Oct 20, 2015
A Secure Management Scheme Designed in Cloud

Peng-yu Wang, Department of Information Technology, HUAFU SECURITIES CO., LTD, Fuzhou, China, [email protected]

Ming-quan Hong, Forecast Center, Seismological Bureau of Fujian Province, Fuzhou, China, [email protected]

Abstract—At present, security has become an important issue in the field of cloud computing, and the importance and urgency of the problem cannot be ignored. The popularization and application of cloud computing has been a great challenge and opportunity in the field of information security in recent years, and cloud computing security has become a hot spot for technology and academic research in cloud computing. This paper aims to solve the problem of cloud security. According to the unique properties of cloud computing security, it proposes a secure management scheme for cloud computing. The scheme is used to detect hacker attacks, illegal operations, potential threats and other security events in time, based on big data. The scheme has three main sections, vulnerability scanning, system log collection and correlation analysis, which are briefly introduced and analyzed in this paper. Vulnerability scanning: Nikto, Sandcat or other security tools are used regularly to scan the cloud system for vulnerabilities, network security self-testing is carried out regularly, and an extremely detailed scan report is built. System log collection: Splunk, Nagios or other tools are used to collect the system log, and a detailed log report is built. Correlation analysis: correlation analysis or canonical correlation analysis is applied to the system log reports and the vulnerability scanning reports, so that an attacker's attack is found and the system issues a warning in time. Finally, the scheme was built in the company's test environment, the test environment was attacked by penetration testing that simulates hacking, and the feasibility and function of the scheme were verified by the testing.

Keywords—Cloud computing; Cloud security; Secure Management Scheme; Vulnerability scan; Correlation analysis

I. INTRODUCTION

Cloud computing [1][2] represents the trend towards intensive, large-scale and specialized development in the IT field and is bringing profound change to IT. While it improves work efficiency, it also brings great impact and challenge to the security and privacy protection of users' information assets. At present, security has become an important issue in the field of cloud computing, and the importance and urgency of the problem cannot be ignored. The popularization and application of cloud computing has been a great challenge and opportunity in the field of information security in recent years, and it will lead to another important technological change in the field of information security. This paper analyzes the challenges of cloud computing in the field of information security, such as technology, standards and supervision, and puts forward a cloud computing security management framework together with its main research contents and implementation methods. The main contributions of this paper are three: 1) a secure management scheme is proposed, and its framework is introduced in detail; 2) the working methods and procedures of the scheme are introduced in detail; 3) the effectiveness of the scheme is demonstrated through testing and experiment. The structure of the rest of this paper is as follows: the first part introduces the concept of cloud computing security and lists some of its features; the second part proposes the secure management scheme; the third part is the experiment; the last part is the summary.

II. CLOUD COMPUTING SECURITY CONCEPT

The National Institute of Standards and Technology (NIST) defines cloud computing as "a ubiquitous, convenient, on-demand network access model for shared resources (e.g., network, server, storage, application and service), which can be supplied and released with minimal management effort or interaction with service providers" [3]. Cloud computing and security are closely related, so the concept of cloud security was proposed. There is no clear definition of cloud security.
However, cloud security can be understood from two aspects. Firstly, cloud security often refers to the security of cloud computing itself [4][5]: cloud computing has its own security risks, so the corresponding protection measures and solutions, cloud computing security architecture, cloud computing security application services and data protection in the cloud computing environment must be studied, and the security of cloud computing is an important prerequisite for its healthy and sustainable development. Secondly, cloud security also refers to the application of cloud computing in the field of information security: the cloud computing architecture and the cloud service model are used to deliver security services or unified security monitoring and management at cloud scale. The CSA (Cloud Security Alliance) is a non-profit organization announced at the 2009 RSA conference and is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA's activities, knowledge and extensive network benefit the entire community impacted by cloud, from providers and customers to governments, entrepreneurs and the assurance industry, and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. CSA identified 15 focus areas of cloud computing security, gave specific recommendations for each area, and developed standards for the more important areas [6]. CSA also proposed a SecaaS (Software as a Service) framework, which provides a unified reference model for cloud computing security research [7]. Software as a service is a software licensing and delivery model in which software is licensed on a subscription basis and centrally hosted. It is sometimes referred to as "on-demand software". SaaS is typically accessed by users through a thin client such as a web browser. SaaS has become a common delivery model for many business applications, including office and messaging software, payroll processing software, DBMS software, management software, CAD software, development software, gamification, virtualization, accounting, collaboration, customer relationship management (CRM), management information systems (MIS), enterprise resource planning (ERP), invoicing, human resource management (HRM), talent acquisition, content management (CM), antivirus software, and service desk management. SaaS has been incorporated into the strategy of all leading enterprise software companies. The security consultancy Ponemon Institute also published a Cloud Computing Security Research Report [8], which details the possible security problems in cloud computing and the distribution of sources for each kind of problem. Cloud computing security research has become one of the hot research fields. T. Jaeger et al. give some suggestions on the security challenges and improvements of cloud computing [9]; although they do not introduce a specific technical implementation, they show what a study of cloud security needs to consider. Roschke et al. researched intrusion detection methods in the cloud environment [10]. Yong Xiao et al. put forward a trusted computing environment model in cloud architecture [11]. The security of community clouds was introduced in [12]. From the literature above, it can be seen that cloud computing security has become a hot spot for technology and academic research in cloud computing. Due to the unique properties of cloud computing, resource virtualization and service delivery, cloud computing security has some new features compared with traditional security:

- The traditional security boundary disappears. In traditional security, the boundary can be clearly defined by dividing security areas physically and logically. However, due to the use of virtualization technology and the multi-tenant model, the traditional physical boundaries are broken, and protection mechanisms based on a physical security boundary are difficult to apply in the cloud computing environment;

- Dynamic. In the cloud computing environment the number and classification of users vary, the change frequency is high, and users are dynamic and mobile, so security must be adjusted accordingly;

- Service security. Cloud computing uses interactive services, involving the design, development and delivery of services, and the entire life cycle of a service needs to be protected to ensure the availability and confidentiality of services;

- Data security. In cloud computing, data is not stored locally, so data encryption, data integrity, data recovery and other data security protection methods are more important for privacy and data security;

- Third-party supervision and audit. Under the cloud computing model the service provider has enormous power, so the user's rights may be difficult to guarantee; to ensure and maintain the balance between the user and the service provider, third-party supervision and audit are needed.

Because of these new features of cloud computing security, we propose a secure management scheme for cloud computing security.

III. SECURE MANAGEMENT SCHEME

The security management of a cloud computing system can address this problem by using the large amount of data the cloud produces. With the rapid development of the technology and tools needed for big data analysis, cloud computing security policy mainly covers the following aspects:

- Preventing APT (Advanced Persistent Threat) attacks. Using big data processing technology, and taking into account the concealment of APT attacks, their long-term latency and the uncertainty of attack paths and channels, a program with real-time detection capability and full-flow audit capability is designed to flag hidden virus applications;

- User access control. Cross-platform transfer of big data within a certain range brings inherent risk. Data and users are assigned different permission levels according to the sensitivity of the data and the different needs of users, and access permissions are strictly controlled. Moreover, unified single sign-on identity authentication and access control technology is used to strictly control user access and effectively ensure the safety of big data applications;

- Integrating tools and processes. Tools and processes are integrated to ensure that big data applications sit at the top of the big data system. At the same time, integration points are connected in parallel to the existing ones, and the output of the SIEM tool to the big data warehouse is reduced, to prevent exposure of preprocessed data sets through the algorithm and overflow processing;

- Real-time data analysis engine. The real-time data analysis engine combines multiple areas, such as cloud computing, machine learning, semantic analysis and statistics. Through the real-time data analysis engine, hacker attacks, illegal operations, potential threats and other security events are dug out as soon as they occur, and a warning response is issued.

According to the characteristics of the security policy, a security management scheme is designed. Firstly, the system is scanned for vulnerabilities regularly to obtain a large amount of security information, and the vulnerabilities are patched. Secondly, the system log is fully collected, and a large amount of log data is obtained. Finally, the security information and log files are analyzed in real time to detect hacker attacks, illegal operations, potential threats and other security events. The simple process flow of the security management scheme is shown in Fig. 1.

1) The cloud system is scanned using a vulnerability scanning tool (Nikto, Sandcat).
2) After the scan, the scan results are generated and processed into standardized log files.
3) Splunk, Nagios and other tools are used to collect the entire system log.
4) The log is processed in real time to generate the standard log file.
5) Correlation analysis of the big data is used to evaluate the safety of the system and detect security incidents.
6) If the analysis result is an anomaly (scanned or attacked), a warning is sent out.

Fig. 1 Process flow of security management scheme
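The flow in Fig. 1 can be made concrete with a small script. The following is an added example written for this page, not code from the paper or from the tools it names. It assumes a Nikto-style CSV scan report (host name, IP, port, reference, method, URI, message) and a syslog-like line layout, both constructed here as sample input. The two reports are normalized into one record shape (steps 2 and 4), then correlated (steps 5 and 6): a log event that touches a host and path the scan flagged, inside the most recent one-minute window, marks its source as suspicious, and a source that repeats such hits over a wider window is escalated to an alarm. The names `Finding`, `LogEvent`, `Alarm`, `parse_scan_csv`, `parse_syslog` and `correlate` are the example's own.

```python
"""Added example of the Fig. 1 flow: normalise a scan report and a system log into one
record shape, correlate them, and raise alarms. Not the paper's code; the input layouts
and every name below are assumptions made for this example."""
import csv
import io
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample scan output in a Nikto-style CSV layout (assumed columns:
# host name, IP, port, reference, HTTP method, URI, message). Not real scan data.
SCAN_CSV = '''\
"web01","10.35.100.233","80","OSVDB-3092","GET","/iishelp/","IIS help directory found (constructed)"
"web01","10.35.100.233","80","OSVDB-3233","GET","/icons/README","Apache default file found (constructed)"
"db01","10.35.100.230","2049","","","","NFS export world readable (constructed)"
'''

# Constructed syslog-like lines, layout "<ISO time> <host> <source>: <message>";
# httpd messages carry the client address, the request line and the status code.
SYSLOG = '''\
2015-10-20T07:40:10 10.35.100.233 httpd: 203.0.113.9 "GET /iishelp/ HTTP/1.1" 200
2015-10-20T07:43:25 10.35.100.233 httpd: 203.0.113.9 "GET /iishelp/iis/ HTTP/1.1" 404
2015-10-20T07:47:40 10.35.100.233 httpd: 203.0.113.9 "GET /iishelp/common/ HTTP/1.1" 404
2015-10-20T07:47:50 10.35.100.233 httpd: 198.51.100.7 "GET /icons/README HTTP/1.1" 200
2015-10-20T07:47:53 10.35.100.231 ESENT: event 103 database engine started
2015-10-20T07:48:05 10.35.100.233 httpd: 198.51.100.7 "GET /index.html HTTP/1.1" 200
'''

LINE_RE = re.compile(r'^(\S+) (\S+) (\w+): (.*)$')
HTTP_RE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3}) "(\w+) (\S+) HTTP/[\d.]+" (\d{3})$')


@dataclass(frozen=True)
class Finding:            # one standardised row of the scan report
    host: str
    port: int
    path: str             # URI prefix for HTTP findings, '' for everything else
    message: str


@dataclass(frozen=True)
class LogEvent:           # one standardised row of the system log
    time: datetime
    host: str
    source: str
    actor: str            # remote client address when the line carries one, else ''
    path: str             # requested URI when the line is an HTTP request, else ''
    raw: str


@dataclass(frozen=True)
class Alarm:
    actor: str
    host: str
    hits: int
    first_seen: datetime
    last_seen: datetime


def parse_scan_csv(text):
    """Scan report -> list of Finding (step 2 of Fig. 1)."""
    findings = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7:
            continue                                  # skip malformed rows
        _name, ip, port, _ref, _method, uri, message = row[:7]
        findings.append(Finding(ip, int(port), uri, message))
    return findings


def parse_syslog(text):
    """System log -> list of LogEvent (step 4 of Fig. 1)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                  # skip lines outside the layout
        stamp, host, source, rest = m.groups()
        actor, path = '', ''
        h = HTTP_RE.match(rest)
        if h:
            actor, path = h.group(1), h.group(3)
        events.append(LogEvent(datetime.fromisoformat(stamp), host, source, actor, path, line))
    return events


def correlate(findings, events, now=None, first_window=timedelta(minutes=1),
              confirm_window=timedelta(minutes=10), threshold=3):
    """Steps 5 and 6 of Fig. 1: returns (set of suspicious actors, list of Alarm).
    Stage 1 reads only the last `first_window` of log and marks the actor of any
    event that hits a flagged host/path.  Stage 2 re-reads `confirm_window` for each
    suspicious actor and raises an alarm once `threshold` matching events are seen."""
    if not events:
        return set(), []
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)

    def flagged(ev):      # HTTP findings only: path-prefix match on the same host
        return any(f.path and ev.path.startswith(f.path) for f in by_host.get(ev.host, ()))

    now = now or max(e.time for e in events)
    recent = [e for e in events if now - first_window <= e.time <= now]
    suspicious = {e.actor for e in recent if e.actor and flagged(e)}

    alarms = []
    for actor in sorted(suspicious):
        hits = [e for e in events
                if e.actor == actor and flagged(e) and now - confirm_window <= e.time <= now]
        if len(hits) >= threshold:
            alarms.append(Alarm(actor, hits[0].host, len(hits), hits[0].time, hits[-1].time))
    return suspicious, alarms


if __name__ == '__main__':
    susp, found = correlate(parse_scan_csv(SCAN_CSV), parse_syslog(SYSLOG))
    print('suspicious:', sorted(susp))
    for a in found:
        print(f'ALARM {a.actor} -> {a.host}: {a.hits} hits between {a.first_seen} and {a.last_seen}')
```

On the constructed input, both clients that touched flagged paths in the last minute are suspicious, but only 203.0.113.9, with three hits on the flagged IIS help directory over the wider window, becomes an alarm; 198.51.100.7 touched a flagged file once and stays at the suspicious level. The windows and threshold are tuning parameters, and the path-prefix match covers HTTP findings only, so the NFS row is parsed but never matched; a service-level matcher keyed on host and port would be needed for it.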

The structure of the security management scheme has three key points: 1) the accuracy and range of the vulnerability scan; 2) the precision and breadth of the log collection; 3) the design and implementation of the association analysis algorithm.

A. Vulnerability scan

Vulnerability scanning is an important network security technology. Together with a firewall and intrusion detection system, it can effectively improve the security of the network. Through network scanning, network administrators can understand the network security settings and the operation of application services, detect security vulnerabilities in time, and objectively assess the network risk level. Network administrators can then correct the vulnerabilities found by the scan and the errors in system settings before a hacker attacks. If the firewall and network monitoring system are passive means of defense, then security scanning is an active preventive measure that effectively prevents hacker attacks. Nikto [13], Sandcat [14] or other security tools are used regularly to scan the cloud system for vulnerabilities, network security self-testing is carried out regularly, and a very detailed scan report is built. Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files and HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be updated automatically. Sandcat Scanner is a powerful tool for security auditors and system administrators. Features such as SANS Top 20 scan, IDS test, and destructive/non-destructive scan are available from the user interface and as command line parameters, letting you work in the way you feel comfortable. Sandcat Scanner also scans for outdated server software.

B. System log collection

The system log records information about the hardware, software and system, and it can also be used to monitor events in the system. Administrators can check the cause of an error, or search for traces left by an attacker. System logs include system logs, application logs and security logs. Splunk [15], Nagios [16] or other tools are used to collect the system log, and log collection plays a decisive role in the follow-up analysis. Splunk captures, indexes and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards and visualizations. Splunk's mission is to make machine data accessible across an organization by identifying data patterns, providing metrics, diagnosing problems and providing intelligence for business operations. Splunk is a horizontal technology used for application management, security and compliance, as well as business and web analytics. As of early 2015, Splunk had over 9,000 customers worldwide. Nagios, an open-source computer software application, monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved. Nagios was originally designed to run under Linux, but it also runs well on other UNIX variants. It is free software licensed under the terms of the GNU General Public License version 2 as published by the Free Software Foundation.

C. Correlation analysis algorithm

Correlation analysis [17-20] is a simple and practical analytical technique used to find the relevance or correlation that exists in a large number of data sets and, at the same time, to describe the rules and patterns of certain attributes of a thing, that is, to find the hidden relationships between the items of a data set. Canonical correlation analysis (CCA) [21] is a classical tool in statistical analysis for finding the projections that maximize the correlation between two data sets. A generalization of CCA to several data sets is proposed in [22], which is shown to be equivalent to the classical maximum variance (MAXVAR) generalization proposed by Kettenring. The reformulation of this generalization as a set of coupled least squares regression problems is exploited to develop a neural structure for CCA. In particular, the proposed CCA model is a two-layer feedforward neural network with lateral connections in the output layer to achieve the simultaneous extraction of all the CCA eigenvectors through deflation. The CCA neural model is trained using a recursive least squares (RLS) algorithm. Finally, the convergence of the proposed learning rule is proved by means of stochastic approximation techniques, and its performance is analyzed through simulations. To improve the accuracy of the correlation analysis, the vulnerability scanning log and the system log can be analyzed using the eigenanalysis method [23]. At the same time, the speed of the correlation analysis can be improved using the method in [24]. Correlation analysis consumes a large amount of CPU performance; to avoid wasting CPU resources, an additional GPU can be used for the calculation and analysis. A system architecture with high-density general purpose graphics processing units (GPGPU) is emerging as a promising solution that can offer high compute performance and performance-per-watt for building cluster supercomputers. The raw compute power of these heterogeneous systems greatly exceeds that of the currently prevailing homogeneous systems, motivating their rapid adoption. These heterogeneous systems do, however, increase the complexity of developing parallel applications, and there is a need to investigate the compute performance and associated power consumption of common benchmarks and scientific computing applications [25]. Matrix multiplication (MM) is one of the core problems in the high performance computing domain, and its efficiency impacts the performance of almost all matrix problems [26]. Through correlation analysis or canonical correlation analysis applied to the system log and the vulnerability scanning log, the attacker's attack is found and the system issues a warning in time.
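The two-set CCA step that this section relies on can be written out in full. The derivation below is added for this page and is not taken from the paper or from [21][22]; it assumes column-centered feature matrices $X$ (built from the vulnerability scanning log) and $Y$ (built from the system log) with $n$ aligned rows, and the symbols $a$, $b$, $\Sigma$, $\lambda$ and $\rho$ are the example's own.

```latex
\text{Let } X \in \mathbb{R}^{n\times p},\; Y \in \mathbb{R}^{n\times q} \text{ be column-centered and set}
\quad \Sigma_{XX} = \tfrac{1}{n}X^{T}X,\quad \Sigma_{YY} = \tfrac{1}{n}Y^{T}Y,\quad
\Sigma_{XY} = \tfrac{1}{n}X^{T}Y = \Sigma_{YX}^{T}.

\text{CCA seeks } a \in \mathbb{R}^{p},\; b \in \mathbb{R}^{q} \text{ maximizing the correlation of the projections } Xa \text{ and } Yb:
\qquad \rho(a,b) = \frac{a^{T}\Sigma_{XY}b}{\sqrt{a^{T}\Sigma_{XX}a}\;\sqrt{b^{T}\Sigma_{YY}b}}.

\text{Since } \rho \text{ is invariant to rescaling } a \text{ and } b, \text{ impose } a^{T}\Sigma_{XX}a = b^{T}\Sigma_{YY}b = 1
\text{ and maximize } a^{T}\Sigma_{XY}b \text{ with the Lagrangian}
\qquad L = a^{T}\Sigma_{XY}b - \tfrac{\lambda_1}{2}\left(a^{T}\Sigma_{XX}a - 1\right) - \tfrac{\lambda_2}{2}\left(b^{T}\Sigma_{YY}b - 1\right).

\text{Stationarity in } a \text{ and } b \text{ gives}
\qquad \Sigma_{XY}b = \lambda_1 \Sigma_{XX}a, \qquad \Sigma_{YX}a = \lambda_2 \Sigma_{YY}b.

\text{Left-multiplying by } a^{T} \text{ and } b^{T} \text{ and using the constraints:}
\qquad \lambda_1 = a^{T}\Sigma_{XY}b = b^{T}\Sigma_{YX}a = \lambda_2 =: \lambda = \rho(a,b).

\text{Eliminating } b = \lambda^{-1}\Sigma_{YY}^{-1}\Sigma_{YX}a \text{ from the first condition:}
\qquad \Sigma_{XX}^{-1}\Sigma_{XY}\Sigma_{YY}^{-1}\Sigma_{YX}\,a = \lambda^{2} a.

\text{So the first canonical pair } (a_1, b_1) \text{ comes from the leading eigenvector, with } \rho_1 = \sqrt{\lambda_{\max}},
\text{ and the } k\text{-th pair from the } k\text{-th eigenvector under } a_k^{T}\Sigma_{XX}a_j = 0,\; b_k^{T}\Sigma_{YY}b_j = 0 \;(j<k),
\text{ which is what sequential deflation enforces.}
```

In the scheme, a large $\rho_1$ means that variation in the scan-derived features (for example, which flagged hosts and services exist) moves together with variation in the log-derived features (for example, how often those hosts and services are hit in each window); the direction $a_1$ shows which scan findings carry that relationship and $b_1$ which log features respond to them. The MAXVAR generalization in [22] extends the same objective to more than two sets, which is what allows the scan log, the system log and further sources to be analyzed jointly.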

The security management scheme will consume some of the system's performance, and more so as its functions become more powerful and complete. But the growth of system performance is much greater than what the scheme consumes. Enterprise computing component trends are described in [27]: the main components of a server are the CPU, memory, interconnects and local storage. Moore's law and the history of CPU evolution indicate two trends: higher performance CPUs and a higher level of System on Chip (SoC) integration. The higher performance CPU trend suggests a higher core count, cache capacity and perhaps clock rate. For instance, the top-bin Ivy Bridge CPU has 50% more cores and 50% more cache than the prior generation Sandy Bridge. Tick-Tock is a widely known processor development model: Tick advances manufacturing technology, such as introducing 3D tri-gate transistors with 22nm fab technology, and Tock brings a new processor microarchitecture with features such as video transcoding, encryption and decryption. A conservative extrapolation suggests that by 2020 the mainstream mid-bin general purpose CPU will have 40 cores and 60MB of cache. So the performance consumed by the scheme can be ignored in the future.

IV. EXPERIMENTS AND CONCLUSIONS

To test the function and performance of the whole scheme, the scheme was built in the company's test environment. There are 136 virtual machines in the test environment, and they make up a private cloud. The private cloud connects to the Internet through an enterprise firewall. Apache servers, Tomcat servers, database servers and application servers are in the private cloud. The test of the scheme was carried out in the private cloud. Firstly, we scanned the entire cloud and all the applications, obtained a very detailed vulnerability scanning report, and tabulated it. The report shows 136 host computers, 149 security vulnerabilities, 178 security warnings and 497 security tips. Part of the report is shown in Table I.

TABLE I. SCANNING RESULT

Host            OS         Content                            Type
10.35.100.230   Linux      PORT/TCP: 21, 22, 111, 445, 2049   Vulnerability
10.35.100.250   Cisco OS   PORT/TCP: 23                       Vulnerability
10.35.100.231   Windows    netbios-ssn (139/tcp)              Vulnerability
10.35.100.231   Windows    RPC/nfs (2049/udp)                 Tip
10.35.100.233   Windows    IIshelp                            Warning

Second, we collected the log files of the system every minute. These log files include the system's log files, the application's log files and the network devices' log files, organized into a unified format. Part of the log is shown in Table II.

TABLE II. SYSTEM LOG

Host            Date                 Source   Event ID
10.35.100.231   2015/10/20 7:47:53   ESENT    103
10.35.100.231   2015/10/20 7:47:53   ESENT    327
10.35.100.231   2015/10/20 7:47:53   ESENT    326
10.35.100.231   2015/10/20 7:47:53   ESENT    105

Finally, the vulnerability scanning log and the system log were analyzed together by correlation analysis. To guarantee the speed of analysis, the last one minute of system log is analyzed first. If suspicious behavior is found, more of the system log is used to determine whether the suspicious behavior is an attack. We used penetration testing tools to simulate hacker attacks; the experimental results are shown in Table III.

TABLE III. EXPERIMENTS RESULT

Tools                  Attack Times   Alarm Times   Alarm Rate (%)
IBM Rational AppScan   100            80            80
Sql2                   100            83            83
Domain3.6              100            84            84
X-Scan                 100            91            91
Nmap                   100            91            91

From the results of the experiment, the whole scheme works normally and finds most of the attacks. However, it cannot discover 100% of the attack behavior. In the experiment, the design of the correlation analysis algorithm and rules had a great influence on the results, and the design of the correlation analysis is the core of the whole scheme.

V. SUMMARY

The design of the entire security management scheme is based on the analysis of big data: the vulnerability scanning results and the system log of the cloud system are collected and analyzed to identify potential hazards and hacker attacks and to issue security alerts. Therefore, vulnerability scanning, log collection and correlation analysis are the core parts of the overall security management scheme, and the design quality of these three parts directly affects the effect of the entire scheme. In future work, the three components and the functions of the security management scheme will be improved to increase the accuracy of detection of potential security risks and attacks.

VI. REFERENCES

[1] Marinos A, Briscoe G. Community cloud computing [M]. Cloud Computing. Springer Berlin Heidelberg, 2009: 472-484.
[2] Armbrust M, Fox A, Griffith R, et al. A view of cloud computing [J]. Communications of the ACM, 2010, 53(4): 50-58.
[3] Mell P, Grance T. The NIST definition of cloud computing [J]. 2011.
[4] Carlin S, Curran K. Cloud computing security [J]. 2011.
[5] Jamil D, Zaki H. Cloud computing security [J]. International Journal of Engineering Science and Technology, 2011, 3(4).
[6] Alliance C. Security guidance for critical areas of focus in cloud computing v3.0 [J]. Cloud Security Alliance, 2011.
[7] Hussain M, Abdulsalam H. SECaaS: security as a service for cloud-based applications [C]. Proceedings of the Second Kuwait Conference on e-Services and e-Systems. ACM, 2011: 8.
Ponemon Institute. Security of Cloud Computing Providers Study (Research Report). April 2011.
[8] Jaeger T, Schiffman J, et al. Outlook: Cloudy with a Chance of Security Challenges and Improvements. IEEE Security & Privacy, 2010, 8(1): 77-80.
[9] Roschke S, Feng Cheng, Meinel C. Intrusion Detection in the Cloud. Dependable, Autonomic and Secure Computing, 2009: 729-734.
[10] Xiao-Yong Li, Li-Tao Zhou, Yong Shi, Yu Guo. A trusted computing environment model in cloud architecture. Machine Learning and Cybernetics (ICMLC), 2010 International Conference on, Volume 6, 2010: 2843-2848.
[11] Baiardi F, Sgandurra D. Securing a Community Cloud. Distributed Computing Systems Workshops (ICDCSW), 2010: 32-41.
[12] Li H C, Liang P H, Yang J M, et al. Analysis on cloud-based security vulnerability assessment [C]. E-Business Engineering (ICEBE), 2010 IEEE 7th International Conference on. IEEE, 2010: 490-494.
[13] Nikto, https://cirt.net/nikto2-docs/
[14] Sandcat, http://www.syhunt.com/?n=Sandcat.Sandcat
[15] Carasso D. Exploring Splunk [J]. Published by CITO Research, New York, USA, ISBN, 2012: 978-0.
[16] Barth W. Nagios: System and network monitoring [M]. No Starch Press, 2008.
[17] Cohen J, Cohen P, West S G, et al. Applied multiple regression correlation analysis for the behavioral sciences [M]. Routledge, 2013.
[18] Hansch C, Leo A. Substituent constants for correlation analysis in chemistry and biology [M]. Wiley, 1979.
[19] Hardoon D R, Szedmak S, Shawe-Taylor J. Canonical correlation analysis: An overview with application to learning methods [J]. Neural Computation, 2004, 16(12): 2639-2664.
[20] Shorter J. Correlation analysis of organic reactivity, with particular reference to multiple regression [M]. John Wiley & Sons Incorporated, 1982.
[21] Thompson B. Canonical correlation analysis [J]. Encyclopedia of Statistics in Behavioral Science, 2005.
[22] Vía J, Santamaría I, Pérez J. A learning algorithm for adaptive canonical correlation analysis of several data sets [J]. Neural Networks, 2007, 20(1): 139-152.
[23] Patterson N, Price A L, Reich D. Population structure and eigenanalysis [J]. 2006.
[24] Zhang P, Gao Y, Fierson J, et al. Eigenanalysis-based task mapping on parallel computers with cellular networks [J]. Mathematics of Computation, 2014, 83(288): 1727-1756.
[25] Gao Y, Iqbal S, Zhang P, et al. Performance and Power Analysis of High-Density Multi-GPGPU Architectures: A Preliminary Case Study [C]. High Performance Computing and Communications (HPCC), 2015 IEEE 7th International Symposium on Cyberspace Safety and Security (CSS), 2015 IEEE 12th International Conference on Embedded Software and Systems (ICESS), 2015 IEEE 17th International Conference on. IEEE, 2015: 66-71.
[26] Zhang P, Gao Y. Matrix Multiplication on High-Density Multi-GPU Architectures: Theoretical and Experimental Investigations [J].
[27] Fang Y, Gao Y, Stap C. Future Enterprise Computing Looking into 2020. Frontier and Innovation in Future Computing and Communications, 2014: 127-134.