Journal of Network and Computer Applications 71 (2016) 11–29

Contents lists available at ScienceDirect

Journal of Network and Computer Applications

journal homepage: www.elsevier.com/locate/jnca

Review

A survey of security issues for cloud computing

Minhaj Ahmad Khan
Bahauddin Zakariya University Multan, Pakistan

art ic l e i nf o a b s t r a c t

Article history: High quality computing services with reduced cost and improved performance have made cloud com-
Received 6 July 2015 puting a popular paradigm. Due to its flexible infrastructure, net centric approach and ease of access, the
Received in revised form cloud computing has become prevalent. Its widespread usage is however being diminished by the fact
12 February 2016
that the cloud computing paradigm is yet unable to address security issues which may in turn aggravate
Accepted 14 May 2016
Available online 21 May 2016
the quality of service as well as the privacy of customers' data.
In this paper, we present a survey of security issues in terms of security threats and their remedia-
Keywords: tions. The contribution aims at the analysis and categorization of working mechanisms of the main se-
Cloud security curity issues and the possible solutions that exist in the literature. We perform a parametric comparison
Cloud computing
of the threats being faced by cloud platforms. Moreover, we compare various intrusion detection and
Denial-of-service
prevention frameworks being used to address security issues. The trusted cloud computing and me-
Security threats
Intrusion detection systems chanisms for regulating security compliance among cloud service providers are also analyzed. Since the
security mechanisms continue to evolve, we also present the future orientation of cloud security issues
and their possible countermeasures.
& 2016 Elsevier Ltd. All rights reserved.

Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2. Cloud computing security: taxonomy and categorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.1. Categorization of attacks based on cloud components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.1.1. Network based attacks (A1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.1.2. VM based attacks (A2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.1.3. Storage based attacks (A3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.1.4. Application based attacks (A4). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.2. Implications of attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3. Comparative analysis of attacks and countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.1. Network based attacks and countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.2. VM based attacks and countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.3. Storage based attacks and countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.4. Application based attacks and countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
4. Automated cloud protection using intrusion detection and prevention systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
4.1. ACARM-ng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
4.2. Suricata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.3. OSSEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.4. Snort. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.5. NIDES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.6. eXpert-BSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.7. Fail2ban . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.8. Prelude-OSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4.9. Sagan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4.10. Samhain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

E-mail address: [email protected]

http://dx.doi.org/10.1016/j.jnca.2016.05.010
1084-8045/& 2016 Elsevier Ltd. All rights reserved.
12 M.A. Khan / Journal of Network and Computer Applications 71 (2016) 11–29

4.11. Bro-IDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
5. Securing cloud execution environment through trusted cloud computing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
6. Regulating cloud security compliance issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
6.1. Common criteria compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
6.2. Trusted computing compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
6.3. Privacy acts compliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
6.3.1. Privacy of health related information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
6.3.2. Privacy of electronic data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
6.3.3. Privacy of financial data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
7. Cloud security issues in the future . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
7.1. Trusted execution environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
7.2. Protocol vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
7.3. Federated identity interoperability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
7.4. Open standards compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
8. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

1. Introduction purposes ranging from backup of contacts to the execution of

complex applications through computation offloading (Sanaei
Cloud computing has gained wide acceptance for organizations et al., 2014; Kumar et al., 2013). Moreover, the reduced cost of
as well as individuals by introducing computation, storage and services and an assurance regarding quality make it an attractive
software based services. It is used to address the resource scarcity solution for mitigating the issue of constrained resources. Since a
issues of its clients by providing them with on-demand pay-per- cloud computing platform provides services by sharing valuable
use services (Buyya et al., 2011). It incorporates a centralized col- resources, an adequate usage of these resources may be achieved
lection of resources called a cloud connected through a high speed by ensuring that the platform is able to counter security threats
network. The global availability of high performance resources, which may otherwise deteriorate its performance and reliability.
support of a large number of services, and ability to store large An overview of a public cloud computing platform is shown in
amount of data have made it ubiquitous. Even with the modern Fig. 1. The cloud platform is usually equipped with high perfor-
smartphones, the cloud computing is able to serve multiple mance server machines, high speed storage devices and an

Fig. 1. Cloud computing architecture with cloud users connecting to a public cloud platform through internet.
 M.A. Khan / Journal of Network and Computer Applications 71 (2016) 11–29 13

efficient network. The cloud users having mobile phones, laptops contrast to these contributions, we present a comprehensive sur-
or modern desktops connect to the cloud platform through in- vey with a parametric analysis of cloud security issues, counter-
ternet. Since the server machines are connected using an internal measures, and security frameworks (intrusion detection and pre-
network, an attack on the network may produce a detrimental vention systems) in this paper. We employ a component based
impact in the form of communication delays or even the network categorization in terms of the network, VM, storage and applica-
being inaccessible (McMillan, 2009; InfoSecurity, 2009). Likewise, tions executing on a cloud platform. Various solutions to trusted
the attacks on virtual machines and hypervisors being used to run cloud computing are also analyzed together with compliance is-
virtual machines have shown to severely breach the security for sues in terms of prevailing standards, Acts and regulations. We
malicious purposes (Grobauer et al., 2011; Liu et al., 2014; Zhang also present succinctly the future orientation of security chal-
et al., 2012; Zhou et al., 2011). Similarly, the cloud services are also lenges and their possible solutions.
prone to security threats as this layer contains software which has The remaining part of this paper is organized as follows. Sec-
always been vulnerable to hacks and security attacks (Gruschka tion 2 describes a categorization of security threats and their im-
and Iacono, 2009). These attacks may cause violation of data plications. A comparative analysis of security threats and their
protection or even unavailability of services for all the clients. countermeasures is given in Section 3. Section 4 presents a com-
As the cloud computing hinges on the traditional architecture, parison of the intrusion detection and prevention systems aimed
it is becoming more vulnerable to security breaches. The Cloud at providing security for the clouds. An analysis of various ap-
Security Alliance report (Ko et al., 2013) reveals a manifold in- proaches used for trusted cloud computing is given in Section 5.
crease in the frequency of cloud outage taking place within recent Various Acts and official rules used for regulating cloud computing
years. A large number of vulnerability incidents occurred with security issues are discussed in Section 6. The future challenges
threats already known to exist. Similarly, as per threat report and issues together with the suggestions to cope with these issues
published by Symantec (2015), there has been a 91% increase in are discussed in Section 7 before concluding the paper in Section
targeted attacks with 1 out of 3 Symantec.cloud customers being 8.
targeted by spear-phishing attacks in year 2013. To cope with the
increasing number of security threats, there has been a parallel
advancement of countermeasures. For attacks emerging due to 2. Cloud computing security: taxonomy and categorization
network such as botnet and stepping-stone attacks (McMillan,
2009; InfoSecurity, 2009), various countermeasures (Lin and Lee, Cloud computing offers services using the Infrastructure as a
2012; Kourai et al., 2012; Wu et al., 2010) are able to detect and fix Service (IaaS), Platform as a Service (PaaS) and Software as a Ser-
them. The risk of violation of data protection attacks (Ashford, vice (SaaS) models (Buyya et al., 2011) as shown in Fig. 2. Cloud
2015; Ristenpart et al., 2009) has been mitigated using crypto- users have access to servers and virtual machines through the IaaS
graphic techniques (Wang et al., 2009; Wylie et al., 2001). The VM service model. The hypervisors execute on the servers to provide
and hypervisor based vulnerabilities (Aviram et al., 2010; Hlavacs virtualization of physical resources. Similarly, using the PaaS ser-
et al., 2011) are tackled using authentication mechanisms (Godfrey vice model, the cloud platform provides support of operating
and Zulkernine, 2013; Osvik et al., 2006). Similarly, the attacks systems, runtime systems, databases or web servers. The SaaS
related to denial or theft-of-service (Riquet et al., 2012; Zhou et al., service model provides support of pay-per-use software. The di-
2011) may be coped with the intrusion detection systems (Scar- versity of these service delivery models makes the cloud com-
fone and Mell, 2007; Roesch, 2014; Hay et al., 2008). For the puting platforms more vulnerable to attacks than any other com-
threats resulting in disclosure of information to third party, the puting platform. Its vulnerability may be exposed through any of
privacy Acts such as ECPA and HIPAA (DHS, 2013; U.D. of Health & its core components: network, virtual machines, storage and ap-
Human Services, 2007) have been deployed. plications, which are used as a basis for categorization of attacks
Various contributions presenting a survey of cloud security is- and their implications.
sues and challenges have been made recently. A classification of
security issues while mapping threats to countermeasures is de- 2.1. Categorization of attacks based on cloud components
scribed in Khalil et al. (2014), Hashizume et al. (2013), Ashktorab
and Taghizadeh (2012), and Shankarwar and Pawar (2015). Simi- For performing comparative analysis, we categorize attacks on
larly, corresponding to the infrastructure, platform and software
layers of the cloud computing model, a layer-wise categorization
of security threats is presented in Subashini and Kavitha (2011).
Another classification of attacks on clouds using attack surfaces
comprising the users, services and clouds with six possible inter-
faces is described in Gruschka and Jensen (2010). Bisong and
Rahman (2011), Khorshed et al. (2012), and Srinivasamurthy et al.
(2013) discuss major cloud security threats as identified by Cloud
Security Alliance (2010), whereas the confidentiality, integrity,
availability, audit and control are described as major cloud security
issues together with data privacy Acts in Zhou et al. (2010).
Shahzad (2014) discusses malicious insider based denial-of-service
attacks together with the attacks on data while using Amazon Web
Services (AWS) as a case study. A brief survey given in Curran and
Carlin (2011) describes the scalability of cloud and compliance
regulations as major cloud security issues. The authors urge the
need to build confidence of cloud customers by revealing im-
plementation details and ensuring security compliance. The sur-
vey contribution (Modi et al., 2013) discusses various intrusion
detection techniques, whereas a security analysis of open source
cloud software platforms is provided in Popovic et al. (2011). In Fig. 2. Cloud service delivery architecture.
14 M.A. Khan / Journal of Network and Computer Applications 71 (2016) 11–29

