
A Trusted Computing Framework for Cloud Data Security using

Role-based Access and Pattern Recognition


Gyanapriya Pradhan

Madhukrishna Priyadarsini

Due to the digitization of data and the dynamic requirements of users, cloud computing is one of the most
used technologies in the present scenario. Cloud computing provides a platform to store, process, and share
data remotely for heterogeneous users and provides services according to the requests generated by those
users. However, its rapid growth has led to one of the major challenges in the environment: the security and
privacy of the data. To address the security and privacy concerns, in this paper, our major contribution is a
trusted computing framework, namely SFBRA (Secure Framework using Behavior and Role Analysis), for
cloud data security. The framework utilizes user log monitoring data, pattern recognition algorithms, and
role-based access mechanisms to detect malicious and suspicious activities of different users. Our proposed
framework provides two levels of security for cloud users. In Level-1, we calculate the trust value of the
logged-in users by analyzing the existing log table and the pattern of request access. In Level-2, we calculate the
trust of the request (storage, processing, sharing) data packet using behavior analysis of the user and a
role-based access mechanism, and finally detect the malicious activities. The efficacy of our proposed framework is
demonstrated through experimentation, where we compare our framework with existing research works.
The results show 95% accuracy in potential attack detection and prevention, approximately 8 Mbps
throughput, and 0.003% packet drop on average.

Cloud computing, Security, Attack Detection, Behavior Analysis, Role-based Access, Pattern Recognition, Trust
Calculation.

Introduction
In the last decade, cloud computing has grown exponentially due to the revolution in data
digitization, i.e., resource allocation, data storage and processing, computing power
utilization, etc. Cloud computing provides a highly flexible and scalable platform where
users can utilize the services of digitization platforms on a pay-per-use model and through
on-demand requests. The distributed nature of the cloud computing platform makes it an easy
target for attackers who exploit its vulnerabilities by launching multiple attacks such as
denial of service (DoS), distributed denial of service (DDoS), IP spoofing, tampering,
information disclosure, elevation of privilege, etc. Researchers have provided multiple
solutions to detect and prevent attack types in the cloud, such as intrusion detection
systems (IDS), machine learning and AI-based techniques, behavior-based detection,
anomaly detection, signature-based detection, role-based access control (RBAC),
homomorphic encryption, etc. In the face of sophisticated attackers, conventional security
measures like firewalls and encryption are no longer adequate. Although intrusion
detection systems (IDS) are essential for spotting and stopping security breaches, they
frequently have trouble spotting new and complicated threats. The identification and
prevention of harmful actions is one of the most important security concerns in cloud
computing. In addition, end-to-end security is an essential requirement in the cloud
platform, where security is provided from the login of the users to the cloud
environment, through the storage, processing, and sharing of the data, to the sign-out of the
users from the platform. To safeguard sensitive data and guarantee the integrity of the
cloud computing environment, it is essential to build strong security perimeters in the
constantly changing landscape of cyber threats and the possibility of unauthorized access.
The above-mentioned challenges need to be addressed by designing an end-to-end security
framework that provides user authentication and authorization, and data security and
privacy after logging into the cloud platform. We are motivated by the existing challenges
and requirements to design a security framework that will be implemented in real-life
cloud platforms such as Google Docs, Microsoft 365, etc., where login authentication and
authorization are necessary. In addition, the designed framework can be used to provide
security in cloud storage sharing environments such as Dropbox, Google Drive, OneDrive,
iCloud, Egnyte, etc., where the data security and privacy of each logged-in user are
important.
In this research, we design a trusted computing framework, a Secure Framework using
Behavior and Role Analysis (SFBRA), for end-to-end data security in the cloud environment.
Our framework leverages the wealth of user log monitoring data available in cloud systems,
combined with advanced techniques such as pattern recognition and role-based access
mechanisms, to effectively detect and differentiate malicious and suspicious users, and to
provide security to the cloud platform. The combination of behavior and role analysis is an
important innovation of our proposed framework. Here, we detect abnormal behavior of
malicious users that may lead to unauthorized access or suspicious intentions. Our
framework's accuracy and effectiveness are increased by the role-based
threshold calculation module, which also enables us to customize the detection procedure
for individual users according to their unique roles and privileges. We collect and analyze process
logs from both legitimate and malicious users to evaluate the effectiveness of our proposed
SFBRA framework. The results of our experiments demonstrate that our proposed
framework successfully detects malicious activities and discards the requests or blocks the
users. The effectiveness of our framework is shown by comparing it with state-of-the-art
security solutions in the cloud environment.
The major contributions of this paper are as follows:
1. We identify multiple security attacks in the cloud platform.
2. We design a trusted computing framework, namely SFBRA (Secure Framework using
Behavior and Role Analysis), for end-to-end security in the cloud as an integration of
two levels of security (Level-1 and Level-2).
3. In Level-1, we calculate the trust of each cloud user trying to log in to the cloud
platform using pattern recognition and previous log values. We set a threshold value
for trust. Users whose calculated trust value is less than the trust threshold are
blocked by the cloud provider for a specified time period. In this step, we identify
malicious users and prevent them from logging in to the cloud platform.
4. In Level-2, we calculate the trust and role of each logged-in user according to their
request for access and role change. Here, we set another trust threshold. Packets
whose trust value is less than this threshold are discarded. In this step, we identify
malicious data packets and discard them, so that they cannot access further
mechanisms in the cloud.
5. The SFBRA is evaluated through extensive experimentation for varying attack
patterns. Comparing the results with six existing attack detection strategies
demonstrates 95% accuracy in detecting attacks. SFBRA is also accurate in detecting
coordinated attacks from multiple attackers in Level-2 while maintaining the
performance metrics, e.g., throughput, packet drops, and delay.

The rest of the paper is organized as follows. Section 2 provides a comprehensive review of
related work in cloud security using attack detection, behavior analysis, and pattern
recognition. Section 3 proposes a trusted computing framework, namely SFBRA (Secure
Framework using Behavior and Role Analysis), for cloud data security, highlighting its key
components and functionalities. Section 4 describes the experimental setup, including
data collection, evaluation metrics, and comparison with existing solutions. Finally, we
conclude in Section 5 with a summary of our contributions and potential future research
directions.

Related Works
Numerous researchers have examined various classifiers and strategies in the area of
intrusion detection in the cloud environment to improve accuracy and recognize both
identified and unidentified threats.
Servin et al. presented a multi-agent reinforcement learning (MARL) system and explored
the difficulties of applying reinforcement learning. Decision agents (DA) and heterogeneous
sensing agents (SA) made up the Q-learning-based MARL system.
Deep reinforcement learning is proposed as part of a cloud IDS deployment architecture in
the related study by Kamalakanta et al. The IDS consists of a host network, agent network,
and administrator network. For increased security, the agent network is segregated using a
VPN. System calls made by VMs to the hypervisor are examined by the IDS, which extracts
useful log data for intrusion detection. Utilizing system calls gives intrusion detection
systems an edge. However, relying on precise and comprehensive log data may create
performance, scalability, and resilience issues against different types of assaults in real-
world cloud systems.
The research study by Chien et al. suggests a framework for identifying abnormal user
behavior in cloud systems by regularly mining patterns and applying anomaly detection
methods. It used a lightweight agent to gather data about system operations and convert it
into profiles of user behavior. High detection rates, user discrimination, and real-life
implementation are all demonstrated by the framework. Future research may concentrate
on enhancing accuracy, security testing in abnormal situations, and tackling further
security challenges.
In a study, M. Mdini et al. proposed Watchmen Anomaly identification (WAD), a successful
method for real-time anomaly identification in network monitoring systems. To discover
anomalies and resolve resource limitations and periodic changes, WAD uses pattern
recognition techniques and an unsupervised algorithm. Potential drawbacks include
separating false positives and identifying unique abnormalities without prior training data.
The future scope includes scaling and adaptation.
To increase data security and regulate access in the cloud, K. Sethi et al. suggested an
architecture that combines role-based access control (RBAC) and homomorphic
cryptography. The framework overcomes difficulties with computing encrypted data and
makes data sharing based on user authorization. Role initiation, user management, data
storage, and trust value evaluation are among the trust management components it has.
This architecture has better data protection, regulated access, and multi-granular operating
rights. However, there are no thorough analyses or experimental findings in the study. The
framework may be improved upon in the future, as well as performance testing and
scalability issues in large-scale cloud settings.
K. Sethi et al. suggested a parallel homomorphic encryption method for safe cloud data
storage. It presents a useful approach that permits parallel calculations on encrypted data
to increase efficiency. With an improvement of 80% over sequential techniques, the system
shows promise. Future development will focus on real-time applications and enabling
floating-point maths. For the RBAC system, S. Chakraborty presented a trust model that
takes users’ trust into account by giving users different trust degrees. These trust ratings
are based on a variety of variables, including user credentials, past conduct, and user
recommendations. The responsibilities are matched to trust levels. Extensions, a policy
language, and the construction of a permissions management system are all future
ambitions. The article by Fujun et al. describes the Trust and Context-Based Access
Control (TCAC) paradigm, which improves the conventional Role-Based Access Control
(RBAC) system by combining trust and context information. According to contextual
circumstances and trustworthiness, users are given roles in the TCAC model, allowing them
to exercise the relevant permissions. To calculate user trust in distributed systems, the
study proposes a trust evaluation technique using local and global reputation. However,
they do not include in-depth implementation details and empirical validation, allowing
space for future studies to assess the effectiveness, scalability, and application of the TCAC
model.
All of these trust models solely take into account user trust in an RBAC system. The
confidence that data owners have in the RBAC system as a whole, which determines the trust of
the roles in the RBAC system with which they desire to engage, is not addressed in any of
these research works. For cloud storage solutions to work, data owners must be trusted.
The SP-DPM model stands out as a significant addition to the field of safeguarding data
generated by the Internet of Things. By utilizing effective encryption and data partitioning,
SP-DPM is excellent at improving security and privacy. Because of its adaptability, it may be
applied to a wide range of industries, including cloud computing, healthcare, businesses,
and multimedia data. Notably, through extensive experimentation and comparisons with
existing models, SP-DPM demonstrates its effectiveness with excellent outcomes for
accuracy, precision, recall, and F1-score. The model’s strength is its strong methodology,
which places a strong emphasis on security. Its possible shortcomings include resource
intensiveness and possible implementation problems.
The Differential and TriPhase adaptive learning-based Privacy-Preserving Model (DT-PPM)
stands out among the models available for protecting patient privacy when it comes to
medical data stored in the cloud. By utilizing MFNN for analysis, k-anonymization, and
noise injection through the Laplace mechanism, DT-PPM attains a strong 87.03% accuracy,
guaranteeing trustworthy data analysis. Though acknowledged for improving overall
security, privacy, and usefulness, its implementation difficulty and a minor decrease in the
use of data are points to take into account.
The suggested MLPAM (Machine Learning and Probabilistic Analysis based Model)
combines machine learning and strong encryption to improve security while pursuing safe
and effective data sharing in cloud environments. By providing distinct keys for each data
owner, MLPAM guarantees safe sharing and outperforms previous efforts by up to 186%.
Its effectiveness is highlighted by notable improvements in Detection Accuracy, Precision,
Recall, and Specificity. The favorable aspects of MLPAM position it as a major contribution
to furthering safe data management in cloud contexts, even though the conclusion doesn’t
specifically list any drawbacks.
When it comes to differential privacy models, the Privacy-Preserving Model based on the
Differential approach (PPMD) performs exceptionally well since it uses many machine
learning algorithms for cloud-based classification, partitions data for privacy, and
introduces noise. With an accuracy rate of up to 93.75%, PPMD is notable for its
effectiveness and security. Nevertheless, there are several drawbacks, such as the model’s
incapacity to safeguard the classification model and possible scalability issues, in addition
to worries about computation time, accuracy in specific situations, and decreased data
utility.
Our proposed framework offers enhanced efficiency through the integration of static and
dynamic analysis techniques. It boasts a high accuracy rate of 92% in detecting potential
attacks and malicious behavior, surpassing existing papers in both effectiveness and
precision. Table [tab:3] shows the existing security solutions methodologies, outcomes, and
drawbacks. It also lists our proposed solution, the secure framework using behavior and
role analysis (SFBRA), proposed in this paper.

Model: MARL for intrusion detection
Methodology: Agents learn hierarchy, interpreting local states and communicating upward. Utilizes distributed RL for cooperative detection of faults, attacks, and abnormal states.
Outcomes: Scales effectively for a large number of agents. Enables collaboration among diverse agents for detecting DDoS attacks.
Drawback: Relies on a simple RL strategy with a straightforward Q-update function. Limited exploration of more complex RL techniques for enhanced performance.

Model: Deep reinforcement learning-based adaptive cloud IDS
Methodology: Utilizes Deep Reinforcement Learning (DRL) with Q-learning and deep learning for autonomous and adaptive intrusion detection.
Outcomes: Demonstrates higher accuracy in intrusion detection. Maintains a balance between high accuracy and low false positive rates (FPR).
Drawback: Computational cost challenges. Limited exploration of DRL in the context of cloud network security.

Model: FP Outlier Detection
Methodology: Scanning the memory of running virtual machines and employing a Bayesian inference-based trust mechanism along with a frequent pattern outlier factor.
Outcomes: Framework detects all malicious activities with < 4.6% false positives. Profiles identify 86% suspicious behaviors across users with < 1% false positives.
Drawback: System in early development, indicating potential limitations. Long-term datasets needed to address issues like "concept drift" in user behaviors.

Model: Watchmen Anomaly Detection (WAD)
Methodology: WAD processes data in real-time, highlighting abrupt changes. Creates reference patterns, and detects anomalies by measuring gaps.
Outcomes: Enhances productivity and troubleshooting efficiency. Provides instant alerts, reducing manual checks.
Drawback: Faces issues with tolerance band and parameter configuration. Requires improvements for automatic parameter computation.

Model: RBAC with Homomorphic Cryptosystem Integration
Methodology: Integration of RBAC and Homomorphic Cryptosystem using trust and role hierarchy. Trust value calculated based on user count and feedback for role-based access.
Outcomes: Enhances security by enabling encrypted data computations without decryption. Provides fine-grained access control through role-based permissions.
Drawback: Potential increased computational complexity (not explicitly stated). Effectiveness depends on accurate trust value calculations, which may vary.

Model: Homomorphic cryptosystem for secure cloud data storage
Methodology: Design of parallel algorithms for encrypted file operations with multi-threading and "cipher-text refresh" at KGS.
Outcomes: Over 80% improvement in execution time for parallel implementations. Provides practical, secure data storage without compromising data security.
Drawback: The current system handles only integer representation, not floating-point arithmetic. Future work is needed for function-level encryption to enhance security.

Model: TrustBAC
Methodology: Extends RBAC by introducing trust levels based on user factors. Users' assigned trust levels determine access privileges.
Outcomes: Integrates RBAC advantages with a multi-level trust model. Enhances access control by considering user behavior and recommendations.
Drawback: Possible need for additional credential-based evaluations. Acknowledges ongoing work, indicating potential limitations.

Model: TCAC (Trust and Context-Based Access Control)
Methodology: Role assignment based on user trustworthiness and context information. Trust evaluation using local and global reputation.
Outcomes: Flexible and scalable for dynamic distributed systems. Dynamic role assignment based on user behavior and context.
Drawback: Approaches do not consider geo-social information.

Model: Secure Data Protection Method (SP-DPM)
Methodology: Uses K-anonymization, CP-ABE, and a voting classifier for enhanced IoT data security and privacy. Proposes data partitioning, analysis, and experiments, comparing results with state-of-the-art models.
Outcomes: SP-DPM secures IoT data with strong partitioning and encryption. Suited for diverse domains: healthcare, enterprises, cloud computing, multimedia.
Drawback: SP-DPM may introduce complexities, particularly with intricate data structures or diverse applications. Security measures might demand extra resources, potentially impacting system performance.

Model: Differential and TriPhase adaptive learning-based Privacy-Preserving Model (DT-PPM)
Methodology: Employs k-anonymization for privacy by grouping sensitive data. Introduces noise via the Laplace mechanism and utilizes MFNN for effective data analysis.
Outcomes: High accuracy of 87.03% ensures reliable data analysis. Enhances overall privacy, security, and utility of medical data sharing and analysis in cloud environments.
Drawback: Implementation complexity may pose challenges. Noise injection could lead to a slight reduction in data utility.

Model: Machine Learning and Probabilistic Analysis based Model (MLPAM)
Methodology: Individualized encryption keys for secure data sharing. Integration of machine learning and probabilistic analysis for enhanced security infrastructure and effective sharing protocols.
Outcomes: Significant improvement, up to 186%, over existing works. Achieved notable enhancements in Detection Accuracy, Precision, Recall, and Specificity compared to prior works.
Drawback: No explicit mention of identified cons or limitations in the provided information. Further details on potential drawbacks or challenges are not specified in the given context.

Model: A differential privacy model for sensitive data (PPMD)
Methodology: PPMD ensures privacy through data partitioning, injecting statistical noise into sensitive sections. The model integrates differential privacy and deploys machine learning for cloud-based classification.
Outcomes: PPMD achieves up to 93.75% accuracy, excelling in both accuracy and privacy preservation compared to existing methods. Highlights efficiency, security, and optimality, making it superior for cloud-based data sharing.
Drawback: It does not protect the classification model, and faces scalability challenges. High computation time, low accuracy, and reduced data utility.

Model: SFBRA (This Paper)
Methodology: Level-1: Trust calculation using pattern recognition and log values, blocking users below the threshold. Level-2: Trust and role calculation based on access requests, discarding packets below the threshold.
Outcomes: Dual-layered security with static and dynamic analysis. High accuracy in attack detection and efficient data processing.
Drawback: Dependency on user log data for behavior analysis. Future testing is needed for coordinated attacks.

Proposed Secure Architectural Framework for Cloud


In this section, we present our proposed secure framework for end-to-end security in the
cloud environment, named Secure Framework using Behavior and Role Analysis (SFBRA).
The SFBRA framework integrates two levels of security, Level-1, and Level-2, to address
multiple security attacks in the cloud platform. Figure 1 shows the overall workflow of the
proposed framework and the flow of data through different layers.
Figure 1: Workflow of the Proposed Secure Architectural Framework for Cloud


The operational flow of SFBRA is as follows: users try to log in to the cloud
platform by providing their user ID and password. In Level-1, the server first checks the
trustworthiness of the user using the behavior analysis methodology and calculates the trust of
the user, taking into account the log monitor data of the same user. Once the user
is deemed trusted, the server allows the user to send its request packet to the cloud
for accessing the storage or processing of data. Otherwise, the server suspends the user
login for a particular period. Here, we consider only two request packets by the user, i.e., the
storage request and the processing request. Once the user sends its request packet, the cloud
again calculates the trustworthiness of the sent request packet using another module, trust
and role calculation, before processing it. This module takes as input the log monitor
data for the same user inside the cloud. In the next step, the role of the user is calculated,
and if the role is trusted, the cloud grants access to the user; otherwise, the
request packet is discarded.
The trustworthiness is calculated in the two levels because malicious users can try to
access the cloud using the legitimate user’s login ID and password. In the Level-1 security
which is checked inside the cloud server, the framework calculates the trust of users by
analyzing their historical behavior and real-time factors such as access requests, process
requests, IP address, and vulnerability score. This evaluation helps in identifying suspicious
patterns and determining the trustworthiness of users. Level-2 security in the cloud
focuses on calculating the trust and role of logged-in users, considering elements such as
user identification, password, timestamp, access requests, process requests, IP address,
and vulnerability score. By integrating static and dynamic analysis techniques and
considering various factors, the SFBRA framework provides a robust approach to
evaluating user trust, preventing unauthorized access, and analyzing role behavior,
ultimately enhancing the overall security of cloud platforms.
The next subsections describe Level-1 and Level-2 security frameworks in detail. The
details of the parameters used in Level-1 and Level-2 are summarized in Table 1.
Table 1: Notations used in the proposed SFBRA Framework
Notation Description
Sequence of user behavior
Behavior of each sequence
Number of cloud users
Behavior set of N cloud users
Behavior matrix
Trust value for static analysis
Trust value for dynamic analysis
Overall trust value
Access request
Process request
National vulnerability database
Time stamp
Vulnerability Score
Magnitude of each role
Weight parameters
Level-1 Security: Trust Calculation and User Blocking
In Level-1 of our security framework, our focus is on behavior analysis to determine the
trustworthiness of each cloud user attempting to log in to the cloud platform. The analysis
is carried out in two essential steps: Static Analysis and Dynamic Analysis.
Figure 2: Log File Creation and Storage in Central Log Server for Cloud Users

Static Analysis
In the Static Analysis phase, we detect and analyze the timestamps of user activities using a
log monitor. By examining the user’s historical behavior, including login patterns and
various activities, we aim to identify any suspicious patterns or anomalies. This step allows
us to gain insights into the user’s past actions, helping us assess their overall
trustworthiness. We can detect whether the user has previously engaged in any suspicious
activities or exhibited unusual behavior during login sessions. The static analysis is carried
out in two steps, as follows:
Step 1: Log File Creation and Storage in Central Log Server for Cloud Users. In the first
step, we convert unstructured log data into a well-organized format, because raw
log files are not arranged in an orderly fashion and must be parsed before they can be
utilized effectively. Here, we choose the XML format for log file structuring. We extract vital
details from the raw log data, such as the event name, event ID, associated process or thread
ID, opcode, and timestamp. Let is the XML format with behaviors defined as =
ID, opcode, and timestamp. Let is the XML format with behaviors defined as =
where is one behavior entry, and is the sequence of behavior.

Figure 3: Behavioural Pattern Matching


Step 2: Behavioural Pattern Matching. In this step, we perform behavior matching and review
the findings from the log files to produce a structured file for further operations on the user
information. This lets us identify significant patterns and trends in the log data. We isolate
particular behavioral aspects and characteristics using behavior extraction techniques,
which helps us gain a better understanding of how the system functions and interacts. The next
step is behavior matching, where we contrast the discovered behavioral patterns with
established standards/patterns. This process enables us to effectively identify
abnormalities, possible risks, or anomalous system activity.
The methodical process of behavior pattern matching, behavior extraction, and behavior
matching provides a thorough examination of log data, producing insightful information
and trustworthy results. These findings provide insight into the system’s operation and
possible weak points, and they considerably improve the overall security and
dependability of the system. Our research study seeks to significantly influence the fields of
system analysis and cybersecurity through the use of a strict methodology.
Figure 4: Process of Behaviour Extraction


The behavior extraction from structured data is done through the following procedures: we
embark on further refining the structured data by undertaking sequence ID extraction and
subsequent encoding. This crucial stage allows us to construct a comprehensive behavior
matrix, which serves as the foundation for behavior extraction. Through a meticulous and
systematic approach, we extract relevant sequence IDs from the structured data, enabling
us to encode and represent the intricate relationships among various events and activities.
By employing advanced encoding techniques, we transform the sequence IDs into a
coherent and analyzable behavior matrix. This matrix captures the underlying patterns and
interactions within the system, providing valuable insights into the system’s behavior and
performance. The behavior extraction process in this step plays a pivotal role in our
research, as it facilitates a deeper understanding of the system’s dynamics and aids in
identifying potential anomalies or irregularities that may impact its overall functioning.
Figure 2, 3, 4 show the steps and methods used in the behavior extraction process. Let =
be the set that contains behavior of cloud users. When the behavior entry
matches the behavior , the entry in the behavior matrix will be =[ ,
,...., ], where will be set as 1 and others are set as 0. Finally, the generated behavior

matrix is represented as = = $\begin{bmatrix} e_{i,1}^1 & \cdots & e_{i,1}^N \\ \vdots & \ddots & \vdots \\ e_{i,m}^1 & \cdots & e_{i,m}^N \end{bmatrix}$. This matrix is the behavior matrix


of a cloud user . Let be the trust value in static analysis which is calculated as
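As an added worked example (not code from the paper), the two static-analysis steps above carried end to end in Python: constructed raw log lines in an assumed key=value syntax are structured into XML carrying the event name, event ID, process/thread ID, opcode and timestamp (Step 1); the event sequence is then extracted and encoded as the one-hot behavior matrix, with $e_{i,j}^k = 1$ where the $j$-th behavior of the user equals the $k$-th behavior of the established set and 0 otherwise; finally the encoded sequence is matched against established reference patterns (Step 2). The behavior set, the reference patterns, the XML tag names and the anomaly criteria (behaviors outside the established set, and transitions that occur in no reference pattern) are assumptions of this example, and the paper's static trust formula is not reproduced.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Raw-log field names (assumed) mapped to the XML tags we emit. The paper names
# these fields but gives no schema, so the tag names are an assumption.
FIELD_TAGS: Dict[str, str] = {
    "event": "eventName", "eid": "eventID", "pid": "processID",
    "tid": "threadID", "opcode": "opcode", "ts": "timestamp",
}

# Established behavior set b^1..b^N (constructed); the one-hot columns index it.
BEHAVIOR_SET: List[str] = ["Logon", "FileRead", "FileWrite", "Share", "Logoff"]

# Established (trusted) behavior sequences used for behavior matching (constructed).
REFERENCE_PATTERNS: List[List[str]] = [
    ["Logon", "FileRead", "FileWrite", "Logoff"],
    ["Logon", "FileRead", "Share", "Logoff"],
]

# Constructed raw log lines of one cloud user; event IDs are placeholders.
RAW_LOG = """\
ts=2024-01-10T09:00:01Z event=Logon eid=101 pid=512 tid=1 opcode=Info
ts=2024-01-10T09:00:07Z event=FileRead eid=102 pid=512 tid=3 opcode=Info
ts=2024-01-10T09:00:09Z event=FileWrite eid=103 pid=512 tid=3 opcode=Info
ts=2024-01-10T09:00:15Z event=RoleChange eid=120 pid=512 tid=3 opcode=Info
ts=2024-01-10T09:01:30Z event=Logoff eid=104 pid=512 tid=1 opcode=Info
"""


def structure_log(raw: str) -> ET.Element:
    """Step 1: turn unstructured key=value lines into an XML behavior sequence."""
    root = ET.Element("behaviors")
    for seq_id, line in enumerate(raw.splitlines(), start=1):
        fields = dict(tok.split("=", 1) for tok in line.split())
        missing = set(FIELD_TAGS) - set(fields)
        if missing:
            raise ValueError(f"line {seq_id} lacks fields {sorted(missing)}")
        entry = ET.SubElement(root, "behavior", id=str(seq_id))
        for key, tag in FIELD_TAGS.items():
            ET.SubElement(entry, tag).text = fields[key]
    return root


def extract_sequence(root: ET.Element) -> List[str]:
    """Sequence ID extraction: the ordered behaviors (event names) of one user."""
    entries = sorted(root.findall("behavior"), key=lambda e: int(e.get("id")))
    return [e.findtext("eventName") for e in entries]


def behavior_matrix(sequence: List[str], behavior_set: List[str]) -> List[List[int]]:
    """Encode an m-entry sequence as the m x N one-hot behavior matrix of the paper:
    row j has a 1 in column k iff the j-th behavior equals the k-th established
    behavior. A behavior outside the set yields an all-zero row (flagged later)."""
    return [[1 if b == known else 0 for known in behavior_set] for b in sequence]


def match_behavior(matrix: List[List[int]], behavior_set: List[str],
                   patterns: List[List[str]]) -> Tuple[List[int], List[Tuple[str, str]]]:
    """Step 2: contrast the encoded sequence with established patterns. Returns the
    positions holding unknown behaviors and the transitions (a -> b) that appear in
    no reference pattern; both criteria are this example's assumptions."""
    allowed: Set[Tuple[str, str]] = {
        (p[k], p[k + 1]) for p in patterns for k in range(len(p) - 1)
    }
    unknown = [j for j, row in enumerate(matrix) if sum(row) == 0]
    decoded = [behavior_set[row.index(1)] if sum(row) else "?" for row in matrix]
    novel = [(a, b) for a, b in zip(decoded, decoded[1:]) if (a, b) not in allowed]
    return unknown, novel


def analyse(raw: str):
    """Run Step 1 and Step 2 over raw log text; returns (matrix, (unknown, novel))."""
    root = structure_log(raw)
    seq = extract_sequence(root)
    mat = behavior_matrix(seq, BEHAVIOR_SET)
    return mat, match_behavior(mat, BEHAVIOR_SET, REFERENCE_PATTERNS)


if __name__ == "__main__":
    matrix, (unknown_pos, novel_transitions) = analyse(RAW_LOG)
    for row in matrix:
        print(row)
    print("unknown behaviors at positions:", unknown_pos)
    print("transitions outside the reference patterns:", novel_transitions)
```

On the constructed log the fourth entry (RoleChange) is not in the established set, so its matrix row is all zeros and both transitions around it are reported as outside the reference patterns; the zero row is what a downstream trust formula would see as a deviation from the user's established behavior.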

Dynamic Analysis
The Dynamic Analysis phase involves pattern detection using specific neural network-
based algorithms such as the Feed-Forward Backpropagation neural network (FFBPNN).
Here, we consider various factors, including the user’s access request, process request, IP
address, and vulnerability score (NVD score). Each of these factors contributes to
calculating a dynamic trust value for the user. To calculate the dynamic trust value, we
assign appropriate weights ( ) to the factors, based on their significance in
determining user trust. The Feed-Forward Backpropagation neural network (FFBPNN)
algorithm processes the relevant data to derive a numerical value representing the user’s
trustworthiness at that moment. During the training of the neural network, it takes the
input pattern from the behavior matrix defined in the previous step and defines
corresponding class labels, which are used to train the neural network. Then, it adjusts the
weights ( ) and biases through backpropagation to minimize the difference
between its predictions and the actual labels. The output of the FFBPNN is the
class label of the recognition task. The final testing is done when the input contains a
new pattern. Let be the trust value in the dynamic analysis process and is calculated as
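The FFBPNN described above, as an added example rather than the paper's implementation: a one-hidden-layer feed-forward network trained by backpropagation in plain Python, whose sigmoid output is taken as the dynamic trust value in [0, 1]. The four inputs follow the factors named in the text (access request, process request, IP address, NVD score), normalised to [0, 1]; the network's learned connection weights stand in for the paper's factor weights, whose values are not given. Network size, learning rate, number of epochs and the labelled training rows are all constructed assumptions of this example.

```python
import math
import random
from typing import List, Sequence, Tuple

# Constructed training rows: [access-request rate, process-request rate,
# IP-address changed (0/1), NVD score / 10], each in [0, 1]; label 1.0 = trusted.
TRAINING: List[Tuple[List[float], float]] = [
    ([0.10, 0.05, 0.0, 0.20], 1.0),  # few requests, same IP, low NVD score
    ([0.20, 0.10, 0.0, 0.30], 1.0),
    ([0.15, 0.20, 0.0, 0.10], 1.0),
    ([0.05, 0.10, 0.0, 0.40], 1.0),
    ([0.90, 0.80, 1.0, 0.95], 0.0),  # bursty requests, new IP, high NVD score
    ([0.80, 0.90, 1.0, 0.70], 0.0),
    ([0.95, 0.60, 1.0, 0.85], 0.0),
    ([0.70, 0.95, 1.0, 0.90], 0.0),
]


def sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))


class FFBPNN:
    """Feed-forward network with one hidden layer, trained by backpropagation.
    The single sigmoid output is used as the dynamic trust value."""

    def __init__(self, n_in: int, n_hidden: int, seed: int = 0) -> None:
        rng = random.Random(seed)  # fixed seed keeps the example reproducible
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden)]
        self.b2 = 0.0

    def forward(self, x: Sequence[float]) -> Tuple[List[float], float]:
        """Forward pass: returns hidden activations and the output trust value."""
        hidden = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b)
                  for row, b in zip(self.w1, self.b1)]
        out = sigmoid(sum(w * h for w, h in zip(self.w2, hidden)) + self.b2)
        return hidden, out

    def train(self, data: Sequence[Tuple[Sequence[float], float]],
              epochs: int = 3000, lr: float = 0.5) -> None:
        """Stochastic gradient descent on squared error, one row at a time."""
        for _ in range(epochs):
            for x, target in data:
                hidden, out = self.forward(x)
                # Output-layer error term (squared error through the sigmoid).
                d_out = (out - target) * out * (1.0 - out)
                # Backpropagate the error term to each hidden unit.
                d_hidden = [d_out * w * h * (1.0 - h) for w, h in zip(self.w2, hidden)]
                # Gradient-descent updates of weights and biases.
                for k, h in enumerate(hidden):
                    self.w2[k] -= lr * d_out * h
                self.b2 -= lr * d_out
                for k, dh in enumerate(d_hidden):
                    for j, xi in enumerate(x):
                        self.w1[k][j] -= lr * dh * xi
                    self.b1[k] -= lr * dh

    def trust(self, x: Sequence[float]) -> float:
        """Dynamic trust value for a new input pattern."""
        return self.forward(x)[1]


def dynamic_trust_model() -> FFBPNN:
    """Train the network on the constructed rows and return it for scoring."""
    net = FFBPNN(n_in=4, n_hidden=4)
    net.train(TRAINING)
    return net


if __name__ == "__main__":
    model = dynamic_trust_model()
    for features, label in TRAINING:
        print(features, "label", label, "trust %.3f" % model.trust(features))
    print("unseen trusted-looking pattern: %.3f" % model.trust([0.12, 0.08, 0.0, 0.25]))
    print("unseen suspicious pattern:      %.3f" % model.trust([0.85, 0.85, 1.0, 0.90]))
```

After training, `trust()` returns a value near 1 for request patterns resembling the trusted rows and near 0 for the suspicious ones; in the framework this value is the dynamic-analysis input to the overall Level-1 trust, whose combination rule the page states only in words.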

Overall Trust Value Calculation


The overall trust value for the user in Level-1 is calculated by combining the trust values of
both static analysis and dynamic analysis and is denoted as:

User Validation and Access Control


Here, we compare the calculated overall trust value with a predefined trust value, typically
assumed to be 0.5. If the calculated trust value exceeds the predefined threshold, the user is
allowed further access to the cloud environment. In this case, the user is considered
trustworthy enough to utilize the cloud resources without restrictions.
However, if the calculated trust value is less than the predefined threshold, it indicates
potential malicious behavior or insufficient trustworthiness. Consequently, the system will
block the user from accessing the cloud platform or discard their login request, effectively
preventing unauthorized access and maintaining the security of the cloud environment.
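The Level-1 pipeline described above (behavior matrix from structured log entries, static trust, combination with the dynamic trust, threshold check) as an added Python example; this is not the paper's code. Assumptions, labelled in the comments: behaviors are keyed by (event name, opcode), static trust is the number of 1's divided by the number of log entries, the FFBPNN output is supplied by the caller as a value in [0, 1], and the two trust values are combined with equal weights.

```python
from dataclasses import dataclass

# Structured log entry as produced by the static-analysis phase
# (event name, event ID, process ID, opcode, timestamp). Constructed sample format.
@dataclass(frozen=True)
class LogEntry:
    event_name: str
    event_id: int
    process_id: int
    opcode: str
    timestamp: int

# Known behavior set B = {b_1 ... b_N}; each behavior is identified by an
# (event_name, opcode) pair. Constructed for this example.
BEHAVIORS = [
    ("login", "start"),
    ("file_read", "info"),
    ("file_write", "info"),
    ("logout", "stop"),
]

def behavior_matrix(entries, behaviors=BEHAVIORS):
    """m x N matrix: row j is the one-hot encoding of log entry j.
    An entry whose (event_name, opcode) matches behavior k gets a 1 in column k
    and 0 elsewhere; an entry that matches no known behavior is an all-zero row."""
    index = {b: k for k, b in enumerate(behaviors)}
    matrix = []
    for e in entries:
        row = [0] * len(behaviors)
        k = index.get((e.event_name, e.opcode))
        if k is not None:
            row[k] = 1
        matrix.append(row)
    return matrix

def static_trust(matrix):
    """Static trust: number of 1's in the matrix divided by the number of log
    entries, i.e. the fraction of entries matching a known behavior (assumed
    reading of the paper's div(no. of 1's, total entries))."""
    if not matrix:
        return 0.0
    ones = sum(sum(row) for row in matrix)
    return ones / len(matrix)

def overall_trust(t_static, t_dynamic, w_static=0.5, w_dynamic=0.5):
    """Level-1 overall trust combining static and dynamic trust. Equal weights
    are an assumption; t_dynamic stands in for the FFBPNN output in [0, 1]."""
    return w_static * t_static + w_dynamic * t_dynamic

def level1_decision(t_overall, threshold=0.5):
    """The user proceeds to Level-2 only if overall trust exceeds the threshold."""
    return "allow" if t_overall > threshold else "block"

# Constructed sample sessions: a legitimate one and one dominated by unknown events.
LEGIT = [
    LogEntry("login", 1, 100, "start", 1),
    LogEntry("file_read", 2, 100, "info", 2),
    LogEntry("file_write", 3, 100, "info", 3),
    LogEntry("logout", 4, 100, "stop", 4),
]
SUSPECT = [
    LogEntry("login", 1, 200, "start", 1),
    LogEntry("priv_escalate", 9, 200, "info", 2),
    LogEntry("raw_socket", 8, 200, "info", 3),
    LogEntry("raw_socket", 8, 200, "info", 4),
]

if __name__ == "__main__":
    for name, session, t_dyn in (("legit", LEGIT, 0.9), ("suspect", SUSPECT, 0.2)):
        t_s = static_trust(behavior_matrix(session))
        print(name, t_s, level1_decision(overall_trust(t_s, t_dyn)))
```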

Level-2 Security: Trust and Role Calculation


In the Level-2 security of our proposed framework SFBRA, we focus on calculating the trust
and role of each logged-in user based on their access requests and role changes. This level
provides an additional layer of security to prevent malicious data packets from accessing
further mechanisms in the cloud. The details regarding the trust and role calculation are
presented in the following subsections.

Trust Calculation
The trust calculation in Level-2 incorporates various elements, including user identification
(ID), password, timestamp, access request, process request, IP address, and vulnerability
score (NVD score). To ensure an accurate assessment of trust, we employ two calculation
methods as follows:
1. Vulnerability Calculation: To assess the vulnerability of a packet, we introduce the
vulnerability calculation, which considers the product of the timestamp and the
vulnerability score (NVD score). The National Vulnerability Database is a repository
of information about software vulnerabilities maintained by NIST. It provides
details on vulnerabilities, severity ratings, and references to patches and advisories.
It helps organizations and individuals stay informed about vulnerabilities and take
necessary actions to secure their systems. Mathematically, this can be expressed as:
Here, is the time stamp of the packet at time and is the vulnerability score
of the packet at time .

Table 2. National Vulnerability Database (NVD) Score

NVD Score    Protocol
             TCP
             UDP
             DNS
             ICMP
             ARP
             IGMP
             IPv4
             IPv6

This equation quantifies the vulnerability of a packet based on the combination of
its arrival time and the severity of potential security risks indicated by the
vulnerability score. Table 2 shows the vulnerability score of various protocols.

2. Exposure Calculation: To determine the exposure level of a packet, we utilize the
exposure calculation method. The exposure calculation shown in equation [eq:2]
takes into account the sum of the access request, process request, and the
timestamp. The packet request is dropped if the resulting value is less than the
predetermined threshold. The exposure calculation can be represented as:

Here, is the access request by packet at time , is the process request by
packet at time , and is the timestamp of packet at time . By incorporating
the timestamp and assessing the proportion of access and process requests, this
equation provides an estimation of the exposure level of a packet. It enables the
system to deny further processing if the exposure surpasses the defined threshold.

Role Calculation (Role Identified Behavior Analysis)


The role calculation mechanism focuses on determining the total number of role requests
and analyzing the changes in roles over time. In this calculation, we consider three crucial
elements: weight, frequency, and magnitude. The role of each logged-in user is calculated
as follows:
Here, is the weight of each role, is the magnitude of each role, and is the time
stamp for role . The weight represents the weightage assigned to each role, indicating its
importance or level of access. This weightage is a constant value associated with each role.
Frequency measures the number of role changes for a particular user within a specific
period. It tracks the frequency with which a user’s role is modified, allowing the system to
identify potential anomalies or suspicious activities. Magnitude assesses the impact of role
changes by considering factors such as the level of access granted or revoked. It quantifies
the significance of each role change in terms of its effect on the overall system security. The
timestamp parameter denotes the time at which the role calculation is performed. It
enables the system to track and analyze the changes in roles over time, facilitating the
identification of patterns or trends in role behavior. The role indicates the current role of
the user, providing the baseline value for the role calculation. By integrating these
elements, the role calculation formula evaluates the behavior of users concerning role
changes and their influence on the system’s security. The overall SFBRA framework
solution is shown in Algorithm [algo:1]. In Algorithm [algo:1], step-5 to step-9 can be
performed in time, and step-15 to step-31 can be performed in time. So, the time
complexity of the proposed algorithm is . The space complexity is as step-5 and
step-6 take space to generate and store the behavioral matrix .

, = GenerateStructuredLogData() Generate = div(no.of 1’s in , total


entries in ) = sum( , , ) = +

, TrustCalculation() Find( ) = multiply( , ) Find( ) = multiply(


, , ) = divide( , ) Trust= add( , ) Goto RoleCalculation Goto end
procedure RoleCalculation() = multiply( , , ) = divide( , )
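The Level-2 packet trust and role calculation above (vulnerability as timestamp times NVD score, exposure from access request, process request and timestamp, trust as their sum, role from weight, frequency, magnitude and timestamp) as an added Python example, not the paper's own code. Assumptions, labelled in the comments: the per-protocol NVD scores are constructed stand-ins for Table 2, timestamps are normalised to [0, 1] within the observation window, the exposure sum is divided by a window capacity, a packet is dropped when exposure exceeds its threshold, and the role value is (weight * frequency * magnitude) / timestamp.

```python
# Constructed per-protocol NVD scores standing in for Table 2 (CVSS-style 0-10 range);
# the paper's actual values are not reproduced here.
NVD_SCORE = {"TCP": 5.0, "UDP": 6.5, "DNS": 7.0, "ICMP": 4.0,
             "ARP": 8.0, "IGMP": 3.5, "IPv4": 5.5, "IPv6": 4.5}

def vulnerability(timestamp, nvd_score):
    """Vulnerability of a packet at time t: product of its timestamp and its NVD
    score. The timestamp is assumed normalised to [0, 1] within the observation
    window so that the product stays comparable between packets."""
    return timestamp * nvd_score

def exposure(access_req, process_req, timestamp, capacity):
    """Exposure of a packet: sum of access requests, process requests and the
    timestamp, divided by the window capacity. The divisor is an assumption; the
    paper's divide() operand is not given on the page."""
    return (access_req + process_req + timestamp) / capacity

def evaluate_packet(pkt, exposure_threshold=1.0, trust_threshold=0.5, capacity=10.0):
    """Level-2 decision for one packet given as a dict with keys
    protocol, timestamp, access_req, process_req. Thresholds are assumptions."""
    e = exposure(pkt["access_req"], pkt["process_req"], pkt["timestamp"], capacity)
    if e > exposure_threshold:          # exposure surpasses the threshold: drop
        return {"exposure": e, "trust": None, "decision": "drop"}
    v = vulnerability(pkt["timestamp"], NVD_SCORE[pkt["protocol"]])
    trust = v + e                       # paper: Trust = add(vulnerability, exposure)
    return {"exposure": e, "trust": trust,
            "decision": "allow" if trust > trust_threshold else "block"}

def role_value(weight, frequency, magnitude, timestamp):
    """Role value of a logged-in user from the role's constant weight, the number of
    role changes in the period (frequency), the magnitude of those changes and the
    timestamp of the calculation. The formula (weight * frequency * magnitude) /
    timestamp is an assumed reading of the paper's multiply()/divide() steps."""
    if timestamp <= 0:
        raise ValueError("timestamp must be positive")
    return (weight * frequency * magnitude) / timestamp

# Constructed sample packets: a quiet TCP packet and a request-heavy ARP packet.
QUIET = {"protocol": "TCP", "timestamp": 0.5, "access_req": 2, "process_req": 1}
NOISY = {"protocol": "ARP", "timestamp": 0.9, "access_req": 8, "process_req": 6}

if __name__ == "__main__":
    print(evaluate_packet(QUIET))
    print(evaluate_packet(NOISY))
    print(role_value(weight=3.0, frequency=2, magnitude=1.5, timestamp=0.5))
```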

Security Analysis of Proposed SFBRA Framework


In this section, we analyze our proposed SFBRA framework’s correctness using logic. The
security property we want to prove is that the proposed framework ensures the
privacy/confidentiality of sensitive data which is presented as follows:
1. Proposed SFBRA Framework: The framework ensures the confidentiality/privacy of
sensitive user data in the cloud environment. The proposed framework relies on a
dynamic access control algorithm that considers factors such as user roles, behavior
patterns, and the log data of the logged-in user.

2. Security Property: Confidentiality/Privacy - Ensuring that unauthorized users
cannot access sensitive user data in the cloud.

3. Assumptions:
a. The proposed security solution algorithm is correctly implemented and cannot be tampered with.
b. User roles and behavior patterns are accurately represented in the system.

4. Formalization: Let represent the confidentiality level assigned to user for
data . Let represent the role of user . Let represent the behavior
pattern of user . Let represent the sensitivity classification of data . The
access decision can be formalized as follows:

5. Logical Reasoning and Formal Proofs:

a. Role Based Access: Each user is accessing a particular role at a certain
timestamp and is calculated as using equation [eq:3]. So,
. If other users try to access the authenticated data then the
timestamp , magnitude , and the weight are modified and it will
notify user regarding its change in role. For all user and data if is
authorized for .

b. Behavior Pattern: If there is any adversarial attack on the authenticated user
data then the entries in the behavior matrix will be changed and so will
the static trust value . Simultaneously, it affects the weights of
the feed-forward backpropagation neural network (FFBPNN) and the
dynamic trust value . So, the overall trust value will be different for user
in a certain timestamp , which is not valid, and the system detects the
adversarial attack on the sensitive data.
For all user and data if deviates significantly from the usual pattern,
then is adjusted.
Deviation in

c. Sensitivity Classification: If there is no change in the overall trust value or
user in a certain timestamp , then the access decision will be 1, which
demonstrates the mentioned in step-4, otherwise it is
classified as 0 and the user request is blocked.
For all user and data , if is not authorized for data and is 1,
then .
is not authorized for data is 1 .
Working of Proposed SFBRA Framework with an Example
Here, we demonstrate our proposed SFBRA framework’s operation considering the two-
level security. Two example use cases are explained for legitimate and malicious users’
overall trust calculation.
Example 1: Legitimate user trust calculation. When a legitimate user logs in to the cloud,
at the Level-1 security its behavior is analyzed to check the trustworthiness. Using the
static analysis phase the unstructured log data is converted into organized XML format
with event name, event ID, process ID, Opcode, and timestamp information of the user. Let
be the XML format with behaviors defined as = where
is one behavior entry, and is the sequence of behavior. The behavior matrix is calculated
as

The dynamic analysis phase involves pattern detection using specific machine-learning
algorithms. Here, we consider various factors, including the user’s access request, process
request, IP address, and vulnerability score (NVD Score). To calculate the dynamic trust
value, we assign appropriate weights ( , , ) to the factors. The weight values are
experimental and chosen according to the priority of the factors.

The overall trust value is calculated as

For user validation, here we compare the calculated overall trust value with a predefined
trust value of 0.5 (assumed considering various experimental results). If the calculated
trust value is more, then the user is allowed for Level-2 security, otherwise blocked.
Once the user has been entered into the Level-2 security layer, the framework calculates
the trust and role of each logged-in user based on their access request and role changes.
The vulnerability values are calculated as:

To determine the exposure level of a packet, we utilize the exposure calculation. If the
resulting value exceeds the predetermined threshold, the packet request is dropped.
Next for role calculation, we consider three crucial elements: weight, frequency, and
magnitude. The role of each logged-in user is calculated as follows:

The calculated trust is more than the predefined threshold value and the role value is more,
so the cloud provides access to the legitimate user.
Example 2: Malicious user trust calculation. When a malicious user logs into the cloud,
Level-1 security focuses on behavior analysis to check the trustworthiness. Let be the
XML format with behaviors defined as = where is one
behavior entry, and is the sequence of behavior. The behavior matrix is calculated as

In dynamic analysis, the pattern is detected using specific machine-learning algorithms.
The dynamic value is calculated as:

The overall trust value is calculated as:

For user validation, here we compare the calculated overall trust value with a predefined
trust value of 0.5. The calculated trust value determines that this user is not a legitimate
user, terminates all the access requests, and blocks the user for further execution.

Experimental Results and Evaluation


Identification of similar and dissimilar patterns using the mentioned behavioral pattern
matching method in Level-1 security
In this section, we present the experimental results and evaluation of our proposed
framework, SFBRA (Secure Framework using Behavior and Role Analysis), for cloud data
security. The experiments are performed on a machine equipped with Intel (R) Core (TM)
i5-4210U CPU @ 1.70GHz clock speed. The computing machine runs Ubuntu 64-bit and has
8 GB of main memory RAM. Python 2.7.15 programming language is used. We compare the
performance of SFBRA with four state-of-the-art research papers, Chakraborty, S. et al.,
Feng, F. et al., Ma, W. et al., and A. Servin et al., considering multiple network parameters such
as attack detection, throughput, and packet drop. The experiments were conducted using
various datasets and metrics to assess the effectiveness and accuracy of our framework.
The results are taken from a continuous simulation run over 10 minutes.

Attack Detection
We used a synthetic data set of 15000 user logins and ran studies to assess the
effectiveness of SFBRA in attack detection. The dataset comprised several attack types,
including denial of service (DoS), distributed denial of service (DDoS), IP spoofing, data
manipulation, and information leaking. We contrasted SFBRA's performance with the four
state-of-the-art research papers Chakraborty, S. et al., Feng, F. et al., Ma, W. et al., and A. Servin
et al., each of which used a different strategy for attack detection.
The result analysis of attack detection is shown in Figure 6. In comparison to the other
frameworks, the SFBRA has a reduced failure rate and bypass rate. A larger percentage of
possible threats were successfully identified and stopped, hence boosting the cloud
platform’s security. In particular, our approach outperformed the other frameworks when
it came to identifying possible assaults, achieving an astounding accuracy of 95%.
Attack packet detection comparison of proposed SFBRA framework with state-of-the-art
research proposals
The integrated strategy used by SFBRA, which combines behavior analysis, role-based
access control, and pattern recognition algorithm- Feed-Forward Backpropagation neural
network (FFBPNN), is responsible for its exceptional performance in attack detection. A
higher degree of security for cloud platforms is provided by SFBRA, which efficiently
detects aberrant activity and identifies malicious users by taking into account user log
monitoring data and examining user behavior.

Throughput
We have done one experiment on a user login database of 15000 users to gauge the
performance of our framework. The system’s performance was tested in the trials under
numerous circumstances, including diverse protocols and vulnerability levels. The pace at
which the system processes data packets is known as throughput, and it reflects the
effectiveness and performance of the cloud platform. A remarkable throughput accuracy of
92% was attained (approx. 8 Mbps) by SFBRA, according to the testing findings,
demonstrating effective data processing and system performance. We contrasted SFBRA’s
throughput with that of the four state-of-the-art research works we chose, where each used
a distinct set of data-processing methods and algorithms. The throughput comparison
results of our proposed SFBRA framework with state-of-the-art research proposals are
shown in Figure 7.
Throughput and packet drop comparison of proposed SFBRA framework with state-of-the-
art research proposals
Due to its streamlined processing steps, effective role-based access control, and use of
pattern recognition algorithms, SFBRA has good throughput performance. By precisely
analyzing user requests and behavior, SFBRA guarantees seamless and fast data processing,
resulting in increased system performance and a better user experience.

Packet Drop
We have compared the effectiveness of our framework, SFBRA, with the four state-of-the-
art research papers Chakraborty, S. et al., Feng, F. et al., Ma, W. et al., and A. Servin et al. for
packet drop. The percentage of data packets deleted or rejected by the system during
processing is referred to as packet drop. Reduced packet drops mean more dependable and
effective data processing, reducing data loss, and maintaining smooth communication on
the cloud platform.
According to the results of our experiments shown in Figure 7, SFBRA has a lower packet
loss rate (0.003% on average) than the other frameworks (approximately 10%). This
shows that a larger proportion of data packets were correctly handled by our system,
guaranteeing dependable communication and reducing data loss.
The strong data processing methods, effective role-based access control, and precise
pattern recognition are responsible for SFBRA’s remarkable performance in minimizing
packet loss. To guarantee reliable data transmission, avoid excessive packet dropouts, and
enhance system performance, SFBRA manages and prioritizes data packets properly.
In terms of attack detection, throughput, and packet loss, the test findings generally
confirm the usefulness and superiority of our suggested framework, SFBRA. The
comparisons with the chosen research works reveal SFBRA’s exceptional performance,
showing more accuracy, increased system performance, and improved data security. These
findings highlight the usefulness of SFBRA in securing cloud data and preserving the
reliability of cloud platforms, confirming its potential for use in real-time applications.

Conclusion
The proposed Secure Framework using Behavior and Role Analysis (SFBRA) is a thorough
and cutting-edge solution to the immediate security issues in cloud computing. SFBRA
offers a comprehensive solution for protecting cloud platforms from potential threats by
seamlessly integrating static and dynamic analysis methodologies, behavior monitoring,
role-based access control, and advanced pattern recognition algorithms. The dual-layered
design of SFBRA, which includes Level-1 and Level-2 security measures, demonstrates its
flexibility and efficiency in a range of security circumstances. The empirical analyses
conducted in this study demonstrate the efficacy of SFBRA over existing approaches,
highlighting its exceptional accuracy in attack detection, effective data processing
throughput, and low packet drop rates. SFBRA ultimately offers itself as a crucial asset in
the ongoing growth of cloud security due to its capacity to simultaneously secure data
integrity and user privacy while retaining operational efficiency. The proposed SFBRA
framework can reinvent the rules of data protection and safe cloud-based operations in the
future as the use of cloud platforms continues to influence current data management.
One of the limitations of the proposed framework is that it depends on user log data for
behavior analysis. If the log data is not available, for example due to a log maintenance
failure, the framework cannot calculate the trust value of the user. In the
future, we would like to eliminate the limitation mentioned above and test coordinated
attacks on our proposed framework to check its efficacy.
A. Servin and D. Kudenko, "Multi-agent Reinforcement Learning for Intrusion Detection," Proceedings of the 5th, 6th and 7th European Conference on Adaptive and Learning Agents and Multi-agent Systems: Adaptation and Multiagent Learning, 2008.
Kamalakanta et al., "Deep Reinforcement Learning based Intrusion Detection System for Cloud Infrastructure," 12th International Conference on Communication Systems & Networks (COMSNETS), 2020.
Chien-Yi Chiu, Chi-Tien Yeh, and Yuh-Jye Lee, "Frequent Pattern-based User Behavior Anomaly Detection for Cloud System," Conference on Technologies and Applications of Artificial Intelligence, 2013.
M. Mdini, A. Blanc, G. Simon, J. Barotin, and J. Lecoeuvre, "Monitoring the Network Monitoring System: Anomaly Detection using Pattern Recognition," Proceedings of the International Conference on Network and Service Management (CNSM), 2017.
Sethi, K., Chopra, A., Bera, P., & Tripathy, B. K., "Integration of Role Based Access Control with Homomorphic Cryptosystem for Secure and Controlled Access of Data in Cloud," In Proceedings of Security of Information and Networks, 2017.
Sethi, K., Majumdar, A., & Bera, P., "A Novel Implementation of Parallel Homomorphic Encryption for Secure Data Storage in Cloud," International Conference on Cyber Security and Protection of Digital Services, 2017.
Chakraborty, S., & Ray, I., "TrustBAC - Integrating Trust Relationships into the RBAC Model for Access Control in Open Systems," In Proceedings of the ACM Symposium on Access Control Models and Technologies, 2008.
Feng, F., Lin, C., Peng, D., & Li, J., "A Trust and Context-Based Access Control Model for Distributed Systems," 10th IEEE International Conference on High-Performance Computing and Communications, 2019.
Ma, W., Zhou, Q., Hu, M., and Wang, X., "A Deep Learning-Based Trust Assessment Method for Cloud Users," Security and Communication Networks, 2021.
Teni, C., Nawale, A., "A Comprehensive Review on Cloud Computing Security," Vidhyayana - An International Multidisciplinary Peer-Reviewed E-Journal, 2023.
Tian, Y., & Romero Nogales, A. F., "A Survey on Data Integrity Attacks and DDoS Attacks in Cloud Computing," IEEE 13th Annual Computing and Communication Workshop and Conference (CCWC), 2023.
Butt, U. A., Amin, R., Mehmood, M., Aldabbas, H., Alharbi, M. T., & Albaqami, N., "Cloud Security Threats and Solutions: A Survey," Wireless Personal Communications, 2023.
Attou, H., Guezzaz, A., Benkirane, S., Azrour, M., & Farhaoui, Y., "Cloud-Based Intrusion Detection Approach Using Machine Learning Techniques," Big Data Mining and Analytics, 2023.
Akbar, H., Zubair, M., and Malik, M. S., "The Security Issues and Challenges in Cloud Computing," International Journal for Electronic Crime Investigation, 2023.
Kumar, U. V., and Reddy, E. M., "Preventing Unauthorized Users from Accessing Cloud Data," Available online at: https://ssrn.com/abstract=4448543, 2023.
National Vulnerability Database (NVD). Available on: https://nvd.nist.gov/vuln/search. Accessed on June 2023.
Gupta, R., Gupta, I., Singh, A. K., Saxena, D. and Lee, C. N., "An IoT-centric Data Protection Method for Preserving Security and Privacy in Cloud," IEEE Systems Journal, 2022.
Gupta, R., Saxena, D., Gupta, I. and Singh, A. K., "Differential and Triphase Adaptive Learning-based Privacy-preserving Model for Medical Data in Cloud Environment," IEEE Networking Letters, 4(4), pp. 217-221, 2022.
Gupta, I., Gupta, R., Singh, A. K. and Buyya, R., "MLPAM: A Machine Learning and Probabilistic Analysis Based Model for Preserving Security and Privacy in Cloud Environment," IEEE Systems Journal, 15(3), pp. 4248-4259, 2020.
Singh, A. K. and Gupta, R., "A Privacy-preserving Model Based on Differential Approach for Sensitive Data in Cloud Environment," Multimedia Tools and Applications, 81(23), pp. 33127-33150, 2022.
