations.

● The defense system at the Customer Premise performs traffic analysis, attack detection, and signaling by constantly monitoring network traffic and the traffic pattern to establish a normal-behavior baseline threshold, much like an IDS. The system can then detect anomalies and DDoS attacks at an initial stage and instantly alert the Data Center Security Operations Center for mitigation.

● When the WAN circuit networks are under a volumetric DDoS attack, customer traffic is routed to the scrubbing data center for blocking and mitigating the attack traffic. Once the initial filtering is performed, the scrubbed traffic is rerouted to the subscriber’s Cloud provider.

● The Scrubbing center teams collect and store the attack data to enable real-time monitoring, historical reporting, and analysis.

● There are, however, issues of compliance and regulations, the need to install detection systems as either a hardware device or a thick client for each customer, and data privacy concerns for traffic flowing to a third-party scrubbing center.
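The baseline-then-alert logic the customer-premise detector performs, as an added Python example that is not the chapter's own code: it learns a mean and spread from a quiet window, raises an "alert" to the SOC on the first sample far above that baseline, and turns persistent alerts into a "divert" decision that would reroute the circuit to the scrubbing center. The traffic figures, the `k` and `persist` parameters and the `BaselineDetector` class are constructed assumptions for the illustration.

```python
"""Baseline-then-threshold detection of the kind the customer-premise
detector performs before signalling the SOC / scrubbing centre.
Added illustration; all traffic figures are constructed, not measured."""
from statistics import mean, pstdev

# Constructed per-minute averages of inbound packets/s during a quiet period,
# used to learn what "normal" looks like for this WAN circuit.
NORMAL_WINDOW_PPS = [
    4200, 4350, 4100, 4600, 4450, 4300, 4150, 4500, 4400, 4250,
    4380, 4320, 4470, 4190, 4410, 4280, 4360, 4230, 4490, 4310,
]

# Constructed live samples: steady traffic, a volumetric flood ramp, then recovery.
LIVE_SAMPLES_PPS = [4300, 4420, 4380, 9100, 31000, 128000, 140500, 4500]


class BaselineDetector:
    """Learns mean/sigma of normal traffic; a sample more than `k` sigmas above
    the mean is an 'alert' (notify the SOC), and `persist` consecutive alerts
    become a 'divert' decision (reroute the circuit to the scrubbing centre)."""

    def __init__(self, k=4.0, persist=2, min_sigma=50.0):
        self.k = k
        self.persist = persist
        self.min_sigma = min_sigma  # floor so a very flat baseline still tolerates jitter
        self.mean = None
        self.sigma = None
        self.consecutive = 0

    def learn(self, samples):
        """Fit the baseline from a window of known-good samples."""
        self.mean = mean(samples)
        self.sigma = max(pstdev(samples), self.min_sigma)
        self.consecutive = 0

    def threshold(self):
        return self.mean + self.k * self.sigma

    def observe(self, pps):
        """Classify one live sample as 'normal', 'alert' or 'divert'."""
        if self.mean is None:
            raise RuntimeError("call learn() before observe()")
        if pps > self.threshold():
            self.consecutive += 1
            return "divert" if self.consecutive >= self.persist else "alert"
        self.consecutive = 0  # the flood subsided (or traffic was diverted)
        return "normal"


def run_detector(normal, live, **kwargs):
    """Learn from `normal`, then return the verdict for each sample in `live`."""
    det = BaselineDetector(**kwargs)
    det.learn(normal)
    return [det.observe(s) for s in live]


if __name__ == "__main__":
    det = BaselineDetector()
    det.learn(NORMAL_WINDOW_PPS)
    print(f"baseline mean={det.mean:.0f} pps, threshold={det.threshold():.0f} pps")
    for sample, verdict in zip(LIVE_SAMPLES_PPS, run_detector(NORMAL_WINDOW_PPS, LIVE_SAMPLES_PPS)):
        print(f"{sample:>8} pps -> {verdict}")
```

The `persist` parameter is what keeps a single noisy minute from triggering a reroute; in practice the baseline would be re-learned per circuit and per time of day, since a threshold fitted to night-time traffic will fire on a normal business morning.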

4. MULTI-TIERED NETWORK ARCHITECTURE

Using a three-layered network architecture is a much better option for enterprises working in critical financial domains or government organizations. This involves using the Hybrid Cloud model with two Public clouds, which act as defense layers, and one Private cloud, which hosts the SaaS application and critical database. In this model, the traffic flows as shown in Fig. (4.14).

[Fig. (4.14) is a flow diagram; its labels: Tier 1: Public Data center (inbound) – Users and Attackers; acts as Network Defense layer. Tier 2: Public Data center (inbound/outbound) – traffic checked for network attacks coming in; App attacks are checked here. Tier 3: Private Data center (allows SaaS/Web access) – clean traffic arrives here; SaaS services access layer; Server and Database hosted here.]

Fig. (4.14). Three-Tier Traffic Flow.

The first two layers are DDoS protection defenses, with only legitimate traffic allowed to access the third tier hosting the actual Cloud-based Software application and its components like Servers, OS, Virtual Machines, Web portal apps, and databases. Data Traffic flow and protection can be visualized in Fig. (4.15).

[Fig. (4.15) is an architecture diagram; its labels: Inbound traffic / Outbound traffic. Legitimate Users and DDoS Attackers enter Public Cloud (Tier 1) – Network Defense: network firewall services, DNS, simple load balancing using only Layer 3 & 4 devices; performs screening for SYN, ICMP, UDP floods, IP blocklisting, anonymous probes & threat intelligence. Public Cloud (Tier 2) – Application Defense: SSL termination, Web App Firewall stack, malware inspection; performs screening for ARP spoofing, SSL floods, HTTP attacks (slow POST, recursive POST/GET), botnets, key loggers, DNS cache poisoning, malware and spyware. Private Cloud (Tier 3) – Cloud Service Access: access to the in-house network for the Cloud App, web portals, VMs and Database; Servers/DB.]

Fig. (4.15). Three-Tier DDoS Mitigation Architecture.
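The tiered screening laid out in Figs. (4.14) and (4.15), and the attack categories of Section 2.1, as an added Python example that is not the chapter's own code: Tier 1 applies only network-layer checks (reputation blocklist, SYN half-open, ICMP and UDP flood counters per source), Tier 2 applies application-layer checks on what survived (per-source request rate and low-and-slow POST detection), and only sources that pass both reach the private Tier 3. Only a subset of the figure's checks is modelled; the `Packet` record, the limits and every address in the sample window are constructed assumptions.

```python
"""Screening pipeline modelled on the tiered flow of Figs. (4.14) and (4.15).
Added illustration, not the chapter's own code: Tier 1 applies network-layer
(L3/L4) checks, Tier 2 application-layer (L7) checks, and only sources that
survive both reach the private Tier 3. A subset of the figure's checks is
modelled; every record and threshold is constructed sample data."""
from collections import Counter
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    proto: str               # "tcp", "udp", "icmp" or "http"
    kind: str                # TCP flag, "echo", "dgram", or HTTP method
    declared_len: int = 0    # Content-Length the client announced (HTTP POST)
    sent_len: int = 0        # body bytes actually delivered so far
    elapsed_s: float = 0.0   # seconds the request has been open


BLOCKLIST = {"198.51.100.77"}                      # constructed reputation entry
TIER1_LIMITS = {"syn_half_open": 100, "icmp_echo": 100, "udp_dgram": 1000}
TIER2_LIMITS = {"http_per_window": 100, "slow_post_min_bps": 64.0}

# One monitoring window of constructed inbound traffic.
SAMPLE_WINDOW = (
    # legitimate user: completes the handshake, then two page requests
    [Packet("203.0.113.9", "tcp", "SYN"), Packet("203.0.113.9", "tcp", "ACK"),
     Packet("203.0.113.9", "http", "GET"), Packet("203.0.113.9", "http", "GET")]
    # SYN flood: 200 SYNs from one source, handshake never completed
    + [Packet("192.0.2.50", "tcp", "SYN")] * 200
    # ICMP flood: 500 echo requests
    + [Packet("192.0.2.51", "icmp", "echo")] * 500
    # blocklisted source sending otherwise ordinary traffic
    + [Packet("198.51.100.77", "tcp", "SYN"), Packet("198.51.100.77", "tcp", "ACK"),
       Packet("198.51.100.77", "http", "GET")]
    # low-and-slow POST: announces 1 MiB, delivers 64 bytes in 90 s
    + [Packet("192.0.2.52", "tcp", "SYN"), Packet("192.0.2.52", "tcp", "ACK"),
       Packet("192.0.2.52", "http", "POST", declared_len=1_048_576, sent_len=64, elapsed_s=90.0)]
    # HTTP GET flood: 300 requests from one host inside the window
    + [Packet("192.0.2.53", "tcp", "SYN"), Packet("192.0.2.53", "tcp", "ACK")]
    + [Packet("192.0.2.53", "http", "GET")] * 300
)


def tier1_network_defense(packets):
    """Tier 1 (public cloud, inbound only): reputation blocklist plus
    SYN / ICMP / UDP flood counters per source over the window.
    Returns (passed_packets, {src: reason}) for what it dropped."""
    syn, ack, icmp, udp = Counter(), Counter(), Counter(), Counter()
    for p in packets:
        if p.proto == "tcp" and p.kind == "SYN":
            syn[p.src] += 1
        elif p.proto == "tcp" and p.kind == "ACK":
            ack[p.src] += 1
        elif p.proto == "icmp":
            icmp[p.src] += 1
        elif p.proto == "udp":
            udp[p.src] += 1
    verdicts = {}
    for src in {p.src for p in packets}:
        if src in BLOCKLIST:
            verdicts[src] = "ip_blocklist"
        elif syn[src] - ack[src] > TIER1_LIMITS["syn_half_open"]:
            verdicts[src] = "syn_flood"       # handshakes started but never finished
        elif icmp[src] > TIER1_LIMITS["icmp_echo"]:
            verdicts[src] = "icmp_flood"
        elif udp[src] > TIER1_LIMITS["udp_dgram"]:
            verdicts[src] = "udp_flood"
    return [p for p in packets if p.src not in verdicts], verdicts


def tier2_application_defense(packets):
    """Tier 2 (public cloud, after SSL termination): per-source request-rate
    limit and low-and-slow POST detection on traffic Tier 1 let through."""
    http = Counter(p.src for p in packets if p.proto == "http")
    verdicts = {}
    for p in packets:
        if p.proto != "http" or p.src in verdicts:
            continue
        if http[p.src] > TIER2_LIMITS["http_per_window"]:
            verdicts[p.src] = "http_flood"
        elif (p.kind == "POST" and p.elapsed_s > 0 and p.declared_len > p.sent_len
              and p.sent_len / p.elapsed_s < TIER2_LIMITS["slow_post_min_bps"]):
            verdicts[p.src] = "slow_post"      # body trickles in to hold the socket open
    return [p for p in packets if p.src not in verdicts], verdicts


def three_tier_pipeline(packets):
    """Run both defense tiers; what remains is what Tier 3 (private cloud) sees."""
    t1_pass, t1_blocked = tier1_network_defense(packets)
    t2_pass, t2_blocked = tier2_application_defense(t1_pass)
    return {
        "tier1_blocked": t1_blocked,
        "tier2_blocked": t2_blocked,
        "tier3_sources": sorted({p.src for p in t2_pass}),
    }


if __name__ == "__main__":
    for tier, value in three_tier_pipeline(SAMPLE_WINDOW).items():
        print(f"{tier}: {value}")
```

Note that the slow POST and the GET flood are invisible to Tier 1, which never looks at HTTP, and the SYN and ICMP floods never consume Tier 2 capacity because Tier 1 has already dropped them; that separation is the reason the chapter gives for keeping the two public tiers independently scalable.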

The first layer performs network defense; it needs to be set up only for inbound traffic, and it can block and mitigate 80 to 90% of DDoS attacks at this level. The user traffic passing through the first tier meets only Layer 3 and 4 devices; user data packets are checked for network attacks, so SYN floods and ICMP floods get mitigated here. Network firewall services and simple load balancing with DNS services are performed along with an IP blocklist reputation check to control the inbound traffic at the source data packet level. The traffic then flows on to the second tier, where application attack checks are performed to mitigate ARP spoofing, botnets, key loggers, DNS cache poisoning, malware, and spyware. With both tiers being Public Clouds, scalability and provisioning are not an issue, so this caters for volumetric network attacks and application-level attacks. The traffic now consists only of authenticated, legitimate Cloud service users. This allows access to the Web applications and Database of the SaaS Cloud in the third tier, a Private data center giving access to critical data. Once processed, the traffic is sent back from Tier 3 to the Tier 2 data center and back to the user via the internet.

CONCLUSION

As Cloud Computing technology advances and organizations embrace Cloud services, DDoS attacks have only increased in the past few years. They show no signs of abating in volume, complexity, or magnitude. Traditional IT defense systems, whether on-premise DDoS solutions or those taken from ISPs, can hardly be expected to take on the wide range of new types of dynamic attacks. DDoS attacks are becoming large enough to overwhelm Cloud providers’ ability to absorb server-based attacks, and they harness data center computational and networking resources to stage DDoS attacks of unprecedented volumes. Due to the increased attack volume, collateral damage is becoming a major cause of concern – packet loss, delays, and high latency for the internet traffic of those whose network traffic traverses a WAN saturated by a DDoS attack. DDoS attacks disrupt services and distract security resources while other attacks, like fraudulent transactions, are attempted. Adaptive DDoS attacks are prevalent – attackers alter their attack traffic on the fly to avoid identification and confuse mitigation plans. Reflection and Amplification attacks are most common – leveraging misconfigured DNS, NTP, and other network resources by spoofing source IP addresses. The bitter reality is that for cloud computing to be useful, it has to be exposed to insecure WANs and the public internet. With the presence of Cloud services being advertised and their interfaces defined, unauthorized attacks will always look to target those services.

DISCLOSURE

“Part of this chapter has previously been published in Chapter 7 Infrastructure Design to Secure Cloud Environments Against DDoS-Based Attacks, in Security Incidents & Response Against Cyber Attacks, 2021, pg 125-171.”

CONSENT FOR PUBLICATION

Not applicable.

CONFLICT OF INTEREST

The authors declare no conflict of interest, financial or otherwise.

ACKNOWLEDGEMENT

Declared none.

REFERENCES

[1]

“What is a denial-of-service (DoS) attack? | Cloudflare”, https://www.cloudflare.com/learning/ddos/glossary/denial-of-service/ (accessed Dec. 01, 2022).

[2] “What is a DDoS attack? Distributed Denial-of-Service attacks”, https://www.techtarget.com/searchsecurity/definition/distributed-denial-of-service-attack (accessed Dec. 01, 2022).

[3] “Cyber-security information - Panda Security”, https://www.pandasecurity.com/en/security-info/ (accessed Dec. 01, 2022).

[4] “How do layer 3 DDoS attacks work? | L3 DDoS | Cloudflare”, https://www.cloudflare.com/learning/ddos/layer-3-ddos-attacks/ (accessed Dec. 01, 2022).

[5] “Application Layer DDoS Attacks | NETSCOUT”, https://www.netscout.com/what-is-ddos/application-layer-attacks (accessed Dec. 01, 2022).

[6] “What Is a Distributed Denial of Service (DDoS) Attack? | NETSCOUT”, https://www.netscout.com/what-is-ddos (accessed Dec. 01, 2022).

New Age Cyber Threat Mitigation for Cloud Computing Networks, 2023, 56-69

CHAPTER 5

Three-tier Network Architecture to Mitigate DDoS Attacks on Hybrid Cloud Environments

Abstract: With the rise of cyber-attacks on cloud systems globally, Cloud Service Providers, data carriers, and hosting providers are forced to consider the novel challenges and requirements posed by attacks and, more specifically, DDoS protection in large hosting environment setups. This chapter proposes a multi-tiered network design based on a Hybrid cloud solution comprising an on-premise solution and a public cloud infrastructure capable of handling hurricane-sized DDoS storms.

Keywords: DDoS, Hybrid Cloud, Multi-tier, Network Firewall, Three-tier, Web Application Firewall.

1. INTRODUCTION

While DDoS attacks began with gaming and gambling websites, newer attacks are being used for political reasons, financial gain, and as a diversionary tactic to steal intellectual property. With new attack vectors and threats on the rise, corporates and enterprises must protect their IT infrastructure from advanced attack methods. Today's attacks take on a variety of patterns and sizes. Due to increased botnet accessibility, large attacks are more common, and 20Gbps events have been reported.

2. DDoS IMPACT ANALYSIS

To ascertain the DDoS impact and trend, the authors contacted 350 industry professionals, including Cloud experts (30%), CXOs (10%), IT Managers (30%), and engineers involved in DDoS mitigation (30%). They performed a survey collecting data and details on the effects of DDoS on organizations, with the survey meant for respondents who were responsible for and in charge of IT and DDoS Security within their roles. Below are the survey results from the data gathered and the list of questions that were asked:


● Does your organization have the ability to block and prevent DDoS attacks?
● Is your organization prepared to deal with and respond to DDoS attacks in your data centers?
● Did you face downtime due to DDoS attacks?
● Has a DDoS attack ever resulted in downtime for your Cloud-hosted services?
● Rate and prioritize the areas affected as a result of a DDoS attack.
● What are the barriers that prevent DDoS mitigation implementation?

Figs. (5.1 to 5.4) illustrate the outcome of the responses received in the survey.

Fig. (5.1). Ability to block/prevent DDoS attacks.

Fig. (5.2). Infra & Application Layer Attacks.

Fig. (5.3). DDoS Attack on organizations.

Fig. (5.4). Barriers Preventing DDoS Mitigation.

The survey results provided insights into the existing state of DDoS levels for organizations, with most admitting that the impact of DDoS attacks was on the rise, with new attack vectors and volumetric attacks beyond their existing infrastructure. Unfortunately, most organizations we reviewed do not have a plan despite acknowledging the impact and still rely on operational infrastructure.

3. TRADITIONAL SECURITY V/S NEW-AGE DDoS ATTACKS

Traditional network security solutions such as Firewalls [1], Intrusion Prevention Systems (IPS) [2], and Web Application Firewalls (WAF) [3] are insufficient to handle emerging DDoS threats and become bottlenecks during many attacks. Traditional security systems were designed to prevent intrusions that would lead to data loss or breaches: devices perform full session inspection, and network firewalls enforce policy on user traffic, determining whether the traffic should be allowed into the data center as per predefined rules. Although traditional security systems are always considered critical devices, in today’s scenario such devices are unable to defend the availability of cloud-based data centers hosting online services, for the following reasons:

● Firewalls, WAFs & IPSs are Stateful Packet Inspection systems that inspect and keep track of thousands of incoming and outbound network packet connections at layer 4 (Transport) or lower, for TCP streams or UDP packets, by IP address and port number. These are stored in a state table, with each packet matched dynamically to confirm that the traffic is transmitted over a pre-established legitimate connection. This works fine for typical regular network activity. During a Denial-of-Service attack, thousands of packets are sent to the target network each second, and these devices do not have L3 to L7 DDoS defense capabilities.

● They cannot differentiate between legitimate [4] and malicious traffic – while intrusion attempts or port sniffing are detected and blocked by firewalls and IPS, recent DDoS flood attacks consist of millions of sessions, each of them legitimate. Firewalls and intrusion devices are not built to evaluate all sessions together but rather work on a session-by-session basis, where each individual session poses no concern.

● Incorrect network design – Firewalls, IPS, or WAF solutions are elements of a layered defense infrastructure. Still, they are not placed as the first wall of defense where DDoS attack vectors should be blocked, and are at times deployed near the application systems and data center servers. DDoS attacks are often successful and move through perimeter security without actually being detected by these security devices. DDoS mitigation should ideally be designed with dedicated systems deployed at the ISP or WAN circuit level to block the attack traffic even before the enterprise access routers.

Major criteria for the IT team to evaluate when ensuring DDoS mitigation:

● Ensure proper Threat Intelligence with a dedicated research team – Having a dedicated team to track rapid dynamic changes in attack vectors and the toolkit strategies being employed gives an edge in regularly defining countermeasures against emerging cyber threats.

● Have first-hand exposure – Having prior expertise and experience in tackling cyber hacktivist groups provides a definite advantage in fighting DDoS attackers and mitigating their attacks.

● Build robust mitigation capability – Whether big or small, every organization requires a proper DDoS strategy with high-end mitigation infrastructure and the capability to defend against existing and emerging attack vectors as well as against large-sized floods.

● Ensure sufficient capacity – Since DDoS attacks exhaust computing resources and aim to create server outages or saturate network pipes, the availability and cost of bandwidth to withstand large DDoS attacks before mitigation policies start to fire is paramount when deciding on BGP, Proxy, or DNS mitigation plans and QoS.

4. EXISTING DDoS SOLUTIONS

To ensure that the IT infrastructure and Operations teams deliver DDoS mitigation, a workable solution is required that meets the following recommendations:

● Defend against volumetric attacks, hence the need for a cloud component
● Block application attacks without requiring any SSL key surrender
● Deploy network infrastructure acceptable to the IT operations team

There are a few approaches to DDoS attack mitigation solutions from a design perspective that we discuss here: on-premise, cloud, and hybrid-based designs.

4.1. On-premise Based

A dedicated On-Premise DDoS attack mitigation solution is best suited for government entities, financial institutions, and healthcare, but is not useful for all. When the highest level of security is mandatory, and organizations prefer to give as little visibility into their customer data or their encryption certificates to third-party providers as possible, this can be considered a limited-scope option. On-premise DDoS devices would store the encryption certificates and inspect traffic locally, without third-party scrubbing, redirection, or inspection. The mitigation system would be required to protect against various DDoS vectors like flooding (UDP / ICMP, SYN), SSL-based, application-layer (HTTP GET / POST), or Low & Slow attacks. With mitigation systems in-house, the proximity to data center resources is useful, and the systems can be fine-tuned immediately by the in-house IT teams. They tend to have a far greater awareness of their setup and of any changes in traffic flows or from the application servers, and thus have a higher probability of detecting suspicious trends or traffic requests.


4.2. Cloud-Based Security Services

Providing anti-DDoS and advanced mitigation protection in the form of managed security services, many cloud service providers offer protection from network floods by deploying mitigation equipment at the ISP network edge or in scrubbing centers. This involves traffic diversion from the enterprise network to the detection or scrubbing center. When a DDoS attack starts, human intervention is required and takes at least 15-30 minutes, during which the online services are left unprotected and exposed. The Cloud-based DDoS mitigation service guarantees, to an extent, that network flood attacks are blocked from reaching the enterprise edge devices or flooding the WAN circuit, which is then free of volumetric network flood attacks. However, there are glaring issues with Cloud-based DDoS mitigation services:

● Cannot detect and block application-layer attacks and slow attacks
● Unable to protect stateful infrastructure systems like firewalls or IPS
● Unable to deal with attacks like application-layer attacks, state exhaustion, and multi-vector attacks

4.3. Hybrid Cloud-based Security

Using Hybrid Cloud features offers the best-of-breed mitigation option. The Hybrid infrastructure combines the on-premise in-house setup with DDoS mitigation providers to act as an integrated mitigation solution. In a hybrid solution, using a dedicated DDoS mitigation provider’s ability to detect and block multiple DDoS vectors, or even having a Public Cloud provider dynamically increase the network pipe bandwidth during a DDoS attack, buys time between detection and the start of mitigation and saves the on-premise infrastructure from the attack affecting the availability of its online services. A typical solution is that during a DDoS attack, the total traffic is diverted to a DDoS mitigation provider’s cloud, where it is scanned and scrubbed, with the attack traffic identified and removed before being rerouted back to the in-house data center of the enterprise. A hybrid solution allows enterprises to benefit from:

● Widest security coverage, which can only be achieved by combining on-premise and cloud coverage.

● Shortest response time, by employing an on-premise solution that starts immediately and automatically to mitigate the attack.

● Single contact point during an attack for both on-premise and cloud mitigation.

● Scalability – each tier is independent of the other and can scale horizontally; in case of a web application attack spike, more WAF devices can be added in the application defense tier to ensure enough WAF capacity without affecting the network tier.

● Performance – since requests come in tiers, network utilization is minimized, and load is reduced overall.

● Availability – in case the first or second tier is down, as BCP, the third tier can process user requests.

● Vendor independence – network and application defense infrastructure can be set up using different hardware platforms or software versions.

● Policy independence – when new policies are applied at the application defense tier, the other tier directs only that specific traffic towards the policies until they are validated and ready for production.

5. PROPOSED DDoS SOLUTION

Based on the growing threats and impact of attacks, corporate enterprises having their own cloud services, as well as cloud providers, implement DDoS mitigation utilizing a Hybrid Cloud Architecture. With multi-vector DDoS attacks faced at Layers 3, 4, and 7, detecting and having mitigation tactics for the volumetric, application, and encrypted attack vectors is essential. Public cloud features are utilized to provide the scalability to absorb floods and to act as the first point of defense, with network and web application firewalls detecting attack traffic and mitigating the DDoS threats, while the SaaS application, web portals, and backend database reside in a secure in-house private data center.

5.1. Infrastructure Setup

Two network infrastructure architectures were set up to test the proposed theory using the infrastructure hardware and software mentioned below.

● Network: Cisco 3600 Router, Cisco 3550 switch
● Load Balancer: F5 Big IP 4200v LTM for Application Traffic Management
● Firewalls: Cisco ASA 5506-X network firewall and Imperva WAF
● Server Hardware: Dell 64-bit i5 quad-core, 16GB RAM, 2 x 500GB hard disk
● Bare Metal Server: VMware Workstation version 10
● Virtual system: SaaS Application servers running Windows Server 2008 OS
● Front end: Web Portal running .NET Application with two-factor authentication for user access
● Back end: SQL 2008 database running on another Windows Server 2008 OS
● Tools used for DDoS simulation: Low Orbit Ion Cannon (LOIC), R.U.D.Y, Slowloris

The networks were subjected to network and application layer attacks using ICMP flooding with 1000 echo requests of increasing buffer size (3700 to 3805 bytes), using DDoS tools like LOIC, R.U.D.Y, and Slowloris that simulated attacks to deny legitimate users access to the web application portal. When performing the simulated DDoS attacks, the Real User Monitoring statistics were taken as the criteria, and parameters were gathered from the logs to help generate graphs for the DDoS attacks. These parameters were chosen since they determine what performance issues the actual users are experiencing on the site in real time during an attack.

5.2. Parameters For Data Analysis

● Average ICMP – latency in milliseconds before and during the DDoS attack on the application.
● Page Load Response – the amount of time the portal pages take to load, and where exactly the time is spent from when a user authenticates and logs in until the page has loaded completely.
● Application Server Response – the percentage of the page load time spent at the application server.
● Status codes of SaaS applications – the HTTP status codes the Web server uses to communicate with the Web browser or user agent.

5.3. Performance Analysis

5.3.1. Single-Tier Network Architecture

The first network infrastructure, illustrated in Fig. (5.5), was designed and implemented with a single inbound and exit gateway, simulating a single-tier network comprising a standard network and routing device connecting to a web portal comprising a front-end and a back-end database. This simulated a typical standard Cloud-based environment having a simple standard network design implemented in a data center with network devices from Cisco, F5, VMware, and Microsoft OS servers.

[Figure: Single Tier Data Center. Legitimate users and attackers arrive from the Internet through a single inbound/outbound Router (data center, Active-Standby mode, 11.252.15.1/24 and 11.252.15.2/24), then a Network Firewall (11.252.15.3/24), an Application Firewall / Load Balancer (11.252.15.4/24) and a Network Switch (11.252.15.5/24), reaching the SaaS Application virtual hosts on a virtual switch / ESX Server (App 11.252.15.100/24, Backend Database 11.252.15.200/24 and 11.252.15.250/24). Actions performed at the Network Defense Tier: Firewall services (Network and Application), User Sessions and Authentication, SaaS Hosting and access.]

Fig. (5.5). Single-Tier Traditional Architecture.

With a standard single-tier network design, defending against multi-vector DDoS attacks and ensuring DDoS mitigation becomes next to impossible. Floods, volumetric, and layer seven attacks critically overloaded and degraded the computing systems, leading to access issues for legitimate users. Logs and data gathered for each attack are displayed in Figs. (5.6 to 5.8) for reference.

Before and After Attack Statistics: Website Response for Network Defense

Attack#   Time (pm)  Buffer Size  Echo      Average    Page Load      Browser           App server     Status
                     (bytes)      Requests  ICMP (ms)  Response (ms)  Throughput (rpm)  response (ms)  code
Attack#1  13:00      3700         1000      6545       1800           45                1636           200
          13:30      3750         1000      6670       1856           54                1496           429
          14:00      3760         1000      6575       1727           55                1624           200
          14:30      3780         1000      6791       1627           46                1784           200
          15:00      3790         1000      6583       1606           41                1713           429
          15:30      3795         1000      6745       1806           55                1686           204
          16:00      3800         1000      6790       1651           50                1488           429
          16:30      3820         1000      6794       1761           54                1795           204
          17:00      3810         1000      6690       1800           47                1833           503
          17:30      3805         1000      6512       1849           42                1565           503
          18:00      3820         1000      6692       1835           48                1726           503
          18:30      3810         1000      6589       1635           50                1570           503
          19:00      3805         1000      6995       1839           50                1663           503
Attack#2  13:00      3750         1000      2795       1325           30                1297           200
          13:30      3745         1000      2911       1327           32                1243           200
          14:00      3760         1000      2805       1208           29                1298           200
          14:30      3780         1000      2963       1306           30                1043           200
          15:00      3770         1000      2746       1235           29                1097           200
          15:30      3783         1000      2933       1245           32                1213           200
          16:00      3780         1000      2988       1219           28                1228           200
          16:30      3794         1000      2994       1270           29                1064           200
          17:00      3790         1000      2666       1256           31                1066           200
          17:30      3789         1000      2934       1293           28                1282           200

Attack Vector Details:
Attack#1 – No standard network layer defense in place (single tier architecture). Ping AppServer -n 1000 -l 3xxx; Size: 3xxx, Echo request count: 1000.
Attack#2 – Network Firewall Defense implemented: attack vector categories ICMP/UDP/SYN floods performed.

Fig. (5.6). Single Tier Network Attack Logs.

[Figure: Results with Single Tier Defense. Chart over the 13:00 to 19:00 attack windows with series Average ICMP (ms), Buffer Size (bytes), Page Load Response (ms), Browser Throughput (rpm) and App server response (ms); the chart’s numeric data labels are not reproduced here.]

Fig. (5.7). Attack Log Results.

[Figure: Trend with Single Tier Network Defense. Chart over Attack#1 to Attack#7 with series Page Load Response (ms), Buffer Size (Bytes), Average ICMP (ms), Browser Throughput (rpm) and App server response (ms).]

Fig. (5.8). Single Tier with & without Network Defenses.
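As an added example (not code from the chapter), the following Python summarises the Fig. (5.6) rows the way an operator would compare the undefended and firewall-protected runs: the mean of each RUM metric, the number of non-2xx answers, the percentage reduction once the network defense tier is in place, and the time windows that would be flagged as degraded. The rows are transcribed from the table above; the latency limits in degraded_windows are assumptions chosen for this data, not figures from the chapter.

```python
"""Summarise Real User Monitoring (RUM) samples from the single-tier DDoS runs.

Added example, not code from the chapter. The rows below are transcribed from
Fig. (5.6): Attack#1 ran with no network layer defense, Attack#2 with the
network firewall in place. Row layout: (time, buffer size bytes, echo requests,
average ICMP ms, page load ms, browser throughput rpm, app server ms, status).
"""

ATTACK1_NO_DEFENSE = [
    ("13:00", 3700, 1000, 6545, 1800, 45, 1636, 200),
    ("13:30", 3750, 1000, 6670, 1856, 54, 1496, 429),
    ("14:00", 3760, 1000, 6575, 1727, 55, 1624, 200),
    ("14:30", 3780, 1000, 6791, 1627, 46, 1784, 200),
    ("15:00", 3790, 1000, 6583, 1606, 41, 1713, 429),
    ("15:30", 3795, 1000, 6745, 1806, 55, 1686, 204),
    ("16:00", 3800, 1000, 6790, 1651, 50, 1488, 429),
    ("16:30", 3820, 1000, 6794, 1761, 54, 1795, 204),
    ("17:00", 3810, 1000, 6690, 1800, 47, 1833, 503),
    ("17:30", 3805, 1000, 6512, 1849, 42, 1565, 503),
    ("18:00", 3820, 1000, 6692, 1835, 48, 1726, 503),
    ("18:30", 3810, 1000, 6589, 1635, 50, 1570, 503),
    ("19:00", 3805, 1000, 6995, 1839, 50, 1663, 503),
]
ATTACK2_NETWORK_FIREWALL = [
    ("13:00", 3750, 1000, 2795, 1325, 30, 1297, 200),
    ("13:30", 3745, 1000, 2911, 1327, 32, 1243, 200),
    ("14:00", 3760, 1000, 2805, 1208, 29, 1298, 200),
    ("14:30", 3780, 1000, 2963, 1306, 30, 1043, 200),
    ("15:00", 3770, 1000, 2746, 1235, 29, 1097, 200),
    ("15:30", 3783, 1000, 2933, 1245, 32, 1213, 200),
    ("16:00", 3780, 1000, 2988, 1219, 28, 1228, 200),
    ("16:30", 3794, 1000, 2994, 1270, 29, 1064, 200),
    ("17:00", 3790, 1000, 2666, 1256, 31, 1066, 200),
    ("17:30", 3789, 1000, 2934, 1293, 28, 1282, 200),
]

# Column index of each RUM metric inside a row.
COLS = {"avg_icmp_ms": 3, "page_load_ms": 4, "throughput_rpm": 5, "app_server_ms": 6}
STATUS = 7


def summarize(rows):
    """Mean of each RUM metric plus how often the web server answered with a
    non-2xx status (429 = rate limited, 503 = unavailable) during the run."""
    out = {"samples": len(rows)}
    for name, idx in COLS.items():
        out[name] = sum(r[idx] for r in rows) / len(rows)
    out["non_2xx"] = sum(1 for r in rows if not 200 <= r[STATUS] < 300)
    out["worst_status"] = max(r[STATUS] for r in rows)
    return out


def reduction(baseline, defended):
    """Percentage drop of each latency metric once the defense tier is in
    place (positive = users were served faster with the firewall)."""
    return {
        name: round(100.0 * (baseline[name] - defended[name]) / baseline[name], 1)
        for name in ("avg_icmp_ms", "page_load_ms", "app_server_ms")
    }


def degraded_windows(rows, icmp_limit_ms=3000, page_load_limit_ms=1500):
    """Time slots an operator would flag: latency over the limits or any
    non-2xx answer. The default limits are assumptions for this data set."""
    return [
        r[0] for r in rows
        if r[COLS["avg_icmp_ms"]] > icmp_limit_ms
        or r[COLS["page_load_ms"]] > page_load_limit_ms
        or not 200 <= r[STATUS] < 300
    ]


if __name__ == "__main__":
    base, defended = summarize(ATTACK1_NO_DEFENSE), summarize(ATTACK2_NETWORK_FIREWALL)
    print("no defense:", base)
    print("network firewall:", defended)
    print("reduction %:", reduction(base, defended))
    print("degraded (no defense):", degraded_windows(ATTACK1_NO_DEFENSE))
    print("degraded (firewall):", degraded_windows(ATTACK2_NETWORK_FIREWALL))
```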


5.3.2. Three-Tier Network Architecture

The second network infrastructure was designed with three tiers, having different IP addressing schemes and connected via VPN. This simulated two Public clouds and one Private cloud. The first two network tiers comprised defenses against network and application-level attacks, while the third tier allowed access to the hosted SaaS application and database server.

Web application attacks are being launched not only from large and established botnets but also from smaller botnets that hide within mobile carrier networks and are harder to detect. With any cloud security solution, staying ahead of the changing threat landscape is paramount. Consequently, there has been rapid growth in security services that take from in-house security teams the heavy burden of continually updating WAF rules and attack signatures. However, there is no silver bullet regarding web application protection.

There are compelling advantages to having separate network and application defense tiers for the on-premises portion of the DDoS Protection architecture. The first tier is built around the network firewall defense system, in which Layer 3 and 4 (IP and TCP) defenses with simple Load Balancer features are provided against network DDoS attacks that launch flood or volumetric attacks leading to network saturation. These attacks range from ICMP (ping) to UDP or SYN floods. The second tier provides application-layer defense, in which layer seven attack mitigations are performed with Web Application Firewall and Load Balancing rules. This tier also performs SSL termination and mitigation for POST Flood, DNS poisoning, ARP spoofing, and Malware or Spyware detection. The traffic now consists of legitimate users and is typically free of network and application attackers. It is then allowed to access the private cloud tier (Tier 3), the in-house data center for web portals hosting SaaS applications and databases.

Once the processing is done, user traffic is sent back to tier 2, from where it exits to the user (instead of going back to tier 1 and following the route back). This asymmetric route of entering via tier 1 and returning via tier 2 also helps ensure that attackers cannot perform attacks that need the same exit and entry gateways and routes, as presented in Fig. (5.9).

DDoS attacks were performed initially on the single-tier network design and then on our proposed three-tier network design. The results gathered show that our proposed hybrid cloud design has the first tier receiving inbound traffic from users and attackers with layer 3 and 4 devices and performing network attack mitigation using a network firewall blocking ICMP floods. The inbound traffic was then allowed to flow to the second tier, which mitigated application-level attacks using a WAF. Here, using F5 and Cisco devices smartly, we could block 80% of the attacks. This was gathered after comparing the attack data with the single-tier network setup. The three-tier network design is implemented in a test data center with Cisco and F5 network devices for routing, VPN, and switching. We used VMware and Microsoft OS servers with a SQL Server as the backend database to simulate Cloud-based SaaS applications. DDoS attack simulations were performed on the three-tier architecture to check the trends for network and application-level results after the attacks.

[Figure: Three-tier layout. Users and attackers enter from the Internet through Tier#1 (Public Cloud, ISP Router - Data center #1: Network Firewall and GTM Load Balancer; actions performed at the Network Defense Tier: Network Firewall services, block TCP, SYN and ICMP floods). Partially cleaned traffic crosses a VPN tunnel to Tier 2 (Public Cloud, ISP Router - Data center #2: Application Firewall / Web App Firewall, GTM Load Balancer and DNS, Layer 3 Switch, VPN Manager, Jump Box Server; actions performed at the Application Defense Tier: SSL Negotiation, User Sessions, Source NAT, Traffic Redirection, Remote Desktop - Jump Box Server). Cleaned traffic crosses a Public-Private VPN to Tier 3 (Private Cloud Data Center, In House Router - Data center #3, BCP/Disaster Recovery: Load Balancer, Layer 3 Switch, VMware virtual hosts with the .NET App at 11.252.15.200/24 and the SQL Database at 11.252.15.250/24; actions performed at the Access Tier: Web App Portal & Access Tier Virtual Machines, .NET Portal & SQL Database, Disaster Recovery Site). Outbound user traffic leaves via Tier 2. Addressing shown in the figure: 202.122.134.1/16, 10.253.16.x/24, 10.253.10.x, 192.168.1.x/24 and 11.252.15.x/24. Legend: user traffic inbound, attacker traffic inbound, partially cleaned traffic, user traffic outbound.]

Fig. (5.9). Three-Tier Network Architecture.

With each attack, ICMP flooding was performed with 1,000 echo requests of increasing buffer size (3700 to 3805 bytes). These forced the target server to respond to and process the ICMP requests, taking a toll on CPU resources and ultimately blocking valid requests. Application-level attacks were made using HTTP GET floods with an increasing thread count and 1000 echo requests, using “GET /app/?id=437793msg=BOOM%2520HEADSHOT! HTTP/1.1Host: IP”, and a slow socket buildup simulating a slow HTTP attack using Perl, with logs taken from Wireshark. Logs and data gathered for each attack are displayed in Fig. (5.10) for reference.
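As an added example, not the chapter’s own code or any Cisco/F5/Imperva configuration, the following Python models the two defense tiers as filters in series over constructed traffic records shaped like the chapter’s test attacks (oversized ICMP echo floods, SYN floods, HTTP GET floods with a rising thread count, Slowloris-style sockets held open). The record fields, addresses and rate limits are assumptions; nothing is sent on a network.

```python
"""Model of the network (Tier 1) and application (Tier 2) defense tiers as two
filters in series, run over constructed traffic records.

Added example, not the chapter's own code or any vendor's configuration. The
record shape, addresses and limits are assumptions; the traffic mix mirrors the
chapter's tests (ICMP echo floods with 3700-byte payloads, HTTP GET floods with
a rising thread count, Slowloris-style sockets held open).
"""
from collections import Counter

# Tier 1 policy (network firewall, Layers 3/4): per-source limits per 1 s window.
ICMP_PER_SEC = 50              # a real host sends a handful of echoes, a flood sends hundreds
ICMP_MAX_PAYLOAD_BYTES = 1500  # the test floods used 3700+ byte echo payloads
SYN_PER_SEC = 100
# Tier 2 policy (WAF / load balancer, Layer 7).
HTTP_REQ_PER_SEC = 30
SLOW_HEADER_SECONDS = 5        # headers still incomplete after this look like Slowloris


def tier1_network_filter(packets):
    """Network defense tier: drops oversized echoes and ICMP/SYN floods by
    per-source rate. HTTP records pass through untouched (Layer 7 is Tier 2's job)."""
    per_sec = Counter()
    passed, dropped = [], Counter()
    for p in packets:
        window = (p["src"], p["proto"], int(p["ts"]))
        if p["proto"] == "icmp":
            if p["size"] > ICMP_MAX_PAYLOAD_BYTES:
                dropped["icmp_oversized"] += 1
                continue
            per_sec[window] += 1
            if per_sec[window] > ICMP_PER_SEC:
                dropped["icmp_flood"] += 1
                continue
        elif p["proto"] == "tcp_syn":
            per_sec[window] += 1
            if per_sec[window] > SYN_PER_SEC:
                dropped["syn_flood"] += 1
                continue
        passed.append(p)
    return passed, dropped


def tier2_application_filter(packets):
    """Application defense tier: drops sockets that never finish their headers
    and per-source HTTP request floods; everything else continues to Tier 3."""
    per_sec = Counter()
    passed, dropped = [], Counter()
    for p in packets:
        if p["proto"] == "http":
            if p["header_time"] > SLOW_HEADER_SECONDS:
                dropped["slow_socket"] += 1
                continue
            window = (p["src"], int(p["ts"]))
            per_sec[window] += 1
            if per_sec[window] > HTTP_REQ_PER_SEC:
                dropped["http_flood"] += 1
                continue
        passed.append(p)
    return passed, dropped


def run_three_tier(packets):
    """Inbound path of Fig. (5.9): Tier 1, then Tier 2, then the private Tier 3."""
    t1_passed, t1_dropped = tier1_network_filter(packets)
    t2_passed, t2_dropped = tier2_application_filter(t1_passed)
    return {
        "tier1_dropped": dict(t1_dropped),
        "tier2_dropped": dict(t2_dropped),
        "reached_tier3": len(t2_passed),
        "tier3_sources": sorted({p["src"] for p in t2_passed}),
    }


def _icmp(ts, src, size):
    return {"ts": ts, "src": src, "proto": "icmp", "size": size}


def _syn(ts, src):
    return {"ts": ts, "src": src, "proto": "tcp_syn"}


def _http(ts, src, header_time):
    return {"ts": ts, "src": src, "proto": "http", "header_time": header_time}


def constructed_traffic():
    """Constructed records (nothing is sent): one legitimate user plus four
    attack sources shaped like the chapter's test attacks. Addresses are made up."""
    t = [_icmp(i * 0.5, "10.0.0.7", 64) for i in range(3)]               # legit pings
    t += [_http(i * 0.3, "10.0.0.7", 0.02) for i in range(5)]             # legit page loads
    t += [_icmp(i / 1000, "198.51.100.9", 3700) for i in range(1000)]    # 1000 oversized echoes in 1 s
    t += [_syn(3 + i / 500, "198.51.100.12") for i in range(500)]        # SYN flood, 500 in 1 s
    t += [_http(1 + i / 200, "198.51.100.10", 0.01) for i in range(200)]  # GET flood, 200 in 1 s
    t += [_http(2 + i / 50, "198.51.100.11", 12.0) for i in range(50)]    # 50 sockets held open
    return sorted(t, key=lambda p: p["ts"])


if __name__ == "__main__":
    print(run_three_tier(constructed_traffic()))
```

Per-source rate limits cap a flood rather than eliminate it (30 GET-flood requests and 100 SYNs still reach Tier 3 here), which is why the chapter’s conclusion pairs them with WAF rules and client reputation monitoring.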

Website Response for Network & Application Defense

Attack#   Time (pm)  Buffer Size  Echo      Threads  GET id   Average    Page Load      Browser           App Server     Status
                     (bytes)      Requests  Count    (log)    ICMP (ms)  Response (ms)  Throughput (rpm)  response (ms)  code
Attack#1  13:00      3700         1000      10       437793   7655       1775           50                1528           200
          13:30      3750         1000      15       71309    7967       1826           61                1645           429
          14:00      3760         1000      20       44201    7202       1887           70                1517           200
          14:30      3780         1000      25       52083    7677       1773           58                1683           200
          15:00      3790         1000      30       31881    7993       1775           65                1692           429
          15:30      3795         1000      35       79045    6779       1850           61                1682           204
          16:00      3800         1000      40       74109    6016       1704           63                1534           429
          16:30      3820         1000      45       62360    7114       1804           55                1606           204
          17:00      3810         1000      50       97608    6242       1743           50                1547           503
          17:30      3805         1000      55       91863    7903       1751           52                1651           503
          18:00      3820         1000      60       35656    7766       1722           72                1685           503
          18:30      3810         1000      65       77718    6015       1860           67                1669           503
          19:00      3805         1000      70       24975    6042       1772           64                1674           503
Attack#2  13:00      3700         1000      10       36320    1746       1033           11                776            200
          13:30      3750         1000      15       45075    1574       947            15                859            200
          14:00      3760         1000      20       28843    1548       935            11                850            200
          14:30      3780         1000      25       24543    1798       871            18                715            200
          15:00      3790         1000      30       51274    1795       1000           18                739            200
          15:30      3795         1000      35       47162    1549       888            15                736            200
          16:00      3800         1000      40       57423    1525       917            10                791            200
          16:30      3820         1000      45       41929    1827       878            12                807            200
          17:00      3810         1000      50       85859    1753       1029           18                768            200
          17:30      3805         1000      55       47645    1661       908            17                789            200
          18:00      3820         1000      60       22544    1733       1065           11                892            200
          18:30      3810         1000      65       44380    1685       1020           17                899            200
          19:00      3805         1000      70       36712    1536       1093           11                771            200
          13:00      3700         1000      10       81182    1697       906            16                701            200
          13:30      3750         1000      15       41289    1867       1028           12                823            200

HTTP Flood GET Attack (Wireshark log): every row logged a request of the form “GET /app/?id=<GET id>&msg=BOOM%2520HEADSHOT! HTTP/1.1Host: IP” (the first row was captured as “id=437793msg=”, without the ampersand). Slowloris socket buildup (perl slowloris.pl): every row used a 5sec TCP timeout with 1000 socket connections. The last two rows carry no attack label in the source.

Attack Vector Details:
Attack#1 – No standard network or application layer defense in place (three tier architecture). Ping AppServer -n 1000 -l 3xxx; Size: 3xxx, Echo request count: 1000.
Attack#2 – Network & Web Application Firewall Defense implemented: attack vector categories ICMP/UDP/SYN floods performed.

Fig. (5.10). Three-tier Network Attack Logs.

The graph in Fig. (5.11) displays the trend readings obtained after performing the attacks, which clearly show that using network and application defense tiers mitigates DDoS attacks much more cleanly than a single tier with only a network firewall or a Web Application Firewall.

[Figure: Trend with Three Tier Defense: WAF and Network Firewall. Chart over Attack#1 to Attack#7 with series Average ICMP (ms), Buffer Size (Bytes), Browser Throughput (rpm), App server response (ms) and Page Load Response (ms).]

Fig. (5.11). Trend with network and web defense tiers.

With a Network firewall on the first tier and a Web Application Firewall (WAF) on the second tier, we find that the network and application attack trend graph displayed lower values for the user performance parameters than the single-tier design, comparing ICMP TTL, Page load response, Browser throughput and Application server response.

CONCLUSION

Corporate enterprises today are recognizing the advantages of the recommended multi-tiered hybrid architecture. Enterprises valuing cyber security are re-architecting their security controls. The hybrid DDoS Protection architecture can provide the flexibility and manageability required to combat modern multi-vector DDoS threats. By providing increased layers of network and web application security in the form of separate tiers, it is possible to protect the integrity, availability, and performance of critical web applications, resulting in improved brand and customer confidence and reduced business risk from under-provisioning security devices. For further research, the authors propose that rate controls, built-in intelligent WAFs, client reputation monitoring, DDoS defense, and other cloud security approaches be used in combination as part of a comprehensive defense against all types and sizes of cyber threats. It can be a daunting task to manage, coordinate, tune and update all these defensive layers, which is why many organizations leverage the services of cloud security providers.

DISCLOSURE

“Part of this chapter has previously been published in Three Tier Network Architecture to Mitigate DDoS Attacks on Hybrid Cloud Environments, in ICTCS '16: Proceedings of the Second International Conference on Information and Communication Technology for Competitive Strategies, 2016, article no. 109, pg 1-7.”

CONSENT FOR PUBLICATION

Not applicable.

CONFLICT OF INTEREST

The authors declare no conflict of interest, financial or otherwise.

ACKNOWLEDGEMENT

Declared none.

REFERENCES

[1]

“What is a Firewall? The Different Types of Firewalls - Check Point”, https://www.checkpoint.com/cyber-hub/network-security/what-is-firewall/ (accessed: Dec. 01, 2022).

[2]

“What is Intrusion Prevention System? | VMware Glossary”, https://www.vmware.com/topics/glossary/content/intrusion-prevention-system.html (accessed: Dec. 01, 2022).

[3]

“What is a Web Application Firewall (WAF)? | Glossary | F5”, https://www.f5.com/services/resources/glossary/web-application-firewall (accessed: Dec. 01, 2022).

[4]

“Network Based Intrusion Detection System - ScienceDirect.com”, https://www.sciencedirect.com/topics/computer-science/network-based-intrusion-detection-system (accessed: Dec. 01, 2022).

New Age Cyber Threat Mitigation for Cloud Computing Networks, 2023, 70-83

CHAPTER 6

Review of Solutions for Securing End-User Data Over Cloud Applications

Abstract: With more and more organizations working on the cloud over the unsecured internet, sharing files and emails and saving them on cloud storage is imperative. Securing sensitive end-user data in transit has thus started to get maximum priority, to protect it from Cloud company staff, hackers, and data thieves. In this study, an attempt is made to review the research on end-user data security. There is an urgent need for solutions for end-user data protection and privacy when migrating from one cloud service provider to another. This chapter reviews the challenges in Cloud computing services regarding end-user data, analyzes the issues faced, and presents solutions to overcome them. The chapter identifies end-user data security issues when using cloud computing services. The focus is directed to critical issues related to unauthorized access and the integrity of data in transit, which can be addressed using Public Key Cryptography or PKI, providing Confidentiality and Data Integrity for end-user data over the Cloud. Then, for migrating from one cloud service provider to another, data security and privacy are addressed by Cloud-aware applications. Lastly, using Multi-Factor Authentication combined with network and application detection systems, Intrusion Detection Systems, and Network traffic routing in case of cyber-attacks can help achieve denial of service attack mitigation or prevent man-in-the-middle attacks and network snooping in Cloud Computing.

Keywords: Cloud Computing, Cloud Security, CSP, PKI, Public Key Cryptography, IDS, Firewall.

Akashdeep Bhardwaj
All rights reserved-© 2023 Bentham Science Publishers

1. INTRODUCTION

End-user data requiring protection falls into four types: usage data, which is the information collected from computer systems; sensitive information such as health and bank account data; Personally identifiable information, which identifies an individual; and finally, unique device identity information that is uniquely traceable, like IP addresses and unique hardware identities (MAC addresses). A survey conducted by International Data Corporation (IDC) declares that 47% of IT Heads are highly concerned about security threats in cloud computing. In a recent survey conducted by Cisco, two-thirds of the respondents acknowledged that security and privacy are the top two security issues for cloud consumers. As per a recent survey conducted by International Data Group (IDG), the top three challenges in implementing a cloud-based security strategy differ between IT and the line of business (LOB). They use solution paths such as digital keys, multi-factor authentication, and cloud-aware applications. Cloud-based services provide a flexible, scalable, pay-per-use, short-term contract model for IT Services, making Cloud-based services an efficient, affordable, and easy-to-implement option that reduces capital expenditure on IT hardware, licenses, office space, computing power, and bandwidth. Security of user data needs to be in place, especially in today’s context, with Cloud-based applications being hosted on the service provider’s premises and the end-user data residing in a remote data center, well outside the user’s control. When there is a need to provide end users with the right IT resources to enable them to perform their tasks, we usually do not emphasize the importance of securing the end-user data. Instead, effort goes into end-user functionalities [1] such as support; buying hardware, software, and licenses; then planning endlessly for installation, support, and maintenance; as well as worrying about capacity planning, creating IDs, configuring profiles, or sitting on a budgeted pile of money waiting for hiring to be completed.

● Web-based services: Internet email services (Gmail, Yahoo, and Hotmail), Online stores (Amazon, Fab furnish, Jabong), and Web hosting (NetMagic, Tulip). These have been around for many years.
● Distributed computing: Splitting the processing workload among multiple systems, usually connected at the same site, is done in Parallel and Grid computing technologies.
● Datacenters: A single application being hosted in one location (over a single or even multiple servers) does not qualify as a Cloud. Cloud computing leverages pooled hardware resources and automation services involving a great deal of virtualization hosted across data centers.

In these avenues, there are different types of security challenges [2], and versatile solutions for overcoming them, for each cloud deployment model.

• Software as a Service (SaaS) is paid on demand, with users accessing it over the cloud; examples are On-Demand CRM Salesforce, Google Apps, Microsoft Office 365, and Microsoft Sky Drive.
• Platform as a Service (PaaS) provides end-users with a complete environment so that developers can deploy their apps, perform testing and hosting of web applications and databases, and are provided with virtual servers, OS, development frameworks, and coding apps. Examples are Google apps, Azure from Microsoft, and Rack Space.


• Infrastructure as a Service (IaaS) provides hardware and computing power to end-users to provision and harness resources from computing, network devices, storage, or servers, where customers pay only for the amount of infrastructure used and do not worry about buying hardware, maintenance, or upgrade issues [3]. Infrastructure can be scaled dynamically based on application resources and market demands. Some examples are Amazon EC2, Rack Space, Attenda RTI, and Eucalyptus (Open source).

2. CHALLENGES IN CLOUD COMPUTING

2.1. End User Challenges in Cloud

End users typically face the following challenges in Cloud Computing:

● Limited support for customization: there are limits to the customization that can be done for Cloud applications and services to suit end-user-specific requirements.
● Constraints on features: cloud apps tend to be less feature-rich than their on-site or in-house counterparts because of their in-built capabilities.
● Application latency: latency becomes a major factor for Cloud apps dependent on the transfer of large volumes [4] of time-sensitive data.
● Statelessness: performance issues arise for Cloud apps as the communication is unidirectional; single requests and responses traveling between end users and a service provider may experience drops or disconnects, and those traveling over different paths/routes tend to arrive out of sequence.
● Legal restrictions: these sometimes force organizations to secure and control their data in a specific geographical location for the Cloud provider’s data center.
● Security of end-user data: this is the most critical issue; depending on the Cloud provider’s architecture and model, cloud vendors are primarily responsible for managing environmental and virtualization security, ensuring Security, Authentication, Integrity, and Privacy for data stored on their sites or in transit over unsecured internet links. Here data breaches, compromised credentials/broken authentication, hacked interfaces and APIs, system vulnerabilities due to Zero Day attacks, Account hijacking, Malicious insider threats, Advanced persistent threats, permanent data loss, inadequate compliance checks, DDoS attacks, and use of shared resources and storage are among the most critical security issues plaguing end users and their data.

Typical concerns raised by end-users to Cloud Service Providers or CSPs when adopting Cloud services are:

● How do Cloud Service Providers instill Confidentiality and Integrity in end-user data?
● How should the CSPs protect stored data from attacks in their cloud data centers?
● How do we change CSPs and be able to move and migrate from one CSP to another?

2.2. Gaps around End User Computing Applications While the Confidentiality, Integrity, and Availability triad is the most critical in the development, maintenance, and availability of cloud applications during regular execution for any business enterprise, checking on unauthorized users using organization email or sharing critical end-user documents or financial data is essential to be performed regularly. Another critical gap could be the application data stored in business users' computers, leading to confidentiality issues. The absence of strong and appropriate access control may allow end-users or other potential violators to alter the integrity of end-user computing applications, leading to wrong business decisions. The End User Computing configuration items typically reside and are stored on the user's local system or in shared drives, not following the right change management processes. Also, lack of access control leads to accidental and intentional manipulation of the end-user data or their application configuration items, causing availability and integrity issues. Risk assessment control areas can be defined, which need to include Input / Output/Edits, Data processing, Report / Output file, Backups, Business continuity plans, Change management, Incident / Problem Management, Access provisioning, Data privacy, Monitoring, Disposal of end-user computing application and Disposal of end-user data. 3. LITERATURE REVIEW Modern information threat vectors for end-user data have risen in recent years; these range from hackers on hire seeking to steal end-user intellectual property data to employees unaware of data security and protection. Proper data protection systems need to be in place, and a culture of security awareness needs to be a high-priority goal of the information security team. 
European Network and Information Security Agency (ENISA) has identified thirty-five security risks, subdividing them into policy, organizational, legal, technical, and non-clou-related risks. The ENISA identified the eight most important risks from these risks, five of which are directly or indirectly related to data confidentiality risks. These risks include isolation failure, malicious insider threats, data protection, insecure data deletion, and management interface compromise. Similarly, Cloud

74 New Age Cyber Threat Mitigation for Cloud Computing Networks

Akashdeep Bhardwaj

Security Alliance (CSA) identifies the thirteen risks of cloud computing. From among the thirteen risks, CSA declares seven high-priority risks, five of which are directly or indirectly involved with data confidentiality which include: malicious insiders, insecure application programming interfaces, traffic hijacking, and account service and data losses. In 2015, S Jegadeeswari, P Dinadayalan, and N Gnanambigai [5] suggested a new cloud security model related to the quality of Service (QoS) for end-user data regarding confidentiality to the outsourced data on the cloud in the form of Neural Data Security model. This ensured security and high confidentiality using the RSA security algorithm. Jun Hu et al. [6] address the data security access control model for secure data access based on MAC control for the government cloud platform model. This model includes necessary technical strategies to ensure data security during access. The paper reviewed the relationships between risk factors and expected solutions. A data access security model with a 3-stage control technology was proposed, and high reliability for data was displayed. A review of data security issues in cloud computing presented by Sahil Zatakiya et al. [7] as a unique cloud computing pattern with resources being provided on demand via the internet. Security and privacy issues related to the cloud and its data storage are analyzed in the paper, along with various attacks on cloud computing. Challenges like security issues and data challenges were identified, along with solutions regarding the security issues. N Hemalatha et al. [8] address a comparative analysis of cloud computing encryption techniques and data security issues. This paper discusses cloud computing technologies, delivery models, cloud classification, and encryption mechanisms. A comparative study is based on encryption techniques to maintain security and confidentiality over a cloud. 
Cloud computing is classified into various parts with regard to data storage, integrity, backup and recovery, security, and confidentiality. Data privacy and security are analyzed, and encryption techniques used in the cloud environment are compared. Zhang Xin et al. [9] address research on cloud computing data security models based on multiple dimensions. A complete three-layer data security defense model based on multiple dimensions is proposed. User authentication and unauthorized user access are discussed. Every layer has its own role, yet together they provide data security in cloud computing environments. A data security and authentication hybrid cloud computing model is presented by Jingxin K.W. et al. [10]. Various methods to protect user data are discussed regarding security, including single encryption, multilevel virtualization, and an authentication interface based on the PKI and CA model for better performance. Faraz Fatemi M. et al. [11] proposed an efficient, scalable user authentication scheme for cloud computing environments by designing a user authentication and access control model to enhance trust and reliability. Separate server systems that store authentication and cryptography resources apart from the real-time servers are proposed; these help decrease the dependency of user authentication and the encryption process on the main authentication server.

4. PROPOSED SOLUTIONS TO CLOUD DATA SECURITY ISSUES

4.1. End-user Security using Public Key Cryptography

For the Authentication and Integrity issues faced in cloud computing, implementing Public Key Cryptography seems to be the right approach, as shown in Fig. (6.1). When data is in transit over unsecured internet circuits, unauthorized access to end-user data is the main security issue faced by one and all when utilizing Cloud computing services.

Fig. (6.1). Encryption-Decryption process.

To resolve the Cloud Service Providers' Security issue of Authentication and Integrity, Public Key Cryptography should be used to encrypt digital data. Encryption is the conversion of data into seemingly random, incomprehensible data. It ensures that data remains jumbled to everyone for whom it is not intended, even if someone other than the intended user has access to the encrypted data. This uses the PKI framework, which internally has security policies [12], communication protocols, and procedures to enable secure and trusted communication between cloud service providers or CSPs and the end-users over unsecured internet circuits and Cloud computing environments inside as well as outside the organization. Public Key Infrastructure works in a hybrid mode that combines Symmetric and Asymmetric encryption. The only way to transform the data back into an intelligible form is to reverse the encryption, i.e., to decrypt it using either a single secret key or two keys (Public and Private). The Public Key is available to everyone via a public repository or directory, while the Private Key remains confidential to its respective owner [13]. Since the key pairs are related mathematically, whatever is encrypted with a Public Key may only be decrypted by its corresponding Private Key and vice versa. Public Key Crypto is enabled in the Cloud by utilizing:

● Each entity encrypts data using its private keys. All systems and elements in the system, such as cloud computing infrastructure units, platforms, virtualization tools, and other involved entities, have their own keys.
● While fulfilling their information exchange and processing functions, all the systems and elements first use public and private keys to perform authentication.
● Events that occur in cloud computing are also assigned a unique key.

In this way, the crypto cloud system guarantees the security and credibility of information exchange.

To reap the advantages of Cloud Computing, Service Providers are best advised to adopt the following practices and design features of PKI, which can further enhance security.

● A Key Management Server (KMS) should be implemented inside the organization, since the enterprise data stored in the Cloud requires Encryption Keys for decryption on end-user requests [14], and only the key management server provides them.
● The Encryption Keys for decrypting data from Ciphertext to the original plain text should not be on the cloud virtual machines. The security process should be implemented so that these keys reside in memory only for a few seconds.
● Any data moving out of or coming into the data centers can be encrypted and decrypted.
● The Virtual Machines hosted in the Cloud provider's environment should be encrypted at all points of time to protect against any data loss in case the virtual snapshot is compromised.
● In case data encryption is not required, the service provider should revoke any associated keys so that even if any data trail remains in the system, it cannot be decrypted.
● Storage of keys should be done using a Hardware Security Module (HSM) for performing encryption and decryption.
● Insecure encryption algorithms such as RC4, MD5, SHA-1, and Data Encryption Standard (DES) must always be avoided. AES is the symmetric key block cipher algorithm to provide cloud data security. This block cipher uses a 128-bit block size, and key lengths can be 128, 192, or 256 bits. Advantages of AES:
  ❍ Performs in software and hardware platform environments with equal ease
  ❍ Inherent process facilities result in very good software performance
  ❍ Speedy key setup time and good key agility
  ❍ Less memory needed for implementation
  ❍ Benefits from instruction-level parallelism
  ❍ No serious weak keys in AES

4.2. Use Multi-factor Authentication

Multi-factor authentication, or using at least two separate identifiers of authentication instead of just an Id and password, helps increase access security by adding multiple barriers for inbound user access before entry is allowed. This reduces the likelihood of an attacker's break-in and makes it harder for anyone with a stolen password to gain entry to the system and access critical data. Protect the users' data stored [15] in cloud servers from external attacks using multi-factor authentication, firewalls, and load balancers with specific ports, and IDS (intrusion detection systems). Establish a robust data center architecture and protection system process for cloud storage systems by applying the following:

● Multi-factor Authentication (XFC) – this is something the user knows (password) and something the user has been provided by the Cloud provider (RSA Token) or other processes, as shown in Fig. (6.2) below.
● Security Systems like Firewalls and Load Balancers in front of the Storage servers allow only specific ports and data flows inside the Cloud data centers.
● An Intrusion Detection System or IDS to detect unauthorized activities in four main areas:
  ❍ In the virtual machine (VM) itself: by deploying IDS on the VM, the IDS can monitor the system activity to detect and alert on possible issues.
  ❍ In the hypervisor or host system: by having the IDS deployed on the hypervisor host, the IDS can monitor the hypervisor and the traffic between VMs running on the hypervisor. It is a more centralized location for IDS, but there may be issues in keeping up with performance or dropping some information in case the amount of data is huge.
  ❍ In the virtual network: by deploying the IDS within the host, virtual network monitoring can be done, which allows the IDS to monitor the network traffic between the Virtual machines [15] on host systems, as well as the traffic between the host and VMs. This "network" traffic never hits the traditional network.
  ❍ In the traditional network: deploying IDS allows it to detect and alert on the traffic that passes through the network devices and infrastructure.
● Using different VLANs and Switches inside data centers for inbound and outbound traffic.
● Limiting user access and separation of data – this is done by applying separation for the data being stored in servers as per end-user profiles, i.e., read-only for external level 1 users, read-write for corporate employees as level 2, and read-write-delete-modify for enterprise administrators as level 3 users, as illustrated in Fig. (6.2).

Fig. (6.2). Multi-Factor Authentication Overview.

Real-time examples of multi-factor authentication use are Office 365 and Azure MFC. Office 365 Exchange, SharePoint, Lync, Dynamics CRM, Project Management, and Office 2013 can be used with multi-factor authentication.

4.3. Use of Cloud Aware Applications

Users migrating from one cloud provider to another move their Applications, Data, and services between providers by ensuring the implementation of cloud-aware architectures. This is done by ensuring the applications being built are Cloud-aware [16], and Cloud migration planning is performed for the new Cloud provider's data center. The application needs to be made more Cloud-aware, for which there is a need to:

● Review Code and then Architect applications to increase cloud portability.
● Design and Develop open standards for cloud computing.
● Use tools that can move applications around clouds without any modifications.

For Cloud migration planning, there is a need to involve the following:

● Discovery of the new environment
● Application, Server, and Data migration plan
● Post-migration configuration
● Verification testing

During the migration from one Cloud Service Provider to another, users should also check on the use of standardized storage protocols, for example, the ISO standard Cloud Data Management Interface (CDMI), by providers so that the Cloud Providers have integration and trust relationships with other providers [17]. Cloud Aware applications can decrease the server count and can handle massive workloads through the ability to scale elastically, maximize tenants, and minimize idle computing resources. Furthermore, to reduce data transfer costs, application developers and data center handlers need to:

● Minimize payload sizes by using APIs that return only the data the consumer needs and perform data compression, reducing the CPU computing cost of encoding and decoding.
● Minimize data transfers by using immutable cached data and seeking to replace "chatty" protocols.
● Instrument code by tracking data transfers throughout an application, which helps identify optimization options, and use load traffic generation tools, which can provide insight into the impact of such optimizations.

Cloud Aware Application Maturity Model provides a simple way to assess the level of cloud maturity of an application, just as the Richardson Maturity Model measures the maturity of a REST API. The maturity model suggests changes that can be implemented to increase an application’s resilience, flexibility, and scalability in a cloud environment. As listed in Table 1 below, there are four levels to the maturity model, with level 3 representing the highest level of maturity and level 0 representing applications that are not cloud-aware.

5. RESEARCH WORK PERFORMED

The authors set up a web application server using .NET framework 2.0 with Windows 2012 Standard Edition running IIS over HTTPS and SQL Server 2008 as the backend for the Admin Portal, set up the multi-factor authentication system as the system for user access to the cloud service, and created an OTP Client application. The authentication process is defined in Fig. (6.3).

Table 1. Cloud Aware Application Maturity Levels.

Maturity Level | Application Description
Level 3: Adaptive | Dynamically migrate infrastructure between providers without any service; the application can dynamically scale out or scale in based on stimuli
Level 2: Abstracted | Services are stateless; application is unaware of, and unaffected by, dependent service failures; application is infrastructure agnostic and can run anywhere
Level 1: Loosely Coupled | Application is composed of loosely coupled services; application services are discoverable by name; application computing and storage are kept separated; application consumes one or more cloud services: compute, storage, and network
Level 0 | The application runs on virtualized infrastructure; an application can be instantiated from an image or script

Fig. (6.3). Web Application with OTP Authentication.

● The user registered and verified an end-user mobile for receiving SMS.
● The SMS received by the mobile is a four-digit verification code in the form of a one-time password (or OTP).

To register and verify the OTP device and pair it with a cloud account, the OTP Client application scans and verifies the code form. Once done, a passcode is generated to enter the cloud site along with the end user name and password, as shown in Fig. (6.4).

Fig. (6.4). Traffic flow for End User Authentication.
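The server side of the OTP flow described above, written here as an added Python example rather than taken from the authors' .NET Admin Portal; the validity window, the attempt limit, the HMAC-based storage of issued codes and the user store are assumptions made for this illustration.

```python
# Added example (not the chapter's own .NET Admin Portal code): server side of
# the SMS OTP flow, used as a second factor next to the password.
# The validity window, attempt limit, HMAC-based storage and the user store
# are assumptions made for this illustration.
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 4          # the chapter's four-digit SMS verification code
OTP_TTL_SECONDS = 120   # assumed validity window of an issued code
MAX_ATTEMPTS = 3        # assumed cap: a 4-digit code has only 10,000 values,
                        # so unlimited guesses would make the factor worthless


def register_user(password: str) -> tuple:
    """Return (salt, PBKDF2 hash) for a new user; never store the password itself."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(record: tuple, password: str) -> bool:
    """Factor 1 (something the user knows), compared in constant time."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(stored, candidate)


class OtpServer:
    """Issues one-time codes for a user's registered mobile and verifies them."""

    def __init__(self, server_secret: bytes, clock=time.time):
        self._secret = server_secret
        self._clock = clock              # injectable so expiry can be tested
        self._pending = {}               # user -> [digest, expires_at, failed_attempts]

    def _digest(self, user: str, code: str) -> bytes:
        # Store an HMAC of the code, not the code, so a leaked table is useless
        return hmac.new(self._secret, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        """Generate the code to hand to the SMS gateway for the registered mobile."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user] = [self._digest(user, code), self._clock() + OTP_TTL_SECONDS, 0]
        return code

    def verify(self, user: str, code: str) -> bool:
        """Factor 2 (something the user has): single use, expiring, attempt-limited."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user]      # expired or locked: the code must be reissued
            return False
        if hmac.compare_digest(digest, self._digest(user, code)):
            del self._pending[user]      # a code is valid exactly once
            return True
        entry[2] = attempts + 1
        return False


def login(otp: OtpServer, users: dict, user: str, password: str, code: str) -> bool:
    """Both factors must pass; a wrong password does not consume the OTP."""
    record = users.get(user)
    if record is None or not check_password(record, password):
        return False
    return otp.verify(user, code)
```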

CONCLUSION

In this chapter, the authors identified issues end-users face when using Cloud computing services. Then the chapter focused on three specific issues and suggested solutions for making data on the cloud more secure from unauthorized access and for integrity during transmission with Public Key Cryptography, using security systems, and solutions to enable end-users to have their data interoperate with different cloud providers when migrating from one cloud provider to another. The result analysis is as follows.

● Public Key Cryptography, therefore, helps achieve Confidentiality and Data Integrity for end-user data over the Cloud.
● With Cloud-aware apps, proper Cloud migration planning and the use of standard Cloud storage protocols between Cloud providers help achieve application and data migration between providers in a smooth manner.
● Using Multi-Factor Authentication along with Intrusion Detection Systems and network traffic routing helps achieve mitigation from attackers for Cloud Computing.

DISCLOSURE

"Part of this chapter has previously been published in Review of solutions for securing end-user data over cloud applications, in International Journal of Advanced Computer Research, 2018, vol. 8, no. 3, pg 222-229".

CONSENT FOR PUBLICATION

Not applicable.

CONFLICT OF INTEREST

The authors declare no conflict of interest, financial or otherwise.

ACKNOWLEDGEMENT

Declared none.

REFERENCES

[1] C. Schutz, Y. Gao, D. Hou, S. Powers, S. Grimberg, and J. DeWaters, "A Time Series data transformation engine for non-programmer end users", 3rd MEC International Conference on Big Data and Smart City (ICBDSC), 2016. [http://dx.doi.org/10.1109/ICBDSC.2016.7460388]
[2] S. Bouchana, and M.A. Janati Idrissi, "Towards an assessment model of end user satisfaction and data quality in Business Intelligence Systems", 10th International Conference on Intelligent Systems: Theories and Applications (SITA), 2015. [http://dx.doi.org/10.1109/SITA.2015.7358431]
[3] S. Yadav, U. Verma, and C. Bhardwaj, "Data security in cloud computing using homomorphic encryption", Int. J. Sci. Res. (Ahmedabad), vol. 3, no. 5, pp. 78-81, 2012. [http://dx.doi.org/10.15373/22778179/MAY2014/26]
[4] L. Fallon, and D. O'Sullivan, "Secco: A TEST framework for controlling and monitoring end User Service Sessions", IEEE Network Operations and Management Symposium (NOMS), 2014. [http://dx.doi.org/10.1109/NOMS.2014.6838299]
[5] A. Gholami, and M.G. Arani, "A trust model based on quality of service in the cloud computing environment", Int. J. Database Theory Appl., vol. 8, no. 5, pp. 161-170, 2015. [http://dx.doi.org/10.14257/ijdta.2015.8.5.13]
[6] J. Hu, L. Chen, Y. Wang, and S-H. Chen, "Data Security Access Control Model of cloud computing", International Conference on Computer Sciences and Applications, 2013. [http://dx.doi.org/10.1109/CSA.2013.15]
[7] S. Zatakiya, and P. Tank, "A review of data security issues in a cloud environment", Int. J. Comput. Appl., vol. 82, no. 17, pp. 15-18, 2013. [http://dx.doi.org/10.5120/14254-2352]
[8] N. Hemalatha, A. Jenis, A. Cecil Donald, and L. Arockiam, "A comparative analysis of encryption techniques and data security issues in cloud computing", Int. J. Comput. Appl., vol. 96, no. 16, pp. 1-6, 2014. [http://dx.doi.org/10.5120/16875-6873]
[9] Zhong-Hua Pang, and Guo-Ping Liu, "Design and implementation of secure networked predictive control systems under deception attacks", IEEE Trans. Control Syst. Technol., vol. 20, no. 5, pp. 1334-1342, 2012. [http://dx.doi.org/10.1109/TCST.2011.2160543]
[10] J.K. Wang, and X. Jia, "Data Security and authentication in Hybrid cloud computing model", IEEE Global High Tech Congress on Electronics, 2012. [http://dx.doi.org/10.1109/GHTCE.2012.6490136]
[11] F. Fatemi Moghaddam, S. G. Moghaddam, S. Rouzbeh, S. K. Araghi, N. M. Alibeigi, and S. D. Varnosfaderani, "A scalable and Efficient User Authentication Scheme for Cloud Computing Environments", IEEE Region 10 Symposium, 2014. [http://dx.doi.org/10.1109/TENCONSpring.2014.6863086]
[12] F. Hang, and L. Zhao, "Supporting end-user service composition: A systematic review of current activities and Tools", IEEE International Conference on Web Services, 2015. [http://dx.doi.org/10.1109/ICWS.2015.70]
[13] C. Fidas, C. Sintoris, N. Yiannoutsou, and N. Avouris, "A survey on tools for end user authoring of mobile applications for Cultural Heritage", 6th International Conference on Information, Intelligence, Systems and Applications (IISA), 2015. [http://dx.doi.org/10.1109/IISA.2015.7388029]
[14] V. Tzeremes, and H. Gomaa, "Xana: An end user software product line framework for Smart Spaces", 49th Hawaii International Conference on System Sciences (HICSS), 2016. [http://dx.doi.org/10.1109/HICSS.2016.721]
[15] X. Yao, X. Han, and X. Du, "A light-weight certificate-less public key cryptography scheme based on ECC", 23rd International Conference on Computer Communication and Networks (ICCCN), 2014. [http://dx.doi.org/10.1109/ICCCN.2014.6911773]
[16] S. Vollala, V.V. Varadhan, K. Geetha, and N. Ramasubramanian, "Efficient modular multiplication algorithms for public key cryptography", IEEE International Advance Computing Conference (IACC), 2014. [http://dx.doi.org/10.1109/IAdCC.2014.6779297]
[17] X. Han, B. Wang, A. Wang, L. Wu, and W. Rhee, "Algorithm-based countermeasures against power analysis attacks for public-key cryptography SM2", Tenth International Conference on Computational Intelligence and Security, 2014. [http://dx.doi.org/10.1109/CIS.2014.116]


New Age Cyber Threat Mitigation for Cloud Computing Networks, 2023, 84-96

CHAPTER 7

DDoS Attacks, New DDoS Taxonomy, And Mitigation Solutions

Akashdeep Bhardwaj
All rights reserved-© 2023 Bentham Science Publishers

Abstract: Cloud computing has started to gain acceptance for adoption and implementation among organizations; however, this new technology area has already started to deal with security, performance, and availability challenges. With Cloud Security issues being paramount for corporates and private enterprises, denial of service attacks are rated as the highest priority threat to cloud environments. This chapter presents a review of the academic literature research work on DDoS attacks on the Cloud, introduces a new DDoS Classification taxonomy, and proposes parameters for determining an effective DDoS solution.

Keywords: Cloud Computing, Cloud Security, DoS, DDoS, Distributed Denial of Service, ICMP Flood.

1. INTRODUCTION

To determine DDoS attacks, existing academic literature research work is surveyed from IEEE, ACM, Science Direct, and Elsevier, searching for keywords such as Cloud Security, DDoS Mitigation, Detecting DDoS, Hybrid Cloud, Network Architecture, Packet Flooding, SYN Flood, TCP Flood, and UDP Flood. The chapter classifies attacks in terms of Infrastructure-level Direct Network-layer attacks, as illustrated in Fig. (7.1) for Infrastructure-layer and Application-layer attacks. A new Taxonomy for classifying DDoS Attacks is also proposed in the chapter, by Degree of Attack Automation, Exploitation of Vulnerabilities, Attack Rate Dynamics, and Impact of DDoS Attacks. This section reviews related research work that has already been carried out in the same domain area. The author surveyed several research publications from IEEE, ACM, Science Direct, and other digital libraries using the keywords mentioned below and in Fig. (1) for DDoS attacks, namely Cloud Security, DDoS Mitigation, Detecting DDoS, Hybrid Cloud, Network Architecture, Packet Flooding, SYN Flood, TCP Flood, and UDP Flood. With the advances in technology and new, powerful attack tools available for launching DDoS attacks, the attack trends and threats are not static. This trend forces cloud service providers to maintain state-of-the-art defenses to stay ahead of the most recent attack. The main focus of a network security attack is to be able to infiltrate or crash data center devices or alter configuration information, adversely impacting the uptime, availability, reputation, productivity, quality of service, and revenue of the service providers.

[Fig. (7.1) content: Cloud DDoS Attack, split into Application Level (Outdated Patches, Misconfigurations, System Weakness, Protocol Vulnerabilities) and Infrastructural Level (Direct Attack, Reflector Attack), giving Network Layer DDoS and Application Layer DDoS, whose aims are Hide Attack Identity, IP Address Spoofing, and Overwhelm target]

Fig. (7.1). DDoS Attacks in the cloud.

2. RELATED WORK

While several research surveys have been published on the DDoS topic, this survey differs from them in the following manner:

● Wong and Tan (2014) [1] focused on DDoS attacks on Cloud infrastructure and application systems, while DDoS attacks and DDoS Mitigation are the focus of this survey.
● Several other surveys and conference papers, such as Darwish et al. (2013) [2], are of limited scope.
● Consequences of DDoS attacks against a cloud environment were highlighted in some review papers as well, by Anwar and Malik (2014) [3]. DDoS attacks on the cellular network were explained by Merlo et al. (2014) [5], while Hybrid cloud environment architecture design is the focus here.

This section presents the classification, as illustrated in Fig. (7.2), for the DDoS attacks as per degrees of automation, vulnerabilities exploited, attack rate dynamics, and impact of the attack.

[Fig. (7.2) content: DDoS Attack Classification on the basis of Degree of Automation (Manual; Semi-automatic: Direct Attack, Indirect Attack; Fully automatic), Exploitation of Vulnerabilities (Bandwidth Depletion: ICMP, SYN, UDP Flooding, Amplification Attacks; Resource Depletion: Malformed Packets, Protocol Exploitation), Attack Rate Dynamics (Continuous Attack Rate; Variable Attack Rate: Rate Increasing, Rate Fluctuating), and Attack Impact (Disruptive Attacks: Self-Recoverable, Human Recoverable, Non-Recoverable Attacks; Degrading Attacks)]

Fig. (7.2). DDoS Attack Classification.

2.1. As per the Degree of Attack Automation

Manual attacks involve the attacker scanning the network, IP addresses, and machines for vulnerabilities, breaking into the system, deploying code, and executing a malicious payload for remote control access of that user system, which is kept ready to launch an attack on the attacker's command. Semi-automatic attacks involve deploying attack scripts that scan and compromise the user machines, download a payload, and install the attack code. These victim systems are bots under the control of the handlers, who choose the time, the attack type, and the targets. On the other hand, automatic attacks are carried out with a high degree of automation, with the compromised user systems holding the attack code and software with a predetermined type of attack, duration, and victim's IP address. The attacker has minimal interaction once the payload gets deployed or during the automatic attack.

2.2. As per Exploitation of Vulnerabilities

Bandwidth Depletion attacks involve flooding and amplification, clogging the WAN pipes with attack network packets. Flooding involves bots and zombies sending huge volumes of traffic to clog and congest the target's bandwidth pipes. The response from the victim slows down with the increase in such flood requests, saturating the bandwidth pipe and preventing access by authorized users. Amplification attacks involve the bots and zombies sending messages to the target's subnet by broadcast. Resource Depletion attacks involve the use of malformed data packets, i.e., incorrect IP packets sent by the zombies with the malicious intent of crashing the victim, and protocol exploits, which exploit a specific protocol feature to have the victim consume resources and ultimately make it unavailable to legitimate users.

2.3. As per Attack Rate Dynamics

Continuous and variable-rate DDoS attacks are the most common. Continuous-rate attacks are executed without breaking or lowering the force of the attack. This leads to disruptions in services quickly; however, this attack gets detected as well. Variable-rate attacks vary the attack frequency and force, carefully avoiding detection; this ranges from having the attack increase in force to having a fluctuating rate of attack.

2.4. As per the Impact of Attacks

Disruptive and degrading are the two common types of attack impact. The impact of disruptive attacks is a complete shutdown, leading to a full denial of services to legitimate clients. Recovery from such disruptive attacks is classified as automated self-healing recovery, recovery by human intervention, or non-recoverable. Degrading attacks consume the victim's resources bit by bit in small portions. This is much smarter than other attacks, making the attack difficult to detect. Table 7.1 describes the attack types and features of the DDoS tools.

Table 7.1. DDoS Attack Names, Features, Tools. (The four middle columns are the DDoS Type and characteristics; ✓ marks an applicable type, - a non-applicable one.)

DDoS Attack   | Infrastructure | Application | Direct | Reflector | DDoS Tools
ICMP Flood    | ✓              | -           | ✓      | -         | LOIC
SYN Flood     | ✓              | -           | ✓      | -         | TFN
UDP Flood     | ✓              | ✓           | ✓      | ✓         | LOIC
HTTP Flood    | -              | ✓           | ✓      | -         | DDoSIM
XML Flood     | -              | ✓           | ✓      | -         | DAVOSET
Ping of Death | ✓              | -           | ✓      | -         | PING
Slowloris     | -              | ✓           | ✓      | -         | Plyloris
Smurf         | ✓              | -           | -      | ✓         | Nemesis

3. REVIEW OF DDOS RESEARCH

DDoS attack reasons identified by Vanitha et al. (2017) [6] range from extortion, political issues, revenge, and proficiency testing to even unethical competition between cloud service providers. Idziorek et al. (2013) [7] reviewed how DDoS affects pricing models: Fraudulent Resource Consumption (FRC) exploits the pay-as-you-go pricing model, and a low-rate DDoS attack that evades early detection also affects the pricing model. Palmieri et al. (2013, 2014) [8] described a new, subtle DDoS that focuses on attacking computing resources, exhausting the Cloud center's energy and ultimately increasing cloud delivery costs. HTTP and XML DDoS attacks were discussed by Chonka et al. (2012) [9] for SaaS web services application attacks, while Dantas et al. (2014) [10] examined HTTP PRAGMA and HTTP POST attacks.

For Infrastructure-level Direct Network-layer attacks: in TCP Flood attacks, the Transmission Control Protocol (TCP), being a connection-oriented protocol, performs a three-way handshake before actual packet exchange begins. Each SYN message sent by a connecting host is acknowledged with SYN + ACK, and the handshaking process completes with ACK, finally establishing a connection between the two hosts. Attackers exploited this three-way handshake feature by initiating connections that were left half-open, leading to a huge number of transmission block allocations exhausting the kernel memory (Wong and Tan 2014) [1]. Zargar et al. (2013) [6] researched network and transport layer protocols used to flood a host with TCP SYN, UDP, and ICMP floods. The exploitation of the TCP SYN half-open connection feature, leading to a large number of transmission block allocations and exhaustion of kernel memory, was examined by Wong and Tan (2014) [1]. Amazon Cloud Services being affected by TCP SYN floods was also reported.

For Infrastructure-level Direct Application-layer attacks: HTTP Flood Attacks on the Application layer target cloud services by sending web packet floods at high rates to overwhelm a target web application server using malformed HTTP packets (Choi et al. 2014) [11]. These consume the target cloud web server's resources, preventing legitimate users from accessing the services; such attacks are also challenging to mitigate since they consume very little bandwidth and are mostly stealthy. The target server gets inundated with HTTP and XML floods which appear as legitimate GET and POST requests. Wong and Tan (2014) [1] reported that one-fourth of the global DDoS attacks target the application layer, while HTTP GET floods comprise one-fifth of the global HTTP attacks. Some authors presented a scalable network-application profiler (SNAP) that guides engineers to identify and fix performance-related issues. It passively collects TCP statistics and socket-call logs with low overhead for computation and storage across shared computing resources like servers, circuits, switches, and connections, to pinpoint the location of the problem, such as TCP/application conflicts, application-generated micro-bursts, network congestion, or send-buffer mismanagement. SNAP combines socket-call logs of data-transfer behaviors with TCP statistics for the application from the network stack that highlight the data delivery. The profiler leverages the topology, network routing, and application deployment in the data center to correlate performance issues across network connections and aims to find the congested resource or problematic software component. The SNAP deployment was done in a real-time production data center running over 8,000 servers and over 700 application components, and it uncovered over 15 major performance issues in the web application software, the network stack on the server, and the underlying network. Malik et al. (2012) [12] performed a study to define a methodology for the secure protection of end-user critical data for cloud providers. Various data protection techniques are analyzed: firstly, the Mirage Image Management system, which addresses the problem of ensuring virtual machine images are safe; secondly, the Client-based Privacy Manager, which helps reduce the threat of data loss (DL) of personal data on the cloud and also provides additional privacy-related benefits; thirdly, the Transparent Cloud Protection System, designed to monitor the reliability of cloud components. This system protects data integrity in cloud computing by allowing the cloud to monitor infrastructure components.

90 New Age Cyber Threat Mitigation for Cloud Computing Networks

Akashdeep Bhardwaj

Yu et al. (2014) [13] propose deploying intrusion prevention systems at the access points of an individual cloud environment. During a DDoS attack the various IPS nodes monitor incoming packets. The authors proposed a novel scheme based on the Hellinger distance (HD) to detect low-rate and multi-attribute DDoS attacks, and suggest leveraging the SIP load balancer to detect and mitigate DDoS attacks. Table 7.2 presents a comprehensive summary of the existing cloud computing DDoS attack-detection mechanisms reviewed in this chapter.

Table 7.2. Summary of DDoS attack-detection mechanisms.

Year | Reference                  | Detection Type | Deployed Location | DDoS Level
2010 | Lo et al. [14]             | Signature      | Access point      | Infrastructure level
2010 | Bakshi and Yogesh [15]     | Signature      | Access point      | Infrastructure level
2011 | Cha and Kim [11]           | Hybrid         | Access point      | Infrastructure level
2011 | Kwon et al. [13]           | Anomaly        | Access point      | Not defined
2011 | Gul and Hussain [16]       | Signature      | Access point      | Not defined
2012 | Karnwal et al. [17]        | Signature      | Distributed       | Application-level
2012 | Bedi and Shiva [18]        | Anomaly        | Access point      | Not defined
2012 | Chonka and Abawajy [9]     | Hybrid         | Access point      | Not defined
2013 | Lonea et al. [19]          | Anomaly        | Access point      | Infrastructure level
2013 | Karnwal et al. [17]        | Signature      | Distributed       | Application-level
2013 | Gupta and Kumar [20]       | Hybrid         | Access point      | Infrastructure level
2013 | Zakarya et al. [21]        | Signature      | Access point      | Not defined
2013 | Huang et al. [14]          | Anomaly        | Access point      | Not defined
2013 | Choi et al. [11]           | Signature      | Access point      | Infrastructure level
2013 | Ismail et al. [22]         | Hybrid         | Distributed       | Infrastructure level
2014 | Shamsolmoali et al. [23]   | Signature      | Access point      | Infrastructure level
2014 | Teng et al. [23]           | Signature      | Distributed       | Application-level
2014 | Alqahtani and Gamble [24]  | Signature      | Access point      | Infrastructure level
2014 | Girma et al. [25]          | Signature      | Distributed       | Not defined
2015 | Wang et al. [26]           | Signature      | Access point      | Application-level
2015 | Marnerides et al. [27]     | Signature      | Access point      | Infrastructure level
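The Hellinger-distance scheme attributed above to Yu et al. compares the distribution of message types seen in a traffic window against a baseline learned from attack-free windows; because it compares proportions rather than volumes, a low-rate attack that barely raises the total request rate but skews the mix is still visible. The following is an added illustration of that idea, written for this page and not the authors' code: the attribute set (four SIP message types), the training length, the mean-plus-3-sigma threshold with a floor, and the constructed per-window counts are all assumptions.

```python
import math
import statistics

# Attributes whose mix stays stable in a healthy service. SIP message types are used
# because the cited scheme targets SIP; HTTP methods or TCP flags work the same way
# (assumed attribute set, not taken from the cited paper).
ATTRIBUTES = ("INVITE", "200 OK", "ACK", "BYE")


def distribution(counts):
    """Normalise the per-attribute counts of one window to a probability distribution."""
    total = sum(counts.get(a, 0) for a in ATTRIBUTES)
    if total == 0:
        return {a: 0.0 for a in ATTRIBUTES}
    return {a: counts.get(a, 0) / total for a in ATTRIBUTES}


def hellinger(p, q):
    """Hellinger distance between two distributions over ATTRIBUTES: 0 = identical, 1 = disjoint."""
    s = sum((math.sqrt(p[a]) - math.sqrt(q[a])) ** 2 for a in ATTRIBUTES)
    return math.sqrt(s) / math.sqrt(2)


def detect_hd(windows, n_train=5, k=3.0, floor=0.02):
    """Flag windows whose attribute mix drifts from the training baseline.

    The first `n_train` windows are assumed attack-free and averaged into a baseline.
    The alarm threshold is mean + k * stdev of the training distances, with a floor so
    that near-identical training windows do not produce a zero threshold (k and floor
    are assumed tuning values). Returns (threshold, per-window results).
    """
    if len(windows) <= n_train:
        raise ValueError("need more windows than n_train")
    train = [distribution(w) for w in windows[:n_train]]
    baseline = {a: sum(d[a] for d in train) / n_train for a in ATTRIBUTES}
    train_hd = [hellinger(baseline, d) for d in train]
    threshold = max(statistics.mean(train_hd) + k * statistics.pstdev(train_hd), floor)
    results = []
    for i, w in enumerate(windows[n_train:], start=n_train):
        hd = hellinger(baseline, distribution(w))
        results.append({"index": i, "hd": round(hd, 4), "attack": hd > threshold})
    return threshold, results


# Constructed per-window message counts (not measured data).
SAMPLE_WINDOWS = [
    # training: balanced SIP dialogs with small natural variation
    {"INVITE": 100, "200 OK": 98, "ACK": 99, "BYE": 97},
    {"INVITE": 103, "200 OK": 101, "ACK": 100, "BYE": 99},
    {"INVITE": 97, "200 OK": 96, "ACK": 98, "BYE": 95},
    {"INVITE": 101, "200 OK": 100, "ACK": 99, "BYE": 100},
    {"INVITE": 99, "200 OK": 97, "ACK": 98, "BYE": 98},
    # test: another normal window
    {"INVITE": 102, "200 OK": 100, "ACK": 101, "BYE": 99},
    # test: low-rate INVITE flood, total volume up only ~15% but the mix shifts
    {"INVITE": 160, "200 OK": 100, "ACK": 100, "BYE": 100},
    # test: high-rate multi-attribute flood (INVITE and ACK)
    {"INVITE": 900, "200 OK": 120, "ACK": 600, "BYE": 90},
]

if __name__ == "__main__":
    threshold, results = detect_hd(SAMPLE_WINDOWS)
    print(f"threshold = {threshold:.4f}")
    for r in results:
        print(f"window {r['index']}: HD = {r['hd']:.4f}, attack = {r['attack']}")
```

The low-rate window is the instructive case: a byte- or packet-rate detector with a sensible threshold would not trip on a 15% rise, but the distance to the baseline is several times the training noise because INVITEs are no longer matched by the responses a genuine call produces.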

4. EFFECTIVE DDoS DETECTION PARAMETERS
After reviewing the above-mentioned research on DDoS attack issues and attack classification, the following parameters are selected for determining an effective DDoS detection method.

● Real-time response detection mechanism – methods with a real-time, high-speed, immediate or proactive response mechanism for advanced application DDoS attacks, new DDoS attacks and cloud diversion attacks, which reduce the attack surface by, say, re-routing inbound traffic or applying network ACLs with stateless allow-and-deny rules when an attack is under way, are more effective than reactive detection mechanisms.
● Ability to auto-scale – dynamic auto-scaling mechanisms that can absorb flood attacks, scale up bandwidth links, or use elastic load balancing (ELB) for better fault tolerance when the number of attackers grows.
● Throughput – the rate at which requests generated by legitimate clients are served end to end by the server. The ability to sustain high throughput under attack determines the effectiveness of the DDoS defense.
● Request response time – the average time to a successful HTTP response. As the attack rate increases, the loss of processing capability lengthens the request-response time.
● Zero-day attack detection ability – being able to detect new, unknown attacks, covering OWASP vulnerabilities as well as signals ranging from NetFlow, header-less layer-7 packets, OpenFlow, OOP synchronous and software-defined networking (SDN) to feeds from partners and other vendors' signals.
● Performance degradation – due to a resource crunch of CPU cycles, memory, storage or network bandwidth.
● Accuracy of the defense mechanism – a critical parameter for judging a detection mechanism: sensitivity (true-positive and true-negative ratios) and reliability (false-positive and false-negative ratios) against the desired outcomes.
● Over- or under-mitigation – detection effectiveness is also measured by the vendor's ability to mitigate by rate only, HTTP server-based redirects, SSL protection, routing techniques, heuristic behaviour, JavaScript challenge-response and signatures.
● Reporting – how well and how effectively detections are reported. Parameters taken into account are real-time displays, all attack vectors shown granularly, attack-back options, mitigation response, real-time mitigation response, historical mitigation-effectiveness measures, forensics reports, legitimate and attack traffic displayed, emergency response options, and integrated reporting with cloud portals.

5. PARAMETERS FOR DDoS COUNTERMEASURE
While several research proposals and partial DDoS mitigation solutions are available, as discussed above, most of them address only a few aspects of a full DDoS attack. There is no one-shot comprehensive countermeasure against every known DoS attack. Every day attackers come up with new threat vectors and attack variants in their attempts to bypass existing and newly deployed countermeasures. This leads to the conclusion that more research is required to design and develop an effective DDoS countermeasure.

DoS refers to a broad category of network-based attacks that aim to reduce access to information and communication resources. A DoS attack involves a single source generating traffic toward the target to exploit its capacity limit and render the resource unavailable. DoS attacks have become less successful as technology advances, including the creation of devices with more powerful network-processing capabilities, so that no single device can generate enough traffic to congest the destination. DDoS attacks are used to increase the volume of traffic directed at the target: multiple devices work together to direct a large amount of traffic at the targeted location. DDoS attacks can be classified by the TCP/IP (Transmission Control Protocol/Internet Protocol) layer that the generated traffic targets, i.e. those directed at the application layer and those directed at the infrastructure layer (data link and network). One of the six TCP header flags (ACK, SYN, URG, FIN, RST and PSH), the SYN flag, is used to synchronize sequence numbers when starting a TCP session, and it is the flag most frequently abused in DDoS attacks; SYN flooding is the most prevalent variety of DDoS attack. Other TCP flags, protocols and protocol parameters have also been employed in infrastructure- and application-layer DDoS attacks.

Taking into account the DDoS attack-detection parameters, the defense mitigation mechanisms are evaluated in Table 7.3 on a scale of 1 (low) through 5 (medium) to 10 (high).

Table 7.3. Comparing DDoS mitigation defense mechanisms.

Detection Parameter | Centralized, source-based | Centralized, destination-based | Centralized, network-based | Distributed hybrid
Accuracy            | 3 | 9 | 3 | 5
Scalability         | 3 | 4 | 6 | 6
Performance         | 6 | 7 | 6 | 5
Complexity          | 2 | 3 | 7 | 6
Overall             | No | No | No | Yes
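The paragraph above singles out the SYN flag and the difference between a single-source DoS and a multi-source DDoS. Both are visible in the server's half-open connection accounting: a client that sends a SYN but never returns the final ACK leaves the handshake incomplete, and a flood shows up as a window in which most SYN sources never complete it. The following is an added example, written for this page and not code from the chapter; the packet-record layout, the server address, the window size and the two thresholds are assumptions, and the capture is constructed.

```python
from collections import defaultdict

# Packet record: (timestamp_seconds, src_ip, dst_ip, tcp_flags), with flags as a string
# such as "S" (SYN), "SA" (SYN-ACK) or "A" (ACK). Assumed layout, not a pcap parser.


def detect_syn_flood(packets, server_ip, window_s=5, min_syns=50, max_half_open_ratio=0.7):
    """Per-window half-open handshake accounting for one server address.

    A window is flagged when at least `min_syns` sources sent a SYN and more than
    `max_half_open_ratio` of them never completed the handshake with an ACK inside the
    same window (assumed tuning values). The number of distinct sources is reported
    because a flood from one host (DoS) and one from many hosts or spoofed addresses
    (DDoS) call for different mitigations: a single address can be dropped at the
    edge, a spoofed flood needs SYN cookies or upstream scrubbing.
    """
    windows = defaultdict(lambda: {"syn_sources": set(), "acked_sources": set(), "syn_count": 0})
    for ts, src, dst, flags in sorted(packets, key=lambda p: p[0]):
        if dst != server_ip:
            continue                                  # only client -> server packets matter here
        w = windows[int(ts // window_s)]
        if flags == "S":                              # new connection attempt
            w["syn_sources"].add(src)
            w["syn_count"] += 1
        elif flags == "A" and src in w["syn_sources"]:  # third handshake step after a SYN
            w["acked_sources"].add(src)
    report = []
    for idx in sorted(windows):
        w = windows[idx]
        half_open = w["syn_sources"] - w["acked_sources"]
        ratio = len(half_open) / len(w["syn_sources"]) if w["syn_sources"] else 0.0
        report.append({
            "window": idx,
            "syn_count": w["syn_count"],
            "distinct_sources": len(w["syn_sources"]),
            "half_open": len(half_open),
            "half_open_ratio": round(ratio, 3),
            "attack": len(w["syn_sources"]) >= min_syns and ratio > max_half_open_ratio,
        })
    return report


def _sample_packets(server="192.0.2.10"):
    """Constructed capture (not real traffic): 10 normal handshakes in window 0,
    then a spoofed SYN flood in window 1 with one genuine client connecting during it."""
    pkts = []
    for i in range(10):                                # normal three-way handshakes
        client = f"198.51.100.{i + 1}"
        t = 0.1 * i
        pkts += [(t, client, server, "S"), (t + 0.01, server, client, "SA"),
                 (t + 0.02, client, server, "A")]
    for i in range(200):                               # flood: 200 spoofed sources, one SYN each, no ACK
        spoofed = f"203.0.113.{i + 1}"
        t = 5.0 + 0.01 * i
        pkts += [(t, spoofed, server, "S"), (t + 0.005, server, spoofed, "SA")]
    pkts += [(6.0, "198.51.100.50", server, "S"), (6.01, server, "198.51.100.50", "SA"),
             (6.02, "198.51.100.50", server, "A")]
    return pkts


SAMPLE_PACKETS = _sample_packets()

if __name__ == "__main__":
    for r in detect_syn_flood(SAMPLE_PACKETS, "192.0.2.10"):
        print(r)
```

Note that the flood window still contains a completed handshake from a genuine client; a mitigation that blocked every source seen in the window would drop it, which is exactly the false-positive cost the chapter's "recognize legitimate traffic" criterion is about.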

The ideal time to mitigate a DDoS attack is at the launching location and stage, before it reaches the target or even travels over WAN circuits. However, this is far from practical to implement. Classification, analysis and comparison of DDoS tools are performed by research authors for a better understanding of the existing tools, methods and attack mechanisms, along with a study of DDoS tools in present times. DDoS research is categorized in the preceding section into application-level and infrastructure-level attacks. From the literature survey, most research is directed toward infrastructure-level DDoS attacks, primarily because network and application floods are so easy to perform. Infrastructure-level attacks exploit no vulnerability: the attackers flood the bandwidth pipes with malicious traffic and consume computing resources, denying access to legitimate, authenticated users. Application attacks, on the other hand, exploit system and web application vulnerabilities at OSI layer 7, mimicking human behaviour while targeting system weaknesses, outdated patches and misconfigurations.

CONCLUSION
This chapter provides a survey of the academic literature on DDoS attacks against cloud computing. A new cloud attack taxonomy and parameters for determining an effective DDoS solution are presented. A comprehensive DDoS mitigation solution involves real-time detection, blocking and mitigation, positioned at the DDoS attack source. For this, DDoS detection nodes need to be spread across the internet globally; these nodes are used for attack detection, response and prevention. Apart from this, the following factors need to be considered for the proposed DDoS mitigation solution:
• Functionality – be able to reduce, if not block, the impact of the DDoS attack, no matter how large or powerful the flood is.
• Ease of implementation – does not require any network design modification or infrastructure data-flow reconfiguration.
• Low overhead – should not pose additional overhead on the existing data center systems and processing power.
• Recognize legitimate traffic – should not report a large number of false positives in which legitimate traffic is dropped during DDoS blocking.
• Findings – with the new taxonomy, classifying DDoS attacks becomes clear and simple, since it is based on detailed technical action items that can easily be obtained and measured; the impact as well as the priority can then be ascertained. For an effective DDoS solution the chapter proposed four parameters: mitigation functionality that reduces, if not blocks, the DDoS attack impact irrespective of the flood's capacity; ease of implementation, implying no network redesign or infrastructure modification; no additional overhead on the data center infrastructure; and the ability to recognize real users' legitimate traffic with as few false positives as possible.
• Application improvements – the new taxonomy and parameters can help in making correct, informed decisions when selecting a DDoS mitigation service. This can increase customer confidence and reduce the business downtime and reputational damage that DDoS attacks otherwise cause.

DISCLOSURE
Part of this chapter has previously been published in "DDoS Attacks, Detection Parameters and Mitigation in Cloud Environment", International Journal for Modern Trends in Science and Technology, 2017, vol. 03, special issue no. 01, pp. 79-82.

CONSENT FOR PUBLICATION
Not applicable.

CONFLICT OF INTEREST
The authors declare no conflict of interest, financial or otherwise.

ACKNOWLEDGEMENT
Declared none.

REFERENCES
[1] F. Wong, and C.X. Tan, "A survey of trends in massive DDoS attacks and cloud-based mitigations", Int. J. Netw. Secur. Appl., vol. 6, no. 3, pp. 57-71, 2014. [http://dx.doi.org/10.5121/ijnsa.2014.6305]

[2] A. Girma, M. Garuba, J. Li, and C. Liu, "Analysis of DDoS attacks and an introduction of a hybrid statistical model to detect DDoS attacks on cloud computing environment", 12th International Conference on Information Technology - New Generations, 2015. [http://dx.doi.org/10.1109/ITNG.2015.40]
[3] Z. Anwar, and A.W. Malik, "Can a DDoS attack meltdown my data center? A simulation study and defense strategies", IEEE Commun. Lett., vol. 18, no. 7, pp. 1175-1178, 2014. [http://dx.doi.org/10.1109/LCOMM.2014.2328587]
[4] S.T. Zargar, J. Joshi, and D. Tipper, "A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks", IEEE Commun. Surv. Tutor., vol. 15, no. 4, pp. 2046-2069, 2013. [http://dx.doi.org/10.1109/SURV.2013.031413.00127]
[5] A. Merlo, M. Migliardi, N. Gobbo, F. Palmieri, and A. Castiglione, "A denial of service attack to UMTS networks using SIM-less devices", IEEE Trans. Depend. Secure Comput., vol. 11, no. 3, pp. 280-291, 2014. [http://dx.doi.org/10.1109/TDSC.2014.2315198]
[6] K.S. Vanitha, S.V. Uma, and S.K. Mahidhar, "Distributed denial of service: Attack techniques and mitigation", International Conference on Circuits, Controls, and Communications (CCUBE), pp. 226-231, 2017. [http://dx.doi.org/10.1109/CCUBE.2017.8394146]
[7] M. Ficco, and F. Palmieri, "Introducing fraudulent energy consumption in cloud infrastructures: A new generation of denial-of-service attacks", IEEE Syst. J., vol. 11, no. 2, pp. 460-470, 2017. [http://dx.doi.org/10.1109/JSYST.2015.2414822]
[8] A. Chonka, and J. Abawajy, "Detecting and mitigating HX-DoS attacks against cloud web services", 15th IEEE International Conference on Network-Based Information Systems (NBiS), pp. 429-434, 2012. [http://dx.doi.org/10.1109/NBiS.2012.146]
[9] Y. Dantas, V. Nigam, and F. Iguatemi, "A selective defense for application layer DDoS attacks", IEEE Joint Intelligence and Security Informatics Conference (JISIC), pp. 75-82, 2014. [http://dx.doi.org/10.1109/JISIC.2014.21]
[10] J. Choi, C. Choi, B. Ko, D. Choi, and P. Kim, "Detecting web-based DDoS attack using MapReduce operations in cloud computing environment", Journal of Internet Services and Information Security (JISIS), vol. 3, no. 4, pp. 28-37, 2013.
[11] A. Malik, and N. Muhammad, "Security framework for cloud computing environment - A review", J. Emerg. Trends Comput. Inf. Sci., vol. 3, no. 3, pp. 390-394, 2012. ISSN 2079-8407.
[12] H. Kwon, T. Kim, S.J. Yu, and H.K. Kim, "Self-similarity based lightweight intrusion detection method for cloud computing", Intelligent Information and Database Systems, pp. 353-362, 2011. [http://dx.doi.org/10.1007/978-3-642-20042-7_36]
[13] C. Lo, C. Huang, and J. Ku, "A cooperative intrusion detection system framework for cloud computing networks", IEEE 39th International Conference on Parallel Processing Workshops (ICPPW), pp. 280-284, 2010. [http://dx.doi.org/10.1109/ICPPW.2010.46]
[14] A. Bakshi, and Y.B. Dujodwala, "Securing cloud from DDoS attacks using intrusion detection system in virtual machine", Second International Conference on Communication Software and Networks, 2010. [http://dx.doi.org/10.1109/ICCSN.2010.56]
[15] I. Gul, and M. Hussain, "Distributed cloud intrusion detection model", Int. J. Adv. Sci. Technol., vol. 34, pp. 71-82, 2011.
[16] T. Karnwal, T. Sivakumar, and G. Aghila, "A comber approach to protect cloud computing against XML DDoS and HTTP DDoS attack", IEEE Students' Conference on Electrical, Electronics and Computer Science, 2012. [http://dx.doi.org/10.1109/SCEECS.2012.6184829]
[17] S. Bedi, and S. Shiva, "Securing cloud infrastructure against co-resident DoS attacks using game theoretic defense mechanisms", International Conference on Advances in Computing, Communications and Informatics (ICACCI), pp. 463-469, 2012. [http://dx.doi.org/10.1145/2345396.2345473]
[18] A.M. Lonea, D.E. Popescu, O. Prostean, and H. Tianfield, "Evaluation of experiments on detecting distributed denial of service (DDoS) attacks in Eucalyptus private cloud", Soft Computing Applications, pp. 367-379, 2013. [http://dx.doi.org/10.1007/978-3-642-33941-7_34]
[19] S. Gupta, and P. Kumar, "VM profile based optimized network attack pattern detection scheme for DDoS attacks in cloud", Commun. Comput. Inf. Sci., vol. 377, pp. 255-261, 2013. [http://dx.doi.org/10.1007/978-3-642-40576-1_25]
[20] M. Zakarya, "DDoS verification and attack packet dropping algorithm in cloud computing", World Appl. Sci. J., vol. 23, no. 11, pp. 1418-1424, 2013. [http://dx.doi.org/10.5829/idosi.wasj.2013.23.11.950]
[21] N. Ismail, A. Aborujilah, S. Musa, and A. Shahzad, "Detecting flooding based DoS attack in cloud computing environment using covariance matrix approach", ACM 7th International Conference on Ubiquitous Information Management and Communication (ICUIMC '13), 2013. [http://dx.doi.org/10.1145/2448556.2448592]
[22] P. Shamsolmoali, and M. Zareapoor, "Statistical-based filtering system against DDoS attacks in cloud computing", International Conference on Advances in Computing, Communications and Informatics (ICACCI), 2014. [http://dx.doi.org/10.1109/ICACCI.2014.6968282]
[23] R. Gamble, and B. Alqahtani, "Defending against UDP flooding by negative selection algorithm based on eigenvalue sets", Fifth International Conference on Information Assurance and Security, 2009.
[24] M.H. Bhuyan, D.K. Bhattacharyya, and J.K. Kalita, "An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection", Pattern Recognit. Lett., vol. 51, pp. 1-7, 2015. [http://dx.doi.org/10.1016/j.patrec.2014.07.019]
[25] K. Wang, and B.B. Gupta, "Detecting DDoS attack using Software Defined Network (SDN) in cloud computing environment", 5th International Conference on Signal Processing and Integrated Networks (SPIN), 2018.
[26] N. Marnerides, and L.L. Iacono, "Vulnerable cloud: SOAP message security validation revisited", IEEE International Conference on Web Services, 2009.
[27] H. Sutton, "Review commonalities of perpetrators of 2017 mass attacks", Campus Secur. Rep., vol. 15, no. 3, p. 9, 2018. [http://dx.doi.org/10.1002/casr.30400]

New Age Cyber Threat Mitigation for Cloud Computing Networks, 2023, 97-113

CHAPTER 8

Designing A Framework For Cloud Service Agreements For Cloud Environments

Abstract: Cloud computing has emerged as the prime IT computing model for on-demand access to a pool of shared resources with the least IT support. It is starting to replace legacy office IT infrastructure and helpdesk support systems, and corporate and home users alike are increasingly becoming cloud service consumers, moving their data and work to the cloud. The Cloud Service Agreement (CSA) between cloud service consumers and cloud service providers therefore has critical significance, as it is what can guarantee the highest level of service quality and delivery. Current CSA parameters and terms tend to fall short of the service delivery commitments, with no common terminology or standard followed industry-wide by cloud service providers, so comparing similar service offerings and agreements from multiple providers continues to be a complex task. This chapter provides a pragmatic approach to Cloud Service Agreements, comparing the current process with the proposed parameters and a new CSA framework, to determine the role of the various elements and terms in the decision-making process for cloud service agreements for SaaS, PaaS, IaaS and STaaS.

Keywords: Cloud Service Agreement, CSA, Cloud Service Agreement Framework, Cloud Computing, Service Level Agreement, SLA.

1. INTRODUCTION
Cloud computing is the new IT medium for providing virtualized computing resources in a dynamic, elastic and scalable manner. It lets cloud service consumers, corporate employees or home users make dynamic on-demand requests for computing resources: CPU, memory, storage space, network and firewall devices, operating systems, databases, software, apps and development environments, delivered and made available with minimal IT administration or helpdesk support. As the number of cloud-based services offered over the internet by cloud service providers multiplies, a well-defined Cloud Service Agreement (CSA) becomes an essential component that end users and cloud service providers should refer to (National Institute of Standards and Technology, 2011) [1]. It guarantees that service delivery quality and agreement compliance are preserved and delivered at defined levels irrespective of the dynamic nature of future requests.

Service Level Agreements for cloud computing services are termed Cloud Service Agreements (CSA) and involve the cloud service consumer, the cloud service provider and the service agreements between them (SoftLayer, 2016) [2]. The cloud service consumer is the end user needing to access cloud computing services. These individuals (for example, corporate employees) consume services from the cloud service provider and expect appropriate cloud service delivery under the service level agreements in place with that provider. As cloud computing provides scalability and flexibility, cloud consumers pay according to the type and amount of cloud services used. Cloud users therefore require CSAs to ascertain the service delivery and technical performance that the cloud service provider will deliver. Cloud service providers are the organizations responsible for providing the cloud services to end users, and are mandated to deliver and administer the computing infrastructure required to keep those services accessible to cloud consumers. Cloud Service Agreements therefore help establish the specific environment requested by the cloud service consumer regarding service, security, privacy and remedies when delivery failures occur. A cloud service provider could also state in the service agreement which guarantees are not available to users, i.e. restrictions and duties that cloud users have to accept. A cloud user can select a cloud provider with preferable pricing and more favourable terms. Normally, a cloud provider's pricing strategy and service agreements are non-negotiable, unless the user is looking for comprehensive or customized services from the provider.

The Cloud Service Agreement from the perspective of both the cloud service provider and the cloud service consumer is examined in this chapter to draw attention to its importance. The chapter gives a general overview of Service Level Agreements and the advantages the proposed Cloud Service Agreement delivers, such as improving customer acceptance levels, enhancing relationships and enhancing cloud service quality. Cloud Service Agreements contain responsibilities and activities that need to be completed once service delivery starts. The service contract governs quantifiable terms and conditions for the service provider in case there are delivery issues and the minimum objectives are not met. Cloud Service Agreements are being implemented in a variety of cloud domains related to IT delivery services such as web hosting, network delivery and data centre management.


2. CLOUD SERVICE AGREEMENTS OVERVIEW
The clients of SaaS may be corporations that offer their users or customers access to software applications, end users who use the applications directly, or software application providers who compose applications for their clients. SaaS charges can be based on the number of end users, usage time, network bandwidth consumed, the quantity of data stored, or the period for which data is kept. Cloud clients of PaaS can use the tools and resources supplied by cloud service providers to develop, test, deploy and administer applications in a cloud environment. PaaS clients can be application developers who build and maintain application software, application testers who run and test applications in cloud-based locations, application publishers who distribute applications through the cloud, or application managers who configure and control applications. PaaS charges can be based on operations, database space, network resources used by the PaaS application, or the duration of platform use.

With security, availability and quality as the prime features of cloud services, users and cloud service consumers should follow the stages listed below when evaluating Cloud Service Agreements and negotiating service delivery terms with cloud providers. The Cloud Service Agreement stages, as given by the Cloud Standards Customer Council (2014) [3], are shown in Fig. (8.1).

Clients of IaaS have access to virtual machines, network storage, network infrastructure elements and other essential resources on which they can install and operate arbitrary software. IaaS clients can be system designers or system managers concerned with running, organizing and controlling services for IT infrastructure operations. IaaS users are given the means to access these resources and are charged depending on the amount and period of resource use, such as CPU hours consumed by virtual machines, storage capacity, network bandwidth used, and the number of IP addresses held for particular periods. Cloud users want a CSA before deploying their cloud workloads, to have confidence about the resources supplied and the means to obtain the preferred level of performance. Cloud Service Agreement and Quality of Service (QoS) metrics have been studied by many researchers in business and service-oriented architectures such as e-commerce and web services. Nevertheless, the usual IT Service Level Agreement (SLA) metrics in those fields are not appropriate for cloud computing, because the kind and form of resources supplied and deployed differ. New SLA templates are therefore needed to provide a flexible technique for forming agreements between users and providers.


Therefore, a theoretical CSA framework for cloud computing has identified dynamic service agreement metrics for various sets of cloud clients.

Fig. (8.1). Cloud Service Agreement stages:
Stage #1: Understand roles and responsibilities
Stage #2: Evaluate business-level agreement
Stage #3: Understand service and deployment models
Stage #4: Identify performance metrics
Stage #5: Determine security and privacy parameters
Stage #6: Identify management requirements
Stage #7: Prepare disaster recovery plan
Stage #8: Understand DR plan
Stage #9: Develop effective governance process
Stage #10: Exit process

In dynamic environments like clouds, several challenges such as automated negotiation, dynamic SLAs, organizational functions and environmental changes must be considered. Researchers have noted many significant differences between the delivery agreements used in cloud computing and those of peer web services (Mactores, 2016) [4]. Some of them are:

● QoS parameters: many web services emphasize parameters like response time, the SLA violation rate for a job, reliability and availability, levels of client variation, and cost of service. In cloud computing, additional QoS parameters need to be included (e.g. energy-related, security-related, privacy-related and trust-related QoS). Over 20 QoS parameters are listed by the Service Measurement Index (SMI), grouped for use.
● Automation: the entire procedure of SLA negotiation, service provisioning, delivery and monitoring has to be automated for highly dynamic and scalable service use. This makes the agreement process faster, more transparent and easier to implement.
● Allocation: SLA-oriented resource allocation in cloud computing differs from allocation in web services because, in the cloud, resources are assigned and spread worldwide without central coordination, so the design and architecture for SLA-based resource allocation in those environments differ.

On the other hand, as per the National Institute of Standards and Technology (2011) [1] Cloud Computing Reference Architecture, most requirements are still the same for both kinds of service, such as availability, scalability, security and privacy. Moreover, a clear technique for cost computation is needed, because cloud users wish to pay as they consume, so yearly or monthly billing periods are not appropriate for cloud computing. There is no single cost-computation or resource-reservation technique that fits every kind of cloud service: a storage service may be charged according to the time and volume of the client's data, whereas cloud Customer Relationship Management (CRM) may be charged according to the number of customers. In the proposed structure, the SLA parameters are determined by metrics. These metrics state how service parameters are calculated and also determine estimates of the quantifiable parameters. The proposed CSA metrics for cloud computing cover four kinds of cloud services: SaaS, PaaS, IaaS and Storage as a Service (STaaS).

3. LITERATURE REVIEW
Ibrahim et al. (2016) [5] proposed a framework for SLA assurance, with correlated metrics, for use by cloud providers and cloud consumers. The framework defined performance metrics for different applications in cloud environments to ensure service and delivery quality as stated in the SLA, and was evaluated through simulations and testbed experiments. Murugesan and Bojanova (2016) provided an overview of the cloud-based service entities involved from an SLA perspective. Their overview described typical elements of cloud-based SLAs to guide cloud consumers in systematically evaluating the SLAs for various cloud services. Future directions in SLAs for various cloud-based services and providers were also discussed.


An overview of SLAs in cloud computing was presented by Mirobi et al. (2016) [6], along with their benefits, importance and necessities. Their paper also classified cloud computing Service Level Agreements and proposed a framework for cloud computing service agreements. Costa (2015) [7] proposed a model for service response time measurement under cloud environment Service Level Agreements. The model was assessed on the Amazon EC2 cloud using TPC-DS, the benchmark standard for measuring the performance of decision-support solutions, to generate a database of structured data, making the proposed solution more relevant to QoS issues. Mohamadi et al. (2016) [8] reviewed various methods for cloud service level agreements and compared them on the parameters improved, the simulated implementation environment, and workload and application. With cloud providers offering software applications and licenses on a pay-as-you-use basis, Li et al. (2016) [9] reviewed the complex licensing and Quality of Service expectations of cloud service consumers for SaaS applications. Cloud service providers typically focus on IaaS or PaaS consumers; their work proposed a novel resource management system for SaaS cloud SLAs by analysing the requirements of SaaS clouds. The proposed management system used current technologies to scale in and out depending on cloud consumer requirements and demand. The architectural design and implementation evaluation were showcased in a case study of a real SaaS cloud environment. Fowley et al. (2015) [10] proposed that cloud services could be provided as a utility, for which a comprehensive mechanism is required for specifying cloud service agreements so as to reduce the differences in service perception between cloud service customers and cloud service providers.
They suggested a logic-driven approach for specifying cloud service agreements so that agreements can be reached and negotiated while the cloud service agreement is being formulated. Ashok and Mukhopadhyay (2016) [11] proposed a single gateway for cloud service provision negotiations, based on an intelligent strategy for simplifying resource procurement costs for cloud service consumers. A negotiator bargains on behalf of the cloud service provider and the cloud service consumer to reach a mutually acceptable cloud service agreement, helping consumers settle on a provider that offers an acceptable quality of service while ensuring that the provider allocates resources efficiently. Mittal et al. (2015) [12] suggested automating the management and monitoring of service level agreements, cloud-related legal documents, and customer service agreements using semantic web technologies. Their paper proposed the automatic extraction of SLA measures directly from cloud service providers' web portals and then cross-referencing those metrics and measures against the legal terms of the service documents, reducing the manual effort that cloud service performance monitoring and measurement would otherwise require.

Xiong and Chen (2015) [13] described resource management for high-performance clouds as a nonlinear optimization problem subject to SLA requirements and performance metrics. The SLA is defined in terms of system throughput, response time, and utilization; an SLA-based approach is proposed in which trustworthiness, a percentile of response time, and availability are quantified. The authors proposed a solution to the nonlinear optimization problem and demonstrated its effectiveness through illustrative examples. Anithakumari and Chandrasekaran (2015) [14] proposed an efficient framework to monitor and analyze SLA parameters in order to predict the likelihood of SLA violations. Adaptive resource allocation uses the predicted violations, allocating additional resources as soon as a likely violation is detected, which reduces the number of SLA violations that actually occur. The paper accounts for interacting entities, namely cloud service providers, cloud service brokers, and cloud service customers, each with different objectives and expectations. Wang et al. (2016) [15] presented a framework to help users find better-suited cloud-based services on their own and reduce the cost of those services. The paper proposed a cloud service agent model based on the Service Level Agreement (SLA) and studied a game model for SLA negotiation and a queuing model for SLA monitoring; simulation results showed both models to be effective for the SLA-based cloud service agent model. Hussain et al. (2016) [16] proposed an intelligent, profile-based SLA violation prediction model from the cloud service provider's perspective. As cloud service providers transcend barriers and engage with current or potential customers globally, the result is economic growth and expanding business horizons, which together create the internet economy. The model monitors the SLA in the pre-interaction phase to predict a consumer's likely resource usage from the consumer's reputation in previous transactions. It determines the level of resources required based on reliability and helps cloud service providers decide on SLA formation, maximize profit, and avoid service violations in the post-interaction phase. Additionally, the model predicts a violation before it occurs and recommends mitigations to avoid penalties.

Cloud computing has emerged as a new computing paradigm that has revolutionized the IT industry. Software products are now licensed as a service on a multi-tenant, rental, usage-based basis, which increases the complexity of managing resources and delivering the expected quality of service guaranteed by a formal, legal SLA. Most cloud vendors focus either on the infrastructure level or the platform level and do not cater to the needs of SaaS. This work fills that gap by proposing a novel SLA-based resource management system designed after analyzing the requirements of SaaS in clouds and implemented with current technologies, which can be scaled in and out as user demand changes.

4. CSA METRICS

Proposed metrics for SaaS, IaaS, PaaS, and STaaS are provided in this section. These parameters can be used to develop an efficient, robust framework for Cloud Service Agreements (CSA). The requirements of cloud service users differ with the type of service they subscribe to: SaaS users will have different QoS metrics from IaaS, PaaS, and STaaS users. The parameters for each type of service denote what each user is concerned about and what is critical to include in their CSA.

4.1. CSA Metrics for SaaS

Prominent examples of SaaS are the mail, calendar, and social websites supplied by Google, Yahoo, and Microsoft. The parameters for SaaS cloud services, referenced from the Conceptual SLA Framework for Cloud Computing of Alhamad et al. (2014) [17], are shown in Table 8.1 below.

Table 8.1. CSA metrics for SaaS Services.
SaaS Parameters            Description of the SaaS Parameters
SaaS_Reliability           Ability to consistently perform according to defined specifications
SaaS_Usability             A clear, defined access process, ease of use, and visual consistency
SaaS_Scalability           Continues functioning when the context changes in size or volume of requests
SaaS_Availability          Uptime of the service as required, for user-specified time and usage
SaaS_Customization         Flexible support for different users with different profiles and needs
SaaS_Downtime_metrics      Monthly cumulative downtime of the application or web portal
SaaS_Response_metrics      Monthly response time of the application or web portal
SaaS_Billing               Invoicing based on application usage and services requested

4.2. CSA Metrics for IaaS

Firms such as Amazon supply infrastructure as a service. Many clients do not know clearly which parameters must be declared on the hardware side of the SLA. Referring again to the Conceptual SLA Framework for Cloud Computing (Alhamad et al., 2014), the significant parameters for clients using the cloud as an infrastructure service are shown in Table 8.2.

Table 8.2. CSA metrics for IaaS Services.
IaaS Parameters            Description of the IaaS Parameters
IaaS_CPU_speed             Virtual machine's CPU speed
IaaS_RAM_size              Virtual machine's memory size (GB)
IaaS_VM_Boot_time          Time for the virtual machine to restart and be ready
IaaS_Storage_size          Data storage size allocated as per the term of the contract
IaaS_MaxVM_per_User        Maximum number of virtual machines for one user
IaaS_MinVM_per_User        Minimum number of virtual machines for one user
IaaS_Scale_up_time         Time to increase by a specific number of virtual machines
IaaS_Scale_down_time       Time to decrease by a specific number of virtual machines
IaaS_Max_VM_allowed        Maximum number of VMs that can be run per server
IaaS_Availability          Cloud service uptime during a specific period
IaaS_Response_time         Time to receive and complete the user request
IaaS_Compute_metrics       Availability time, server reboot time, and outage period
IaaS_Network_metrics       Availability time, data packet loss, latency, mean/max/min jitter
IaaS_Storage_metrics       Availability time, I/O per second, maximum restore time
IaaS_Billing               Invoicing based on the infrastructure system and services requested

4.3. CSA Metrics for PaaS

In the platform-as-a-service case, developers who use PaaS do not need to install equipment or organize hardware to do their software or application development work. For SLA metrics associated with PaaS, the Conceptual SLA Framework for Cloud Computing (Alhamad et al., 2014) illustrates the key parameters that can serve as a baseline when developers negotiate a CSA with PaaS suppliers, as shown in Table 8.3 below.

Table 8.3. CSA metrics for PaaS Services.
PaaS Parameters            Description of the PaaS Parameters
PaaS_Integration           Tools to deploy, manage, and integrate applications with other platforms
PaaS_Scalability           User sessions, transactions, and operations accommodated
PaaS_Browser               Support for Microsoft Internet Explorer, Mozilla Firefox, and Google Chrome
PaaS_Developers            Support for developers to design, code, and manage the platform environment
PaaS_Billing               Invoicing based on resources, time, or development platform rent for the services requested

4.4. CSA Metrics for STaaS

Online clients enter their information from diverse places. Earlier, online storage providers could not store large amounts of data: there was not enough space on storage disks, and network storage and storage technologies were not up to par. Now, storage service providers such as Amazon S3 have arrays of storage hardware and storage server farms. They can also serve millions of clients efficiently with improved information delivery technology, guaranteeing that the information is suitable for diverse kinds of applications and devices. The parameters for information storage service metrics (Alhamad et al., 2014) are the fundamental necessities for negotiating with storage suppliers, as shown in Table 8.4 below.

Table 8.4. CSA metrics for STaaS Services.
STaaS Parameters           Description of the STaaS Parameters
STaaS_Location             Data center locations for storing data
STaaS_Scalability          Ability to increase or decrease the requested space
STaaS_Billing              Invoicing based on digital storage size and rent for the services requested
STaaS_Security             Encryption for storage, data transfers, and authentication
STaaS_Privacy              Defines how data is to be stored and transferred
STaaS_Backup               Defines how backups of the data are stored
STaaS_Recovery             Ability to recover user data during disasters
STaaS_Throughput           Data retrieved within a specific period
STaaS_Put_Blob & Get_Blob  2 seconds per MB transferred
STaaS_Copy_Blob            90 seconds within the same storage access account
STaaS_Put_Block_List       60 seconds within the same storage access account
STaaS_Get_Block_List       10 seconds from the same storage access account
STaaS_Batch_Operation      30 seconds within the same storage access account

Cloud Service Agreements also include uptime and service credit terms for the service level parameters above. Cloud service providers typically grant service credits to compensate for the downtime that clients face in a single calendar month (not exceeding 30 days of service), added at the end of the billing cycle. Below is a sample calculation (Source: Cloud Forge 2016) of the SLA uptime and service credit agreement for a violation during the annual cycle of the SLA between provider and customer:

● Monthly Uptime % = (Maximum Time – Unscheduled Down Time) / Maximum Time, where Maximum Time is the total minutes available in the month
● For Monthly Uptime < 99.95% → Service Credit = 10%; for Monthly Uptime < 99.00% → Service Credit = 25%
● Service Credit = (Outage Period minutes × Affected Customer Ratio) / Scheduled availability
● Affected Customer Ratio = (Unique visitors, measured by IP address, affected by the unscheduled service outage) / (Total unique visitors, measured by IP address)
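The following Python script is an added worked example (it is not part of the chapter or of the Cloud Forge source) that applies the four formulas above to a constructed month of outage records. Maximum Time is taken as every minute of the calendar month, the credit tiers are evaluated strictest first so that a month below 99.00% earns 25% rather than 10%, the Scheduled availability divisor defaults to 0.9995, and all outage windows and visitor IP addresses are constructed sample data.

```python
"""Monthly uptime and service-credit calculation for a Cloud Service Agreement."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Sequence


@dataclass(frozen=True)
class Outage:
    """One outage window. Scheduled maintenance does not count against uptime."""
    start: datetime
    end: datetime
    scheduled: bool
    affected_ips: frozenset   # unique client IPs that hit the outage

    @property
    def minutes(self) -> float:
        return (self.end - self.start).total_seconds() / 60.0


def maximum_minutes(year: int, month: int) -> int:
    """Maximum Time: every minute of the calendar month, i.e. the billing cycle."""
    first = datetime(year, month, 1)
    nxt = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    return int((nxt - first).total_seconds() // 60)


def unscheduled_minutes(outages: Sequence[Outage]) -> float:
    return sum(o.minutes for o in outages if not o.scheduled)


def monthly_uptime_pct(year: int, month: int, outages: Sequence[Outage]) -> float:
    """Monthly Uptime % = (Maximum Time - Unscheduled Down Time) / Maximum Time."""
    max_time = maximum_minutes(year, month)
    return 100.0 * (max_time - unscheduled_minutes(outages)) / max_time


def service_credit_pct(uptime_pct: float) -> int:
    """Credit tiers from the text: 25% below 99.00%, 10% below 99.95%, otherwise none.
    The stricter tier is tested first; testing '< 99.95' first would never yield 25%."""
    if uptime_pct < 99.00:
        return 25
    if uptime_pct < 99.95:
        return 10
    return 0


def affected_customer_ratio(outages: Sequence[Outage], monthly_visitor_ips: Iterable[str]) -> float:
    """Unique IPs hit by unscheduled outages / unique IPs seen during the month."""
    visitors = set(monthly_visitor_ips)
    if not visitors:
        return 0.0
    affected = set()
    for o in outages:
        if not o.scheduled:
            affected |= set(o.affected_ips)
    return len(affected & visitors) / len(visitors)


def weighted_outage_minutes(outages: Sequence[Outage], monthly_visitor_ips: Iterable[str],
                            scheduled_availability: float = 0.9995) -> float:
    """Service Credit = (Outage Period minutes x Affected Customer Ratio) / Scheduled availability."""
    ratio = affected_customer_ratio(outages, monthly_visitor_ips)
    return unscheduled_minutes(outages) * ratio / scheduled_availability


# Constructed sample month (not real provider data): April 2016 with three outage windows.
SAMPLE_OUTAGES: List[Outage] = [
    Outage(datetime(2016, 4, 10, 3, 0), datetime(2016, 4, 10, 4, 0), False,
           frozenset({"10.0.0.1", "10.0.0.2"})),              # 60 min, unscheduled
    Outage(datetime(2016, 4, 15, 1, 0), datetime(2016, 4, 15, 3, 0), True,
           frozenset({"10.0.0.1", "10.0.0.3", "10.0.0.4"})),  # 120 min, scheduled: excluded
    Outage(datetime(2016, 4, 20, 12, 0), datetime(2016, 4, 20, 12, 30), False,
           frozenset({"10.0.0.3"})),                          # 30 min, unscheduled
]
SAMPLE_VISITORS: List[str] = [f"10.0.0.{i}" for i in range(1, 11)]   # 10 unique IPs in the month


def sample_report() -> Dict[str, float]:
    uptime = monthly_uptime_pct(2016, 4, SAMPLE_OUTAGES)
    return {
        "maximum_minutes": maximum_minutes(2016, 4),
        "unscheduled_minutes": unscheduled_minutes(SAMPLE_OUTAGES),
        "uptime_pct": round(uptime, 4),
        "credit_pct": service_credit_pct(uptime),
        "affected_ratio": affected_customer_ratio(SAMPLE_OUTAGES, SAMPLE_VISITORS),
        "weighted_outage_minutes": round(weighted_outage_minutes(SAMPLE_OUTAGES, SAMPLE_VISITORS), 3),
    }


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

For the constructed month the 90 unscheduled minutes out of 43,200 give 99.79% uptime, which lands in the 10% credit tier even though the affected customer ratio is only 0.3; when auditing a provider's credit statement, check which column of the calculation the provider treats as "scheduled", since moving an outage into that column removes it from both the uptime and the ratio.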

An analysis of cloud metrics for SaaS cloud service providers and their Cloud Service Agreements is presented in Table 8.5 below, covering the critical service agreement features: subscription plan, access rights, SLA availability formulation, ownership of data, backup frequency and process, security features implemented, and agreement termination and renewal.

Table 8.5. SaaS-Cloud Service Provider Agreement comparison.

Subscription Plan and Pricing
  Salesforce (Sales CRM SaaS): Plans range from a starter pack at $25 to unlimited full-feature access at $300/month
  Workday (Management CRM SaaS): Does not publish pricing; subscriptions are one-time, quote-based payments

User Access
  Salesforce: Out-of-the-box 5-user license; complete CRM for any size of team up to a customizable and unlimited CRM; the customer is allowed to add its own data to the application database
  Workday: Customer-defined access control rights and permissions, customizable as required, with multi-tenancy features

SLA - Guaranteed Availability
  Salesforce: Master Service Agreement 2016 for 24x7 availability
  Workday: Workday Master Service Agreement

Data Ownership
  Salesforce: Multiple layers of external firewalls, IDS, SIEMs, and 24x7 scanning
  Workday: The customer owns its customer data; no direct access to the database

Data Backup
  Salesforce: Customer data is backed up to tape in a separate data center. Tapes are not transported offsite from this data center, reducing the risk of loss.
  Workday: Center

Security Features
  Salesforce: Connection via SSL/TLS, individual user sessions, unique IDs with re-verification, logical separation of each customer's data
  Workday: SSL v3 / TLS sessions, Single Sign-On and X.509 certificate authentication for web and service integrations, delegated authentication with perimeter-level defense and network intrusion prevention

Termination or Renewal
  Salesforce: Master Service Agreement 2016
  Workday: Workday Master Service Agreement

Provision of SLA Reports
  Salesforce: 24x7 available, real-time for the customer
  Workday: Available and customized as required

Copyright
  Salesforce: Customer violation reporting
  Workday: Infringement on data content, DMCA policy

Service & Support
  Salesforce: Phone, chat, online, email
  Workday: Phone, chat, online, email

Resolution Times
  Salesforce: 24x7
  Workday: 24x7

Service Credits
  Salesforce: As per non-availability of the application, with exclusions
  Workday: Available as per the agreed SLA and payment terms (no refunds)

Note that SSL v3, still listed in the Workday security features above, has since been deprecated (RFC 7568, 2015) because of the POODLE padding-oracle attack; a CSA negotiated today should require TLS 1.2 or later for all sessions and integrations.

Apart from the agreement features above, major points of discussion and disagreement are known to come up during cloud negotiations between vendors and clients. Some of these questions, an essential part of SLA negotiation engagements, are listed below.

● Responsibility for damages from interruptions in service delivery?
Cloud providers for the most part refuse to accept liability for violations or service delivery failures, and at times even large corporate clients face difficulty in getting cloud providers to confirm monetary liability or pass on credits. The CSA should specify this aspect explicitly.

● Service level agreement availability level and performance?
SLA contracts should clearly state the commitments on service availability and five to six measurable performance parameters, adjusted according to the pricing tier: the more the client pays, the better the performance that should be guaranteed.

● Does service availability extend to client data?
While cloud service providers highlight redundancy and fault tolerance, clients want due diligence and data content security. SLAs should include the necessary backups, data integrity guarantees, and defined liability and procedures for data loss.

● Physical location of client data?
Data protection regulations (in the EU and US in particular) restrict keeping data outside defined geographical boundaries, which makes it mandatory for providers to disclose their data center locations and for clients to perform due diligence to verify where their data is stored.

● Avoiding vendor lock-in and exiting if required?
Exit plans should be clearly defined in the SLA before proceeding with any cloud engagement. Vendors may charge early termination fees to recover their fixed setup costs, so exit and renewal provisions should be negotiated upfront. Using multiple service providers reduces reliance on a single provider and is always a better option to have at hand.

● Maintenance of data for legal and compliance purposes and during exit?
Which party maintains and manages data retention for legal and compliance purposes needs to be discussed with providers, along with the assistance they can offer clients. This could include maintaining multiple backups, long-term storage, and a defined period after service termination during which data can be recovered before final deletion.

● Providers changing terms of service?
Most SLAs have no change clause, which allows service providers to change some or at times all of the agreement terms unilaterally, forcing the client to accept the new terms and services. Clients should negotiate advance notification of any such changes.

● Maintaining intellectual property rights (IPR)?
Service provider terms may require sharing detailed designs, code, and documentation when integrating client applications with data center systems. This may even extend to IPR ownership that lets the provider use the client application after contract termination or transfer. Another contentious issue is ownership of service enhancements arising from client suggestions or bug fixes; the provider should not make these available to competitors.

● Specify grounds for service termination
Delay or non-payment is the primary reason for terminating contracts; however, service providers may also stop service for breaches of acceptable use policies, third-party complaints, and IPR breaches.

4.5. Proposed Framework for Cloud Service Agreement (CSA)

The main objective of this proposed framework is to capture the consequences of the decision-making process for the Cloud Service Agreement from single and multiple perspectives, with their dependencies, along two main aspects, as described in Fig. (8.2).

[Fig. 8.2 flowchart, two columns. Process aspect: IT Service Evaluation → IT vs. Cloud Service Assessment → Cloud Assessment → SLA Review → Assess Cloud Computing Deployment Models → Survey Public Cloud Vendor offers / Survey Private Cloud Vendor offers → Choose Service Provider. Decision aspect: decision point "IT Support or Cloud Computing?" with outcome Traditional IT Operations or Cloud Assessment; decision point "Go for Public or Private Cloud?" with outcomes Choose Service Provider and adopt Unilateral SLA (paired in the figure with the public cloud branch) or Choose Service Provider and adopt Bilateral SLA (paired with the private cloud branch). Legend: decision point, decision outcome.]

Fig. (8.2). Proposed Cloud Computing Service Agreement Framework.





Process: the steps involved in cloud computing outsourcing when deciding between traditional IT support services and cloud computing. Cloud service consumers decide on IT services not by the nature of the SLA but for business reasons (seeking better services): faster product delivery, dynamic scaling of IT operations, and economic parameters (such as billing, as described in the tables of proposed cloud parameters). These are used to convert capital IT investments into pay-as-you-use expenses.

Decisions: the negotiating decision points in the cloud computing agreement, i.e. whether governance is managed unilaterally or bilaterally. After a cloud provider is finalized, a cloud deployment model needs to be chosen, which means deciding between a private cloud and a public cloud provider. The criteria involved are the degree of customization of the service agreement, the negotiation required to obtain the service agreement, the anticipated governance model, and finally the IT service visibility expected by the cloud consumers. During the cloud agreement signing phase, the cloud service client can choose one of the following service agreements:

● Unilateral Service Agreements are documented by assessing the organization's service capability to determine internal cloud awareness, comparing the cloud agreements of different providers, and finally formulating metrics to monitor the cloud provider's performance with regard to availability, uptime, escalations, and bandwidth latency.
● Bilateral Service Agreements are determined by the cloud service provider and the cloud service consumer together to form a service relationship. The relationship structure takes into account the expectations and responsibilities drawn up, as well as the degree of customization delivered by the cloud service provider, and is defined as part of the service provisioning agreement.

[Fig. 8.3 flowchart, two columns. Process aspect: IT Service Evaluation → IT Service Assessment → Cloud Assessment → SLA Review → Combined Deployment (Survey Cloud offers, Assess Cloud deployment models) → Survey Public Cloud Vendor offers / Survey Private Cloud Vendor offers. Decision aspect: decision point "ITC or Cloud Computing?" with outcome Traditional IT Operations or Cloud Assessment; "Adopt SLA – Unilateral / Bilateral"; decision point "Service Provider?" with outcomes Adopt Unilateral SLA or Adopt Bilateral SLA. Legend: decision point, decision outcome.]

Fig. (8.3). Proposed Integrated Cloud Computing Framework.

Alternatively, an Integrated Cloud Computing Framework is also proposed here, which improves upon the previous framework, as presented in Fig. (8.3).

CONCLUSION

In this chapter, service agreements for cloud computing services were reviewed, along with the requirements of cloud SLAs, proposed metrics for the various cloud-based models, and a comparison of current major cloud service providers. Based on this analysis, there is a genuine need for a resilient, robust approach to handling cloud SLAs or CSAs. The lack of cloud service agreement standards becomes more significant when performance monitoring across different cloud models is required. The framework presented here can be extended along several lines. From the research method perspective, our exploratory approach should evolve into theory building and hypothesis testing as more empirical data about cloud adoption becomes available. From the research output perspective, we are currently working on extensions regarding different service and deployment models, the relative importance of cloud service elements related to industry-specific features, and new aspects and perspectives in enterprise modeling for cloud outsourcing decisions. For future work on CSA frameworks, researchers can look into standardizing cloud service agreement models by proposing further metrics for SLA monitoring together with a standardized SLA monitoring framework. Cloud SLA pricing models can be investigated further as well.

DISCLOSURE

"Part of this chapter has previously been published in Designing a Framework for Cloud Service Agreement for Cloud Environments, in International Journal of Cloud Applications and Computing, 2016, vol. 06, no. 04, pp 83-96".

CONSENT FOR PUBLICATION

Not applicable.

CONFLICT OF INTEREST

The authors declare no conflict of interest, financial or otherwise.

ACKNOWLEDGEMENT

Declared none.

REFERENCES

National Institute for Standards and Technology (2011). NIST Cloud Computing Reference Architecture NIST Special Publication 500-292 - Recommendations of the National Institute of Standards and Technology. Retrieved November 3, 2016, from, www.nist.gov/customcf/get_pdf. cfm?pub_id=909505

[2]

SoftLayer Technologies (2016). Cloud Service Agreement. SL CSA Z126-6304-SoftLayerWW-7 and i16-6605-09 (10-2016). SoftLayer, an IBM Company. Retrieved November 3, 2016, from, http://www.softlayer.com/sites/default/files/assets/page/softlayer-csa.pdf

[3]

Clouds Standard Customer Council (2014), Practical Guide to Cloud Computing Version 2.0. Retrieved November 3, 2016, from, http://www.cloud-council.org/deliverables/CSCC-PracticalGuide-to-Cloud-Computing.pdf

[4]

Mactores (2016). Cloud Vendor Decision Framework. Retrieved November 3, 2016, from, http://www.mactores.com/services/cloud-vendor-decision-framework

Designing A Framework

New Age Cyber Threat Mitigation for Cloud Computing Networks 113

[5]

A.A. Ibrahim, D. Kliazovich, and P. Bouvry, "Service Level Agreement Assurance between cloud services providers and cloud customers", 16th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (CCGrid), 2016. [http://dx.doi.org/10.1109/CCGrid.2016.56]

[6]

G.J. Mirobi, and L. Arockiam, "Service Level Management in cloud computing", International Conference on Control, Instrumentation, Communication and Computational Technologies (ICCICCT), pp. 376-387, 2015. IEEE. [http://dx.doi.org/10.1109/ICCICCT.2015.7475308]

[7]

C.M. Costa, C.R. Leite, and A.L. Sousa, "Service response time measurement model of service level agreements in cloud environment", IEEE International Conference on Smart City/SocialCom/SustainCom (SmartCity), 2015. [http://dx.doi.org/10.1109/SmartCity.2015.196]

[8]

A. Mohamadi, and S. Barani, "A review on approaches in Service Level Agreement in Cloud Computing Environment", 4th Iranian Joint Congress on Fuzzy and Intelligent Systems (CFIS), 2015. [http://dx.doi.org/10.1109/CFIS.2015.7391639]

[9]

Z. Li, L. O’Brien, and R. Ranjan, "Xana: An end user software product line framework for Smart Spaces", 49th Hawaii International Conference on System Sciences (HICSS), 2016. [http://dx.doi.org/10.1002/9781118821930.ch29]

[10]

F. Fowley, C. Pahl, P. Jamshidi, D. Fang, and X. Liu, "A Classification and Comparison Framework for Cloud Service Brokerage Architectures", IEEE Trans. Cloud Comput., vol. 6, no. 2, pp. 358-371, 2018. [http://dx.doi.org/10.1109/TCC.2016.2537333]

[11]

L. Ashok, and D. Mukhopadhyay, "Single Gateway Negotiation for cloud service during Service Level Agreement", International Conference on Information Technology (ICIT), 2015. [http://dx.doi.org/10.1109/ICIT.2015.15]

[12]

S. Mittal, K.P. Joshi, C. Pearce, and A. Joshi, "Automatic extraction of metrics from SLAS for Cloud Service Management", IEEE International Conference on Cloud Engineering (IC2E), 2016. [http://dx.doi.org/10.1109/IC2E.2016.14]

[13]

K. Xiong, and X. Chen, "Ensuring Cloud Service guarantees via Service Level Agreement (sla)-based resource allocation", IEEE 35th International Conference on Distributed Computing Systems Workshops, 2015. [http://dx.doi.org/10.1109/ICDCSW.2015.18]

[14]

S. Anithakumari, and K. Chandrasekaran, "Monitoring and management of Service Level Agreements in cloud computing", International Conference on Cloud and Autonomic Computing, 2015. [http://dx.doi.org/10.1109/ICCAC.2015.28]

[15]

C. Wang, L. Sun, and H. Chen, "The Cloud Service Agent Model based on Service Level Agreement", International Conference on Network and Information Systems for Computers, 2015. [http://dx.doi.org/10.1109/ICNISC.2015.70]

[16]

W. Hussain, F.K. Hussain, O. Hussain, and E. Chang, "Profile-based Viable Service Level Agreement (SLA) violation prediction model in the cloud", 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC), 2015. [http://dx.doi.org/10.1109/3PGCIC.2015.106]

[17]

M. Alhamad, T. Dillon, and E. Chang, "Conceptual SLA framework for cloud computing", 4th IEEE International Conference on Digital Ecosystems and Technologies, pp. 606-610, 2010. [http://dx.doi.org/10.1109/DEST.2010.5610586]

New Age Cyber Threat Mitigation for Cloud Computing Networks, 2023, 114-132

CHAPTER 9

Comparing Single-Tier And Three-Tier Infrastructure Designs Against DDoS Attacks

Abstract: With the rise in cyber-attacks on cloud environments such as brute force, malware, and Distributed Denial of Service attacks, information security officers and data center administrators have a monumental task. Starting from the need to safeguard client data and the data center itself and to ensure cloud service availability, the team must give the highest priority to the service delivery performance and functionality offered to service consumers. Organizations design data centers and service delivery to maximize device provisioning and availability, improve application performance, and support server virtualization, and end up securing data centers with security solutions at the internet edge. These security solutions prove largely inadequate during a DDoS cyber-attack. In this chapter, a traditional data center design is compared with the proposed three-tier data center architecture. The author performed DDoS attacks on both architectures to determine their resilience by measuring Real User Monitoring parameters and then validated the data using a parametric t-test.

Keywords: DDoS, Data Center, ICMP, LOIC, RUDY, Single Tier, Slowloris, Three Tier.

1. INTRODUCTION

Modern-day cybercrime attacks are specific, targeted, and designed to compromise high-value customer data, including personal and financial data and corporate intellectual property. Distributed denial of service attacks are not aimed only at bringing down network infrastructure, hogging bandwidth, or compromising applications; bigger dangers lurk behind these attacks, targeting data security. Data center designs have evolved in recent times, migrating from in-house private hosting centers with physical servers to hybrid clouds spread across multiple locations with Software Defined Networks (SDNs), virtualized hosts, and Application Centric Infrastructure (ACI) running automation for IT recovery and detection tasks, dynamically accelerating application deployments with a DevOps policy model for network, storage, servers, and services. Designing secure data centers has now become mandatory as well as challenging.

Akashdeep Bhardwaj
All rights reserved-© 2023 Bentham Science Publishers


The motivation for this research is twofold. First, it aims at designing a secure data center architecture. Second, because security implementations are highly complex, one-off customized deployments built to each client's requirements, network architects and cloud providers tend to lean towards accelerating application and service delivery, dynamic scalability, resource availability, reduced operating costs and increased business agility. Cloud providers tend to keep security at a low priority, which results in security gaps that impact both security and performance. Real-time protection, Internet peering, or the use of dedicated protection technology right at the data center edge routers, checking the inbound traffic, seems to be the best way to mitigate DDoS attacks targeting the protected businesses proactively.

2. LITERATURE SURVEY

Lone et al. (2013) [1] deployed a virtual machine-based intrusion detection with a graphical interface to monitor cloud fusion alerts, using the Eucalyptus cloud architecture for the front end and a MySQL database for the back end. Attacks are captured by the Barnyard tool while using SNORT for signature-based DDoS rules. The Stacheldraht tool is utilized for generating resource depletion data packets. These packets consist of UDP, TCP SYN, and ICMP floods. The attack packets are captured during the attack and stored in the central MySQL database. However, a limitation of this signature-based approach is that unknown or zero-day attacks could not be detected.

Bakshi et al. (2010) [2] proposed an intrusion detection system based on signature detection for DDoS, using virtual machines running SNORT to analyze real-time inbound traffic. The defense framework identifies the attacker's IP address and auto-scripts an Access Control List configuration for dropping all packets from that IP address and blacklisting it immediately.

Gul et al. (2011) [3] have mentioned that an intrusion detection model that analyzes and reports on the attack packets is utilized to handle a large packet flow. These reports should be shared with the cloud actors involved. To improve the performance of the Intrusion Detection System, multi-threading techniques are used. The final evaluation concluded that a multi-threaded deployment is more efficient than a single-threaded deployment.

116 New Age Cyber Threat Mitigation for Cloud Computing Networks

Akashdeep Bhardwaj

Shamsolmoali et al. (2014) [4] proposed using a statistical filtering system with two levels of filtering. The first level of filtering involves extracting the header fields of incoming data packets, then comparing the time to live (TTL) value with a predetermined hop count value. If the values are not similar, the packet is deemed to be spoofed and immediately dropped. The second level of filtering involves comparing the incoming packet header with a stored normal profile header.

Zakarya (2013) [5] proposed an entropy-based detection technique that identifies the attack flow based on the distribution ratio, using an attack packet dropping algorithm. The entropy rate identifies the attack flow, and the packets are dropped if the DDoS is confirmed. CloudSim simulation shows an accuracy of almost 90%.

Vissers et al. (2014) [6] utilized a Gaussian model to defend against application-layer attacks on cloud services using a parametric technique. Malicious XML content in user requests inside SOAP messages resulted in DDoS attacks. Initially, the detection involves HTTP header inspection to detect any HTTP floods, and SOAP action inspection. Then the XML content processing action is checked for spoofing by comparing it with previous data. While this works very well for existing DDoS attacks, the disadvantage is the inability to detect new-age threat vectors arising from new request schematics.

Girma et al. (2015) [7] proposed a hybrid statistical model to classify the DDoS attack pattern using an entropy-based system and a covariance matrix measuring the heightened data dependency. Similarly, Ismail et al. (2013) [8] proposed a dual-phase mathematical model with a covariance matrix for detecting DoS attacks on cloud application services. The first phase involves baselining the normal traffic pattern by mapping it into a covariance matrix. The next phase compares the current traffic with the baseline traffic pattern. Using game theory, Bedi and Shiva (2012) [8] proposed securing cloud infrastructure from DDoS attacks; the legitimate and malicious virtual machine behaviors are modeled with a game-inspired firewall defense.

Huang et al. (2013) [9] proposed a multi-stage detection and text-based system with a Turing test to mitigate HTTP request flooding attacks.
The system works in a modular fashion: the source checking and counting modules intercept incoming packets, the DDoS attack detection module checks for the DDoS attack, and the Turing test module challenges the packets with text-based questions and answers to determine whether the packet is suspicious. The attack detection module retrieves and records the traffic behavior of each virtual cluster to spot any suspicious traffic behavior by the inbound data packets. The text-based Turing test module receives the redirected blocked packets and presents a randomly selected question to the requester. Access is granted only if the question is answered correctly. The question pool is updated regularly, and the system runs on a Linux kernel. The performance test suggested a low reflection ratio and high efficiency.
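The two-level filter surveyed for Shamsolmoali et al. [4] (TTL/hop-count check, then header profile check), as an added example that is not code from the chapter or the cited paper; the initial-TTL defaults, the class and function names, and the sample packets are assumptions constructed for the demonstration.

```python
# Added example (not the chapter's own code): hop-count filtering. The hop
# count a packet travelled is inferred from its IP TTL and compared with a
# per-source hop-count table learned from a clean traffic window; a mismatch
# marks the packet as spoofed. A second level compares the packet header
# with the stored normal profile for that source.
from collections import Counter, defaultdict

# Common operating-system initial TTL values (assumed defaults).
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hop_count(ttl):
    """Hops travelled, assuming the smallest default initial TTL >= ttl."""
    if not 0 <= ttl <= 255:
        raise ValueError("TTL must be in 0..255")
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise AssertionError("unreachable: 255 always matches")


class HopCountFilter:
    """Two-level filter: TTL/hop-count check, then header-profile check."""

    def __init__(self, tolerance=0):
        self.hop_table = {}         # source IP -> expected hop count
        self.profile = {}           # source IP -> expected (proto, dst port)
        self.tolerance = tolerance  # allowed hop-count drift (route changes)

    def learn(self, packets):
        """Build the hop-count table and header profile by majority vote."""
        hops = defaultdict(Counter)
        headers = defaultdict(Counter)
        for p in packets:
            hops[p["src"]][infer_hop_count(p["ttl"])] += 1
            headers[p["src"]][(p["proto"], p["dport"])] += 1
        for src in hops:
            self.hop_table[src] = hops[src].most_common(1)[0][0]
            self.profile[src] = headers[src].most_common(1)[0][0]

    def classify(self, p):
        """Return 'spoofed', 'anomalous-header', 'unknown' or 'legit'."""
        expected = self.hop_table.get(p["src"])
        if expected is None:
            return "unknown"           # no learned route for this source
        if abs(infer_hop_count(p["ttl"]) - expected) > self.tolerance:
            return "spoofed"           # level 1: TTL does not fit learned route
        if (p["proto"], p["dport"]) != self.profile[p["src"]]:
            return "anomalous-header"  # level 2: header differs from profile
        return "legit"

    def filter(self, packets):
        """Split packets into (passed, dropped) lists of (packet, verdict)."""
        passed, dropped = [], []
        for p in packets:
            verdict = self.classify(p)
            (passed if verdict in ("legit", "unknown") else dropped).append((p, verdict))
        return passed, dropped


# Constructed sample traffic (documentation addresses, not real hosts).
CLEAN_WINDOW = [
    {"src": "198.51.100.7", "ttl": 52, "proto": "tcp", "dport": 443},
    {"src": "198.51.100.7", "ttl": 52, "proto": "tcp", "dport": 443},
    {"src": "198.51.100.7", "ttl": 51, "proto": "tcp", "dport": 443},
    {"src": "203.0.113.9", "ttl": 117, "proto": "tcp", "dport": 443},
    {"src": "203.0.113.9", "ttl": 117, "proto": "tcp", "dport": 443},
]

SUSPECT_WINDOW = [
    {"src": "198.51.100.7", "ttl": 52, "proto": "tcp", "dport": 443},   # genuine
    {"src": "198.51.100.7", "ttl": 240, "proto": "tcp", "dport": 443},  # spoofed source
    {"src": "203.0.113.9", "ttl": 117, "proto": "udp", "dport": 53},    # wrong header profile
    {"src": "192.0.2.33", "ttl": 61, "proto": "tcp", "dport": 443},     # never seen in training
]


def run_demo():
    """Learn from the clean window, then filter the suspect window."""
    hcf = HopCountFilter(tolerance=1)
    hcf.learn(CLEAN_WINDOW)
    return hcf.filter(SUSPECT_WINDOW)


if __name__ == "__main__":
    for packet, verdict in run_demo()[1]:
        print(f"dropped {packet['src']} ttl={packet['ttl']}: {verdict}")
```

Sources not present in the learned table are passed through here; a deployment would fall back to the second-level profile or rate limits for them.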


Chen et al. (2009) [10] proposed a three-layer DDoS defense mechanism based on web services. It combines web server characteristics with statistical filtering using the Simplified Hop Count Filtering algorithm (SHCF) and a SYN proxy firewall at the network, transport, and application layers to filter malicious traffic and secure access for legitimate traffic. Traffic limiting at the application layer is also applied inside a Linux kernel. These collaborative defense mechanisms provide sustained availability of web services and can defend against DDoS attacks effectively.

Xiao et al. (2009) [11] proposed an effective approach against DDoS attacks based on the three-way handshake process. The proposal is based on discarding the first inbound handshake requests, since these requests consume computing resources. This ensures that normal network requests can still be served, allowing new client requests even during a DDoS attack, thereby raising the environment's overall security capability and protecting the system against DDoS attacks.

Durcekova et al. (2012) [12] focused on application layer DDoS attack detection; these attacks have more impact than the traditional network layer denial of service attacks. The work describes DoS/DDoS attacks, aims at detecting application layer denial of service attacks, and then proposes a few methodologies for application layer attack detection. While most current effort focuses on detecting network and transport layer attacks, two detection architectures for web application traffic monitoring are proposed to discover any dynamic changes in the normal traffic trends.

Akbar et al. (2015) [13] proposed a novel scheme based on Hellinger distance (HD) to detect low-rate and multi-attribute DDoS attacks, leveraging the SIP load balancer for detecting and mitigating DDoS attacks. Usually, DDoS detection and mitigation schemes are implemented in the SIP proxy; the proposed scheme instead uses the existing load balancing features of the SIP load balancer and is implemented by modifying the leading open-source Kamailio SIP proxy server. The scheme is evaluated in an experimental test setup, and the results outperform the existing DDoS prevention schemes for system overhead, detection rate, and false-positive alarms.

Selvakumar et al. (2015) [14] proposed application layer DDoS attack detection using logistic regression to model user behavior. Current solutions can detect only limited application-layer DDoS attacks; this approach can detect all types of application-layer DDoS attacks, which tend to have huge complexities. To find an effective solution for the detection of application-layer DDoS attacks, normal user browsing behavior needs to be re-modeled so that a normal user and an attacker can be differentiated. This method uses feature construction and logistic regression to model normal web user behavior to detect application-layer DDoS attacks. The performance of the proposed method is evaluated in terms of metrics such as total accuracy, false-positive rate, and detection rate. Comparing the logistic regression solution with the existing method revealed results better than any of the current models in place.

A simulation study of application-layer DDoS attacks is performed by Bhandari et al. (2015) [15]. The impact of web service application layer DDoS attacks is determined using the GNS2 simulator for a web cache model. These web attacks are launched against the server's capacity to handle requests, to determine whether any legitimate users would be impacted in receiving the required web application services. Transaction throughput, successful HTTP transactions, server queue utilization by legitimate users, transaction drops, and transaction survival ratio metrics are calculated to measure the attack's impact.

3. DDOS ATTACK IMPLEMENTATION

3.1. Architecture Design and Implementation

The author implemented two infrastructure architectures for cloud-based hosting of SaaS environments to test the proposed theory against DDoS attacks. The infrastructure designs are attacked at the network and application layer with increasing ICMP packet size (3700 → 3805 bytes), and Real User Monitoring parameters are measured as the criteria to determine the performance and response of the two architectures during a DDoS attack. The application layer attack is performed with an HTTP GET flood attack, where the thread count is increased for each request, together with a slow-socket HTTP attack. The logs are gathered using Wireshark as the sniffer in the network infrastructure.

The first infrastructure is implemented with the same inbound and outbound exit gateway, which implies synchronous routing, as illustrated in Fig. (9.1). This is implemented as a standard single-tier data center design hosting a front-end web application portal and a backend SQL database as a private cloud data center designed on a single-tier network infrastructure. Chapter five refers to the single-tier infrastructure design.

The second infrastructure implemented is the proposed secure three-tier data center design; this design comprises three tiers with different locations and IP addressing schemes, connected with secure internal VPN links. This simulated hybrid cloud architecture consists of two public clouds and one private cloud data center, as displayed in Chapter 5. The first tier (Data Center #1) is configured for network layer 3 & 4 defense with only simple load balancer features. The first tier is a private data center with network defenses to mitigate flood and volumetric attacks that could otherwise lead to network saturation issues. The network-level attacks are ICMP (ping), UDP, or SYN floods. The second tier (Data Center #2) is configured for application layer seven defense using a Web Application Firewall and load balancing rules to maintain inbound user sessions. SSL termination and defenses for DNS poisoning, ARP spoofing, POST floods, and malware detection are performed here. After network and application attack cleanup in tier #1 and tier #2, only legitimate users remain in the remaining traffic; these users are then directed to a hardened web server hosting only terminal services. Only by using this jump box, with two-factor authentication, can the users access the web application. The third tier (Data Center #3) is the data center hosting the web portal and database simulating the SaaS application for the users. Portal access is allowed only from the jump box, and outbound traffic routes are configured to exit from the second tier instead of returning along the original inbound route.

The data center infrastructure implementation involved hardware and software, as described below. The two designs are implemented with routing, switching, and firewall services. Imperva WAF is used with VMware virtual machines running web application portals on .NET and IIS using Microsoft Windows Server OS and SQL Database Server as the backend. The hardware and software used for the implementation are as follows.

● Network layer – Cisco 3600 Router, Cisco 3550 switches, F5 Big IP Load Balancer 4200v LTM
● Defense Firewalls – Cisco ASA 5506-X, Imperva Web Application Firewall
● Bare Metal Server – Dell i5 quad-core, 16 GB RAM, 500 GB storage space
● Virtualization – VMware Workstation ver10
● Application Servers – Windows Server 2008 OS 64-bit with .NET, IIS & SQL 2008 Database

DDoS Attack Tools

● Low Orbit Ion Cannon (LOIC) – UDP, TCP, HTTP GET request attacks
● R.U.D.Y – slow layer seven attacks using HTTP POST requests with abnormally long content-length headers
● Slowloris – opens multiple connections for as long as possible, sends partial HTTP requests that never actually get completed, and ends up slowly consuming the target server's maximum concurrent connection pool and sockets, which often goes undetected.

4. PERFORMANCE ANALYSIS

DDoS attacks were performed on the single-tier and the proposed three-tier infrastructure architecture. Results were gathered for real user monitoring parameters during the network attacks and validated using the T-Test hypothesis.

4.1. Single Tier Logs and Data Analysis

Fig. (9.3) illustrates the data and graphs for the network firewall and application layer logs for the DDoS attack performed on the single-tier data center architecture, to determine its resilience in handling DDoS attacks. In Fig. (9.1) below, network firewall defense is implemented after attack #2, with ICMP, Page Load, Browser Throughput, and Application Response as the key values.

Fig. (9.1). Single Tier Network Attack Parameters.

Fig. (9.2) illustrates the Real User Monitoring values obtained during an application layer attack on the single-tier network infrastructure. Application firewall defense is implemented after attack #2, with ICMP, Page Load, Browser Throughput, and Application Response as the key values.

Fig. (9.2). Single Tier Architecture - Application attack logs.


Results of the single-tier architecture attacks obtained before and during the DDoS attack are presented in the graph in Fig. (9.3). The average ICMP, Browser Throughput, Page Load Response, and Application server response are presented below. This data is obtained from Figs. (9.1 and 9.2).

[Figure: bar chart “Single Tier Architecture Attack Results”; x-axis Attack#1 to Attack#7; y-axis 0 to 7000; series: Average of Average ICMP (ms), Average of Page Load Response (ms), Average of Browser Throughput (rpm), Average of App server response (ms).]
Fig. (9.3). Single Tier Network Attack Results.

4.2. Three-Tier Logs and Data Analysis

DDoS attacks are performed on the designed network architectures, and network and application results are obtained before and after the attack scenarios. Network attacks like the ICMP flood are made with 1000 ICMP echo requests, with increasing buffer size from 3700 bytes to 3805 bytes. Application attacks like the HTTP flood attack increase the thread count using “GET /app/?id = 437793 msg = BOOM%2520HEADSHOT! HTTP/1.1 Host: IP”, and slow socket buildup simulating slow web attacks is performed using Perl. Logs and data gathered from the network firewall for each attack are displayed in Fig. (9.4). Results of the three-tier architecture attacks obtained before and during the DDoS attack are presented in the graph in Fig. (9.5). The average ICMP, Browser Throughput, Page Load Response, and Application server response are presented below. The graph in Fig. (9.6) presents the results of the three-tier architecture attacks obtained before and during the DDoS attack for ICMP Response.


Fig. (9.4). Three-Tier Architecture Attack Logs.

[Figure: bar chart “Three Tier Network Architecture Attack Results”; x-axis “Attacks”; y-axis “Real User Parameter Values”, 0.00 to 8000.00; series: Average ICMP (ms), Page Load Response (ms), Browser Throughput (rpm), App server response (ms).]
Fig. (9.5). Three-Tier Network Architecture Attack Results.

Results of Three Tier Architecture attacks obtained before and during DDoS attacks for Page Load Response are presented in the graph in Fig. (9.7) below. Results of Three Tier Architecture attacks obtained before and during the DDoS attack for Browser Throughput are presented in Fig. (9.8) below.

[Figure: bar chart “Average ICMP (ms)”; x-axis Attack#1 to Attack#7; y-axis “ICMP Response (ms)”, 0.00 to 8000.00; series: Network Defense, Application Defense, Three Tier Architecture. The plotted values are tabulated in Table 9.3.]
Fig. (9.6). Real User Monitoring – Average ICMP for Single and Three-Tier Architectures.

[Figure: bar chart “Page Load Response (ms)”; x-axis Attack#1 to Attack#7; y-axis “Web Page Load Response (ms)”, 0.00 to 70.00; series: Network Defense, Application Defense, Three Tier Architecture. The plotted values are tabulated in Table 9.6.]
Fig. (9.7). Real User Monitoring – Page Load response for Single and Three-Tier Designs.

[Figure: bar chart “Browser Throughput (rpm)”; x-axis Attack#1 to Attack#7; y-axis “Browser Throughput (rpm)”, 800.00 to 1800.00; series: Network Defense, Application Defense, Three Tier Architecture. The plotted values are tabulated in Table 9.9.]
Fig. (9.8). Real User Monitoring – Browser Throughput for Single and Three-Tier Designs.


Results of the three-tier architecture attacks obtained before and during DDoS attacks for Application Server Response are presented in Fig. (9.9) below.

[Figure: bar chart “Application Server Response (ms)”; x-axis Attack#1 to Attack#7; y-axis “Application Server Response (ms)”, 700.00 to 1700.00; series: Network Defense, Application Defense, Three Tier Architecture. The plotted values are tabulated in Table 9.12.]
Fig. (9.9). Real User Monitoring – Application Server Response.

The graph in Fig. (9.10) displays the availability trend metrics obtained after performing the DoS attacks on the two architectures for the network and application layer designs.

[Figure: horizontal bar chart “SaaS Availability Monitor”; y-axis “DDoS Attacks performed”, Attack#1 to Attack#7; x-axis “SaaS Availability parameter”, 0.00 to 7000.00; series: Three Tier Architecture, Application Defense, Network Defense.]
Fig. (9.10). Real User Monitoring – Application Server Response.

5. PERFORMANCE DATA VALIDATION

The author also performed a parametric statistical T-test to validate the Real User Monitoring data obtained from the single and three tier architecture attacks. The primary reason is to ensure there are no violations of the assumptions for data represented as a random sample from the test population: the distribution of sample means is normal, and the variances of the different real user parameters are very similar. If the data violate these assumptions, the authors may commit a Type I error more or less often than the alpha probability indicates.

Interpreting the T-Test Results

Table 9.1 presents the T-Test parameters used for validation and interpretation of the test results.

Table 9.1. T-Test Validation parameters.

t        Denotes the T-Test
DF(x)    Denotes the degrees of freedom for the number of tests performed
x.xx     Denotes the ‘T-Statistic’ value of the calculations

Table 9.2 describes the T-Test null hypothesis for the chances of A = B or A ≠ B.

Table 9.2. Defining T-Test Null Hypothesis.

p ≤ 0.05    Not likely to be a result of chance and A ≠ B, so the difference is significant; the null hypothesis is incorrect, hence the null is rejected, and there is a relationship between A and B
p ≥ 0.05    Likely to be chance and A = B, so there is no significant difference; the null hypothesis is correct, hence we fail to reject the null, and there is no relationship between A and B

5.1. T-Test Validation for Average ICMP

Table 9.3 presents the average PING or ICMP packet time in milliseconds for the single and three tiers implemented in this research.

Table 9.3. Average ICMP for Single Tiers and Three Tiers.

Average ICMP (ms)
Attack#     Network Defense    Application Defense    Three Tier Architecture
Attack#1    6690.08            6512.77                7105.46
Attack#2    2852.75            4166.33                1682.83
Attack#3    2823.75            4165.92                1691.67
Attack#4    2813.58            4031.92                1703.00
Attack#5    2839.67            4125.50                1713.25
Attack#6    2817.33            4101.67                1681.92
Attack#7    2874.67            4141.58                1705.25

T-Test Summary

Table 9.4 presents the maximum, minimum, mean and standard deviation along with missing and not-missing data for 90 observations.

Table 9.4. T-Test Summary of Mean-Standard Deviation.

Variable    Observations    Missing Data    Not missing Data    Minimum     Maximum     Mean        Standard Deviation
6545        90              0               90                  2618.000    6995.000    3342.400    1330.157
7655        90              0               90                  1523.000    7993.000    2406.511    1860.344

95% Confidence interval (CI) on the difference between the two means: [806.553, 1065.225].

Table 9.5 presents the calculation of the T-Test for the two paired sample data (Single Tier and Three Tiers).

Table 9.5. T-test for Two Paired Sample Data (Single Tier and Three Tiers).

Difference                935.889
Observed value (t)        14.378
Critical value (|t|)      1.987
Degree of Freedom (DF)    89
Two-tailed P-value        < 0.0001
The ALPHA                 0.05

Test Interpretation
H0: the difference between the two means = 0
Ha: the difference between the two means ≠ 0
The P-value is lower than the significance level alpha (0.05), which infers that H0, the null hypothesis, can be rejected, and the alternative hypothesis (Ha) is accepted.
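The paired two-sample T-test of Tables 9.4 and 9.5 carried through in code, as an added example that is not the chapter's own tooling: the Student t distribution is computed from the regularized incomplete beta function so that nothing beyond the Python standard library is needed, and the sample run uses the per-attack Average ICMP values from Table 9.3 (the chapter's own statistics were computed on 90 raw observations per parameter, which the table does not reproduce). The function names are assumptions.

```python
# Added example (not the chapter's own code): paired t-test, two-tailed
# p-value, critical |t| and confidence interval, as used in Section 5.
import math


def _betacf(a, b, x, max_iter=300, eps=1e-15):
    """Continued fraction for the incomplete beta function (modified Lentz)."""
    tiny = 1e-300
    qab, qap, qam = a + b, a + 1.0, a - 1.0
    c = 1.0
    d = 1.0 - qab * x / qap
    d = 1.0 / (tiny if abs(d) < tiny else d)
    h = d
    for m in range(1, max_iter + 1):
        m2 = 2 * m
        aa = m * (b - m) * x / ((qam + m2) * (a + m2))
        d = 1.0 + aa * d
        d = 1.0 / (tiny if abs(d) < tiny else d)
        c = 1.0 + aa / c
        c = tiny if abs(c) < tiny else c
        h *= d * c
        aa = -(a + m) * (qab + m) * x / ((a + m2) * (qap + m2))
        d = 1.0 + aa * d
        d = 1.0 / (tiny if abs(d) < tiny else d)
        c = 1.0 + aa / c
        c = tiny if abs(c) < tiny else c
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < eps:
            break
    return h


def betainc(a, b, x):
    """Regularized incomplete beta function I_x(a, b)."""
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    log_front = (math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
                 + a * math.log(x) + b * math.log(1.0 - x))
    front = math.exp(log_front)
    if x < (a + 1.0) / (a + b + 2.0):
        return front * _betacf(a, b, x) / a
    return 1.0 - front * _betacf(b, a, 1.0 - x) / b


def two_tailed_p(t, df):
    """P(|T| >= |t|) for Student's t with df degrees of freedom."""
    return betainc(df / 2.0, 0.5, df / (df + t * t))


def critical_t(df, alpha=0.05):
    """Two-tailed critical |t| (1.987 for df = 89, alpha = 0.05), by bisection."""
    lo, hi = 0.0, 1000.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if two_tailed_p(mid, df) > alpha:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def confidence_interval(mean_diff, se, df, alpha=0.05):
    """(1 - alpha) CI on the mean difference, as reported under Table 9.4."""
    half = critical_t(df, alpha) * se
    return (mean_diff - half, mean_diff + half)


def paired_t_test(a, b, alpha=0.05):
    """Paired t-test of H0: mean(a - b) = 0 against Ha: mean(a - b) != 0."""
    if len(a) != len(b) or len(a) < 2:
        raise ValueError("need two equally long samples with at least 2 pairs")
    diffs = [x - y for x, y in zip(a, b)]
    n = len(diffs)
    mean = sum(diffs) / n
    var = sum((d - mean) ** 2 for d in diffs) / (n - 1)   # sample variance
    if var == 0.0:
        raise ValueError("zero variance: t-statistic undefined")
    se = math.sqrt(var / n)
    t = mean / se
    df = n - 1
    p = two_tailed_p(t, df)
    return {"mean_diff": mean, "se": se, "t": t, "df": df,
            "t_critical": critical_t(df, alpha), "p_value": p,
            "ci": confidence_interval(mean, se, df, alpha), "reject_h0": p < alpha}


# Per-attack Average ICMP (ms) taken from Table 9.3 of the chapter.
SINGLE_TIER_APP_DEFENSE_ICMP = [6512.77, 4166.33, 4165.92, 4031.92, 4125.50, 4101.67, 4141.58]
THREE_TIER_ICMP = [7105.46, 1682.83, 1691.67, 1703.00, 1713.25, 1681.92, 1705.25]

if __name__ == "__main__":
    for key, value in paired_t_test(SINGLE_TIER_APP_DEFENSE_ICMP, THREE_TIER_ICMP).items():
        print(f"{key:>11}: {value}")
```

With only seven paired attack averages the degrees of freedom drop to 6 and the critical |t| rises to about 2.447, so a result that is significant on the 90 raw observations should always be re-checked at the granularity actually available.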


5.2. T-Test Validation for Page Load Response

Table 9.6 presents the Page Load Response for the two tiers: Single Tiers and Three Tiers.

Table 9.6. Page Load Response for Single Tiers and Three Tiers.

Page Load Response (ms)
Attack#     Network Defense    Application Defense    Three Tier Architecture
Attack#1    49.00              41.77                  60.62
Attack#2    29.58              25.50                  14.42
Attack#3    28.92              25.58                  14.33
Attack#4    30.58              25.67                  13.00
Attack#5    29.50              25.92                  14.42
Attack#6    29.08              25.08                  13.83
Attack#7    29.17              25.42                  13.33

Test Interpretation
H0: the difference between the two means = 0
Ha: the difference between the two means ≠ 0
The P-value is lower than the significance level alpha (0.05), which infers that H0, the null hypothesis, can be rejected, and the alternative hypothesis (Ha) is accepted.

5.3. T-Test Summary for Browser Throughput Parameters

Table 9.7 presents the T-Test data present and missing along with the minimum, maximum, mean and standard deviation for Page Load Response.

Table 9.7. T-Test Summary for Page Load Response.

Variable    Observations    Missing Data    Not missing Data    Minimum    Maximum    Mean      Standard Deviation
45          90              0               90                  27.000     55.000     32.000    7.213
50          90              0               90                  10.000     72.000     20.311    16.593

95% Confidence interval (CI) on the difference between the two means: [9.551, 13.827].


Table 9.8 presents the T-Test for the two paired sample data (Single Tier and Three Tiers).

Table 9.8. T-test for Two Paired Sample Data (Single Tier and Three Tiers).

Difference              11.689
t (Observed value)      10.865
|t| (Critical value)    1.987
DF                      89
P-Value (Two-tailed)    < 0.0001
ALPHA                   0.05

Table 9.9 illustrates the browser throughput for both tiers: Single Tiers and Three Tiers.

Table 9.9. Browser Throughput for Single Tiers and Three Tiers.

Browser Throughput (rpm)
Attack#     Network Defense    Application Defense    Three Tier Architecture
Attack#1    1753.23            1586.08                1787.85
Attack#2    1272.42            1191.75                957.58
Attack#3    1269.67            1216.67                1001.83
Attack#4    1285.75            1175.00                978.92
Attack#5    1273.75            1201.50                974.17
Attack#6    1283.58            1216.42                980.25
Attack#7    1278.58            1199.33                940.67

T-Test Summary for Browser Throughput Parameters

Table 9.10 presents the T-Test summary for browser throughput.

Table 9.10. T-Test Summary for Browser Throughput.

Variable    Observations    Missing Data    Not missing Data    Minimum     Maximum     Mean        Standard Deviation
1800        90              0               90                  1203.000    1856.000    1339.233    169.120
1775        90              0               90                  850.000     1887.000    1080.478    287.208

95% Confidence interval (CI) on the difference between the two means: [228.425, 289.086].


Table 9.11 presents the T-test for the two paired sample data (Single Tier and Three Tiers).

Table 9.11. T-test for Two Paired Sample Data (Single Tier and Three Tiers).

Difference              258.756
Observed value (t)      16.951
Critical value (|t|)    1.987
DF                      89
Two-tailed P-value      < 0.0001
The ALPHA               0.05

Test Interpretation
H0: the difference between the two means = 0
Ha: the difference between the two means ≠ 0
The P-value is lower than the significance level alpha (0.05), which infers that H0, the null hypothesis, can be rejected, and the alternative hypothesis (Ha) is accepted.

5.4. T-Test Summary for Application Server Response Parameters

Table 9.12 presents the application server response for single tiers and three tiers.

Table 9.12. Application Server Response for Single Tiers and Three Tiers.

Application Server Response (ms)
Attack#     Network Defense    Application Defense    Three Tier Architecture
Attack#1    1659.92            1639.38                1616.38
Attack#2    1180.67            1090.50                801.75
Attack#3    1139.92            1108.25                780.83
Attack#4    1151.33            1065.83                805.83
Attack#5    1155.08            1066.67                819.75
Attack#6    1145.83            1097.17                797.83
Attack#7    1127.00            1108.00                810.17


5.5. T-Test Summary for Application Server Response Parameters

Table 9.13 presents the T-Test summary for application server response.

Table 9.13. T-Test Summary for Application Server Response.

Variable    Observations    Missing Data    Not missing Data    Minimum     Maximum     Mean        Standard Deviation
1636        90              0               90                  1001.000    1833.000    1221.733    196.171
1528        90              0               90                  701.000     1692.000    913.744     286.449

95% confidence interval on the difference between the means: [276.857, 399.120].

Table 9.14 presents the T-test for the two paired sample data for single tier and three tiers.

Table 9.14. T-test for Two Paired Sample Data (Single Tier and Three Tiers).

Difference              307.989
Observed value (t)      19.657
Critical value (|t|)    1.987
DF                      89
Two-tailed P-value      < 0.0001
The ALPHA               0.05

Test Interpretation
H0: the difference between the two means = 0
Ha: the difference between the two means ≠ 0
The P-value is lower than the significance level alpha (0.05), which infers that H0, the null hypothesis, can be rejected, and the alternative hypothesis (Ha) is accepted.

CONCLUSION

With the network firewall configured on the first tier and the Web Application Firewall (WAF) configured on the second tier, the authors find that the network and application attack trends and real user monitoring graphs display a positive response for the three-tier design as compared to the single-tier design when comparing ICMP TTL, Browser Throughput, Page Load Response, and Application Response.

DISCLOSURE

“Part of this chapter has previously been published in Comparing Single Tier and Three Tier Infrastructure Designs against DDoS Attacks, in International Journal of Cloud Applications and Computing, 2017, vol. 07, no. 03, pp 59-75”.

CONSENT FOR PUBLICATION

Not applicable.

CONFLICT OF INTEREST

The authors declare no conflict of interest, financial or otherwise.

ACKNOWLEDGEMENT

Declared none.

REFERENCES

[1] M. Lone, Lonea, D.E. Popescu, O. Prostean, and H. Tianfield, “Evaluation of experiments on detecting distributed denial of service (DDoS) attacks in Eucalyptus private cloud”, Soft Computing Applications, 2013, pp. 367-379.

[2] A. Bakshi, and Y.B. Dujodwala, “Securing cloud from DDOS attacks using intrusion detection system in virtual machine”, Second International Conference on Communication Software and Networks, 2010. [http://dx.doi.org/10.1109/ICCSN.2010.56]

[3] H. Li, and Q. Wu, “A distributed intrusion detection model based on cloud theory”, IEEE 2nd International Conference on Cloud Computing and Intelligence Systems, 2012. [http://dx.doi.org/10.1109/CCIS.2012.6664443]

[4] P. Shamsolmoali, and M. Zareapoor, “Statistical-based filtering system against DDOS attacks in cloud computing”, International Conference on Advances in Computing, Communications and Informatics (ICACCI), 2014. [http://dx.doi.org/10.1109/ICACCI.2014.6968282]

[5] L. Ya-Dong, “Study on detection algorithm of DDoS attack for cloud computing”, Fifth International Conference on Intelligent Systems Design and Engineering Applications, 2014. [http://dx.doi.org/10.1109/ISDEA.2014.210]

[6] T. Vissers, T.S. Somasundaram, L. Pieters, K. Govindarajan, and P. Hellinckx, “DDoS defense system for web services in a cloud environment”, Future Gener. Comput. Syst., vol. 37, pp. 37-45, 2014. [http://dx.doi.org/10.1016/j.future.2014.03.003]

[7] A. Girma, M. Garuba, J. Li, and C. Liu, “Analysis of DDoS attacks and an introduction of a hybrid statistical model to detect DDoS attacks on cloud computing environment”, 12th International Conference on Information Technology - New Generations, 2015. [http://dx.doi.org/10.1109/ITNG.2015.40]

[8] H.S. Bedi, and S. Shiva, “Securing Cloud infrastructure against co-resident DOS attacks using game theoretic defense mechanisms”, Proceedings of the International Conference on Advances in Computing, Communications and Informatics - ICACCI ’12, 2012. [http://dx.doi.org/10.1145/2345396.2345473]

[9] V. Tzeremes, and H. Gomaa, “Xana: An end user software product line framework for Smart Spaces”, 49th Hawaii International Conference on System Sciences (HICSS), 2016. [http://dx.doi.org/10.1109/HICSS.2016.721]

[10] R. Birke, Z. Qiu, J.F. Perez, and L.Y. Chen, “Defeating variability in cloud applications by multi-tier workload redundancy”, IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), 2016. [http://dx.doi.org/10.1109/INFCOMW.2016.7562127]

[11] X.-hui Zeng, X.-ge Peng, M.-hua Li, H.-qi Xu, and S.-yao Jin, “Research on an effective approach against DDoS attacks”, 2009 International Conference on Research Challenges in Computer Science, 2009.

[12] V. Durcekova, L. Schwartz, and N. Shahmehri, “Sophisticated denial of service attacks aimed at application layer”, 2012 ELEKTRO, 2012. [http://dx.doi.org/10.1109/ELEKTRO.2012.6225571]

[13] M.A. Akbar, Z. Tariq, and M. Farooq, “A comparative study of anomaly detection algorithms for detection of SIP flooding in IMS”, 2nd International Conference on Internet Multimedia Services Architecture and Applications, 2008. [http://dx.doi.org/10.1109/IMSAA.2008.4753934]

[14] S.U. Rehman, and S. Manickam, “Rule-based mechanism to detect denial of service (DoS) attacks on duplicate address detection process in IPv6 link local communication”, 4th International Conference on Reliability, Infocom Technologies and Optimization (ICRITO) (Trends and Future Directions), 2015. [http://dx.doi.org/10.1109/ICRITO.2015.7359243]

[15] A. Bhandari, A.L. Sangal, and K. Kumar, “Destination address entropy based detection and TRACEBACK approach against distributed denial of service attacks”, International Journal of Computer Network and Information Security, vol. 7, no. 8, pp. 9-20, 2015. [http://dx.doi.org/10.5815/ijcnis.2015.08.02]

New Age Cyber Threat Mitigation for Cloud Computing Networks, 2023, 133-151

133

CHAPTER 10

Security Challenges Infrastructure

For

Cloud-Based

Email

Abstract: To stay connected and interact with global peers, friends, co-workers, and corporate employees, use email communication technology to perform business with customers and communicate with each other globally. Emails are the best and simplest way of cyber communication. Email is often the first thing we do when entering the office as well as the last thing we do when going to bed. With Cloud-based services providing email servers and infrastructure hosted over the Internet, Security assumes a significantly high level of priority in today’s cyber world. This chapter reviews the academic literature published on security challenges faced by Email Infrastructure over Cloud, discusses the limitations of Email protocols, and compares using cloud-based email infrastructures and on-premises email servers.

Keywords: Email Infrastructure, Email Cloud Service, Exchange Server, SMTP, POP3, IMAP.

Akashdeep Bhardwaj
All rights reserved-© 2023 Bentham Science Publishers

1. INTRODUCTION

Over the last few years, the recognition and acceptance of Cloud-based applications have gained a lot of momentum. Commercial applications that were initially installed inside corporate on-premises server rooms are now hosted on cloud infrastructures. Software applications are provided in the form of commercial services, which are accessible anytime, anywhere. Cloud-based solutions also eliminate the need for regular maintenance-related activities, unnecessary downtimes or outages, attention to backups, or regular infrastructure upgrades. Moreover, new Unified Communications and other Office Productivity applications can also be integrated with existing Cloud-based solutions. This ensures efficient, lean, and effective business processes as compared to an on-premises solution. Cloud-based email infrastructure systems like Google's Gmail, Microsoft's Office 365, and Amazon's Simple Email Service are no exception to this Cloud advantage, and these solutions have also witnessed a huge increase in usage and user base globally. Cloud-based email infrastructure resolves the operating cost issues, revenue loss, business disruption, scalability, employee productivity, and IT support complexities which are typically associated with an on-premises email server. However, mitigating Cloud-based security risks requires the service providers and corporate users to adopt a universal approach for ensuring the right-fit solution is in place, especially since application services delivered over the insecure Internet bring forth new threat vectors and cyber-attacks. Given the high usage of cloud applications, and more so of Email applications, it is no surprise that Cloud-based email solutions tend to be the primary target of cyber-attackers. The intent is to disrupt corporate email operations, which causes business disruption, financial impact, and reputation loss, or even to acquire confidential information from email servers. Email infrastructure systems have to deal with the security threats mentioned below, as referenced from the SANS white paper [1]:

● Credential Phishers and Sender Impersonations
● Spam, Ransomware, and Virus payload attachments
● Typosquatting or URL hijacking via DNS exploitation
● Internal employee data leakage and insider threats

Cyber attackers gain access to user accounts and mailboxes in the below-mentioned ways, as referenced from the SANS white paper:

● Repeated brute-forcing of user/password combinations using automated tools and keywords
● Spoofed emails directing employees to a hacking link, enticing them to enter their Email Id and password
● Malicious attachments embedded in emails to gain access to network servers or systems
● Use of Social Engineering and human error by sending a direct request from a trusted source

2. LIMITATIONS OF EMAIL PROTOCOLS

Like any Cloud or Network-based service, email systems need to provide the following five services for security reasons:

● Message Confidentiality: It promotes privacy, that is, the message transfer between sender and receiver is secure, and no one can read or track the message while it is in transit.
● Message Integrity: It requires that the same message/data arrives at the receiver end as was sent by the sender. No alteration, intentional or accidental, takes place during transfer.
● Message Authentication: It ensures that the message is received from the genuine sender or trusted source only. For this, the receiver must be sure about the identity of the sender.
● Message Non-repudiation: It ensures that the sender should not, at any time, be able to deny having sent the message originally sent by him/her.
● Entity Authentication: It ensures the identification of the user; the user must be verified before accessing the resources and services. This is done by asking for a login-id and password.

Email security protocols and their limitations are discussed in this section:

● SMTP or Simple Mail Transfer Protocol helps Exchange servers send out new emails regardless of the protocol being used for retrieving emails; outside the organization over the Internet, this works on ports 25, 2525, or 587. Issues with SMTP start from its inability to encrypt messages: the communication between SMTP servers is in plain text, so eavesdropping is possible. Also, this protocol can only send messages in NVT 7-bit ASCII format, which does not cover languages like Chinese, Japanese, German or Russian that need characters outside the 7-bit ASCII set. If you log in to the SMTP server using your username and password, these are also passed in plain text, so again anyone eavesdropping can steal your credentials during the transfer. Messages sent through SMTP also contain information about the sending computers and the software used, which, when captured, can be used for malicious intent. So SMTP has privacy shortcomings. SMTP does not have any mechanism to authenticate the source. It also does not have the functionality to check message integrity, so it is easy to send phishing emails. SMTP does not have any mechanism to control repudiation, so a sender can deny having sent an email. Messages are stored on SMTP servers as plain text, and backups of them are taken. Even if you delete a message, copies can reside on the servers/backup servers for years, so anyone who can access the servers can also access or read the messages easily.
● POP3 or Post Office Protocol Version 3 allows for the one-way move of new emails from the email server to the client machine running Outlook, into the PST file. This works in either 'keep' or 'delete' mode on email retrieval, over port 110. Issues with POP3 include that deleting an individual item does not remove it from the server; if mail is left on the server, care should be taken that sufficient capacity is allowed before senders encounter a bounce-back message informing them that the "mailbox is full – try again later". Each ESP sets its own rules regarding how many emails can be stored for each account. An email that is sent and ultimately saved in the "Sent Items" folder is available locally only, not on the server. That means that any messages sent via Device #1 will not be accessible via Device #2. Contacts, calendars, and tasks are local to the specific machine. Those items are not stored on the server regardless of what capabilities exist in your WebMail interface.
● IMAP4 or Internet Message Access Protocol Version 4 is similar to POP3 but far more complex and powerful. This protocol allows client applications to become email-enabled for a two-way move of emails between the client system and Microsoft Exchange Servers. It supports Message Transport, Directory, and Message Store facilities. It allows email folder creation (unlike POP3) to synchronize and mirror the email server mailbox with the client mailbox, which allows viewing and synching of the same email contents across multiple systems and devices. This works on ports 143 and 993. The issue with IMAP4 is that, since POP and IMAP are pull protocols, a request is sent to the mail server to access the mailbox, and for that, logging in using a username and password is required. These details are not encrypted before sending unless SSL is used, so our confidential information is at stake. As with POP3, you must ensure that your ESP provides sufficient capacity to store all the email items you want to maintain on the server over time. Like POP3, the IMAP protocol does not handle contacts, calendars, and tasks. This information is either stored locally when created by the email client or on the server via the Webmail interface.
● EAS or Exchange ActiveSync is the protocol to synch with Microsoft Exchange servers, supporting contacts, calendars, and tasks. EAS has a limitation regarding Contact Groups. Outlook.com "Contact Groups" are created with the use of "categories," whereas Contact Groups created in Outlook (the desktop client) are created as special contact item types with a specific Message Class (IPM.DistList), making them compatible with all earlier versions of Outlook using the MAPI interface via the Hotmail Outlook Connector. In short, you cannot synchronize Contact Groups using an EAS Outlook.com account and Outlook 2013.
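The limitations listed above (plain-text hops, no authentication of the source, no check that the header From matches the envelope sender) can be read directly from a message's trace headers. The following is an added example in Python, not code from the chapter or from any mail provider; it parses a constructed sample message with the standard library and reports which Received hops ran without TLS (using the RFC 3848 "with ESMTPS/ESMTPSA" keywords), the originating IP, and whether the Return-Path domain differs from the From domain. The hostnames, addresses and IPs are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the chapter). Hosts, addresses and
# IPs are documentation/TEST-NET placeholders. Each relay prepends its own
# "Received:" header, so the top header is the last hop.
RAW_MESSAGE = """Received: from mx.example-corp.test (mx.example-corp.test [192.0.2.10])
\tby mailbox.example-corp.test with ESMTPS id abc123
\t(version=TLS1.3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 06 Mar 2023 09:15:02 +0000
Received: from relay.partner.test (relay.partner.test [198.51.100.7])
\tby mx.example-corp.test with ESMTP id def456;
\tMon, 06 Mar 2023 09:15:01 +0000
Received: from [203.0.113.5] (unknown [203.0.113.5])
\tby relay.partner.test with SMTP id ghi789;
\tMon, 06 Mar 2023 09:14:58 +0000
Return-Path: <bounce@partner.test>
From: "Finance Team" <finance@example-corp.test>
To: employee@example-corp.test
Subject: Invoice attached
Content-Type: text/plain; charset="us-ascii"

Please see the attached invoice.
"""

# "with" keywords that mean the hop used TLS (RFC 3848 registrations);
# plain "SMTP"/"ESMTP" means the hop was in clear text.
TLS_WITH_KEYWORDS = {"SMTPS", "ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+).*?by\s+(?P<by>\S+).*?with\s+(?P<with>[A-Z0-9]+)",
    re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received_chain(msg):
    """Return the Received hops in chronological order (origin first)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(value)
        if not m:
            continue  # Malformed or non-standard trace header; skip it.
        ip = IP_RE.search(value)
        hops.append({
            "from": m.group("from"),
            "by": m.group("by"),
            "with": m.group("with"),
            "ip": ip.group(1) if ip else None,
            "tls": m.group("with") in TLS_WITH_KEYWORDS,
        })
    return hops


def domain_of(address):
    """Lower-cased domain part of an email address ('' when absent)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze_message(raw):
    """Summarise transport security and sender consistency of one message."""
    msg = message_from_string(raw)
    hops = parse_received_chain(msg)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_domain = domain_of(from_addr)
    return_path_domain = domain_of(return_path)
    return {
        "hops": hops,
        # Hops where credentials and content crossed the wire unencrypted.
        "plaintext_hops": [h for h in hops if not h["tls"]],
        # First relay in the chain: the closest thing to the true origin.
        "origin_ip": hops[0]["ip"] if hops else None,
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        # SMTP never checks that the header From matches the envelope sender.
        "envelope_mismatch": from_domain != return_path_domain,
    }


if __name__ == "__main__":
    report = analyze_message(RAW_MESSAGE)
    for hop in report["hops"]:
        print(f"{hop['from']} -> {hop['by']} via {hop['with']} "
              f"({'TLS' if hop['tls'] else 'PLAINTEXT'})")
    print("origin IP:", report["origin_ip"])
    print("envelope mismatch:", report["envelope_mismatch"])
```

Two of the three hops in the sample ran over plain SMTP/ESMTP, so the credentials and content were exposed on those links, and the header From (example-corp.test) does not match the envelope sender (partner.test), which SMTP itself never checks. Received headers are written by each relay and only the ones added by hosts you control are trustworthy, so in practice the analysis should start from your own edge server's header and treat earlier hops as claims.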

3. LITERATURE SURVEY

A secure certificate-less cryptography emailing system was proposed by Balakrishnan et al. (2016) [2]. For implementing public key exchange, the email system utilized the Domain Name System infrastructure; for user authentication when accessing the system, secure key token fingerprint authentication was utilized. For each email, the message payload was encrypted by the system. This involved a symmetric key that was generated from the secret value and the keys (public and private) of senders and receivers. After analysis of the proposed email system, it was found to be secure as compared to standard email security models. Unger et al. (2015) [3] compared existing messaging solutions and proposed a framework to enhance security, ease-of-adoption properties, and usability. The framework included commercial email solutions and security solutions from academia. This paper proposed three unique methods. First, the trust establishment approach was offered for security and privacy, but from the usability and adoption perspective, this offered a low performance rating, even as hybrid email security options that are not included in academic literature offered better performance instead. Second, conversation security usually lacks good solutions for large email groups, although it worked fine for groups of two or fewer email users. Finally, transport privacy, which is the trickiest issue to resolve, did not offer any significant performance impact. A comprehensive design document for the Dark Internet Mail Environment (DIME) was presented by Ladar Levison (2014) [4]. This paper included elements required for successfully implementing DIME and details for protocols and message format specifications. An analysis of email security attack vectors was presented along with mitigation techniques. Herbosa et al. (2008) [5] evaluated the architecture design and workflow of existing email infrastructures and the security protocols implemented for secure communications and their limitations. The paper proposed the use of email Forensics as a viable process for analyzing email, including the mail content, header information, transit path, and sender and receiver information. This paper also proposed collecting relevant specifications as evidence against email offenders and also discussed a few common forensic investigation techniques and tools for email investigation. An analysis was performed to determine the difference between X.509 and PGP certificates on the Usage, Creation, Revocation, and Authentication procedures presented by Housley et al. (1999) [6]. The analysis highlighted the differences between the two certificate systems.
The conclusion illustrated that PGP's distribution process for public keys is its biggest drawback, while in comparison, X.509 was considered more flexible and advanced. In X.509, responsibility and decision-making are equally distributed to every stakeholder, further enhancing personal privacy and security parameters. Babrahem et al. (2015) [7] introduced various techniques to enhance the security of email systems. The two main security enhancements proposed are email user identity authentication and confidentiality and privacy during email transmission. These two enhancements vastly improved the performance and achieved the required level of security. A summary was presented of the proposed systems as per the level of security and the limitations of each system for future research.


A one-way authentication key agreement scheme based on a multi-server architecture was proposed by Hongfeng et al. (2015) [8]. The paper presented a security proof and analysis showing that the proposed key agreement scheme was not only efficient and unique but also resilient against various attacks and achieved forward security. Mushtaq et al. (2015) [9] presented an all-purpose illustration of various cryptographic parameters and methods. The paper proposed that each method and calculation was unique in its particular terms. As per this paper, three parameters, namely Private Key, Quantum Cryptography, and Crypto Steganography, are the best methodologies exhibiting a high level of security standards. An email alias service called Email Cloak was proposed by Dacosta et al. (2014) [10]. This email service had Public Key Encryption features which reduced the load of email encryption requirements since it relied on a privacy-respecting third-party encryption system. In the Email Cloak workflow, the inbound and outbound emails of the user are automatically encrypted with the public key. This happens before the emails are forwarded to or stored by the email system. This process, although it looks straightforward, has multiple security benefits: it simplifies key management, provides selective and automatic email encryption, allows for advanced deployment options, and is transparent to third-party applications. The evaluation illustrated that the overhead is sufficient for all email communications, and the Email Cloak implementation was made publicly available as well. Nemavarkar et al. (2015) [11] proposed a secure, online picture-based model to remove the requirement for text passwords for online email systems and files. For implementing this model, a novel multi-level email security design was proposed. This design implements three levels of security in the form of picture confirmation via example matching, pressure, and cryptography. A detailed evaluation of the inherent weaknesses in email infrastructure and existing methodologies was presented by Choukse et al. (2012) [12]. The paper further suggested options to improve the overall email infrastructure security as well as recommended practices and the weaknesses of email infrastructure designs. Bai et al. (2016) [13] reasoned that traditional email servers send data in plain text format over the Internet when sending across domains to other servers. Since emails are a very important aspect of the information infrastructure, more attention needs to be paid to email security by the users. Email vulnerability results in information disclosure and misuse risks. The authors reckoned that by applying cryptographic technologies, this issue can be mitigated. They proposed an identity-based cryptographic, independently controllable email system and compared the email systems, proposing three unique solutions and providing an academic theory for securing and upgrading the email systems. Malatras et al. (2016) [14] proposed an affordable, lightweight, energy-efficient free email system infrastructure based on Raspberry Pi. Email service consumers typically utilize free webmail options like Yahoo, Gmail, or Live, while corporate employees use hosted email services. These email services are hosted over the Internet and users lack full control and flexibility over their communications. Email data tends to be vulnerable to unauthorized access, resulting in privacy threats. The authors implemented Pi-Mail using Raspbian OS, the Postfix message transfer agent, Clam Antivirus, and SpamAssassin. The Pi-Mail system was found to be fully capable of providing email services, and the first of its kind, to individual users as well as small and medium-sized corporates. Ya-Dong et al. (2014) [15] conducted a study to determine how an average user thinks about, or can be made to understand, the tradeoffs of using encryption model properties to ensure end-to-end encryption. This process was proposed as one of the ways to protect digital messages. While the respondents confirmed that the security was better for the less convenient exchange models, they also confirmed that the security of the proposed model was appropriate for everyday purposes. Emails involve sending and receiving private and personal information over the insecure Internet. Hamed et al. (2014) [16] presented the privacy and security risks in worldwide email communications requiring the highest attention and consideration. A set of real-time countermeasures was proposed, based on existing standards, to mitigate the risks. The authors also suggested technical recommendations to be implemented by email service providers. The results displayed enhanced security and, at the same time, preserved compatibility in the ecosystem. Anuradha et al. (2016) [17] proposed email security using an Open PGP certificate in a Grid Framework. The system implemented an email encryption standard using X.509 certificates. The issue illustrated by this paper was that, after the certificates are issued, a certification authority (CA) that was certified by different organizations was fine for self-use certificates. However, in a distributed grid infrastructure system, this process becomes insecure. Man-in-the-middle attacks during the sending of alerts to IT teams and admins were possible. This was shown to be mitigated by the use of a framework that uses Open PGP in grid computing environments. A literature survey on social engineering phishing and techniques to detect such attacks was performed by Gupta et al. (2016) [18]. The paper described the primary objective of phishing as convincing the user to reveal their data over email. The paper also discussed the impact of social engineering attacks on users. The paper discussed various types of phishing attacks like Email spoofing, Tab napping, and Trojan horse as well as methods to detect and prevent these social engineering attacks. Shukla et al. (2016) [19] proposed a secure, transparent Email client framework to mitigate email security issues in webmail environments. Currently, email security involves the use of encryption for email contents. While this approach is inconvenient for the user, it also increases the size of emails. The authors illustrated that the proposed solution was customizable and not integrated into any of the existing email servers. The proposed solution was more secure and displayed better results. Fowdur et al. (2016) [20] proposed an HTTPS webmail anti-spoofing system. The application was designed and coded using PHP with the NetBeans IDE. The system provided a web-based, user-friendly interface, worked on a real-time basis, and actively detected, monitored, and controlled email spoofing. Once a spoofed message was detected, an alert was triggered, and the spoofed email was moved to the spoof folder. The intended user also received an intimation over SSL with an option to notify the sender and block the email. The authors contended that most existing spam systems did not provide email users with a high degree of control and information regarding spoofed attack emails. To evaluate email security, virus, and spam issues, Khanji et al. (2016) [21] performed a case study and presented solutions to mitigate the issues. The authors configured two SMTP servers and evaluated six different scenarios. Different Anti-spam and Filtering techniques were also analyzed for reporting and analytics features which could help Email Administrators to better control and monitor SMTP server systems. Pawar et al.
(2015) [22] evaluated email security issues related to anti-spam filtering by utilizing machine learning systems. The authors performed an extensive security evaluation of anti-spam systems by use of a pattern classifier, analyzed how the performance of the email systems degraded during spam attacks, and also presented a model that simulated spam attack scenarios. Instead of investigating end-user mail client security or end-to-end email encryption, Baumgaertner et al. (2015) [23] analyzed the cipher suites and certificates involved (including the Certificate Authorities) and analyzed the response of email service provider systems during interactions with an improperly secured email server. The authors focused on connections between the providers' SMTP servers relying on transport layer security. The authors also presented recommendations to mitigate email security issues in existing email systems deployed on the Internet. Table 10.1 illustrates the summary of the various email security-related mechanisms that have been reviewed in this research.

Table 10.1. Summary of Email Security related research.

Year | Reference | Proposed Email Security Methodology
2016 | Balakrishnan et al. | Public Key Exchange, Symmetric-key encryption
2015 | Unger et al. | Email Security Framework
2015 | Ladar Levison | Darknet Email Security
2015 | Chhabra et al. | Email forensic investigation process
2015 | Fatima et al. | Public Key Exchange using PGP
2015 | Afnan et al. | Authentication of User & Email Privacy
2015 | Hongfeng et al. | Authenticated way Key agreement
2015 | Mushtaq et al. | Private Key, Quantum Cryptography, Crypto Steganography
2014 | Dacosta et al. | Public Key Encryption
2015 | Nemavarkar et al. | Visual Cryptography
2012 | Choukse et al. | Conducted Literature Survey
2016 | Xuan et al. | Identity-based cryptography
2015 | Hameed et al. | Lightweight Email system with anti-spam, anti-virus features
2017 | Bai et al. | Conducted Evaluation Survey
2016 | Anuradha et al. | PGP certificates
2016 | Gupta et al. | Conducted Literature Survey
2016 | Shukla et al. | Transparent email security framework
2016 | Fowdur et al. | HTTPS-based anti-spoofing design
2016 | Khanji et al. | Conducted Literature Survey and proposed a secure design
2015 | Pawar et al. | Conducted Evaluation Survey
2015 | Baumgaertner et al. | Certificate related analysis

4. RESEARCH PERFORMED The authors conducted two surveys; the first involved a detailed evaluation of 12 Email Service Providers regarding security features provided to users, and the second survey involved 500 users for email security practices and to determine user confidence levels regarding email security.

4.1. Survey of Email Service Providers

The authors analyzed twelve commercial email service providers to evaluate their security features and test the effectiveness of the security protocols installed on them against spoofed emails. The investigation was done by initially creating test user accounts on the email servers and then verifying the security and usability service options offered by each email provider. To analyze the Spam and Spoofing features, the test user email accounts were subjected to spoofed emails from domains which display legacy security standards or do not follow any security standards. Typically, all email services offer a bulk email option that is theoretically capable of determining the spoofed email Sender ID along with the return path. Regarding spoofed emails, most email servers continued to accept them, whether spoofed in the user name only or in both user name and domain, and from domains that do not use anti-spoofing protocols, although the email header signatures did indicate that the email had been sent from a domain that did not follow any compatible security protocol standard. An evaluation of the twelve email services regarding spoofed Sender IDs and spoofed e-mails from non-DKIM/SPF compliant domains is illustrated in Table 10.2.

Table 10.2. Treatment of Sender Spoofed E-mails by Commercial E-mail Service Providers.

Email Services | Accepts Spoofed mail: Username Only | Accepts Spoofed mail: Username & Domain | Classifies Spoofed emails as SPAM: Username Only | Classifies Spoofed emails as SPAM: Username & Domain | Displays name in Email Listing
Office 365 | Yes | Yes | Yes | Yes | Yes
Yahoo Mail | Yes | Yes | No | Yes | Yes
Gmail.com | Yes | Yes | Yes | Yes | Yes
Inbox.com | Yes | Yes | Yes | No | No
Mail.com | Yes | No | Yes | No | No
Live.com | Yes | No | Yes | Yes | No
Zoho Mail | Yes | Yes | No | No | Yes
Outlook.com | Yes | Yes | No | No | No
Mail.com | Yes | Yes | No | No | No
GMX Mail | Yes | Yes | Yes | No | No
Fast Mail | Yes | No | No | No | No
Hush Mail | Yes | No | No | No | No

Survey Results for Survey#1

The summary for the evaluated email services is illustrated below. Positive aspects regarding the Email systems are presented as follows:

● Email service providers in this research study have security protocols in place. Before delivery of a spoofed email, those email domains which are DomainKeys Identified Mail (DKIM) compliant can correct the 'From' address field in emails, while those domains which follow Sender Policy Framework (SPF) and Sender ID do not accept spoofed emails at all.
● Email service providers respond and provide security information and analysis if requested by the mail users for the respective email portals.
● Use of SSL and HTTPS for accessing emails through Webmail programs is in place.
● Email service providers provide relevant security options for header analysis, an inbuilt Custom Signature, vacation response, and an inbuilt Spam guard with customizable blacklisting of sender emails.

Email systems lacked or fell short on the following security issues:

● Customizable message filtering or the ability to add filtering rules for the email user
● A detailed security tutorial on the email portals is missing for the email providers
● Current attacks or Email security information to create user awareness
● Best practices for email usage and security are not available
● Enhanced security features like detailed header analysis
● Emails having a human-friendly name yet forged, misleading, and from spoofed Sender IDs
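The distinctions the survey draws (a sender spoofed in the user name only versus in user name and domain, domains that publish SPF/Sender ID versus those that do not, and a human-friendly display name on a forged address) can be checked on a receiving server from the Authentication-Results header and the From header. The following Python is an added example, not code from the chapter or from any of the providers surveyed; the classification policy, the protected display names, the internal domain and the four sample messages are all constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed policy for this example (not any provider's actual rules):
# display names reserved for the internal domains. An outside address that
# borrows such a name is treated as sender impersonation.
PROTECTED_DISPLAY_NAMES = {"it helpdesk", "finance team", "ceo office"}
INTERNAL_DOMAINS = {"example-corp.test"}


def parse_authentication_results(value):
    """Parse an Authentication-Results header (RFC 8601 style) into
    {method: {"result": ..., <property>: ...}}. The first ';'-separated
    clause is the authserv-id and is skipped."""
    results = {}
    clauses = [c.strip() for c in value.split(";") if c.strip()]
    for clause in clauses[1:]:
        tokens = clause.split()
        if "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        entry = {"result": result.lower()}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                entry[key] = val.lower()
        results[method.lower()] = entry
    return results


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify(raw):
    """Return ('reject' | 'spam' | 'deliver', [reasons]) for one message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    auth = parse_authentication_results(msg.get("Authentication-Results", ""))
    spf = auth.get("spf", {}).get("result", "none")
    dkim = auth.get("dkim", {})
    reasons = []

    # 1. The claimed domain publishes SPF and the connecting host failed it:
    #    the survey's SPF/Sender ID behaviour is to not accept the mail at all.
    if spf == "fail":
        return "reject", ["SPF fail for " + from_domain]

    # 2. A DKIM pass whose signing domain (d=) equals the header From domain
    #    is the evidence that the From header itself was not forged.
    aligned = dkim.get("result") == "pass" and dkim.get("header.d") == from_domain
    if not aligned:
        reasons.append("From domain not DKIM-authenticated")

    # 3. "Username only" spoofing: a protected display name on an address
    #    outside the internal domains, even when SPF/DKIM pass for that domain.
    if display.lower() in PROTECTED_DISPLAY_NAMES and from_domain not in INTERNAL_DOMAINS:
        reasons.append("display-name impersonation of '%s'" % display)

    if reasons:
        return "spam", reasons
    return "deliver", []


# Constructed sample messages covering the cases discussed in the survey.
SAMPLES = {
    "legitimate": (
        "Authentication-Results: mx.example-corp.test; spf=pass "
        "smtp.mailfrom=example-corp.test; dkim=pass header.d=example-corp.test\n"
        'From: "IT Helpdesk" <helpdesk@example-corp.test>\n\nPassword policy update.\n'
    ),
    "username_only_spoof": (
        "Authentication-Results: mx.example-corp.test; spf=pass "
        "smtp.mailfrom=freemail.test; dkim=pass header.d=freemail.test\n"
        'From: "IT Helpdesk" <helpdesk@freemail.test>\n\nPlease confirm your password.\n'
    ),
    "username_and_domain_spoof": (
        "Authentication-Results: mx.example-corp.test; spf=fail "
        "smtp.mailfrom=example-corp.test; dkim=none\n"
        'From: "IT Helpdesk" <helpdesk@example-corp.test>\n\nPlease confirm your password.\n'
    ),
    "legacy_domain_no_policy": (
        "Authentication-Results: mx.example-corp.test; spf=none; dkim=none\n"
        "From: accounts@legacy-vendor.test\n\nInvoice attached.\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, why = classify(raw)
        print(f"{name:28} -> {verdict:8} {'; '.join(why)}")
```

The second sample is the case most of the surveyed providers accepted: SPF and DKIM both pass, because the free-mail domain really did send it, so only the display-name check catches it. The fourth sample shows why legacy domains with no SPF or DKIM records end up in spam rather than being rejected: there is no published policy to fail, only an absence of evidence.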

4.2. Survey of Email Practices by Users

The authors validated the above email provider survey by conducting another study on email users regarding email security practices and the security protocol knowledge of the email service users. About 500 respondents were evaluated in this survey, which involved users with commercial email service accounts. The results are presented in Table 10.3 below.

Table 10.3. User E-mail Practice and Awareness of Security Protocols.

Evaluation Parameters | Results
Email Users' perspective of Security Practices |
Use Webmail Programs | 85%
Installed Anti-Virus, Anti-Spam, and Anti-Malware | 48%
Keep anti-virus, anti-spam, or anti-malware updated | 25%
Use Encryption/Authentication Protocols (S/MIME, PGP) | 15%
Headers Analysis for Authentication | >1%
Email User Knowledge Awareness |
Virus, Spam, Ransomware | 88%
Filtering classification errors | 55%
Spoofed emails | 21%
Transparent Security Protocols (SPF, DKIM) | 19%
Non-Transparent Security Protocols (S/MIME, PGP) | 25%
Non-frequently used Email headers | 12%
Email Delivery over the Internet is not secure | 82%
Email Delivery to destination is not guaranteed | 76%

Survey Results for Survey#2

This survey revealed some interesting facts, as mentioned below:

● Most email users access emails via Webmail interfaces for sending and reading their emails. The 'anytime, anywhere' access is the reason, along with no cost involved to access emails as compared to buying Client licenses if using an email client application. The expectation is that the Service provider caters to user email security.
● User awareness and knowledge regarding viruses, spam, or ransomware, along with filtering errors, were very high.
● Very few users kept their virus, spam, or spyware protection updated or utilized encryption for email usage.
● Header analysis is offered by the email systems, but only a handful know of and utilize the feature for tracking the email source.
● Spoofing is not known to most users, though it has been experienced at times.
● Some users are aware of security protocols like DKIM, SPF/Sender ID, and S/MIME, but very few are aware of all e-mail headers.

4.3. Survey of Email User Awareness

Along with the above survey, the authors also determined the confidence levels of email users regarding email security. The respondents were asked whether the Email Service Providers made them aware of email security and privacy issues, and also whether the email service providers trained the service consumers on the use of the security protocols and header analysis features offered by the email service providers. The results for their confidence in the e-mail system in terms of security and the usability of security protocols, before and after training, are presented in Table 10.4.

Table 10.4. User Confidence in E-mail Communication.

Awareness/Confidence Level | Initially on joining | After Orientation
Highly secure | 23% | 85%
Mildly secure | 31% | 82%
Low security | 41% | 91%
Use S/MIME and PGP | 15% | 88%
Utilize SPF and DKIM | 9% | 35%
Utilize Header Analysis | 2% | 15%

Survey Results for Survey#3

Initially, very few users knew of or utilized encryption and authentication protocols like S/MIME or PGP to secure their emails. This also reveals the following:

● Most Email users have little or limited knowledge of email security.
● Existing security protocols are not used by most email users.
● User confidence, which is initially poor, tends to rise after a simple security orientation. Results of the training were encouraging as the confidence level of users, on average, improved considerably in each parameter.
● Most email users understand that Email information transmitted is not only insecure but also that the delivery of e-mail is not guaranteed.
● The usability of security protocols and options is limited.


5. SECURITY ADVANTAGES OF CLOUD-BASED EMAIL SOLUTIONS

Cloud-based Email solutions like Office 365 or Google Apps, along with other cloud-based productivity solutions, are transforming the way IT departments deliver emails, apps, and services to their users, and adoption of these solutions is continuing to grow. The authors compared the security advantages of Office 365 with an in-house hosted email system in this section. Apart from offering geographic site resilience, Cloud providers offer enhanced security in the form of automatic network encryption, multi-layered anti-spam and anti-malware protection, and message protection policies. Secure SMTP is used for email communication, with PGP, SPF/Sender ID, S/MIME, and DKIM providing encryption and sender authentication to ensure the secrecy and integrity of emails. Fig. (10.1) describes Automatic Network Encryption for Office 365 email flow.

[Figure: Cloud Exchange servers (Office 365). Client to Server: Secure Socket Layer (SSL). Exchange Server to Servers: Transport Layer Security (TLS). Destination Server: Forced TLS (FTLS).]

Fig. (10.1). Automatic Network Encryption.

First, Office Message Encryption (OME) runs a service on the Exchange Azure server, which allows sending encrypted emails inside and outside an organization using Office 365. Second, Information Right Management (IRM) service applies usage restrictions to email messages to prevent sensitive information from being printed, copied, or forwarded in an unauthorized manner. Third, certificate-based S/MIME encryption solutions allow encryption and digital signatures for emails that address sender authentication. Message Protection provides for messaging policy and compliance to manage email data and provide audit reports as well as has message flow transport rules for organization-specific email policies in the form of Conditions, Exceptions, Actions, and Properties. Email Connectors provide control over routing and email flow, this also allows integration of the cloud server with third-party security systems for enhanced encryption and data leak prevention.


Anti-Spam and Anti-Malware protection offers multiple virus scan engines and highly accurate spam filtering servers. These offer multiple layers of protection: connection filtering based on internal allow lists or blacklisted IP lists, protocol filtering for individual mailbox users, and content filtering based on words and phrases from an internal list as well as automated analysis scans. Fig. (10.2) below illustrates the Exchange Online spam process for inbound emails and attachments, which pass through multiple filters and scanners before being routed to the mailbox servers and finally reaching the intended user mailbox.

Inbound Emails from Internet -> 1. Filter connection for Email -> 2. Filter protocol -> 3. Filter email content (block malicious attachments, block Spam and Junk emails) -> Exchange Mailbox Store -> Deliver to User Mailbox

Fig. (10.2). Spam and Malware Scan Flow.

Table 10.5 below illustrates the advantages and disadvantages of on-premises email systems.

Table 10.5. On-Premises Email Systems.

Advantages
• Full control over each activity and configuration, such as mailbox size, WebMail, ActiveSync, public folders, and transport policy rules
• Flexibility for customizing third-party integrations
• Full control of email data and backup archiving

Disadvantages
• Security, reliability, and uptime need constant monitoring, as the email platform is self-owned and exposed to new threat vectors; there is a constant need for training and skills in the IT team, as issues must be resolved by them
• Hardware needs constant upgrading, and licensing costs require high investment
• In case of disaster with no backup contingency plan, all data and hardware can be lost


Akashdeep Bhardwaj

Table 10.6 below illustrates the advantages and disadvantages of cloud-based email systems.

Table 10.6. Cloud-based Email Systems.

Advantages
• Scalability to cater to the number of users, with 50GB mailboxes, without spending extra on licenses or hardware
• Subscription plans chosen as required for Mailbox, Unified Communication (Skype, Lync, OCS), and the Office Suite (Word, Excel, PowerPoint), as well as SharePoint, OneDrive, and Sway
• Reduced risk of data loss, as backup and availability are the provider's responsibility
• Online infrastructure offers the latest, patched solutions with options for adding enhancements and innovations to increase user productivity

Disadvantages
• Lack of root or administrative-level control of the hosting provider's servers
• Rolling back to an on-premises option is unknown and uncertain once the system has moved to the cloud
• Migrating from one service provider to another can be a hassle
• Lack of flexibility to integrate with third-party applications or legacy systems

CONCLUSION

Add-on e-mail security protocols use encryption, PKI-based cryptographic techniques, IP address verification, and DNS-based domain validation to provide security against spoofing and other e-mail threats. However, no protocol independently provides all required security features. Further, domains that do not support these security protocols continue to pose a threat, because they allow the transmission of spoofed e-mails that go undetected by receiving domains that do use the protocols. Spoofed e-mails from some domains that do not support add-on security protocols can be detected by analyzing the trace header fields, which receiving domains do not currently do. E-mail users are losing confidence in e-mail security because they have insufficient awareness of the security protocols, and only some users use them to secure their e-mail. There is a need for a major educational campaign to inform e-mail users about e-mail security issues and train them in using security protocols and procedures.

DISCUSSIONS AND RECOMMENDATION

An ideal email security solution needs to integrate most, if not all, of the following:
● Multi-factor authentication for accessing email when outside the office
● Network and application level DDoS protection
● Automated screening of each outbound email to prevent data loss and proactively eliminate human error
● Protection of business confidential data, by classifying attachments, documents, or email body information as sensitive wherever appropriate
● Alerts to the Security team and Management stakeholders, to acknowledge before an outgoing email message carrying sensitive information and data leaves the organization
● Ability to handle compliance needs regardless of user platform or email device
● Automated key management, including key generation, rotation, discovery, and validation
● Encryption and signing of email messages to ensure confidentiality and integrity
● An email infrastructure resilient to Advanced Persistent Threats (APTs)
● Minimized exposure of email metadata
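The trace-header analysis the conclusion calls for, as an added example that is not part of the chapter: where the sender's domain publishes SPF or DKIM, the verdict in the Authentication-Results header written by the receiving MX is used; where it does not, the Received header written by the receiver's own border MX is used to compare the connecting host with the claimed From domain. Only that one Received line is trustworthy, since every trace header below it was supplied by the sender. The MX name mx1.example.net, the hosts and the four sample messages are constructed for the illustration.

```python
"""Added example, not code from the chapter: a receiving-side spoof check of
the kind the conclusion describes.  Where the sender's domain publishes SPF
or DKIM, the verdict in the Authentication-Results header is used; where it
does not, the trace (Received) header written by our own border MX is used to
compare the connecting host with the claimed From domain.  The MX name, the
hosts and the four sample messages are constructed for this illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_MX = "mx1.example.net"   # assumed name of our own border mail exchanger

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.I)
# "from <helo name> (<reverse dns> [<ip>])", as most MTAs write the clause
FROM_RE = re.compile(r"^from\s+(\S+)\s+\(([^\s\[\]()]+)?\s*\[([^\]]+)\]\)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)


def from_domain(msg) -> str:
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Collapse all Authentication-Results headers into {method: result}."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(header):
            found.setdefault(method.lower(), result.lower())
    return found


def border_hop(msg, trusted_mx=TRUSTED_MX):
    """(helo, reverse_dns, ip) from the Received header our own MX wrote.

    Only that header is trustworthy: every Received line below it was supplied
    by the sender and can say anything.  The HELO name is also chosen by the
    sender; the reverse DNS name is what our MX resolved for the connecting IP."""
    for header in msg.get_all("Received", []):
        text = " ".join(header.split())          # unfold continuation lines
        by = BY_RE.search(text)
        m = FROM_RE.match(text)
        if by and m and by.group(1).lower().rstrip(";") == trusted_mx:
            return m.group(1).lower(), (m.group(2) or "").lower(), m.group(3)
    return None


def same_org(hostname: str, domain: str) -> bool:
    return bool(domain) and (hostname == domain or hostname.endswith("." + domain))


def classify(raw: str, trusted_mx=TRUSTED_MX) -> str:
    """'authenticated', 'spoofed', 'suspicious' or 'unverified'."""
    msg = message_from_string(raw)
    domain = from_domain(msg)
    results = auth_results(msg)
    if results:
        # the domain supports the add-on protocols: use their verdict
        passed = any(results.get(m) == "pass" for m in ("dmarc", "dkim", "spf"))
        return "authenticated" if passed else "spoofed"
    hop = border_hop(msg, trusted_mx)
    if hop is None:
        return "unverified"           # no usable trace header at all
    _helo, rdns, _ip = hop
    if rdns and same_org(rdns, domain):
        return "unverified"           # plausible origin, but nothing cryptographic backs it
    return "suspicious"               # first hop into our MX belongs to another organisation


# Constructed sample messages (addresses and hosts are illustrative)
SAMPLE_AUTHENTICATED = """\
Authentication-Results: mx1.example.net; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example
Received: from mail.corp.example (mail.corp.example [203.0.113.10]) by mx1.example.net with ESMTPS; Tue, 16 May 2017 10:00:00 +0000
From: Alice <alice@corp.example>
Subject: Q2 invoice

See attached.
"""
SAMPLE_FAILED = """\
Authentication-Results: mx1.example.net; spf=fail smtp.mailfrom=corp.example; dkim=none
Received: from mail.corp.example (vps-1.hosting.example [198.51.100.7]) by mx1.example.net with ESMTP; Tue, 16 May 2017 10:02:00 +0000
From: Alice <alice@corp.example>
Subject: Urgent wire transfer

Please pay today.
"""
SAMPLE_NO_AUTH_MISMATCH = """\
Received: from mail.corp.example (vps-1.hosting.example [198.51.100.7]) by mx1.example.net with ESMTP; Tue, 16 May 2017 10:05:00 +0000
From: Alice <alice@corp.example>
Subject: Urgent wire transfer

Please pay today.
"""
SAMPLE_NO_AUTH_MATCH = """\
Received: from mail.corp.example (mail.corp.example [203.0.113.10]) by mx1.example.net with ESMTP; Tue, 16 May 2017 10:07:00 +0000
From: Alice <alice@corp.example>
Subject: Lunch

Noon?
"""
```

The third sample is the case the conclusion is about: corp.example publishes neither SPF nor DKIM, so no verdict exists, but the host that connected to the border MX reverse-resolves to a hosting provider rather than to the claimed domain, which is enough to flag the message for closer handling. A PTR record alone is not proof of origin either; a production check would forward-confirm it and weigh the result against the message's other signals.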

DISCLOSURE

“Part of this chapter has previously been published in Security challenges for cloud-based email infrastructure, in Network Security, 2017, vol. 2017, no. 11, pg 8-15”.

CONSENT FOR PUBLICATION

Not applicable.

CONFLICT OF INTEREST

The authors declare no conflict of interest, financial or otherwise.

ACKNOWLEDGEMENT

Declared none.


New Age Cyber Threat Mitigation for Cloud Computing Networks, 2023, 152-166

CHAPTER 11

Efficient Fault Tolerance in Cloud Environments

Abstract: With mission-critical web applications and resources being hosted in cloud environments, and cloud services growing fast, the need for a greater level of service assurance regarding fault tolerance for availability and reliability has increased. The high priority now is ensuring a fault-tolerant environment that can keep the systems up and running. To minimize the impact of downtime or accessibility failure due to systems, network devices, or hardware, the expectation is that such failures must be anticipated and handled proactively, quickly, and intelligently. This chapter discusses fault tolerance systems for cloud computing environments and analyzes whether they are effective for cloud environments.

Keywords: Fault Tolerance, Replication, Redundancy, High Availability.

Akashdeep Bhardwaj. All rights reserved. © 2023 Bentham Science Publishers

1. INTRODUCTION

The growth of the internet and cloud computing has transformed business opportunities globally. The availability of computing resources and IT services has risen from a low 90% to 99.999% for both corporate and non-business users. As more and more virtual business applications are delivered over the internet to end-users and corporate enterprise employees, the cloud computing environment is evolving to deliver efficient services through innovative cloud models, multiple high-availability devices, and virtualized systems (Vishwanath et al., 2010) [1]. These also include multiple layers of abstraction, which make applications and infrastructure more distributed and complex than ever before. On the other hand, end-users have come to expect a high level of fault tolerance and availability, with swift and flawless execution of the hosted applications. Cloud providers and data center infrastructure management teams constantly strive to maintain this high level of availability and fault tolerance. Some of the methods are the use of Application Performance Monitoring (Armbrust et al., 2010) [2], connecting multiple devices in high availability (HA) mode by overprovisioning devices, and having a hot-swap Disaster Recovery (DR) site or a network monitoring system to provide better fault tolerance in case of any downtime. Users expect their computing systems to have the ability to gracefully handle any unexpected system or application programming malfunction and provide seamless availability, which in IT jargon is termed fault tolerance, as described below.
● Fault Tolerance means that the loss of a service (the network itself, some host, or some critical software running on a host) is tolerated by the system (Yu et al., 2016) [3]. Usually this means that enough other instances of that service are available that the system can use those resources without a significant impact on its overall responsiveness.
● Load Balancing means that a large workload is shared among many instances of a service (or many hosts, or many instances of the service on many hosts), as presented by Zhao et al. (2010) [4]. It does not guarantee fault tolerance, though it can help (Chen et al., 2010) [5]: if one participant in the load-balanced cluster fails, there are usually enough resources left to continue satisfying requests. However, if the load balancer itself fails, the cluster might become useless, so the load balancer itself might need to be fault-tolerant, which means having two load balancers.
● High Availability ensures that a resource is available, even though the resource may suffer some amount of minor downtime. Fault Tolerance (FT), by contrast, can be defined as not losing the in-memory session state (Kumar et al., 2011) [6] in the event of a failure such as a host server crash or a network device failure, rather than the service failing.

2. FAULT TOLERANCE FOR CLOUD ENVIRONMENTS

Fault tolerance aims to ensure that systems can keep delivering in case one or more of their components fail. Fault tolerance [7] means that system resource availability and reliability are not affected when any component or execution device (Pandi et al., 2016) [8] fails, or when there are multiple failures in the hosted application system or infrastructure devices (Mohammad et al., 2016) [9]. Usually, systems, devices, or resources are over-provisioned or purposely underutilized so that, even if application performance is affected during an outage, the systems continue to perform, possibly at a reduced level that stays within predictable and acceptable bounds, rather than failing completely. Fault tolerance is mostly implemented in high-availability, life-critical system environments. Providing a fault-tolerant design for every single component is, however, not an effective solution. The associated redundancy and over-provisioning [10] bring several parasitic penalties: increases in weight, size, cost, and power consumption, as well as in the time to design, verify, and test before delivering the service. The following questions are taken into account when determining how and why the computing components should be fault-tolerant:
● How critical is that component? In a data center, a spare Catalyst switch running idle is good to have but not critical; a switch with a low failure rate ranks low for fault tolerance investment, whereas an extra Supervisor management module would be great to have.
● How likely is the component to fail? Some components, like disk drives in a SAN or power supplies in servers, are likely to fail, so fault tolerance is needed.
● How expensive will it be to make the component fault-tolerant? A fully redundant SAN would be too expensive, economically and in terms of weight and space, to be considered.

Fault tolerance mechanisms can be subdivided into hardware, software, and system fault tolerance.
● Hardware Fault Tolerance involves provisioning secondary backup hardware components such as CPUs, hard disks, memory, and power supplies. This delivers hardware support only, by ensuring that basic backup hardware components are available; it cannot by itself mitigate gaps in error detection, accidental interference among applications, or system program errors. At this level, mechanisms that handle hardware-related faults are used, in which a node is partitioned into smaller units that each act as a fault containment unit. Each such unit is backed up by a redundant module, so that when one module fails the redundant module takes over its function.
● Software Fault Tolerance requires special applications designed to take into account faults and errors originating from software and programming. It uses static and dynamic redundancy methods similar to the hardware mechanism. The N-version programming approach, which provides static redundancy through design diversity (several independently developed versions of the same function are run and their outputs compared), is used in this mechanism and combines hardware and software fault tolerance.
● System Fault Tolerance: the system stores not only checkpoints but also the errors detected in applications. When a fault or an error occurs, the system provides a correcting mechanism.
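N-version programming with a majority voter, as an added example that is not taken from the chapter: the task chosen here is a path-containment check (is a requested path inside a permitted base directory?), written three times independently. One version deliberately carries a classic defect, a bare string-prefix test, so the voter has something to outvote; the base directory and the sample paths are constructed for the illustration.

```python
"""Added example, not the chapter's code: the N-version programming pattern
described above, applied to a path-containment check (is `target` inside
`base`?).  Three independently written versions run on every input and a
majority voter decides; one version carries a classic defect (a bare string
prefix test) so the voter has something to outvote.  The base directory and
paths are constructed for the illustration."""
import posixpath
from collections import Counter
from dataclasses import dataclass


def contained_commonpath(base: str, target: str) -> bool:
    """Version A: compare the longest common path after normalisation."""
    base, target = posixpath.normpath(base), posixpath.normpath(target)
    return posixpath.commonpath([base, target]) == base


def contained_prefix(base: str, target: str) -> bool:
    """Version B: normalise, then require base itself or base + '/' as prefix."""
    base, target = posixpath.normpath(base), posixpath.normpath(target)
    return target == base or target.startswith(base + "/")


def contained_naive(base: str, target: str) -> bool:
    """Version C (defective by design): raw prefix test, no normalisation.
    Accepts '/srv/data2/x' for base '/srv/data' and never resolves '..'."""
    return target.startswith(base)


VERSIONS = (contained_commonpath, contained_prefix, contained_naive)


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    dissenting: tuple     # names of the versions that disagreed with the majority


def vote(versions, *args) -> Verdict:
    """Majority voter.  A version that raises counts as a disagreeing vote
    rather than crashing the whole check; without a strict majority the voter
    fails closed."""
    results = []
    for version in versions:
        try:
            results.append((version.__name__, bool(version(*args))))
        except Exception:
            results.append((version.__name__, None))
    tally = Counter(r for _, r in results if r is not None)
    if not tally:
        return Verdict(False, tuple(name for name, _ in results))
    winner, count = tally.most_common(1)[0]
    dissenting = tuple(name for name, r in results if r != winner)
    if count * 2 <= len(versions):
        return Verdict(False, dissenting)
    return Verdict(winner, dissenting)


def path_allowed(base: str, target: str) -> Verdict:
    return vote(VERSIONS, base, target)
```

For "/srv/data2/secret" and for "/srv/data/../../etc/passwd" the two correct versions reject the path and the voter records contained_naive as the dissenter; in a deployed system that dissent log is the signal that one version needs fixing, which is the error detection the hardware-only mechanism above cannot provide. Diversity only helps if the versions do not share the same mistake, which is why they must be written independently rather than copied from one another.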

3. LITERATURE SURVEY

A review of existing literature on fault tolerance for cloud environments is presented in this section.

Heli Amarasinghe et al. (2017) [11] introduced a fault-tolerant IaaS resource management framework for networked cloud infrastructure. Multiple distributed cloud provider sites and data centers are interconnected with a software-defined network. Both data centers and resources are allocated by formulating and solving integer linear programming-based virtual network embedding problems. Two reactive traffic engineering network failure restoration algorithms were added to the framework, along with an SDN-based monitoring scheme to dynamically identify and recover from unexpected link failures. The authors implemented the framework on an emulated SDN testbed and evaluated the performance of these algorithms under multiple link failures. Experimental results demonstrate the trade-offs of the proposed approaches and their applicability in different application scenarios.

Large-scale virtualized data centers require considerable automation in infrastructure management to operate efficiently. Automation is impaired, however, by the fact that deployments are prone to multiple types of subtle faults due to hardware failures, software bugs, misconfiguration, crashes, performance-degraded hardware, and so on. Existing Infrastructure-as-a-Service (IaaS) management stacks incorporate little to no resilience measures to shield end users from such cloud provider-level failures and poor performance. Mukil Kesavan et al. (2017) [12] proposed and evaluated extensions to IaaS stacks that mask faults in a fault-agnostic manner while ensuring that the overheads are proportional to observed failure rates. The authors also demonstrated that infrastructure automation services and end-user applications can use service-specific knowledge, together with their new interface, to achieve better outcomes.

Cuong Pham et al. (2016) [13] introduced a novel approach to automating failure diagnostics in distributed systems by combining fault injection and data analytics. The authors used fault injection to populate a database of failures for a target distributed system. When a failure is reported from the production environment, the database is queried to find "matched" failures generated by fault injection. Relying on the assumption that similar faults generate similar failures, information from the matched failures is used as hints to locate the actual root cause of the reported failure. To implement this approach, the authors introduced techniques for (i) reconstructing end-to-end execution flows of distributed software components, (ii) computing the similarity of the reconstructed flows, and (iii) performing precise fault injection at pre-specified execution points in distributed systems. The authors evaluated the approach on OpenStack, a popular cloud infrastructure management platform. Experimental results showed that the approach is effective in determining root causes, e.g., fault types and affected components, for 71-100 percent of tested failures. Furthermore, it can provide fault locations close to the actual ones and can be used to find and fix actual root causes. The technique was also validated by localizing real bugs that occurred in OpenStack.


Philip Stahl et al. (2017) [14] presented the implementation of a platform for providing mobility and reliability to computational tasks executed in the access cloud. The platform is primarily aimed at providing an experimental tool for further studying sophisticated techniques for task scheduling, placement, and migration policies. In its current form, the platform supports streaming services but can be extended with support for synchronization between computational tasks. The implementation builds on the Calvin platform developed by Ericsson. Being designed for implementing services for IoT applications and written in Python, the platform provides excellent flexibility and is easy to extend, at the cost of limits on the task sizes that can be supported under stringent migration time limits. The authors described the platform and its main functions and presented experimental results showing how the platform performs as task sizes increase.

Cloud computing provides support for hosting clients' applications. The cloud is a distributed platform that provides hardware, software, and network resources both to execute consumer applications and to store and manage users' data. It is also used to execute scientific workflow applications, which are generally complex compared to other applications. Since the cloud is a distributed platform, it is more prone to errors and failures; in such an environment, avoiding failure is difficult and identifying the source of a failure is also complex. For this reason, fault tolerance mechanisms are implemented on the cloud platform, ensuring that even when there are failures in the environment, the client's critical data is not lost and the user's application running on the cloud is not affected. Fault tolerance mechanisms also help in improving the cloud's performance by providing services to users on demand. Pratiba et al. (2017) [15] surveyed existing fault tolerance mechanisms for the cloud platform, and also discussed failures, fault-tolerant clustering methods, and fault-tolerant models that are specific to scientific workflow applications.

Executing clustered tasks has proven to be an efficient method to improve the computation of scientific workflows on clouds. However, clustered tasks are more likely to suffer from failures than a single task, so fault tolerance in cloud computing is essential while running large-scale scientific applications. K. Vinay et al. (2017) [16] proposed a new heuristic called the Cluster-based Heterogeneous Earliest Finish Time algorithm to enhance the scheduling and fault tolerance mechanism for workflows in highly distributed cloud environments. To mitigate the failure of clustered tasks, this algorithm uses the idle time of the provisioned resources to resubmit failed clustered tasks for the successful execution of workflows. Experimental results show that the proposed algorithm has a convincing impact on these workflow executions and also drastically reduces resource waste compared to existing task replication techniques. A trace-based simulation of five real workflows shows that this algorithm can sustain unexpected task failures with minimal cost and time span.

With the rise of cloud computing and the virtualization of resources, cloud management systems are becoming a key differentiator for the quality of service offered by cloud providers. OpenStack is considered the de-facto open-source cloud management system at the infrastructure-as-a-service layer. Despite the efforts to harden the high availability of OpenStack, its fault tolerance during the provisioning of resources is yet to be proven. Ali Kanso et al. (2017) [17] presented a testing framework for the fault tolerance of OpenStack. The authors exposed the limitations of OpenStack by injecting runtime failures into a highly available OpenStack environment. The testing results revealed inconsistencies in the behavior of OpenStack in the presence of failures, which the authors addressed by proposing a solution to harden its fault tolerance.

Al-Zain et al. (2015) [18] presented a practical data management model for public and private multi-cloud environments. The proposed model, BFT-MCDB, incorporates Shamir's Secret Sharing approach and the Quantum Byzantine Agreement protocol to improve the trustworthiness and security of business data storage without compromising performance. The performance evaluation was carried out using the CloudSim cloud computing simulator. The experimental results show significantly better performance in data storage and retrieval than other common cloud cryptographic-based models and demonstrate the feasibility of the proposed multi-cloud data management model.

Stergiou et al. (2017) [19] presented a survey of IoT and cloud computing with a focus on the security issues of both technologies.
The authors combined cloud computing and IoT technologies to examine their common features and discover the benefits of their integration. Experimental results showed that cloud computing technology improves the functioning of the IoT. The authors also surveyed the security challenges of integrating IoT and cloud computing.

Memos et al. (2016) [20] described the IoT network architecture and its security challenges. The authors first analyzed important research on media security and privacy in wireless sensor networks. Subsequently, an Efficient Algorithm for a Media-based Surveillance System was proposed for the IoT network in a Smart City framework. This framework merges two algorithms introduced by other researchers for packet routing and security. Experimental results displayed the efficacy of the proposed scheme in terms of users' privacy, media security, and sensor node memory requirements. It was also illustrated that this scheme could be integrated into the IoT network of upcoming Smart City concepts.

In today's world of sharing social media data and videos, mobile clients have limited capabilities; however, these users need to share videos seamlessly without sacrificing integrity and quality. Hossain et al. (2017) [21] proposed a cloud-based framework for secure video transmission and sharing. After a video is captured by a smartphone, the keyframes are detected by applying a genetic algorithm. A discrete wavelet transform-based watermarking algorithm is used to insert the watermark into the keyframes. Using a two-layer protection mechanism based on error-correcting codes, the signature that confirms the identity of an individual is used to generate the watermark, which is inserted into the video to protect it from transmission loss, distortion, or attacks. Watermarked videos are then transmitted to the cloud, and the watermark is also shared among several clouds in a space-efficient and secret-robust way. To check the integrity of the video, the original user can at any time download the video, extract the watermark, and verify it. To test the quality of the watermarked video, an imperceptibility analysis is carried out and a structural similarity index is measured. The experimental results demonstrate that the watermarking algorithm does not degrade the quality of the video.

Gou et al. (2016) [22] discussed the developments, security issues, and challenges associated with the cloud computing environment. The authors analyzed existing solutions that deal with similar security threats and provided a comparative analysis of these approaches. This research provides an understanding of the various security problems associated with the cloud, the current solution space, and the future research scope for dealing with such attacks in a better way.

4. RESEARCH WORK

4.1. Fault Tolerance Assessment Algorithm

Applying the fault tolerance assessment to each node, the authors propose an assessment algorithm for fault tolerance. Initially, the Fault Tolerance score is set to 1 with an adaptability factor n (always > 0). The algorithm takes RF, Maximum Fault Tolerance, and Minimum Fault Tolerance from the node's configuration, as shown in the FT Assessment algorithm in Table 11.1.


Table 11.1. Fault Tolerance Assessment Algorithm

Begin
Step 1: Initial Fault_Tolerance = 1, n = 1
Step 2: Configuration input: RF, Max_Fault_Tolerance, Min_Fault_Tolerance
Step 3: Input node_status
Step 4: if node_status = Pass
            Fault_Tolerance = Fault_Tolerance + (Fault_Tolerance * RF)
            Check Threshold_Level
Step 5:     if n > 1 then n = n - 1
        else if node_status = Fail
            Fault_Tolerance = Fault_Tolerance - (Fault_Tolerance * RF * n)
            Check Threshold_Level
            n = n + 1
Check Threshold_Level:
        if Fault_Tolerance >= Max_Fault_Tolerance
            Fault_Tolerance = Max_Fault_Tolerance
        if Fault_Tolerance < Min_Fault_Tolerance
            Node_Status = Dead
            Call_proc: Remove_Node and Call_proc: Add_New_Node
End
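Table 11.1 as runnable code, added here and not taken from the chapter. The algorithm is implemented exactly as written; RF, the two caps and the pass/fail sequences in the usage are values chosen for the illustration, and the Remove_Node and Add_New_Node procedures are recorded as events instead of calling a scheduler.

```python
"""Added example, not the chapter's code: the Fault Tolerance Assessment
algorithm of Table 11.1 implemented as written, with RF, the two caps and the
pass/fail sequences below chosen here for illustration.  Remove_Node and
Add_New_Node are recorded as events rather than calling a real scheduler."""
from dataclasses import dataclass, field


@dataclass
class NodeAssessment:
    rf: float                 # RF from the node's configuration (Step 2)
    max_ft: float             # Max_Fault_Tolerance
    min_ft: float             # Min_Fault_Tolerance
    ft: float = 1.0           # Step 1: Fault_Tolerance starts at 1
    n: int = 1                # adaptability factor, always > 0
    status: str = "Alive"     # becomes "Dead" once ft drops below min_ft
    events: list = field(default_factory=list)
    history: list = field(default_factory=list)

    def observe(self, node_status: str) -> float:
        """Step 3 onwards: fold one Pass/Fail observation into the score."""
        if self.status == "Dead":
            return self.ft                               # replaced node; nothing to update
        if node_status == "Pass":
            self.ft += self.ft * self.rf                 # Step 4: reward
            self._check_threshold()
            if self.n > 1:                               # Step 5: penalty weight decays
                self.n -= 1
        elif node_status == "Fail":
            self.ft -= self.ft * self.rf * self.n        # consecutive failures cost more
            self._check_threshold()
            self.n += 1
        else:
            raise ValueError(f"unknown node status {node_status!r}")
        self.history.append((node_status, round(self.ft, 6), self.n, self.status))
        return self.ft

    def _check_threshold(self) -> None:
        """Check Threshold_Level: clamp at the maximum, retire below the minimum."""
        if self.ft >= self.max_ft:
            self.ft = self.max_ft
        if self.ft < self.min_ft and self.status != "Dead":
            self.status = "Dead"
            self.events.append("Remove_Node")            # Call_proc: Remove_Node
            self.events.append("Add_New_Node")           # Call_proc: Add_New_Node


def assess(sequence, rf=0.1, max_ft=2.0, min_ft=0.5) -> NodeAssessment:
    """Run a whole observation sequence and return the final node state."""
    node = NodeAssessment(rf=rf, max_ft=max_ft, min_ft=min_ft)
    for observation in sequence:
        node.observe(observation)
    return node


if __name__ == "__main__":
    node = assess(["Pass", "Fail", "Fail", "Pass", "Fail", "Fail"])
    for row in node.history:
        print(row)
    print(node.status, node.events)
```

With RF = 0.1 and caps of 2.0 and 0.5, the sequence Pass, Fail, Fail, Pass, Fail, Fail yields scores 1.1, 0.99, 0.792, 0.8712, 0.69696 and 0.487872; the last is below Min_Fault_Tolerance, so the node is marked Dead and replaced. Because n grows only on consecutive failures and decays on a pass, the second of two back-to-back failures costs twice as much as the first, which is what lets a node with an intermittent fault survive while a node that is failing repeatedly is retired quickly.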

4.2. Fault Tolerance Case Evaluations

The authors created test cases and performed experiments on cloud environment scenarios to analyze fault tolerance results for different cases displaying errors on cloud consumer requests. The following metrics are considered when evaluating fault tolerance for cloud environments, and a schematic design is presented in Fig. (11.1) below, concerning fault tolerance and the dependency services provided by cloud operators for cloud service consumers.
● Response Time: time taken to respond (should be low)
● Throughput: number of tasks executed and completed (should be high)
● Scalability: an increase in nodes does not affect the system's capacity to perform
● Performance: effectiveness of the system in responding to execution tasks
● Availability: uptime and reliability of the system under the execution scenario
● Usability: the extent to which the system can be used with defined effectiveness, efficiency, and user satisfaction


Akashdeep Bhardwaj

[Fig. (11.1) schematic: Cloud User API Requests → Cloud Manager → Resource Manager → Fault Tolerance Manager (attempt asynchronous execution). Dependencies A (10 threads), B (5 threads) and M (12 threads) each front a Backend Fault Tolerance Service; the service behind Dependency B is shown saturated. Request outcomes shown: Get-Thread-moreMem(1023) → PoolSize(3) queue(): Success; Get-Thread-moreVideo(8709) → PoolSize(7) execute(): Failed; Get-thread-moreRating(7513) → Poolsize(12) execute(): Success.]
Fig. (11.1). Fault Tolerance Cloud Architecture.
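As an added example of the per-dependency pools sketched in Fig. (11.1), not code from the chapter, the Python below gives each backend dependency its own bounded worker pool plus a bounded queue and rejects a request immediately when that dependency's pool and queue are full (the figure's "execute(): Failed" on the saturated dependency). The dependency names and thread counts follow the figure; the queue sizes, the request burst, the backend stub and the class names are assumptions.

```python
"""Added example, not the chapter's code: per-dependency bulkheads in the style of
Fig. 11.1. Each backend dependency gets its own bounded worker pool and queue; a
request for a saturated dependency fails fast instead of tying up threads shared
with healthy dependencies. Pool sizes, queue sizes and the burst are constructed."""
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class SaturatedError(Exception):
    """The dependency's pool and queue are full; reject rather than wait."""


class Bulkhead:
    def __init__(self, name, pool_size, queue_size):
        self.name = name
        self.pool = ThreadPoolExecutor(max_workers=pool_size, thread_name_prefix=name)
        # one permit per running or queued call; none left means "saturated"
        self._permits = threading.BoundedSemaphore(pool_size + queue_size)

    def submit(self, fn, *args):
        if not self._permits.acquire(blocking=False):
            raise SaturatedError(self.name)

        def guarded():
            try:
                return fn(*args)
            finally:
                self._permits.release()      # free the slot whether fn returned or raised

        return self.pool.submit(guarded)

    def shutdown(self):
        self.pool.shutdown(wait=True)


class FaultToleranceManager:
    """Routes each request to the bulkhead of the dependency it needs."""

    def __init__(self, sizes):
        # sizes: {dependency name: (pool_size, queue_size)}
        self.bulkheads = {name: Bulkhead(name, p, q) for name, (p, q) in sizes.items()}

    def route(self, dependency, fn, *args):
        return self.bulkheads[dependency].submit(fn, *args)

    def shutdown(self):
        for b in self.bulkheads.values():
            b.shutdown()


def run_burst(sizes, per_dependency, hold_s=0.3):
    """Fire `per_dependency` calls at every dependency at once while each call
    holds its worker for hold_s. Returns {dependency: (accepted, rejected, completed)}."""
    mgr = FaultToleranceManager(sizes)

    def backend_call(dep):                    # constructed slow backend
        time.sleep(hold_s)
        return f"{dep}: done"

    futures = {dep: [] for dep in sizes}
    rejected = {dep: 0 for dep in sizes}
    for dep in sizes:
        for _ in range(per_dependency):
            try:
                futures[dep].append(mgr.route(dep, backend_call, dep))
            except SaturatedError:
                rejected[dep] += 1            # fail fast: no thread or queue slot consumed
    mgr.shutdown()                            # waits for the accepted work to finish
    return {dep: (len(futures[dep]), rejected[dep],
                  sum(f.result() == f"{dep}: done" for f in futures[dep]))
            for dep in sizes}


if __name__ == "__main__":
    # Dependency B has 5 threads and no queue; a burst of 7 saturates it,
    # while A (10 threads) and M (12 threads) absorb the same burst untouched.
    print(run_burst({"A": (10, 0), "B": (5, 0), "M": (12, 0)}, per_dependency=7))
```

The point of the bulkhead is isolation: the saturated Dependency B rejects its overflow in microseconds instead of holding a thread for the full backend latency, so the pools for A and M are unaffected and their requests still complete. Reject-on-saturation is also the cheap defence against a slow or hostile dependency exhausting a shared pool, which is how one slow backend becomes an outage of the whole API.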

FT Case #1: End-user client unable to reach the cloud portal
Solution: Despite being able to connect to the Cloud API and reach the SaaS cloud, the user is unable to log in and access the web application. This can be because the server is down, the server has changed its access parameters following a network change, or the server is in the process of virtual migration. An exception handler is an effective solution: it can intercept the runtime fault, forward the user request to a backup application server and handle the request immediately, although how this is done depends on the programming language used. For network-related issues, clean spare bandwidth is essential, as shown in Fig. (11.2).

[Fig. (11.2) chart, Fault Tolerance Case #1: Response and Throughput against Requests 1-10 (Response axis 200-400, Throughput axis 0-7). Response points (request, value): (1, 256), (2, 268), (3, 284), (4, 295), (5, 307), (6, 319), (7, 339), (8, 347), (9, 359), (10, 364). Throughput readings plotted: 2.1, 2.6, 3.1, 3.9, 4.1, 4.8, 5.1, 5.6, 5.8, 6.2.]
Fig. (11.2). Fault Tolerance Case#1.

FT Case #2: End client request to cloud app server is lost
Solution: Web browsers send requests to web servers, and network latency can be a major reason for a lost request. A timeout parameter that bounds the wait for the reply, followed by a re-send or reload, is an efficient solution in this case. If multiple user requests appear to be getting lost, however, it could point to a much larger issue. Safety-bag checks: in this scenario, system commands are blocked from executing if they do not meet the safety properties defined for the cloud system, as per Fig. (11.3).

[Fig. (11.3) chart, Fault Tolerance Case #2: Response and Throughput ("Thruput") against Requests 1-10 (Response axis 200-400, Throughput axis 0-9). Response readings plotted: 259, 275, 292, 310, 322, 335, 349, 360, 362, 367. Throughput readings plotted: 1.4, 2.2, 2.7, 4.6, 5.1, 5.3, 5.8, 6.2, 7.1, 7.8.]
Fig. (11.3). Fault Tolerance Case#2.

FT Case #3: Server crash after receiving the client request
Solution: The probability of such a crash is high when receiving large data streams and packages from application users that are bigger than the standard 32 bytes. If the application cannot confirm that the inbound client request has been carried out, the server may stop before or after finishing the request or sending an acknowledgment to the user. Migrating the job from the faulty machine to another server is a viable solution in this case, as is having algorithms that automatically detect faults and migrate applications within the virtual environment inside the datacenter. Another option is self-healing application instances running on different virtual machines, so that individual instance failures can be handled automatically, as illustrated in Fig. (11.4).

[Fig. (11.4) chart, Fault Tolerance Case #3: Response and Throughput ("Thruput") against Requests 1-10 (Response axis 200-400, Throughput axis 0-10). Response points (request, value): (1, 250), (2, 258), (3, 264), (4, 266), (5, 269), (6, 271), (7, 273), (8, 284), (9, 291), (10, 310). Throughput readings plotted: 1.9, 2.3, 4.1, 5.1, 5.6, 5.8, 6.7, 7.3, 7.9, 9.1.]
Fig. (11.4). Fault Tolerance Case#3.

FT Case #4: End-user client loses the server reply
Solution: The end-user client can set a threshold or timer; if no reply arrives, it can be assumed that the server is down, the user request was lost, or the server crashed while processing the request. To perform efficient task-level fault tolerance on long-running or large applications, checkpointing can be used in this test case: on failure, instead of starting a job from the beginning, the job is restarted from the last saved checkpointed state. Another option is retrying the failed task on the same instance or resubmitting the runtime task to execute on the same or different computing resources, as illustrated in Fig. (11.5).

[Fig. (11.5) chart, Fault Tolerance Case #4: Response and Throughput ("Thruput") against Requests 1-10 (Response axis 200-400, Throughput axis 0-10). Response readings plotted: 278, 288, 301, 315, 331, 338, 345, 352, 366, 380. Throughput readings plotted: 2.5, 3.2, 3.9, 4.3, 4.9, 5.3, 6.7, 7.5, 8.3, 9.4.]
Fig. (11.5). Fault Tolerance Case#4.
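The Case #2 timeout-and-re-send and the Case #4 checkpointed restart described above, as one added Python example that is not code from the chapter. The flaky server stub, the crash schedule and the in-memory checkpoint store are constructed for the demo, and the function names are mine; a real deployment would checkpoint to durable storage and would re-send only requests that are idempotent or carry a request id the server can deduplicate, otherwise the retry itself can double-apply a write.

```python
"""Added example, not the chapter's code: timeout-and-resend for a lost reply
(Case #2) and checkpointed restart for a long-running job (Case #4). The server
stub, the crash schedule and the in-memory checkpoint store are constructed."""
import concurrent.futures as cf
import itertools
import time


class LostReply(Exception):
    """No reply within the timeout on any attempt."""


class ServerCrash(Exception):
    """Server died mid-step; args = (step, steps attempted in this run)."""


def flaky_server(lost_attempts, hang_s=0.3):
    """Constructed server: replies for the listed attempt numbers never arrive in time."""
    counter = itertools.count(1)

    def handle(payload):
        attempt = next(counter)
        if attempt in lost_attempts:
            time.sleep(hang_s)               # the client will have given up by then
        return f"ack:{payload}:attempt{attempt}"

    return handle


def call_with_timeout(fn, timeout_s, retries, *args):
    """Case #2: wait at most timeout_s for the reply, then re-send, up to `retries`
    extra times. Returns (reply, attempts_used). One worker per attempt so a hung
    attempt cannot block the re-send. Only safe for idempotent requests."""
    ex = cf.ThreadPoolExecutor(max_workers=retries + 1)
    try:
        for attempt in range(1, retries + 2):
            fut = ex.submit(fn, *args)
            try:
                return fut.result(timeout=timeout_s), attempt
            except cf.TimeoutError:
                fut.cancel()                 # a late reply, if any, is discarded
        raise LostReply(f"no reply after {retries + 1} attempts")
    finally:
        ex.shutdown(wait=False)              # do not wait for abandoned attempts


class CheckpointStore:
    """Stand-in for durable storage: last completed step and partial result per job."""

    def __init__(self):
        self._state = {}

    def save(self, job_id, step, partial):
        self._state[job_id] = (step, partial)

    def load(self, job_id):
        return self._state.get(job_id, (0, 0))


def run_job(job_id, items, store, crash_during, resume=True):
    """Case #4 worker: fold `items` into a running sum, checkpointing after every
    step. `crash_during` holds 1-based step numbers that crash the first time they
    are reached (fault injection). Returns (result, steps_attempted)."""
    start, acc = store.load(job_id) if resume else (0, 0)
    attempted = 0
    for i in range(start, len(items)):
        step = i + 1
        attempted += 1
        if step in crash_during:
            crash_during.discard(step)       # crash once; the retry of this step succeeds
            raise ServerCrash(step, attempted)
        acc += items[i]
        store.save(job_id, step, acc)        # checkpoint before moving on
    return acc, attempted


def run_until_done(items, crash_steps, resume=True, max_restarts=5):
    """Driver: restart after each crash, either from the last checkpoint
    (resume=True) or from the beginning (resume=False).
    Returns (result, total_steps_attempted, restarts)."""
    store = CheckpointStore()
    pending = set(crash_steps)
    total = restarts = 0
    for _ in range(max_restarts + 1):
        try:
            result, n = run_job("job-1", items, store, pending, resume)
            return result, total + n, restarts
        except ServerCrash as crash:
            total += crash.args[1]
            restarts += 1
    raise RuntimeError("job did not finish within max_restarts")


if __name__ == "__main__":
    print(call_with_timeout(flaky_server({1}), 0.05, 2, "req"))      # reply on attempt 2
    print(run_until_done([1, 2, 3, 4, 5], {3}))                       # checkpointed restart
    print(run_until_done([1, 2, 3, 4, 5], {3}, resume=False))         # restart from scratch
```

With a crash during step 3 of a 5-step job, the checkpointed restart spends 6 step attempts in total (2 completed, 1 crashed, 3 after resume) against 8 for a restart from scratch; the gap grows with the length of the job and the number of crashes.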

After running the four test case scenarios, Case #3, "Server crash after receiving the client request", shows the lowest throughput but the best response time.


The authors analyzed the latency response of the cloud application; the results point to a rise in cloud application latency as the number of requests increases, seen as a steady increase across all four test cases.

4.3. Reliability for Cloud Models
The authors evaluated two hardware reliability modeling options for cloud-based systems, series and parallel system designs, calculating the reliability percentage for real-time accuracy and efficiency.
● Series Model: failure of any component 1 … N leads to system failure. If component i has reliability Ri, the system reliability is:
R = R1 * R2 * R3 * … * Rn
For the series model design, the authors considered a data center system with 100 components, with the caveat that the failure of any single component causes the cloud system to fail. Assuming each component has a reliability of 0.999, the system reliability is
R = R1 * R2 * … * R100 = (0.999)^100 ≈ 0.905 → about 90.5% (real-time accuracy for the series model)
A series system is never more reliable than its weakest component, and the exponent matters: 99.9% is the reliability of a single component, not of 100 of them in series.
● Parallel Model: the system works unless all components fail; this property is the main difference between the two models. Connecting components in parallel provides redundancy and so enhances system reliability. If R is reliability and Q = 1 – R is unreliability, the system unreliability is:

Q = Q1 * Q2 * Q3 * … * Qn, i.e. 1 – R = (1 – R1) * (1 – R2) * (1 – R3) * … * (1 – Rn)
The authors designed a cloud application system of three components with reliabilities C1 = 0.9, C2 = 0.95 and C3 = 0.98. Connecting them in parallel, the overall system reliability is
R = 1 – (1 – 0.9) * (1 – 0.95) * (1 – 0.98) = 1 – 0.1 * 0.05 * 0.02 = 1 – 0.0001 = 0.9999 → 99.99% (real-time accuracy for the parallel model)
Both models assume the components fail independently; a shared failure cause (the same hypervisor host, network path or power feed behind all three replicas) removes most of the benefit the parallel figure promises.

CONCLUSION
Fault tolerance is one of the main challenges and critical issues in cloud computing. Ensuring cloud service availability is one of the essential features of cloud computing for cloud service users. This relates to ensuring the fault tolerance techniques that enable web and cloud applications to tolerate faults arising in the system after deployment, during operations. The authors demonstrated this using four different fault tolerance cases, testing each with increasing cloud user requests and measuring the throughput. While mechanisms for fault tolerance are available, the number of challenges is far greater. The main focus of fault tolerance for the cloud should be on including more fault tolerance parameters to improve the overall availability of cloud computing systems and nodes during failures. As more and more complex cloud applications and systems are designed and built, fault tolerance and the next generation of hardware need to evolve to resolve design-related tolerance issues. Unlike fault tolerance practiced in any other field, the necessity of designing fault tolerance into the system for design faults and unexpected circumstances has never been greater. Reliability will continue to be a key factor in achieving dependable system performance and high fault tolerance. Future research will need to address innovative techniques for measuring failures and predicting the dependability of high-availability and least FT-intensive systems. Opportunities continue to exist for synergy between fault tolerance and engineering design research in this domain.

FUTURE SCOPE
The four test cases evaluated here can be integrated and combined with the proposed algorithm so that the cloud service provider offers better, more efficient and resilient fault tolerance support for servicing cloud consumption requests and providing seamless resource availability. The proposed solution will improve the overall resilience of the cloud service offering, and future work can focus on measuring the strength of fault tolerance options and on an in-depth analysis of availability, cost and support benefits for the stakeholders involved.
Future research can explore wider use of a standard, protocol-based FT architecture design across all cloud providers, which can integrate to provide a reliable, cost-effective, self-recovering fault tolerance mechanism. Barriers and limitations to implementing fault tolerance involve high-level requirements, including computing power, networking and systems, as well as the use of a large number of nodes and licensing. An example is vSphere FT, which needs multiple CPU clusters, host machines compatible with vSphere vMotion, and hardware virtualization support. Another downside is the increase in the number of testing challenges and components, which in turn increases cost and project weight and leads to complex designs. A further limitation is the acceptance of inferior nodes and components, which can lead to high support and maintenance costs.
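Added worked example for the series and parallel reliability models of Section 4.3, placed here after the chapter body. It is not code from the chapter: the function names are mine, the component reliabilities are the section's assumed values, and the tiered case (tiers in series, replicas within a tier in parallel) and the replica-count helper go beyond what the section shows.

```python
"""Added example, not the chapter's code: the series and parallel reliability
models of Section 4.3 as functions, plus the mixed case the section does not show
(tiers in series, each tier a parallel group of replicas). Component
reliabilities are the section's own assumed values."""
import math


def series(reliabilities):
    """Series model: every component must work. R = R1 * R2 * ... * Rn."""
    return math.prod(reliabilities)


def parallel(reliabilities):
    """Parallel model: the system fails only if all components fail.
    Q = (1 - R1)(1 - R2)...(1 - Rn), R = 1 - Q. Assumes independent failures."""
    return 1.0 - math.prod(1.0 - r for r in reliabilities)


def tiered(tiers):
    """Tiers in series, replicas within a tier in parallel, e.g.
    [[0.99, 0.99], [0.999], [0.9, 0.95, 0.98]] for a three-tier deployment."""
    return series(parallel(tier) for tier in tiers)


def replicas_needed(component_r, target_r, limit=20):
    """Smallest number of parallel replicas of a component with reliability
    component_r that reaches target_r, or None if `limit` replicas are not enough."""
    for k in range(1, limit + 1):
        if parallel([component_r] * k) >= target_r:
            return k
    return None


if __name__ == "__main__":
    print(f"100 components in series at 0.999: {series([0.999] * 100):.4f}")  # about 0.9048
    print(f"C1..C3 in parallel: {parallel([0.9, 0.95, 0.98]):.4f}")           # 0.9999
    print(f"two tiers, [0.9, 0.9] then [0.999]: {tiered([[0.9, 0.9], [0.999]]):.5f}")
    print(f"0.999 replicas needed for 0.99999: {replicas_needed(0.999, 0.99999)}")
```

The series figure is the one to keep in mind for a cloud stack: a request path through 100 components each at three nines is only about 90% reliable end to end, so availability comes from putting replicas in parallel within each tier, and the tiered helper shows how quickly a single unreplicated tier caps the whole path.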


DISCLOSURE
"Part of this chapter has previously been published in Efficient Fault Tolerance on Cloud Environments, in International Journal of Cloud Applications and Computing, 2018, vol. 8, no. 3, pg 20-31 and in Solutions for Securing End User Data over the Cloud Deployed Applications, in Cybersecurity Breaches and Issues Surrounding Online Threat Protection, 2017, pp. 1030-1046".
CONSENT FOR PUBLICATION
Not applicable.
CONFLICT OF INTEREST
The authors declare no conflict of interest, financial or otherwise.
ACKNOWLEDGEMENT
Declared none.



Akashdeep Bhardwaj. All rights reserved © 2023 Bentham Science Publishers.