a cloud platform based on its components: network (A1), virtual from security violations may be used (Wei et al., 2009; Reimer
machines (A2), storage (A3) and applications (A4) as elaborated et al., 2008; Fernandez et al., 2013).
below. VM migration and rollback attacks (A2c): When an active VM is
being migrated from the host physical machine to another physical
2.1.1. Network based attacks (A1) machine, the contents of the VM files become vulnerable to var-
The cloud machines existing within a cloud platform are con- ious attacks (Oberheide et al., 2008b; Garfinkel and Rosenblum,
nected through a network which also provides connections with 2005). For example, the log of execution state being maintained
the machines outside the cloud platform. An intruder may attack a for implementing a rollback may become accessible during mi-
cloud system through its network which may in turn deteriorate gration. An effective configuration of security policies or proper
the quality of cloud services and may even put data privacy/con- suspend/resume activities may render the VM migration to be
fidentiality at risk. For our analysis, we consider three types of more secure (Xiaopeng et al., 2010; Santos et al., 2009; Zhang
network based attacks as elaborated below. et al., 2008; Szefer and Lee, 2012).
Port scanning (A1a): A port on a server may be probed to check VM scheduler based attacks (A2d): A few vulnerabilities of
the status of a service executing on the target machine. The port scheduler may result in resource stealing or theft-of-service (Zhou
scanning requires access to the network hosting the target ma- et al., 2011; Rong et al., 2013). For example, a VM may be sched-
chine. It is used to expose vulnerabilities of the target machine uled to run after a specific time while retaining the credit balance
resulting in the denial-of-service (Riquet et al., 2012). The intru- of the VM execution time slice. Modified versions of scheduler
sion detection systems or firewalls (Scarfone and Mell, 2007; (Zhou et al., 2011; Gruschka and Jensen, 2010) may improve se-
Roesch, 2014; OWASP, 2015a; Debar et al., 2007) may be used to curity of hypervisors while maintaining fairness and efficiency.
detect and hinder such attacks.
Botnets (A1b): A botnet may be used to steal data from a host 2.1.3. Storage based attacks (A3)
machine and communicate it to a bot-master. A command and An attacker from outside or even a malicious insider may steal
control system is established with a bot-master and several ma- private data stored on some storage device (Stefanov and Shi,
chines can act as stepping-stone to steal private information. 2013; Li et al., 2013; Jung et al., 2013; Cloud Security Alliance,
Several incidents have shown to incorporate clouds as command 2012). With access to sensitive information, a large number of
and control servers (McMillan, 2009; InfoSecurity, 2009). The vulnerabilities may be exploited by manipulating data if a strict
techniques to counter botnet attacks mainly attempt to track the monitoring mechanism is not implemented. For analysis, we
botmaster by interpreting the communication or filtering the consider two types of storage based attacks on clouds as elabo-
packets (Lin and Lee, 2012; Kourai et al., 2012). rated below:
Spoofing attacks (A1c): The spoofing attacks in a network im- Data scavenging (A3a): While erasing data from a storage device,
personate entities for malicious purposes. An IP spoofing attack the file systems do not remove data completely. Consequently, the
may replace the IP address in a network packet with a forged removed data may be recovered by attackers which is referred to
source IP address. Similarly, a DNS spoofing attack may cause a as data scavenging (Hashizume et al., 2013; Jansen, 2011; Ertaul
DNS server to return an incorrect IP address thereby redirecting et al., 2010; Grobauer et al., 2011; Sen, 2013; Townsend, 2009).
network traffic to an attacker's system. A virtual network may be a Various techniques to counter data scavenging are reported in
victim of ARP spoofing (Wu et al., 2010) thereby causing an at- AWS (2014).
tacker VM to access packets of other VMs. The cloud based anti- Data deduplication (A3b): With data deduplication being per-
virus (Oberheide et al., 2008a) or intrusion detection systems formed for minimizing storage and bandwidth requirements, it
(Scarfone and Mell, 2007; Roesch, 2014; OISF, 2015) may be used becomes possible to identify the files and their contents (Harnik
to cope with these attacks. et al., 2010). It may even make it possible to create communication
channel for access to a malicious software. The deduplication ex-
2.1.2. VM based attacks (A2) ploitation risk may be mitigated by ensuring the deduplication to
On a cloud system, the VM based attacks exploit vulnerabilities occur only if there is a specific number of copies of the file (Kaa-
in the virtual machines to violate data protection and affect the niche and Laurent, 2014).
cloud services. Multiple virtual machines being hosted on a system
cause several security risks. Moreover, various stages of VM 2.1.4. Application based attacks (A4)
management may be used to launch a large number of cloud at- The applications running on a cloud may be exposed to various
tacks. For our analysis, we consider four types of VM based attacks attacks by injecting code which may trace execution paths and
as described below: exploit this information for malicious purposes. Similarly, the
Cross VM side channel attacks (A2a): The VM based side channel protocols implemented to provide services on a cloud system are
attacks are able to extract information regarding resource usage, vulnerable to attacks and any running applications may use them
cryptographic keys and other information from a target VM which as a source of intrusion. Moreover, on a cloud system, the archi-
is residing on the same physical machine as that of the attacker tectural components being shared may be exploited by an appli-
VM (Tandon et al., 2014; Zhang et al., 2012; Ristenpart et al., 2009; cation as a source for performing malicious activities. Overall, we
Hlavacs et al., 2011). These attacks may exploit timing information consider three types of application based attacks as described
from resources such as cache and shared memory. The counter- below:
measures for side channel attacks use authentication mechanisms, Malware injection and steganography attacks (A4a): A malicious
cryptographic algorithms or deterministic execution to mitigate code may be inserted in an application if a cloud platform allows
the risk of side channels (Godfrey and Zulkernine, 2013; Osvik for an insecure interface for application development (Ko et al.,
et al., 2006; Zhang et al., 2012; Aviram et al., 2010; Wang and Lee, 2013; Owens, 2010). With a steganography attack, the attackers
2007). embed malicious code within files being transmitted over network
VM creation attacks (A2b): A malicious code can be placed inside (Mazurczyk and Szczypiorski, 2011). The transmission of malicious
a VM image which is then replicated during creation of virtual code may then be ignored by security systems for which it seems
machines (Grobauer et al., 2011; Morsy et al., 2010; Garfinkel and as if a normal file is being sent. The schemes like StegAD (Liu et al.,
Rosenblum, 2005). In this regard, virtual image management 2011) may be used to identify the files and possible locations of
system providing filters and scanners for detecting and recovering injected code in steganographied files.
 M.A. Khan / Journal of Network and Computer Applications 71 (2016) 11–29 15

Shared architectures (A4b): On a shared architecture, the ex- present respectively a comparative analysis of attacks based on the
ecution path of a victim's application can be traced. It can be fur- network, VM, storage and application categories. The comparison
ther used to detect victim's activities and hijack his account is performed in terms of the attack categories, mechanisms, im-
(Zhang et al., 2014). To detect the possibility of being exploited by plications, vulnerable components and contributions for relevant
shared architectures, the application binary code may be analyzed countermeasures.
(Doychev et al., 2013).
Web services & protocol based attacks (A4c): The web services 3.1. Network based attacks and countermeasures
use various protocols such as SOAP whose message header can be
manipulated to contain invalid requests (Gruschka and Iacono, Through network based attacks, the botnets have been suc-
2009). The security policies and validation mechanisms may be cessful in exploiting the cloud infrastructure for malicious pur-
implemented to ensure valid requests for smooth running of ser- poses. For instance, the well known Zeus botnet was revealed to be
vices. To cope with possible website based threats, application using Amazon's Elastic Computing Cloud (EC2) as command and
firewalls may be used to identify and block the attacks (OWASP, control server (McMillan, 2009). The Zeus botnet is a malware
2015a). which is able to steal passwords. Its variants have been reported to
be used for illegal bank transactions. Similarly, the Google cloud
2.2. Implications of attacks platform AppEngine has been used as a botnet to communicate
with the infected computers (InfoSecurity, 2009).
An attack on a cloud may have one or more implications which A distributed denial-of-service attack (Riquet et al., 2012) per-
may deteriorate the provision of data and services on a cloud forms a distributed portscan which is very difficult to be detected
platform. These implications are categorized as follows: by an Intrusion Detection System (IDS) (Scarfone and Mell, 2007).
Violation of data protection: Data protection is violated when For simulation of the attack, two configurations of a cloud plat-
data becomes accessible to users other than owners of data. A form secured by the Snort IDS (Roesch, 2014) and a United Thread
large number of threats may violate data protection through dif- Management firewall respectively are used. The configurations
ferent techniques such as data deduplication or third-party clouds also use various parameters including the number of attacking and
(Somani et al., 2010a; Tebaa et al., 2012; Xiao and Gong, 2010; target hosts for evaluation. For 100 targeted ports, the sequential
Townsend, 2009; Winkler, 2011). and parallel distributed portscans are used with multiple scanners.
Malicious manipulation of data: On cloud computing platforms, For the sequential portscan, a scanner is selected to scan ports, and
the communication between the user and the cloud services in- when detected by the IDS, another scanner is then selected to
terface involves protocols such as HTTP & SOAP together with continue the portscan. For parallel portscan, the targets and ports
scripting languages which are vulnerable to a large number of are distributed among scanners whose steps are then synchro-
threats (OWASP, 2015b; Fong and Okun, 2007; Karnwal et al., nized. The distributed mechanism works successfully to scan ports
2012; Gruschka and Iacono, 2009; Zhang et al., 2014). Conse- despite the presence of firewalls. The experimental results show
quently, an attacker may exploit loopholes in these mechanisms that for 64 targets, the parallel portscan achieves an average suc-
which may result in malicious manipulation of website data. cess rate of 84% and continues to perform better than sequential
Denial-of-service: An attacker may target the cloud platform to portscan even for small number of targets.
hinder the services being provided to customers (Riquet et al., An ARP spoofing based attack (Wu et al., 2010) allows to im-
2012; Karnwal et al., 2012). For instance, it is possible for a mal- personate ARP messages on the network. It results in providing
icious insider to occupy the resources so that the requests by other access of target VMs' packets to an attacker VM. The attacker VM
users are responded with unavailability of resources. can access private data as well as perform malicious activities. To
Theft-of-service: A few vulnerabilities in scheduler may result in cope with this attack, a framework as the countermeasure to
theft-of-service attacks. For example, an attacker may target the control communication among virtual machines on a cloud plat-
scheduling policy to be able to steal resources or obtain cloud form is also described. The framework addresses the issue of
services without proper billing (Zhou et al., 2011). sniffing and spoofing virtual networks linking VMs. It incorporates
multiple layers for routing, sharing and securing the network. The
routing layer uses unique tags to monitor the packets, whereas the
3. Comparative analysis of attacks and countermeasures shared network layer requires VMs of the same organization to
share the network. The firewall layer restricts communication of a
A cloud computing platform provides services using its service VM to the outside world and also blocks packets which attempt to
delivery model. The attacks on a cloud platform may exploit var- modify the routing table.
ious components at every layer of its service model in order to A technique for detecting botnets in cloud is described in Lin
violate data protection and deteriorate the quality of service for and Lee (2012). The approach initially determines the crypto-
malicious purposes. This section discusses and analyzes research graphic keys being used for botnet communication between bots
work contributing towards revealing attacks on clouds and their and Command & Control servers. The attack traffic is decrypted by
countermeasures. For a parametric evaluation, Tables 1, 2 , 3 and 4 first identifying patterns of regions that may contain the keys. An

