
I. J. Computer Network and Information Security, 2017, 4, 10-21
Published Online April 2017 in MECS (http://www.mecs-press.org/)
DOI: 10.5815/ijcnis.2017.04.02

Anomaly Detection System in Secure Cloud Computing Environment

Zhengbing Hu
School of Educational Information Technology, Central China Normal University, Wuhan, China
E-mail: [email protected]

Sergiy Gnatyuk, Oksana Koval, Viktor Gnatyuk and Serhii Bondarovets
National Aviation University, IT-Security Academic Dept, Kyiv, Ukraine
E-mail: [email protected], [email protected], [email protected], [email protected]

Abstract—Continuous growth in the use of information technologies in the modern world causes a gradual accretion of the amounts of data circulating in information and telecommunication systems. That creates an urgent need for large-scale data storage and accumulation areas and generates many new threats that are not easy to detect. The task of accumulation and storage is solved by data centers – tools which are able to provide and automate any business process. For now, almost all service providers use a quite promising technology of building data centers – Cloud Computing, which has some advantages over its traditional opponents. Nevertheless, the problem of the provider's data protection is so huge that the risk of losing all your data in the "cloud" is almost constant. It causes the necessity of processing great amounts of data in real time and quick notification of possible threats. Therefore, it is reasonable to implement in the data center's network an intellectual system which will be able to process large datasets and detect possible breaches. Usual threat detection methods are based on signature methods, the main idea of which is comparing the incoming traffic with databases of known threats. However, such methods become ineffective when the threat is new and has not been added to the database yet. In that case, it is preferable to use intellectual methods that are capable of tracking any unusual activity in a specific system – anomaly detection methods. However, a signature module will detect known threats faster, so it is logical to include it in the system too. Big Data methods and tools (e.g. distributed file system, parallel computing on many servers) will provide the speed of such a system and allow processing data dynamically. This paper aims to demonstrate the developed anomaly detection system in a secure cloud computing environment, show its theoretical description and conduct appropriate simulation. The results demonstrate that the developed system provides a high percentage (>90%) of anomaly detection in a secure cloud computing environment.

Index Terms—Anomaly Detection, Big Data, Information Security, Data Analysis, Machine Learning, Signature Detection, Data Center, Cloud Computing, Vulnerability, Security, Technology Architecture, Threat Model.

I. INTRODUCTION

Anomaly detection is one of the most important concepts of data analysis. An information object is considered an anomaly if it differs significantly from normal data behavior in some sphere. In general, it means that the object is not like the others in a particular data array [1]. It is important to detect these objects in order to consider them from a different angle and use other detection methods. During the anomaly detection process researchers deal with the following problems: determining a normal area that can be presented in an adequate form is often a difficult task; the boundary between normal and anomalous behavior is not always clear; exact anomaly detection differs depending on the field of application; availability of relevant data for training or checks; data can contain noise; normal behavior is dynamic and constantly evolving.

Anomaly detection methods are widely used in the following areas: cloud computing environments, fraud detection in banking and mobile areas, monitoring of information systems hardware, network intrusion detection systems, processing CCTV images, detection of suspicious web sites, etc.

From this point of view, the aim of this paper is to develop an anomaly detection system in a secure cloud computing environment. To achieve this aim the following tasks should be solved:

• Developing a secure cloud data center model;
• Developing an anomaly detection system for a Cloud Computing protected environment;
• Big Data concept analysis;
• Experimental research of the anomaly detection module in the developed system for a Cloud Computing secure environment.

Copyright © 2017 MECS I.J. Computer Network and Information Security, 2017, 4, 10-21

II. THE ANALYSIS OF EXISTING RESEARCH AND PROBLEM DEFINITION

In order to solve the problems described in Section I it is necessary to analyze the following issues: modern types of data centers; Cloud Computing technology; modern data center models; the Big Data conception; anomaly detection methods.

A. Modern Type of Data Centers

Today data centers provide a large number of services, whose specifics depend on the data center type. There are several types of data centers [25, 27, 29]: private cloud providers; scientific computing centers; co-location data centers; in-house data centers; wholesale data centers; dedicated hosting; shared hosting; managed hosting.

An important data center characteristic is its set of components, namely the Tier, which is an attribute of what it can offer to the customer, for example, physical infrastructure, cooling system, supply system and expected uptime level. All these characteristics define the redundancy of all infrastructures. There are four data center tiers, each of which includes the previous one and has a higher uptime level [10, 12].

Co-operation between data center components depends on its architecture. A typical architecture includes a utility system, a security system, IT infrastructure and a monitoring system that controls the other systems [24].

The general specification of data center tiers is shown in Table 1.

Table 1. Data Center Tiers

Tier 1 | Non-redundant capacity components (single uplink and servers)
Tier 2 | Tier 1 + Redundant capacity components
Tier 3 | Tier 1 + Tier 2 + Dual-powered equipment and multiple uplinks
Tier 4 | Tier 1 + Tier 2 + Tier 3 + all components are fully fault-tolerant including uplinks, storage, chillers, HVAC systems, servers etc. Everything is dual-powered

A multilevel approach is a basic aspect of data center design, because it improves scalability, performance, flexibility, resiliency, and maintenance [8]. Designing a flexible architecture that has the ability to support new applications in a short time can lead to a significant competitive advantage. Such a design requires solid initial planning and thoughtful consideration in the areas of port density, access layer uplink bandwidth, true server capacity, and oversubscription [9]. Fig. 1 shows the basic layered design.

Fig.1. Basic Layered Design

B. Cloud Computing Technology

In fact, Cloud Computing is the provision of on-demand computing resources (everything from applications to data centers) to customers over the Internet with Internet-based payment [5]. Cloud Computing exhibits the following key characteristics [23]: on-demand self-service; broad network access; resource pooling; rapid elasticity; measured service.

NIST's definition of cloud computing defines the service models as follows [26].

Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure [18].

Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider [16].

Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.

Moreover, there are various cloud computing deployment models:

1) Private Cloud is infrastructure operated solely for a single organization, whether managed internally or by a third party, and hosted either internally or externally [20];
2) Public Cloud is when the services are rendered over a network that is open for public use [6];
3) Hybrid Cloud is a composition of two or more clouds (private, community or public) that remain distinct entities but are bound together, offering the benefits of multiple deployment models [13].

Requirements for information security in "cloud" data centers are based on the reference model architecture described in "Security Recommendations for Cloud Computing Providers (CPS)" by the German Federal Agency for Information Security (BSI). This reference architecture (Fig. 2) approximately indicates components common to many cloud computing platforms [11, 17, 19, 28].


Fig.2. Reference Architecture for Cloud Computing Platform

C. Modern Data Center Models

Table 2 shows a comparative analysis of data center models in terms of architecture and information security.

Table 2. Analysis of the Known Implemented Data Centers Models

Data center model | Technology | Set of components | C | I | A | Lack of vulnerabilities
Volia Data Center | SaaS | Tier 2/Tier 3 | + | ? | + | –
Data Center DataGroup | SaaS | Tier 3 | ? | + | + | –
BEMOBILE | SaaS | Tier 3 (communication Tier 4) | + | + | + | –
Amazon Data Center | SaaS, PaaS, IaaS | Tier 4 | + | ? | + | –
Google Data Center | SaaS, PaaS, IaaS | Tier 3+ | ? | ? | ? | –
Yandex Data Center | SaaS | Tier 3 | + | ? | + | ?
Tulip Data Center | IaaS | Tier 3+ | + | + | + | +
Lakeside Tech. Center | IaaS | Tier 4 | ? | + | + | ?
Microsoft Data Center | SaaS, PaaS | Tier 4 | + | ? | + | –
Range International IG | PaaS, IaaS | Tier 4 | ? | ? | + | ?
Switch Super NAP | SaaS, IaaS | Tier 3/Tier 4 | + | + | + | ?
DuPont Fabros Tech. | SaaS, PaaS, IaaS | Tier 4 | + | ? | + | +
Utah Data Center | SaaS | Tier 3/Tier 4 | ? | ? | ? | –

Symbolic notation: "+" – matches the criterion; "–" – no compliance with the criterion; "?" – lack of information in open sources; C – confidentiality; I – integrity; A – availability.

All studied data centers in Table 2 are built on one or combine several technologies (service models). The set of components corresponds to the highest Tier levels, which means that the infrastructures are almost or completely failsafe, support systems have backup components, and the expected uptime is more than 99%.

The monitoring and data protection systems of each data center were analyzed, and as shown in Table 2 only three data centers have reliable and official data related to information security (BEMOBILE, Tulip Data Center and Switch Super NAP).

The absence of known vulnerabilities is also an important criterion [7, 24]. According to Table 2, for almost all data centers different incidents were recorded, from a powerful lightning strike on the building of the data center to multiple network attacks. The only data centers for which vulnerabilities were not detected (or information about them is hidden) are Tulip Data Center and DuPont Fabros Technology.

D. Anomaly Detection Methods

The analysis of modern anomaly detection methods allowed comparing them (Table 3) by the following criteria [3]:

• Low demand on computing resources (LDCR);
• Lack of need for a particular data distribution (LNDD);
• Simplicity of implementation (SI);
• Little amount of false positives (LAFPR);
• Unsupervised learning (UL).

According to the analysis, the Decision Tree method is one of the best bases for developing an anomaly detection system.

However, the drawbacks common to all of the above methods are the following:

• Unprotected state of the information system while the anomaly detection system is learning and building the normal profile;
• If malicious activity corresponds to the normal profile, there will be no alert about an anomaly;
• High false-positive rate;
• Notifications and warnings about anomalies may contain insufficient information for further analysis because of the aggregation of a big amount of data and abstraction from particular information when moving to mathematical modeling [2].

Signature databases do not manage to update in time; that is why we propose to use a system which combines detection of new anomalies and tracking of existing ones, using signature methods and available databases. To increase the speed of such a system, it is recommended to use Big Data methods and instruments.


Table 3. Multicriterial Analysis of Modern Anomaly Detection Methods

Method | LDCR | LNDD | SI | LAFPR | UL
Neural networks | + | + | +/– | + | –
Bayesian networks | + | + | +/– | + | –
Support Vector Machine | + | + | +/– | + | –
Decision Tree | + | + | + | + | –
K-nearest neighbor | – | +/– | + | +/– | +
Relative density | – | +/– | + | +/– | +
Clusterization | +/– | + | + | – | +
Parametric methods | + | – | – | +/– | +
Non-parametric methods | + | – | – | +/– | +
Kolmogorov complexity | +/– | + | +/– | +/– | +
Entropy | +/– | + | +/– | +/– | +
PCA | – | +/– | +/– | +/– | +

III. THE PROPOSED SOLUTION

The research proposes an anomaly detection system in a secure cloud computing environment. The designed system consists of a secure cloud data center model in which an anomaly detection system based on the Big Data concept was implemented.

A. Development of the secure data center model based on Cloud Computing

The first stage of model development is using a technological architecture that includes three main "building" blocks.

1) 10 Gigabit Ethernet

A cloud data center is designed with a high density of virtual machines coupled with a high processor core count. From a networking perspective, the increase in virtual machine and processor core density promotes a transition to 10 Gigabit Ethernet as the required mechanism for attaching servers. Specific benefits include: real-time policy-based configuration; mobile security and network policy; a nondisruptive management model, aligning management and operations environments for virtual machines and physical server connectivity in the data center.

2) Unified Fabric

This block gives all servers (physical and virtual) access to the LAN, SAN, and IPC networks, allowing more to be consolidated in the customer's network for greater efficiency and cost savings.

3) Unified Computing

It enables a fully virtualized cloud data center with pools of computing, network, and storage resources. Unified Computing bridges the silos in the classic data center, enabling better utilization of infrastructure in a fully virtualized environment, and creates a unified architecture using industry-standard technologies that provide interoperability and investment protection.

Fig. 3 shows the technological architecture, which represents a next-generation data center based on cloud computing. The diagram shows only examples of blocks for the data center. Overall, the architecture includes not only structural components but is also governed by different types of service and regulatory requirements.

There are 9 network layers in the architecture (Fig. 3): application software; virtual machine, VSwitch; storage, SAN; compute; access; aggregation; core; peering; IP-NGN backbone.

Each layer is connected to the previous one with a specific connection type. From the application software layer to the Virtual machine & VSwitch layer there is an App to HW/VM connection type. Then application data comes to the distributed virtual switches (VSwitch).

After that, data from the SAN and application data from the VSwitch are transferred to the computing layer via 4G FC (Fibre Channel) and VSwitch to HW. The computing result is transferred to the access layer via 4G FC, 10G FCoE (Fibre Channel over Ethernet) and 1G Ethernet, and after that the data is transmitted to the aggregation layer via 10G Ethernet. On this layer it is possible to control applications and services and establish firewall services (IDS, SSL, anti-DDoS).

The next layer is the core, where procedures of global positioning and intrusion detection are also applied. The peering layer is responsible for secure domain routing. The last layer is the Internet, where a 10G Ethernet connection is used.

Along with the technological architecture of data centers, an important place is also occupied by the question of confidence in the cloud computing infrastructure model. Fig. 4 shows the structure of the secure cloud data center from the perspective of security, for example the threat model and the measures to be taken to minimize risks. The structure also represents full control, compliance and SLA.


Fig.3. Technology Architecture of Data Center Based on Cloud Computing

The main idea of this model is that information security should not be a secondary part of overall security. It must be applied and implemented at all levels of the architecture.

Fig.4. Structure of Secure Data Center Based on Cloud Computing

Construction of the secure cloud data center architecture includes the implementation of six security levels: 1) Physical Protection; 2) Server Protection; 3) Data Protection; 4) Protection of Applications and Platforms; 5) Network Security; 6) Secure Encryption System and Key Management System.

Fig. 5 shows the relation between the levels of cloud data center protection and their interaction.

Fig.5. Levels of Secure Cloud Data Center Architecture from the Perspective of Information Security

B. Anomaly detection system based on Big Data

It is proposed to implement the anomaly detection system based on the Big Data concept using data center resources. The common structure of such a system is shown in Fig. 6. Input data arrives at two modules in parallel, then a Master Node starts working in each of them, distributing load between Slaves, where the two-step MapReduce method is implemented. The output is useful data, which is checked against conditions, resulting in either normal data, a classified threat, or unknown activity. The hybrid system logic is presented in Table 4.


Table 4. Common Hybrid System Logic

Anomaly Detection | Misuse Detection | Explanation
0 | 0 | Normal data
1 | 0 | Threat detected. Check
0 | 1 | Threat detected and classified
1 | 1 | Threat detected and classified

As the Misuse Detection module it is recommended to use the open-source application Snort, which works on both Windows and Linux operating systems.

Snort is an intrusion detection system (IDS) which is an extremely powerful tool, even compared with commercial IDS. Many users share their security rules in the Snort community, which is useful when it is necessary to have the most recent rules.

Snort can be used in 4 modes:

• Sniffer mode – reading network traffic and displaying it on the screen;
• Packet logger mode – writing network traffic to a file;
• IDS mode – network traffic that corresponds to a rule is written;
• IPS mode – a modified version of the previous mode. It accepts packets from the firewall, compares them with the signature rules and marks them as "Discard" if they match a rule [22].

We use the Decision Tree method as the Anomaly Detection module, which is based on building a "decision tree". That tree contains nodes (internal and terminal) and branches. Internal nodes are the ones that split into two children. Each internal node corresponds to one of the input features; there are edges to children for each of the possible values of that input feature.

A terminal node has a class label associated with it, such that observations that fall into that particular terminal node are assigned to that class. To use a decision tree, a feature vector is presented to the tree. If the value of a feature is less than a defined number, then the decision moves to the left child. Otherwise it moves to the right one.

The process continues until it reaches one of the terminal nodes, and the class label that corresponds to that terminal node is the one assigned to the pattern.

Decision tree induction algorithms function recursively:

• First, a feature must be selected as the root node;
• In order to create the most efficient (the smallest) tree, the root node must effectively split the data. Each split attempts to pare down a set of instances (the actual data) until they all have the same classification. The best split is the one that provides what is termed the most information gain.

The tree grows by recursively splitting each node using the feature which gives the best information gain until the leaf is consistent.

Fig.6. Hybrid Anomaly Detection System Structure (input data feeds the Misuse Detection and Anomaly Detection branches in parallel; each branch runs Master Node, Slaves, Map(), Reduce(), Useful Data and a "Normal Data?" check, leading to Known Threat / Data is normal / Unknown Threat)


The next four steps are used to calculate the information gain:

1. Calculate the entropy at node A (Fig. 7):

Fig.7. Model Example (node A split into child nodes a and b)

$$H(S) = -\frac{M}{M+N}\log_2\frac{M}{M+N} - \frac{N}{N+M}\log_2\frac{N}{N+M},$$

where M – quantity of anomaly data in the node A, N – quantity of normal data in the node A, H(S) – value of the entropy before the split.

2. The data set is split into two branches by some feature; the entropy for each branch is calculated:

$$H_a = H(m, n);$$

$$H_a = -\frac{m}{m+n}\log_2\frac{m}{m+n} - \frac{n}{n+m}\log_2\frac{n}{n+m},$$

$$H_b = H(M-m, N-n),$$

$$H_b = -\frac{M-m}{(M-m)+(N-n)}\log_2\frac{M-m}{(M-m)+(N-n)} - \frac{N-n}{(N-n)+(M-m)}\log_2\frac{N-n}{(N-n)+(M-m)},$$

where m – quantity of anomaly data in the node a, n – quantity of normal data in the node a.

3. The entropy for each branch is added proportionally to get the total entropy for the split:

$$H(S|A) = P_a \cdot H_a + P_b \cdot H_b,$$

$$H(S|A) = \frac{m+n}{M+N}\cdot H_a + \frac{(M-m)+(N-n)}{M+N}\cdot H_b,$$

where P_a – ratio between the quantity of node a's elements and the quantity of node A's elements, P_b – ratio between the quantity of node b's elements and the quantity of node A's elements.

4. The resulting entropy is subtracted from the entropy before the split and the result is the information gain, or decrease in entropy:

$$I.G.(S, A) = H(S) - H(S|A).$$

Decision tree is a greedy algorithm that grows the tree top-down. At each node it selects the feature that best classifies the local training samples. This process continues until the tree perfectly classifies the training samples, or all features have been used [2].

C. Big Data concept

To process big amounts of data, a set of special methods is used. One of the examples is MapReduce [1]. MapReduce is a software framework for distributed computing which uses the "divide and conquer" method for splitting difficult big data problems into small blocks of work and processing them in parallel.

MapReduce contains two steps. Step "Map": data from the master node is split into a great number of smaller subproblems. Worker nodes process some subsets under the JobTracker's control and save the result in the local file system. Step "Reduce": analyses and performs the merge operation on the input data from the previous step. A large number of Reduce steps is possible in order to execute the merge processes in parallel, so these tasks are also performed on worker nodes under the JobTracker's control.

Another method is Hadoop. Hadoop contains a distributed file system; platforms for data analysis and storage; a parallel computing management level; configuration administration.

One more utility is Apache Spark. Spark is a cluster-computing engine which provides extremely fast data processing and reliability. It has software interfaces based on different programming languages: Java, Python, and Scala.

It supports in-memory computing, which allows accessing data and processing requests much faster compared to disk-based systems (i.e. Hadoop).

In general, Spark is a progressive and very useful update for Hadoop, aimed at improving real-time analysis. The main advantages of Apache Spark:

• The fastest engine for processing big arrays of data;
• Worker processes are identified MapReduce-style, which simplifies its implementation alongside Hadoop;
• Simple installation;
• Spark is written in Scala, a modern object-oriented programming language which has many resources and an active community;
• Many platforms support Spark and its technology stack (MapR, Cloudera, Databricks);
• Spark's reliability is proved by Intel's recommendation to use it in healthcare solutions;
• One of the most used Spark features is the capability to consolidate data sets from a few incompatible sources [8].
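As an added example (not code from the paper or its authors), the following Python puts the Decision Tree anomaly module of Section III.B and the four information-gain steps above into working form, using the paper's symbols M, N, m, n, and finishes with the Table 4 hybrid verdict. The feature vectors, thresholds and labels are constructed for illustration, not KDDCup99 data.

```python
"""Added example (not from the paper): the decision-tree anomaly module of
Section III.B built with the four-step information gain of steps 1-4, plus the
Table 4 hybrid verdict. Symbols follow the paper: node A holds M anomaly and
N normal records; a split sends m anomaly / n normal records to child a and
the remaining (M-m, N-n) to child b. The training data is constructed."""
import math

# Constructed records: (duration_s, bytes, failed_logins) -> label,
# 1 = anomaly, 0 = normal. Invented for illustration, not KDDCup99.
TRAIN = [
    ((0.1, 300, 0), 0), ((0.2, 450, 0), 0), ((0.1, 520, 1), 0),
    ((0.3, 410, 0), 0), ((0.4, 380, 0), 0),
    ((5.0, 20, 6), 1), ((4.2, 15, 7), 1), ((6.1, 30, 5), 1),
    ((0.2, 90000, 0), 1), ((0.2, 95000, 1), 1),
]

def entropy(anomalies, normals):
    """Step 1: H(S) = -M/(M+N) log2 M/(M+N) - N/(M+N) log2 N/(M+N)."""
    total = anomalies + normals
    if total == 0:
        return 0.0
    h = 0.0
    for count in (anomalies, normals):
        if count:                      # 0 * log2(0) is taken as 0
            p = count / total
            h -= p * math.log2(p)
    return h

def information_gain(M, N, m, n):
    """Steps 2-4: H_a, H_b, then H(S|A) = P_a*H_a + P_b*H_b, IG = H(S) - H(S|A)."""
    h_s = entropy(M, N)
    h_a = entropy(m, n)                # branch a
    h_b = entropy(M - m, N - n)        # branch b
    p_a = (m + n) / (M + N)
    p_b = ((M - m) + (N - n)) / (M + N)
    return h_s - (p_a * h_a + p_b * h_b)

def counts(rows):
    """(M, N) for a set of (features, label) rows."""
    M = sum(label for _, label in rows)
    return M, len(rows) - M

def best_split(rows):
    """Greedy choice of (gain, feature, threshold) with the largest gain;
    candidate thresholds are midpoints between neighbouring feature values."""
    M, N = counts(rows)
    best = (0.0, None, None)
    for f in range(len(rows[0][0])):
        values = sorted({x[f] for x, _ in rows})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            m, n = counts([(x, y) for x, y in rows if x[f] < thr])
            gain = information_gain(M, N, m, n)
            if gain > best[0]:
                best = (gain, f, thr)
    return best

def build_tree(rows, depth=0, max_depth=8):
    """Top-down induction: stop when the node is pure, no split helps, or
    the depth cap is hit (the cap guards against noisy, non-separable data)."""
    M, N = counts(rows)
    if M == 0 or N == 0 or depth >= max_depth:
        return {"label": 1 if M >= N else 0}
    gain, f, thr = best_split(rows)
    if f is None or gain <= 0:
        return {"label": 1 if M >= N else 0}
    left = [(x, y) for x, y in rows if x[f] < thr]    # "less than" -> left child
    right = [(x, y) for x, y in rows if x[f] >= thr]
    return {"feature": f, "threshold": thr,
            "left": build_tree(left, depth + 1, max_depth),
            "right": build_tree(right, depth + 1, max_depth)}

def predict(tree, x):
    """Walk from the root to a terminal node and return its class label."""
    while "label" not in tree:
        tree = tree["left"] if x[tree["feature"]] < tree["threshold"] else tree["right"]
    return tree["label"]

def hybrid_verdict(anomaly, misuse):
    """Table 4: combine the Anomaly Detection and Misuse Detection outputs."""
    if misuse:
        return "Threat detected and classified"
    if anomaly:
        return "Threat detected. Check"
    return "Normal data"

if __name__ == "__main__":
    tree = build_tree(TRAIN)
    for x, y in TRAIN:
        print(x, "anomaly" if predict(tree, x) else "normal", "(label", y, ")")
    # an unseen record with no signature hit: anomaly branch only -> "Check"
    print(hybrid_verdict(anomaly=predict(tree, (7.0, 10, 9)), misuse=0))
```

On the constructed set the root split is on duration, and the remaining mixed node is then separated on bytes, so every training record lands in a pure leaf.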


IV. SIMULATION AND RESULT

In this section, several experiments are carried out on the developed system to check the security level and to check the classification effectiveness of the chosen anomaly detection method.

A. Experiment 1

The aim of the experiment: check the security level of the cloud data center.

CloudSim simulation system

The CloudSim platform is a generic and scalable simulation tool that allows complete modeling and simulation of cloud computing systems and infrastructures, including the construction of cloud data centers. It is an extension of the basic functionality of the GridSim platform, enabling simulation of data stores, web services, and the distribution of resources among virtual machines.

The model of the secure data center is implemented on the CloudSim platform as follows:

1) Set-up of service and Internet providers for data storage and use of cloud services in the cloud computing environment;
2) Launch of the time analysis and resource usage module;
3) Use of a heuristic algorithm for task scheduling and real-time modeling;
4) Effective provision of resources and measurement of productivity on the basis of the algorithm;
5) CloudSim uses Green Computing, which allows achieving energy efficiency and power utilization;
6) An important place is taken by hypervisor security in the cloud;
7) Inclusion of cloud computing security modules by using simulation tools for distributed denial attack infrastructure and an impact analysis tool for DDoS attacks;
8) Use of the hierarchical data center model proposed in 2.1 by phased connection of the different layers of the architecture;
9) Application of security policies, from protected virtual machine policy to the location monitoring system.

Table 5 shows the characteristics of the designed data center model based on cloud computing from the perspective of architecture.

Table 5. Characteristics of Designed "DCM" Data Center Model Based on Cloud Computing

Data center | Technology | Set of components | Cloud model
DCM | IaaS, SaaS | Tier 3 | Hybrid

Fig. 8 shows a diagram of the data center simulation on the CloudSim platform, which is realized in real-time mode.

Fig.8. Scheme of Modeling Process

A complete model of the secured data center based on Cloud Computing is constructed by connecting the base data center model with different levels of protection, for example: protection against malicious software; a configured firewall; remote management using SSH, TLS/SSL, IPSec; multifactor authentication; use of regular backup copying; use of virtual machine policies and more.

Three experiments were conducted to study the developed system (Fig. 9). Comparison results of the simulations on the CloudSim platform are given in Table 6:

Table 6. Comparing the results of the simulations

№ | Security levels | Detected and neutralized attacks | Efficiency
1 | 100% | 99,89% | 99,65%
2 | <50% | 67,23% | 45,78%
3 | 0% | 0,0% | 0,0%

The experimental results indicate that when all levels of protection are connected, the efficiency (which refers to "performance + data security") and the level of detected and neutralized attacks are almost 100%; the second experiment, with at least 50% of the security layers connected, shows that efficiency and detected and neutralized attacks dropped almost by half; and in the third experiment, when no level of protection is connected, the efficiency and the level of detected and neutralized attacks are zero.

OPNET IT simulation system

The OPNET IT (Riverbed Modeler) platform is a tool for creating and modeling infrastructure scenarios using cloud computing. The designed model was implemented using this simulation system from the perspective of technological architecture, with connection of some built-in protection components: the "cloud" servers, client.

The simplified technological model carried over to the OPNET IT platform is shown in Fig. 10.

Using the built-in properties of the OPNET IT components allows connecting security levels. Unfortunately, not all security levels (see 2.1) can be included, given the specifics of the OPNET IT platform.


Fig.9. Connection to the Base Model: All Security Levels (a), Random Layers of Security (b), Without Using Any Security Levels (c)

Fig.10. Adapted to the Simulation Environment Model of a Secure Data Center

The next step is configuration of the simulation process: determining the time during which it will run, and the actual launch. When you run a simulation it adapts to real time (e.g. 1:00 on the OPNET IT simulation platform will really be 1 min.). Log files with simulation results reflect only general information: progress, speed, time (Fig. 11).

Fig.11. The Result of the Simulation in a Log File

Similar to the simulation in the CloudSim system, three experiments were conducted with different conditions, which means that each time a different number of levels of protection was used. After all the experiments, the following graphs were built and compared in the OPNET IT platform's integrated editor (Fig. 12): server efficiency with and without protection, the results of the network with the use of protection and without it, and the simulation results regarding the end user.

Fig. 12 (a) shows the server performance curve with the use of all security layers (1), and the other curves represent performance without the security layers connected. Therefore, with the use of security means, performance and security of the server are much higher.

Fig. 12 (b) shows the network performance curve with the use of all security layers (2), and the other curves represent performance without the security layers connected. Obviously, with the use of protection, efficiency and security of the network are much higher.

Fig. 12 (c) shows the performance curve describing the data center's work with the end user with the use of all security layers (3), and the other curves represent performance without the security layers connected. Under the conditions of inclusion of protection, the efficiency of the data center with the end user is higher and is achieved through secure communication.

After that, all relevant simulation results were compared to the known models of data centers (Table 2) and it was determined that the model of the secure data center lacks the shortcomings identified in the gap analysis.

Fig.12. The Graphics Performance Of: Data Center Server (a), Network Data Center (b), Data Center With End User (c)

B. Experiment 2

The aim of the experiment: check the classification effectiveness of the chosen anomaly detection method.

Input/output experiment data: input data – 10% of the KDDCup99 dataset; output data – sorted data (normal or abnormal). KDDCup99 is the dataset used for The Third International Knowledge Discovery and Data Mining Tools Competition. This database contains a standard set of data to be audited, which includes a wide variety of intrusions: DoS attacks (denial of service); U2R attacks (unauthorized access to local superuser privileges); R2L attacks (unauthorized access from a remote machine); Probing attacks (port scanning).

Steps of the experiment:

1. Loading the input data into the environment.
2. Choosing the classification algorithm, in this case J48, the Java implementation of the decision tree algorithm.
3. Building the decision tree model. In order to ensure that the chosen method is precise, the cross-validation mode was used, splitting the dataset into 7 parts, 6 of which form the training dataset and the remaining 1 the test dataset.
4. Revision of the experiment results: 4.1. Quantity and rate of correctly and wrongly determined data (Fig. 13). 4.2. Graphical look of the built tree (Fig. 14).

As a result of the experiment, it was determined that the rate of correctly classified data is 99.96%, which proves the high accuracy and low false positive rate of the chosen algorithm. The graphical look of the built tree was also considered.

Fig.13. Rate of Correctly and Wrongly Determined Data

Fig.14. Graphic Expression of the Built Tree

V. CONCLUSION

In this paper, data center models based on Cloud Computing technology were selected and researched, and the problem of information security in almost perfect engineering and infrastructure solutions was revealed. The identified deficiencies have been remedied by developing a secure data center model based on Cloud Computing technology which, through the use of technology architecture, high-speed communications and unified computing structures, ensures the security of the cloud data center; the appropriate simulation was conducted. The model can be used to build data centers in different areas. In addition, a model was developed for anomaly detection in a secure "cloud" computing environment based on the Big Data concept.

Also, an analysis of modern anomaly detection methods was carried out and, taking their shortcomings into account, a hybrid anomaly detection system was developed which, by using the Decision Tree method, the Snort signature module, Big Data technology (HDFS, YARN, MapReduce, Spark) and the KDDCup99 database, can detect anomalies in the traffic of a secure "cloud" computing environment. The anomaly detection module was experimentally investigated in the Weka application, which proved the high accuracy of the algorithm. The practical value lies in the ability to integrate the developed anomaly detection system into the protected "cloud" computing environment and to increase the detection percentage through the use of the signature module, which can detect known attacks.

ACKNOWLEDGMENT

This scientific work was supported by RAMECS, CCNU16A02015 and the Young Scientists Association of National Aviation University (Kyiv, Ukraine).

Authors' Profiles

Zhengbing Hu PhD, Associate Professor of School of Educational Information Technology, Central China Normal University. M.Sc. (2002), Ph.D. (2006) from the National Technical University of Ukraine "Igor Sikorsky Kyiv Polytechnic Institute". Postdoc (2008), Huazhong University of Science and Technology, China. Honorary Associate Researcher (2012), Hong Kong University, Hong Kong. Major research interests: Computer Science and Technology Applications, Artificial Intelligence, Network Security, Communications, Data Processing, Cloud Computing, Education Technology.

Sergiy Gnatyuk PhD, Associate Professor. In 2007 he received MSc degree in information security from National Aviation University (NAU, Kyiv, Ukraine). He received PhD in Eng degree in information security (quantum cryptography) from NAU in 2011. He is currently working at NAU in Academic Department of IT-Security. IEEE Member, Scientific Adviser of Engineering Academy of Ukraine, Executive Secretary of Ukrainian Scientific Journal of Information Security, Chairman in Young Scientist Association of NAU. Research interests: Cryptography, Quantum Key Distribution, Network & Internet Security, Information Security Incident Management, Cybersecurity & CIIP.

Oksana Koval Master's Degree Student. As a result of the Degree Thesis defense "Secured data center model based on Cloud Computing technology" in 2016 she received Bachelor's Degree in Information Security Management from NAU. Research interests: Information Security, Data Analysis, Cloud Computing, Cybersecurity, Information Security Management Systems.

Viktor Gnatyuk PhD Student (2012-2015), Assistant Teacher (from 2013). In 2012 he received MSc degree in Economic Cybernetic from Khmelnitsky National University (Khmelnitsky, Ukraine). He is currently working at NAU in Telecommunication Systems Academic Department. Research interests: Computer Network & Internet Security, Information Security Incident Management.

Serhii Bondarovets Master's Degree Student. As a result of the Degree Thesis defense "Anomaly detection system for mobile carrier based on Big Data concept" in 2016 he received Bachelor's Degree in Information Security Management from NAU. Research interests: Data Analysis, Cloud Computing, Cryptography and Cryptoanalysis, Public Key Infrastructure, Cybersecurity.

How to cite this paper: Zhengbing Hu, Sergiy Gnatyuk, Oksana Koval, Viktor Gnatyuk, Serhii Bondarovets, "Anomaly Detection System in Secure Cloud Computing Environment", International Journal of Computer Network and Information Security (IJCNIS), Vol.9, No.4, pp. 10-21, 2017. DOI: 10.5815/ijcnis.2017.04.02
