Securing the Cloud: Threats, Attacks and Mitigation Techniques
This paper aims to present information about the most current threats and attacks on cloud computing, as well as the corresponding security measures. It discusses the threats and attacks that are most effective against cloud computing, such as data breach, data loss, and service traffic hijacking. The severity and impact of these attacks are discussed along with real-life examples. The paper also suggests mitigation techniques that can be used to reduce or eliminate the risk of the threats discussed. In addition, general cloud security recommendations are given.
Keywords: cloud, cloud computing, security, threats, attacks, SaaS, PaaS, IaaS.