Table 1
Comparison of network based attacks on clouds.

Attack Ref. Attack Mechanism Implications Vulnerable Countermeasures

category Components

McMillan (2009) A1b Botnet using Amazon cloud as Violation of data pro- Cloud network Lin and Lee (2012), Kourai et al. (2012), Wu
command and control server tection (IaaS) et al. (2010), Scarfone and Mell (2007)
Wu et al. (2010) A1c ARP spoofing by VM Violation of data pro- Virtual network Wu et al. (2010), Scarfone and Mell (2007)
tection (IaaS)
Riquet et al. A1a Distributed port scanning Denial-of-Service (IaaS Cloud network Scarfone and Mell (2007), Karnwal et al. (2012)
(2012) and SaaS)
 16
Table 2
Comparison of VM based attacks on clouds.

M.A. Khan / Journal of Network and Computer Applications 71 (2016) 11–29

Attack Ref. Attack Mechanism Implications Vulnerable Countermeasures
category Components

Morsy et al. (2010) A2b VM creation Violation of data protection (IaaS VM image Wei et al. (2009), Reimer et al. (2008), Fernandez et al. (2013), Ha-
and SaaS) shizume et al. (2011)
Tandon et al. (2014) A2a Cross-VM Cache based side channel attacks Violation of data protection (IaaS) Shared caches Liu et al. (2014), Hashizume et al. (2011), Ranjith et al. (2012), Su
(2013), Tandon et al. (2014)
Rong et al. (2013) A2d Timed scheduling using hypervisor Theft-of-Service (SaaS) VM Scheduler Zhou et al. (2011), Wang and Jiang (2010), Murray et al. (2008)
Grobauer et al. (2011) A2b VM replication Violation of data protection (IaaS VM image Wei et al. (2009), Reimer et al. (2008), Fernandez et al. (2013)
and SaaS)
Zhang et al. (2012) A2a Cross-VM Cache based side channel attacks Violation of data protection (IaaS) Shared caches Liu et al. (2014), Hashizume et al. (2011), Ranjith et al. (2012), Su
(2013), Tandon et al. (2014)
Rocha and Correia (2011) A2d, A2a VM image access and relocation with insecure Violation of data protection, Mal- VM image, Stolfo et al. (2012), Murray et al. (2008), Rueda et al. (2008), Dawoud
hypervisor icious manipulation of data (IaaS) Hypervisor et al. (2010), Owens (2009), Zhou et al. (2011), Wang and Jiang (2010),
Murray et al. (2008)
Zhou et al. (2011) A2d Timed scheduling using hypervisor Theft-of-Service (SaaS) VM Scheduler Zhou et al. (2011), Wang and Jiang (2010), Murray et al. (2008)
Garfinkel and Rosenblum A2b VM creation Violation of data protection (IaaS VM image Wei et al. (2009), Reimer et al. (2008), Fernandez et al. (2013), Ha-
(2005) and SaaS) shizume et al. (2011)
Ristenpart et al. (2009) A2a VM side channel attack Violation of data protection (IaaS) Time shared caches Liu et al. (2014), Hashizume et al. (2011), Ranjith et al. (2012), Su
(2013)
Oberheide et al. (2008b) A2c Communication for VM migration and memory Violation of data protection, De- Hypervisor and Xiaopeng et al. (2010), Zhang et al. (2008), Szefer and Lee (2012)
access nial-of-Service (IaaS, PaaS and network
SaaS)
Jasti et al. (2010) A2d VM escape and VM hopping to access in- Violation of data protection, De- VM and hypervisor Wei et al. (2009), Szefer and Lee (2012), Hashizume et al. (2011), Su
formation of other VMs and impact hypervisor nial-of-Service (IaaS, PaaS and (2013), Liu et al. (2014), Wang and Jiang (2010)
execution SaaS)
Hlavacs et al. (2011) A2d Energy consumption logs to detect VMs being Violation of data protection (IaaS) VM and storage Wei et al. (2009), Szefer and Lee (2012), Hashizume et al. (2011), Su
hosted (2013), Stolfo et al. (2012)
Table 3
Comparison of storage based attacks on clouds.

Attack Ref. Attack Mechanism Implications Vulnerable Countermeasures

category Components

Harnik et al. (2010) A3b Tracing of files/contents through data deduplica- Violation of data protection, Denial- Cloud storage and Kaaniche and Laurent (2014), Wu et al. (2014), Somani et al. (2010b)
tion and communication covert channel of-Service (PaaS and SaaS) network

M.A. Khan / Journal of Network and Computer Applications 71 (2016) 11–29

Grobauer et al. A3a Data scavenging Violation of data protection (IaaS and Cloud storage Wei et al. (2009), Reimer et al. (2008), Fernandez et al. (2013),
(2011) SaaS) Leandro et al. (2012), Chadwick (2009), Sanchez et al. (2012)

Table 4
Comparison of application based attacks on clouds.

Attack Ref. Attack Mechanism Implications Vulnerable Countermeasures

category Components

Owens (2010) A4a, A4b Fine-grained access for application develop- Violation of data protection, Denial- Insecure APIs and Oberheide et al. (2008a), Liu and Chen (2010), Martignoni et al.
ment, Storage access for shared architectures of-Service (IaaS, PaaS and SaaS) shared storage (2009), Liu et al. (2011)
Mazurczyk and Szczypiorski A4a Steganography attack through network for Malicious manipulation of data, De- Cloud network and Liu et al. (2011), OWASP (2015a), Martignoni et al. (2009),
(2011) data and malicious code nial-of-Service (IaaS and SaaS) storage Oberheide et al. (2008a), Liu and Chen (2010), Scarfone and
Mell (2007)
Grobauer et al. (2011) A4c Protocols vulnerabilities Violation of data protection (IaaS and Network Protocols Gruschka and Iacono (2009), Scarfone and Mell (2007)
SaaS)
Gruschka and Iacono (2009) A4c SOAP message manipulation Denial-of-Service, Theft-of-Service Web Services and Gruschka and Iacono (2009), Scarfone and Mell (2007)
(PaaS and SaaS) protocols
Zhang et al. (2014) A4b Shared cache based side channel attack Violation of data protection (PaaS) Shared caches Doychev et al. (2013), Coppens et al. (2009), Zhang et al. (2014)

17
18 M.A. Khan / Journal of Network and Computer Applications 71 (2016) 11–29

entropy search is then performed to identify the keys. Subse- management. For obtaining passwords, the attack incorporates the
quently, the communication taking place between the botmaster access to the memory image of the VM machine using the xm
and the victims through stepping-stone machines is also captured. command. The passwords can then be retrieved from the memory
It is accomplished by spreading Pebbleware, an executable code image by using Linux based utilities. Similarly, to obtain private
that identifies the host machines. After reaching the botmaster, it keys the tool rsakeyfind can be used which finds out the key from
reveals the IP address of the botmaster. The technique of tracing the memory image of the target VM. For extracting confidential
the botnet server is shown to work successfully for the well- information, the attacker creates a logical disk volume, searches
known Zeus botnet. for all the existing volumes, and can mount them to copy the in-
For protecting clouds against stepping-stone attacks, a VM in- formation or files. Another attack that relocates virtual machine
trospection based mechanism is provided in Kourai et al. (2012). can be performed on a cloud. To accomplish this attack, the mal-
The mechanism suggests the use of a packet filter architecture icious user first ensures that an integrity-protected hypervisor
called xFilter, which runs in a VMM. The xFilter code obtains in- (Vasudevan et al., 2010) is executing. The integrity-protected hy-
formation regarding the process IDs and user IDs from guest op- pervisor uses special parameters which make it secure against any
erating systems. Upon intercepting a packet, xFilter matches the possible modifications. A verification process is performed through
sender and receiver user IDs with its filtering rules in order to the key certificates obtained from the TPM of a secure server to
accept or reject the packet. The filtering rules are dynamically make it seem as if the configuration of an insecure hypervisor
updated upon detecting new attacks. A decision cache is also in- based machine is the same. The VM is then relocated to the ma-
corporated in xFilter which makes it possible to reuse previous chine with insecure hypervisor thereby making it possible to steal
decisions thereby reducing the overhead of VM introspection. The confidential data.
suggested filtering approach works with almost 13% of perfor- The research work in Zhou et al. (2011) describes a vulner-
mance degradation of web based communication. ability in the scheduler of the Xen hypervisor. As the cloud systems
The instrusion detection systems (Scarfone and Mell, 2007) are use virtualization, the tasks are executed on virtual machines
able to secure a cloud network by analyzing the packets flowing which contain virtual CPUs. The main objective of the scheduler is
through the network. In contrast to firewalls, the intrusion de- to determine the mapping between virtual and physical CPUs.
tection systems analyze traffic pattern through payload informa- Each VCPU is given credits that are debited after scheduling the
tion. The intrusion detection systems may provide traffic mon- VCPU. When a virtual CPU goes to sleep state due to I/O call, it
itoring at individual host or network level and alert the adminis- retains its credits which cause it to enter the BOOST state on
trators regarding suspicious activities. Similarly, the intrusion waking up and subsequently preempt other virtual CPUs. To ex-
prevention systems are able to discard packets based on the traffic ploit the vulnerability, the scheduler is set to schedule the attacker
pattern in addition to analyzing packets. A detailed categorization VM after every 10 ms, let the VM run for a small instance, and go
of these systems is given in Section 4. idle subsequently. It ensures that other VM runs for a small time
The research work in Karnwal et al. (2012) targets distributed whose credits are therefore reduced. Since the attacker VM wakes
denial-of-service (DDoS) attacks. The approach initially matches in BOOST state, the running VM is preempted and the attacker VM
the IP address of the client with already stored IPs. Subsequently, a resumes execution, however, the credit balance of the attacker VM
cloud defender is incorporated to identify suspicious messages and never decreases. The experiments performed on an Intel based
restrict access to avoid DDoS attacks. The cloud defender counts processor show that the attacker VM can utilize almost 98% of a
the numbers of requests corresponding to a single IP and filters if a CPU core's cycles, and on the Amazon EC2 based setup, the attack
large number of requests arrive from the same IP. It then matches is able to utilize 85% of the CPU resources. Similarly, a Time-Stealer
the hop-count value and IP frequency of similar request messages attack (Rong et al., 2013) is described for a recent version of Xen
and marks them suspicious. Similarly, the HTTP DDoS attack is scheduler. The cycle stealing approach works by analyzing the
handled by using client puzzles which is a part of a WSDL file. The source code. The suggested approach is shown to successfully
solution of the puzzle is embedded within the header of the SOAP acquire 96.6% CPU cycles independent of the number of virtual
message. The puzzle is sent back to the IP address, and if the machines executing on the same processor.
puzzle is not resolved by the client machine, the message is dis- While replicating a virtual machine, the private data together
carded. Moreover, a signature is generated while keeping a few with cryptographic keys may be exposed (Grobauer et al., 2011).
parameters twice in the signature, and later added to the SOAP The private data and keys are supposed to be private to a parti-
header for XML protection. cular host. However, with a new copy of VM, the exposed data may
become public. The data leakage due to VM replication may then
3.2. VM based attacks and countermeasures be used for malicious activities.
An approach of stealing private information on the cloud due to
The security of a virtual machine being copied to create another sharing of physical resources is given in Ristenpart et al. (2009).
VM may be compromised by modifying its executable code (Gar- The approach works in different steps and is based on the fact that
finkel and Rosenblum, 2005). The worms/viruses may be injected VMs for different cloud customers may be executed on the same
in the original VM before creating a copy of the VM (Morsy et al., server. The attacker VM can use side-channel attacks to violate
2010). A compromised virtual machine which also contains the data protection of the target VM. To accomplish that, the malicious
state of the guest operating system thus results in exposing the user initially attempts to be co-resident on the same system as
newly created VM to security threats. Moreover, it is difficult to that of the target VM by probing the network while targeting the
trace the origin of the vulnerability for the newly created VM. port numbers 80 and 443. The web servers are then traced using
A cross-VM side channel attack may cause a malicious VM to DNS based probing. When the exposed parameters are used for
extract Advanced Encryption Standard (AES) encryption key from launching a new instance, it becomes co-resident with the victim
a target VM (Tandon et al., 2014). The attack exploits the shared VM. The time shared caches are then used to detect the workload
cache by analyzing its access pattern and cache indices when the of instances of target VMs and launch other attacks. For example,
victim VM executes the AES algorithm. the cryptographic keys can be extracted by using side-channel
In Rocha and Correia (2011), various approaches of stealing attacks. Moreover, by finding the keystroke timings, the passwords
confidential data in the cloud are described. The approach as- being entered by the target users can also be recovered.
sumes a malicious insider who has administrative access to VM Various classes of live VM migration attacks are described in
 M.A. Khan / Journal of Network and Computer Applications 71 (2016) 11–29 19

Oberheide et al. (2008b). The control plane class attacks target measures against the attacks.
communication for initiating and managing the overall VM mi- Two strategies for avoiding cache based side channel attacks
gration process. The data plane class attacks may target the data targeted at extracting AES keys are described in Tandon et al.
for leakage of private information. Similarly, the migration module (2014). The AES encryption performs various mathematical op-
class attacks may gain illegitimate control of the VMM and the erations which are very expensive. Consequently, table lookups are
guest operating systems. The suggested framework Xensploit used as a replacement for these operations. An attacker can ana-
makes use of the fragroute framework to exploit various vulner- lyze various patterns of the cache to reveal the indices of lookup
abilities such as modifying memory page of a process during table which have not been accessed. The attacker detects the ex-
transmission, manipulating keys for sshd authentication and stack/ ecution of the AES encryption as there is a large number of clock
integer overflow issues. cycles. It finds the affected cache sets and performs brute-force
An attack to access cryptographic keys using the concept of method to extract encryption key. The attack can be avoided if the
side-channel attack is given in Zhang et al. (2012). The attack cache is flushed before applying AES algorithm or the lookup table
works for two separate DomU VMs by assuming that the attacker access is made random.
can access a copy of the software executing on the target VM. The An approach of reducing the possibility of cross-VM side
time taken by cache sets of instruction caches is determined. After channel attacks using a modified version of scheduler is given in
measuring timings, cache patterns are classified and possible er- Liu et al. (2014). The suggested approach adds new parameters
rors called noise are subsequently reduced. Different mathematical corresponding to threshold for overlapping of two VMs and noise
operations of a cryptographic algorithm are determined through to be inserted. The threshold for overlapping of two VMs can be
pattern classification. These sequences of operations are re-con- adjusted so that the VMs may overlap execution within the
structed to extract the cryptographic key from a victim's machine. threshold limit. As the VMs execution overlapping time ap-
The experimentation shows a successful implementation of ex- proaches the threshold limit, a noise is injected by the scheduler to
tracting ElGamal (2006) decryption key from the victim's machine. interrupt the transmission through the side channel. The proto-
Different types of attacks in multi-tenant clouds are discussed type implementation is shown to successfully mitigate the cross-
in Jasti et al. (2010). The first attack VM hopping may occur when VM side channel attacks with a very small performance overhead.
two VMs are set to execute on a single host machine. An attacker Similarly, in Su (2013), the concept of a VM Police is proposed to
on a virtual machine can monitor the traffic of other VMs and prevent side channel attacks. The Police VM is launched by a host
subsequently modify their configuration for any malicious activ- and contains software components as anti-attack units. The
ities. The VM Escape attack causes the attacker to access the hy- scheduling of Police VMs is controlled through several parameters
pervisor which in turn may be used to affect other running VMs. such as load, security and performance requirements.
The attack monitors the CPU and memory utilization and can even A mechanism to avoid data leakage using network covert
cause the hypervisor or VMs to stop executing. channels is given in Ranjith et al. (2012). A timing covert channel
The energy consumption logs may be used as a side channel to uses delays during communication for encoding and decoding
recognize the VMs being hosted on a cloud platform (Hlavacs et al., information. Similarly, a network covert channel works when a
2011). The energy consumption traces are first sampled followed user types some information in a VM. A keylogger then logs the
by computation of probability function for combination of VMs. A information and leaks it through the network covert channel to
statistical analysis is then used to determine the likelihood of VM attacker. The solution of these covert channels is to define custo-
states. mized rules for communication between VMs which can be im-
An approach for improvement of security of the Xen hypervisor plemented by incorporating a firewall based on VMM. Another
is suggested in Murray et al. (2008). The trusted computing base covert channel uses the table mapping that corresponds to phy-
(TCB) of the Xen hypervisor contains the VMM, a privileged virtual sical and virtual machine frames. The mapping may be modified to
machine Dom0 and other tools which may in turn be used to communicate with other virtual machines. It can be restricted by
create other VMs. Since the tools may contain user software, the dividing the table so that only the corresponding virtual machine
size of the TCB may run out of bounds. Moreover, the adminis- can access it.
trator can execute any privileged code which may even impact the To secure data theft attack from a malicious insider, an analysis
functionality of the Xen hypervisor. The suggested approach re- to detect access patterns is suggested in Stolfo et al. (2012). The
moves the Dom0 user space and keeps only the Dom0 kernel in the approach detects anomalies in data access patterns. For an un-
TCB. Consequently, the size of the TCB is reduced and the security authorized access, the user is returned with decoy information
and integrity of the Xen hypervisor improves significantly. which may not be identified by any user other than owner of the
An approach called hypersafe to secure hypervisors with control data.
flow integrity is given in Wang and Jiang (2010). The proposed An architecture with flexible enforcement of security policies is
approach performs memory lockdown to secure code and data. It described in Rueda et al. (2008). The architecture proposes a
ensures the pages to be unlocked for modifying even if it is re- configuration phase and a policy enforcement phase. The config-
quired by the hypervisor itself. Any other code brought for ex- uration phase loads a new VM for a specific web application and
ecution in hypervisor space is rejected. To protect control data, a the enforcement phase ensures authorization of requests from the
technique called restricted pointer indexing is proposed. It uses VMs for end-to-end access control. The architecture establishes
control-flow graph to determine the flow of control and generate secure channels at multiple layers using the given configurations.
pointer indexes from control data. The targets in the control flow For a web application, the security policies are downloaded and
are found and their access is restricted to pointer indexes. The the browser VM is updated before being loaded. On a URL request,
approach works efficiently as it incurs less than 5% of overhead for a security label is generated which is then forwarded to the VMM
protection of code and data. for authorizing the communication as per system security policy
For tackling various VM based attacks, the misuse patterns are and sending it to web server for processing.
proposed in Hashizume et al. (2011). The misuse patterns describe For IaaS environments, a security infrastructure is proposed in
the environment, conditions and sequences of cloud based attacks Dawoud et al. (2010). The proposed model contains a secure
including those caused by co-residence of virtual machines and configuration policy (SCP) to ensure a secure configuration of IaaS
manipulation of virtual machine images. The misuse patterns act components. Another component called Secure Resource Man-
as a repository which may then be used by developers for security agement Policy (SRMP) manages the access rules for IaaS
20 M.A. Khan / Journal of Network and Computer Applications 71 (2016) 11–29

resources. The third component Security Policy Monitoring & Au- services are described. The first attack makes it possible for the
diting (SPMA) is able to monitor and track the entire system life attacker to identify the uploaded files. The second attack allows to
cycle. Moreover, the restriction level can be varied depending determine the contents of a file stored on a cloud server. Similarly,
upon the service provider and requirements. the third attack allows to create a covert channel for malicious
A cloud security architecture for server virtual machines using activities. The channel can make communication possible between
policy and threat management services is given in Owens (2009). a malicious software and a control server.
This architecture is a part of Savvi's general security architecture. With elastic clouds, the data scavenging may occur when the
The policy management contains various elements including the resources allocated to a user are re-allocated to another user
identity management, Single-Sign-On (SSO), security configura- (Grobauer et al., 2011). Despite a new allocation, the data and
tion, vulnerability management and reporting. Each VM is as- storage of previous user may become accessible to the new user.
signed a unique identity which is then used to monitor for any The violation of data protection may therefore occur due to data
vulnerabilities throughout the VM lifecycle. scavenging.
The framework Mirage proposed in Wei et al. (2009) includes a A mechanism for detecting covert channels in clouds using a
mechanism for sharing VM images in a secure manner. It contains framework called C2Detector is provided in Wu et al. (2014). A
filters to remove private information or malicious code from the covert channel can be used to violate data confidentiality provided
VM image and also contains a mechanism for tracking operations by a cloud platform. To cope with the covert channels of CPU load,
applied to the VM image. After publishing the image, the frame- memory and cache based, an automaton having four states is in-
work may also be used for scanning and fixing of viruses or mal- corporated. To detect the covert channels, change pattern of
icious software. Similarly, a special VM image storage format shared resources is matched with the Markov model. A match of
(Reimer et al., 2008) is proposed to secure images by exploiting the pattern implies the transfer of confidential information
semantic information in the images. It makes use of a manifest through the covert channel. Similarly, for operation sequences,
corresponding to an image and a store to contain image data Bayesian model is incorporated, which takes input from the Mar-
which may be converted to the original image form. In Fernandez kov detector. A deviation from the Bayesian model implies a covert
et al. (2013), a repository is incorporated to secure the VM images channel to exist in the cloud. The C2Detector successfully detects
in a cloud. It uses a monitor to scan images, an authenticator to covert channels with a small number of false positives.
authenticate the legal users and an auditor to track access to For securing data during transmission, a mechanism using di-
image. gitized signatures is described in Somani et al. (2010b). The sug-
A framework for providing life-cycle protection of VM and gested approach performs digital signatures using RSA. A hash
virtual network called VNSS is provided in Xiaopeng et al. (2010). function is initially applied to generate a message digest which is
The framework contains a controller and multiple agents as subsequently encrypted. The encrypted text can then by decrypted
components for securing virtual computing environments. The for verification. Similarly, the approach given in Kaaniche and
controller component loads VM configuration and calls an agent to Laurent (2014) proposes a mechanism to share data on a public
create an instance of the virtual machine. Another agent for gen- cloud using deduplication. The approach works in a secure manner
erating security policies is then invoked by the controller. Simi- by encrypting data and encapsulating rights in a separate file. The
larly, for VM migration, the controller uses the VM migration agent decryption of data can be performed only by authorized users.
together with the agents for security context migration and se- The VM image access control mechanisms (Wei et al., 2009;
curity policy migration. The VM destruction phase is carried out by Reimer et al., 2008; Fernandez et al., 2013) discussed in the pre-
the controller by destroying the VM instance and removing the vious section may also be applied to secure data scavenging.
security policies. The experimental results show a successful life- With multiple organizations sharing user information, a fed-
cycle implementation with uninterrupted execution and secure erated identity management system can be incorporated. Leandro
migration for FTP applications. et al. (2012) present a federated identity based authorization
For secure migration of VMs, a framework called PALM is de- scheme which deploys the Shibboleth authentication and au-
scribed in Zhang et al. (2008). The framework works for Xen VMM thorization system (Chadwick, 2009) for management of iden-
and makes use of different modules for protection during migra- tities. It supports Single-Sign-On (SSO) mechanism so that multi-
tion. The data protection module performs encryption and de- ple organizations within a federation may share identity in-
cryption of data related to protected processes. The migration formation. Consequently, a user is not required to login repeatedly
manager controls the overall migration process, whereas other to access resources multiple times. Similarly, Sanchez et al. (2012)
modules manage the transmission of metadata and protect it from describe an identity management system. Their approach employs
various security vulnerabilities. With the PALM framework, there is the Security Assertion Markup Language (SAML) (Ragouzis et al.,
a small performance degradation in comparison with the live 2008) adapted for dynamic cloud federation. The SAML language
migration by Xen hypervisor. uses XML for communicating data required for authentication and
A virtual machine executing on a cloud may be temporarily authorization between organizations. The proposed model is then
suspended for maintenance activities and resumed later on. While used to provide access to cloud resources while retaining the user
suspending it is possible to save the current state of disk, memory privacy.
and CPU. This feature may be used to perform malicious activities
as it becomes possible to perform multiple attempts for login, and 3.4. Application based attacks and countermeasures
then rollback the VM to its previous state. The countermeasures
for these attacks work by using the log of VM activities or enfor- Various security challenges faced due to elasticity of clouds are
cing the features of suspend/resume operations to work with user described in Owens (2010). A main challenge is provision for a
input (Szefer and Lee, 2012). fine-grained access in a cloud environment. Moreover, an elastic
model has to cope with the time and context parameters for re-
3.3. Storage based attacks and countermeasures straining various actions. Similarly, the data on a shared archi-
tecture may not be secure due to environment access to other
Storage services of a cloud make use of data deduplication in users.
order to keep a single copy of data. In Harnik et al. (2010), different For steganography attacks, secret data called steganogram can
attacks related to data deduplication in clouds providing storage be embedded within normal data exchange which may not be
 M.A. Khan / Journal of Network and Computer Applications 71 (2016) 11–29 21

detected by third parties. The secret data may contain malware overhead of executing a large part of the code on the end users'
code which may result in security breach (Mazurczyk and Szczy- system and transfers it to a resource rich cloud.
piorski, 2011). For steganography attacks in cloud storage systems, a StegAD
The data protection may be violated due to the protocol vul- scheme is described in Liu et al. (2011). The scheme incorporates
nerabilities (Grobauer et al., 2011). The protocols being used for two algorithms for detecting the affected files and determine the
access to cloud data and services are described as an insecure hidden places respectively. The scheme is shown to successfully
entity which may become potential threats for cloud computing. work for audio files based attacks on cloud storage. Similarly, for
For access to cloud infrastructure, Web Services are used by securing web applications and thwarting malware injections
cloud providers. The vulnerability of these services for cloud in- through networks, the application firewalls (OWASP, 2015a) may
frastructure is exposed in Gruschka and Iacono (2009). The ser- be incorporated together with intrusion detection systems (Scar-
vices make use of Simple Object Access Protocol (SOAP) messages fone and Mell, 2007).
for cloud requests. A SOAP message can be manipulated by inter- The timing information leakage using shared resource based
cepting it and modifying the request. The SOAP message header attacks may be tackled through a transformation called if-conver-
contains signatures which are kept unchanged together with Body sion (Coppens et al., 2009). The suggested approach works for
wsu:Id, while the message body is replaced with a new bogus control-flow based side channels in which program execution is
request. An invalid request validated by the cloud provider makes traced by finding the path followed during execution of the pro-
the entire cloud vulnerable. This attack can be restricted by vali- gram. The transformation of code for conditional execution pro-
dating XML schema which ensures that multiple occurrences with tects against the control flow based side channel attacks. Likewise,
the same Id do not occur. Moreover, the security policy validation a framework to analyze cache based side channel attacks is de-
mechanism may be improved to counter such attacks. scribed in Doychev et al. (2013). A binary file and cache parameters
For PaaS environments, a framework to perform side-channel are input to the framework for analysis and detection of attacks.
cache-based attacks is given in Zhang et al. (2014). The control The framework uses the parser and iterator components together
flow graph of an executable is used to detect memory chunks that with abstract domains to analyze the attacks.
are monitored for the attack. Subsequently, an NFA with states
corresponding to memory chunks is constructed. The execution of
a victim's application is traced and a malicious instance of the 4. Automated cloud protection using intrusion detection and
attacker code is co-located with the application. The malicious prevention systems
code can then extract information from the application by making
use of cross-site requests. The suggested approach is shown to An Intrusion Detection System (IDS) analyzes the packet header
successfully reveal information regarding a user's shopping items and payload to compare it with any anomalies found in compar-
on a victim website, resetting passwords of users on a website and ison with the normal traffic. This is in contrast to a firewall which
breaking XML encryption. filters the network traffic by examining the packet headers flowing
For securing cloud computing platforms, the antivirus software through the network ports. For anomalous traffic, an IDS attempts
may be of great significance as it may monitor and hinder any to identify the pattern against common threats, and alerts the
malicious code to impact the cloud. In Oberheide et al. (2008a), the network administrator. An Intrusion Prevention System (IPS)
architecture of an antivirus CloudAV is described. The antivirus works just like an IDS, however it may also reject the packets or
supports in-cloud detection of malicious code by incorporating terminate the connection. Since the backbone of a cloud based
multiple detection engines. These engines execute in parallel and platform is usually a high-speed network, it must be protected by
can analyze the files being transferred. A host agent runs on host a fully automated intrusion detection/prevention system. A net-
systems to send suspicious files to network for analysis. The net- work intrusion detection/prevention system (NIDS/NIPS) attempts
work service analyzes the code to identify threats. A forensic to secure all computer systems in a network, whereas a host-based
analysis is also used to track information related to file access and intrusion detection/prevention system (HIDS/HIPS) attempts to
extract the actions performed by malicious code. Using multiple secure a single host. A highly scalable intrusion detection system is
detection engines, detection coverage of the CloudAV antivirus able to provide support for efficient utilization of modern high
increases significantly and achieves almost 94% of average detec- performance architectures.
tion rate. Two different types of detection models have been in-
A mechanism incorporating the detection of malware using corporated in intrusion detection systems: Statistical or Signature-
historical information is described in Liu and Chen (2010). The based (Scarfone and Mell, 2007). The statistical model maintains
approach makes use of logs corresponding to writing or creation of profiles regarding users, hosts, applications and connection (ports,
executable files in the Portable Executable (PE) format. With a devices and protocols). It then compares current activity with the
lightweight log collector, any changes made to PE files by malware attributes of the profile for any anomalies. In contrast, a signature-
code are captured. The logs are processed by using MapReduce based model compares the traffic against a collection of signatures
which performs file indexing and relation indexing, to represent or threat patterns.
the locations and relationships of PE files respectively. The ex- Table 5 provides a comparative analysis of the main intrusion
perimental results show 83% accuracy for detecting malware. detection/prevention systems in terms of category, intrusion de-
A framework for dynamic analysis of malware and suspicious tection model, main components, technical complexity, scalability
code is given in Martignoni et al. (2009). The approach effectively and open source support parameters.
utilizes the resources of the cloud as well as the end users or cli-
ents who may be victims of malware. It causes the clients to send 4.1. ACARM-ng
malware programs to a cloud for analysis on its behalf. The sus-
picious code is executed on the cloud except the environment The Alert Correlation, Assessment and Reaction Module-next
independent system calls which are executed on the users' sys- generation system (Balcerek et al., 2012; WCSS, 2010) is able to
tems, and their output is then submitted to the cloud. The output generate alerts and correlate them. For intrusion detection, it can
of the code is analyzed thoroughly to determine whether there is work for networks as well as for individual hosts. It gets input in
any malicious activity performed by the suspicious code. This Intrusion Detection Message Exchange Format (IDMEF) (Debar
approach works efficiently to detect malware as it mitigates the et al., 2007), a standard format for communicating with IDS. Its
22 M.A. Khan / Journal of Network and Computer Applications 71 (2016) 11–29

architecture makes use of filters (for joining and correlating at-

Technical complexity Scalability Open source

tacks), triggers (for reactions to attacks) and a database (for storing
alerts and state of the application).

Yes

Yes

Yes

Yes

Yes
Yes
Yes
Yes
Yes
No

No
4.2. Suricata

Medium
High The Suricata intrusion prevention system (OISF, 2015) is a rule

High

High
High
Low

Low

Low

Low

Low

Low
based engine that supports intrusion detection and prevention by
monitoring network traffic. It generates alerts for the system ad-
ministrator if any suspicious activity is performed in the network.
On high performance architectures, it can scale efficiently by ex-
ploiting multi-threading feature on multiple processors or cores.
Its detection system can identify protocols thereby making it easy
Medium

Medium

Medium

Medium
Medium
for users to obtain security based on protocols instead of ports.
High

High

High

High
Low
Low 4.3. OSSEC
Network Intrusion detection, prevention and monitoring en-

Packet sniffer, pre-processor, detection engine and logger

The Open Source SECurity intrusion prevention system (Hay

et al., 2008; OSSEC, 2015) monitors the network for individual
hosts. Its implementation uses several daemons to perform spe-
Inference engine, knowledge base and analyzer

cialized tasks such as forwarding logs to servers, analyzing logs

and generating alerts. It uses a central manager (to retrieve in-
Manager, correlator and log file manager

Integrity checker, log server and console

formation from syslog), agents and databases to generate alerts on

Correlation daemon, database engine

a real-time basis. The manager stores the rules and the config-
Script interpreter and event engine

uration parameters together with the system logs and events.

Analyzer, resolver and archiver
File integrity and log checkers
gines, analyzer and logger

4.4. Snort
Event and log analyzer
Client, Server and Jails
Major components

Snort (Roesch, 2014) is a network intrusion prevention system

which provides support of packet sniffing and packet logging
modes in addition to analysis in NIDS mode. Through packet
sniffing, the packet stream is captured and displayed to the user,
whereas through packet logging, the packets may be stored on a
backup storage device. To generate alerts, it uses the components
of packet sniffer, pre-processor, detection engine and logger. The
Profile-based model to support NIDS, NIPS, HIDS and

Signature-based and profile-based model to support

Signature-based model and profile-based model to

Signature-based model and profile-based model to

packet logging may speed up using fast mode which makes the
Signature-based model to support NIDS and NIPS

logger write logs efficiently in binary form.

NIDS and NIPS

4.5. NIDES
HIDS
Profile-based model to support NIDS

NIDS
NIDS

NIDS

The Next Generation Intrusion Detection Expert System (NIDES)

support
support
support
support
support

(Anderson et al., 1995) executes on a host to analyze user activities

on a collection of target computers. It is able to perform real-time
monitoring for suspicious behaviors. It uses analyzers for statis-
support HIDS and HIPS

support NIDS and NIPS

to
to
to
to
to

tical and rule-based analyses to detect unusual behavior and

model
model
model
model
model
Category Detection model

match with known intrusion types. Subsequently, the alerts are

reported to relevant users. The NIDES system also includes a re-
Profile-based
Profile-based
Profile-based
Profile-based
Profile-based

solver to filter the alarms for security officer and an archiver to

Comparison of major intrusion detection/prevention systems.

store alerts together with analysis results.

NIDS
HIPS

4.6. eXpert-BSM
IDS, IPS

IDS, IPS

IDS, IPS

IDS, IPS

IDS, IPS

IDS, IPS

The eXpert-BSM software (Lindqvist and Porras, 2001) is a host-

IDS

IDS

IDS
IDS
IDS

based intrusion detection system which uses a knowledge base to

OSSEC (Hay et al., 2008; OSSEC, 2015)

detect intrusions and generate alarms on a Sun-Solaris based

system. It performs an analysis of audit trails by making use of
eXpert-BSM (Lindqvist and Porras,
ACARM-ng (Balcerek et al., 2012;

inference engine and knowledge base rules. Its expert system can
NIDES (Anderson et al., 1995)

monitor the system for suspicious network activities and traffic

flowing through the user-configured ports.
Fail2ban (Jaquier, 2013)
Prelude-OSS (CS, 2015)

Bro-IDS (Paxson, 1999)

Suricata (OISF, 2015)

Snort (Roesch, 2014)

4.7. Fail2ban
WCSS, 2010)

Samhain (2006)
Sagan (2015)
Framework

The Fail2ban software (Jaquier, 2013) uses log files and detects
2001)

patterns which may correspond to intrusion efforts. After identi-

Table 5

fying the break-in attempts, it may add rule to firewall and gen-
erate an alarm for the system administrator. It uses a server
 M.A. Khan / Journal of Network and Computer Applications 71 (2016) 11–29 23

component to listen to ports, a client component to send com- For trusted computing, a field-programmable gate array (FPGA)
mands to server and a jail component to represent combination of can be deployed to securely identify a computation implemented
filters and actions. Corresponding to a filter, one or more actions in the logic fabric (Ken and Ramarathnam, 2012). A symmetric
such as adding firewall rule, getting information of attacker and encryption key is stored on FPGA memory. The FPGA can then be
sending alert to administrator may be performed. installed in a cloud server. A trusted authority in the cloud can
encrypt and sign applications with the keys of FPGAs. Conse-
4.8. Prelude-OSS quently, the application can process data in a secure manner.
A trust overlay network suggested in Hwang and Li (2010) uses
The Prelude-OSS intrusion detection system (CS, 2015) is an distributed hash tables to provide support of intrusion detection
open source version of the Prelude software to provide support of and prevention to DDoS attacks. A distributed security mechanism
security event management. The open source version works for is incorporated while making use of cloud resources. A data object
small organizations to provide the basic functionality of intrusion in the cloud environment is protected by using data coloring based
detection. It makes use of several modules for accessing database, watermarking. Different security levels are represented by data
receiving and storing events, correlating alerts and log manage- colors whose characteristics are known only to owners and cannot
ment. The intrusion events occurring in a network are displayed be detected by cloud providers or other users without having
through a graphical interface. known the characteristics.
A trust management module is deployed for establishing secure
4.9. Sagan communication between cloud users and cloud providers (Takabi
et al., 2010). The approach uses a trust integrator for maintaining
The Sagan software (Sagan, 2015) can perform a real-time trust between service providers and between users and service
analysis of intrusion events. For better scalability, it has a multi- providers. The trust integrator works by discovering service pro-
threaded architecture for event and log analysis. It provides sup- viders, negotiating parameters and generating groups for services.
port of detecting and managing intrusion events in a standard To accomplish the task, the service integrator contains different
manner which makes it compatible for correlating log events with modules to support security, trust and service management. For
other intrusion detection systems. The events and alerts may also diverse policies of service providers and identity management, an
be written to a database. Moreover, it uses diverse output formats ontology based heterogeneity management module is proposed
for event detection, firewall support and real-time alert together with a user-centric identity management mechanism.
management. To secure runtime environment of a cloud, a watermark based
approach (Fu et al., 2010) is suggested. Different algorithms of
4.10. Samhain watermark have been incorporated to secure Java programs.
Moreover, for execution of the watermarked Java programs, the
The Samhain intrusion detection system (Samhain, 2006) is a JVM is also customized to recognize and extract watermarks. For
host-based IDS which may perform file integrity checking, port securing watermark recognition, the watermark is concealed in
scanning and log analysis. With a client/server based architecture, the JVM. Upon a mismatch, the watermark may not be extracted
it uses the components of integrity checker, log server and a web- for the Java program being executed on the cloud. Consequently,
based console. It also provides support for central logging and the program terminates with an error message that is subse-
storage in database. Its web-based console allows to view client/ quently communicated to the cloud provider to restrict execution
server activities and analysis reports. of such Java program. The proposed approach results in secure
execution of Java programs on cloud platforms.
4.11. Bro-IDS A mechanism for developing a trusted third-party is described
in Zissis and Lekkas (2012). The trusted third-party ensures a se-
The Bro network analyzing framework (Paxson, 1999) can be cure communication and transactions b/w two parties (Castell,
used to detect intrusions through real-time monitoring. It contains 1993). The suggested solution implements confidentiality through
an interpreter to execute policy scripts, an event engine to manage IPSEC and SSL for communication b/w machines. The authentica-
events and libpcap (Tcpdump, 2015) to monitor packet streams. tion process includes usage of digital signatures together with
The event engine obtains packet stream and ensures that the Single-Sign-On (SSO) and Lightweight Directory Access Protocol
packets are well-formed. Similarly, a checksum on IP headers is (LDAP) which is used to access information regarding users and
also performed. An invalid packet is then discarded and an event is resources on a network. Moreover, security domains are created to
triggered to communicate the problem. The interpreter executes make federated clouds which represent clouds communicating
the event handlers, generates new event notifications and logs through standard interfaces. For privacy of data, hybrid crypto-
data to disk. graphy employing both symmetric and asymmetric encryption
mechanisms is proposed. Similarly, an attribute based authoriza-
tion using certificates is proposed to be implemented for a trusted
5. Securing cloud execution environment through trusted third-party.
cloud computing An integrity model for management of different parameters of
virtual machines is presented in Jansen et al. (2008). The prototype
Trusted cloud computing enables the cloud service providers to model is implemented using the Xen hypervisor. It uses the con-
ensure a secure and confidential execution environment while cept of Trusted Platform Module (TPM) (Trusted Computing
maintaining integrity of its data and computations. In this section, Group, 2011) to work for virtual machines. The module works for
we analyze various contributions aimed at securing cloud com- the enforcement of security policies and guarantee compliance
puting environment through trusted computing. Table 6 provides while attaching new devices to virtual machines. It stores a log of
a parametric comparison of research contributions aimed at system history in terms of policies and configurations. The attes-
trusted computing based security for cloud computing platforms. tation and sealing/unsealing mechanisms are then implemented
The comparison is performed in terms of mechanism, major to enforce access restriction. Consequently, the security policy may
components, cloud layers, automation level and encryption/certi- not be modified for unauthorized usage.
ficates used in the approach. A collaborative model to support trusted cloud computing
 24
Table 6
Comparison of trusted computing based cloud computing security.

M.A. Khan / Journal of Network and Computer Applications 71 (2016) 11–29

Reference Mechanism Major Components Cloud Layer Automation Level Encryption/Certificates

Ken and Ramarathnam (2012) TPM on FPGA Trusted Authority, TPM and FPGA SaaS High RSA, SHA, AES
Shen et al. (2010) Role-based access using Trusted Computing Platform (TCP) Trusted Platform Support Service with TPM IaaS, PaaS and Low Generic with X.509 certificates
integration with Trusted Platform Support Service (TSS) SaaS
Hwang and Li (2010) Distributed hash table based overlay networks for protecting Trust overlay network and hash tables IaaS, PaaS and Low RSA and watermarking
objects using data coloring and watermarking SaaS
Takabi et al. (2010) Discovery of services, Role-based access, trust and identity Service integrator having modules for security, IaaS, PaaS and Low Generic
management trust and service management SaaS
Fu et al. (2010) Watermarking Java program, Recognition and extraction of Watermark embedder, JVM generator and de- SaaS High Watermark-based
watermark by JVM ployment modules
Santos et al. (2009) A trusted platform using trusted VMM to securely execute TPM, Trusted VMM and Coordinator IaaS Low Generic
guest VMs and attest the cloud infrastructure providers
Jansen et al. (2008) Security policies for virtual machines using TPM Compartment, Integrity and Secure virtual de- IaaS High Generic for VM image and Network
vice managers configuration
Zissis and Lekkas (2012) Trusted third-party using IPSEC, SSL, SSO and LDAP Certificate, data, authentication, LDAP and da- IaaS, PaaS and Low IPSEC, SSL, SSO and LDAP
tabase servers SaaS
Alhamad et al. (2010) Designing SLA parameters, selecting cloud service provider and SLA agent and services directory SaaS Low SLA-based
monitoring
Li et al. (2010) Multi-tenancy trusted computing environment Third-party auditor, TPM and SLA IaaS High Generic
Yang et al. (2010) Collaborative trust model using trust domains, trust tables and Trust domains and trust tables IaaS Medium Generic
historical data to compute trust values
Manuel et al. (2009) Trust model using security, feedback and reputation evaluators Resource broker and evaluators IaaS Medium Kerberos and PERMIS based
to find trust values authentication
 M.A. Khan / Journal of Network and Computer Applications 71 (2016) 11–29 25

using firewalls is given in Yang et al. (2010). The model works for grades of security assurance. The cloud related products are also
environments where cloud service providers have diverse policies. evaluated and certified if they comply with the security require-
The model is organized into nodes and the collection of nodes ments. For instance, the VMWare ESXi, vCloud Networking & Se-
called domains. A trust table is deployed in the model to maintain curity (VMWare, 2015), Citrix Xen Server (CESG, 2012), z/VM (IBM-
trust values corresponding to nodes. Upon a user request, the Inc., 2015) and the KVM hypervisor (RedHat-Inc., 2015) all are
domain agents send the message to the neighborhood agents to Common Criteria certified.
communicate with the firewall. A digital signature is required by
the cloud service provider for initial connection before allocating 6.2. Trusted computing compliance
resources to users. The trust values are updated dynamically based
on the history of transactions. The Trusted Computing Group is a non-profit group of com-
A trusted cloud computing environment for IaaS model using a panies formed for promoting trust and security in computing
2-level hierarchy is given in Li et al. (2010). The environment in- platforms (TCG, 2015a). The group has developed a Trusted Plat-
corporates a third-party auditor to verify the trustworthiness of form Module (TPM) specification to support trusted computing.
cloud service providers. The cloud platform is attested through a Using TPM, the cryptographic information is stored on hardware
policy based attestation model. To check conformance of the cloud to protect it from software based attacks. The cloud based servers
service provider, the proposed model requires security parameters can be easily secured by using a TPM (TCG, 2015b). Moreover, the
to be agreed upon through the service level agreement (SLA). encryption and authentication standards developed by TCG are
A trusted computing platform (TCP) can be integrated into a implemented for securing data storage and data communication
cloud environment for trusted cloud computing (Shen et al., 2010). on a cloud platform respectively.
A TCP is based on TPM and may be used for authentication and
role based access. A user logs on to a cloud using TCP and obtains a
6.3. Privacy acts compliance
trusted certificate from the cloud. For secure communication, the
client uses the certificate and information regarding the role.
Governmental organizations as well as private institutions or
Moreover, the data security is ensured using the keys generated
individual customers may store their data or public data on clouds.
with TPM.
The privacy and confidentiality of data needs to be ensured by
For clouds and grids, a trust management system is proposed in
cloud service providers due to legal implications as mentioned in
Manuel et al. (2009). The suggested model calculates trust values
different governmental rules and statutes.
using different evaluators corresponding to security, feedback and
reputation parameters. The security evaluator uses the authenti-
6.3.1. Privacy of health related information
cation and authorization types for assigning different trust values.
The Health Insurance Portability and Accountability Act (HI-
The feedback evaluator obtains input from the user to assign trust
PAA) (U.D. of Health & Human Services, 2007) describes a set of
values. Similarly, the reputation evaluator takes into consideration
privacy rules to provide support of confidentiality and security of
the capability of cloud or grid based system in terms of its re-
sources. A trust manager then accumulates the trust values which health related information. In addition to protecting data during
is then communicated to other components for execution of the transmission, the personal health information must be protected
user request. while being maintained in any form. Even it requires the data to be
A trusted cloud computing model based on SLA is proposed in protected against threats and malicious software. Moreover, the
Alhamad et al. (2010). The proposed architecture uses SLA agent data backup and disaster recovery plans need to be implemented.
for defining SLA metrics, selecting cloud service providers and The information disclosure without obtaining a patient's consent
monitoring the business activities. The trust management model is allowed only when mandated by law. Several cloud storage
takes input from the cloud service providers, users and SLA agents providers including the CareCloud (2015), FireHost (2015), Sym-
to rank the cloud providers for selection. Moreover, a directory of form (2014) and Carbonite (2015) claim to be HIPAA compliant by
cloud services is suggested to store information regarding cloud ensuring implementation of its standards.
providers and their services. The mechanism of trust establish-
ment requires the cloud services to be advertised, followed by the 6.3.2. Privacy of electronic data
selection of cloud providers. The SLA agreement is communicated The Electronic Communications Privacy Act (ECPA) (DHS, 2013)
to the user requesting the resources. Further communication with describes rules and restrictions regarding protection during
the cloud provider takes place if the user agrees to the SLA transmission of electronic data. It encompasses rules for access to
agreement. private data in stored form as well as interception of data during
communication. An unauthorized access is prohibited if data is
stored on third-party storage devices, however ECPA allows official
6. Regulating cloud security compliance issues access to data without informing the owner thereby reducing the
confidence of customers on cloud providers. A coalition called
Various regulatory bodies have defined rules and regulations to Digital 4th is currently working to recommend modification to
ensure security of data and allowing disclosure under permissible ECPA for making it more appropriate for the cloud computing
circumstances. The rules defined by these regulatory bodies en- platforms (Digital 4th Coalition, 2015).
compass a wide range of applications and practices as detailed
below. 6.3.3. Privacy of financial data
The Fair Credit Reporting Act (FCRA) (FTC, 2015) describes rules
6.1. Common criteria compliance for privacy of user credit information. For a credit reporting agency
storing credit data of customers on a cloud, it becomes compulsory
Common criteria (CC-Portal, 2015) has become a global stan- to ensure its security through FCRA compliance. Similarly, some
dard for evaluation of security products. It makes use of protection safeguard rules are described in the Gramm–Leach–Bliley (GLB)
profiles which specify security requirements in an implementation Act (GPO, 2015) for financial bureaus to ensure confidentiality of
independent manner. It assigns different Evaluation Assurance data. The financial institutions are required to only select the
Levels (EALs) ranging from EAL1 to EAL7 to represent different service providers who are able to implement the safeguard rules.
26 M.A. Khan / Journal of Network and Computer Applications 71 (2016) 11–29

the diversity of protocols, conformance requirements and archi-

tectures makes it complicated for deployment among multiple
organizations (Maler and Reed, 2008). The open source identity
stack based implementations (Craig et al., 2014) may be beneficial
for addressing interoperability issues.

7.4. Open standards compliance

Despite having identified common threats and vulnerabilities

in cloud systems, the requirement for the minimum security needs
to be leveraged by defining open standards. Although currently
various virtualization products comply with the common criteria
Fig. 3. Cloud security contributions.
standards, the compliance of cloud security from different per-
spectives such as services, deployment and interoperability is still
7. Cloud security issues in the future undefined (VMWare, 2015; CESG, 2012; Lewis, 2013).

Together with the growth of cloud services, the cloud vulner-

ability incidents have been on the rise. The IBM statistics (IBM, 8. Conclusion
2014) show that for an organization on average, the number of
cyber security attacks has reached up to 1400 per week. The Cloud computing offers services for consumers through effec-
conventional brute-force, vulnerability scan, web application and tive utilization of shared resources. Despite its effectiveness for
malware/botnet attacks have been reported to dominate in year cloud service providers as well as for the cloud users, its pre-
2014 (AlertLogic, 2014). With the increasing number of attacks, the valence is hindered by various security issues. This paper presents
number of research contributions describing countermeasures to a comprehensive survey of the issues and research contributions
ensure cloud security has also increased significantly. Fig. 3 pre- aiming at cloud security. These issues encompass security of data
sents a year-wise trend with the number of research papers citing and services on cloud platforms. We categorize security threats
the term ‘cloud security’ (Term and Keyword search retrieved from and perform a comparative analysis of security issues and the
the ACM Digital Library). countermeasures suggested in the literature to cope with these
Despite the countermeasures being suggested in research, issues.
many issues seem to pose challenge for securing cloud in the We also survey the main intrusion detection and prevention
future. systems and analyze their effectiveness in terms of working me-
chanism, components and scalability. Moreover, a comparative
7.1. Trusted execution environment analysis of the contributions made for trusted cloud computing is
also presented. We also analyze a large number of standard acts
A cloud service provider must ensure a trusted environment for and regulations required for compliance by the cloud service
its clients. The code and data stored on the cloud storage should providers. In the perspective of future challenges, we discuss the
only be accessible to authentic relevant users. In this regard, main issues related to cloud security and their possible solutions
trusted execution technologies provide a reliable way to verify the
in terms of the trusted execution, protocol vulnerabilities, feder-
integrity of the system (Futral and Greene, 2013; Intel, 2013). Since
ated identity interoperability and open standards compliance.
the integrity of a system may span hypervisor as well as the ap-
plications, management software and security policies, any com-
promise to their integrity may be identified and necessary mea-
References
sures may be taken to protect the system subsequently.

Balcerek, B., Szurgot, B., Uchroński, M., Waga, W., 2012. ACARM-ng: next generation
7.2. Protocol vulnerabilities correlation framework. In: Bubak, M., Szepieniec, T., Wiatr, K. (Eds.), Building a
National Distributed e-Infrastructure – PL-Grid: Scientific and Technical
To access data and services on clouds, the protocols defined for Achievements Science, vol. 7136. Springer, Berlin, Heidelberg, pp. 114–127,
ISBN: 978-3-642-28267-6.
communication have proved to be vulnerable to various attacks. AlertLogic, 2014. Cloud Security Report: Research on the Evolving State of Cloud
For instance, the SOAP message can be manipulated to target cloud Security. URL 〈https://www.alertlogic.com/resources/cloud-security-report/〉,
platform services and violate data protection (Karnwal et al., 2012; May.
Alhamad, M., Dillon, T., Chang, E., 2010. SLA-based trust model for cloud computing.
Gruschka and Iacono, 2009). Similarly, the insecure interfaces and
In: 2010 13th International Conference on Network-Based Information Systems
APIs used to interact with cloud systems have been reported to be (NBiS), pp. 321–324. http://dx.doi.org/10.1109/NBiS.2010.67.
the top threat (Ko et al., 2013). It is therefore necessary to mitigate Anderson, D., Frivold, T., Tamaru, A., Valdes, A., 1995. Next Generation Intrusion
the vulnerability of already existing protocols. Consequently, ei- Detection Expert System (NIDES), Software Users Manual, May.
Ashford, W., 2015. Cyber Criminals Turn their Attention to Cloud Service Creden-
ther a secure implementation of these protocols is required or a tials. URL 〈http://www.computerweekly.com/news/2240241940/Cyber-crim
strong encryption mechanism needs to be incorporated to im- inals-turn-their-attention-to-cloud-service-credentials〉.
prove the security (Karnwal et al., 2012; Mearian, 2013). Ashktorab, V., Taghizadeh, S.R., 2012. Security threats and countermeasures in
cloud computing. Int. J. Appl. Innov. Eng. Manag. 1, 234–245.
Aviram, A., Hu, S., Ford, B., Gummadi, R., 2010. Determinating timing channels in
7.3. Federated identity interoperability compute clouds. In: Proceedings of the 2010 ACM Workshop on Cloud Com-
puting Security Workshop, CCSW '10. ACM, New York, NY, USA, pp. 103–108.
AWS, 2014. Amazon Web Services: Overview of Security Processes, pp. 1–68.
The identity and access management provides support of
Bisong, A., Rahman, S.M., 2011. An overview of the security concerns in enterprise
controlling users' access to shared cloud resources through in- cloud computing. Int. J. Netw. Secur. Appl. 3 (1), 30–45.
dividual user identities. A federated identity management makes Buyya, R., Broberg, J., Goscinski, A.M., 2011. Cloud Computing Principles and Para-
multiple organizations share the identities to support Single-Sign- digms. Wiley Publishing, New Jersey, USA.
Carbonite, 2015. Carbonite Supports HIPAA Compliance. URL 〈http://www.carbo
On mechanism (Leandro et al., 2012; Chadwick, 2009; Sanchez nite.com/online-backup/business/hipaa-compliance-encrypted-backup〉.
et al., 2012). As the federated identity model continues to evolve, CareCloud, 2015. HIPAA-Compliant Cloud Storage – Cloud Security and Data Control
 M.A. Khan / Journal of Network and Computer Applications 71 (2016) 11–29 27

for Medical Enterprises. URL 〈http://www.carecloud.com/hipaa-compliant- 2524644〉.

cloud-storage/〉. Hashizume, K., Rosado, D., Fernndez-Medina, E., Fernandez, E., 2013. An analysis of
Castell, S., 1993. Code of Practice and Management Guidelines for Trusted Third security issues for cloud computing. J. Internet Serv. Appl. 4 (1). http://dx.doi.
Party Services, INFOSEC Project Report S2101/02. org/10.1186/1869-0238-4-5.
CC-Portal, 2015. Common Criteria: Protection Profiles. URL 〈http://www.common Hay, A., Cid, D., Bary, R., Northcutt, S., 2008. In: {OSSEC} Host-Based Intrusion De-
criteriaportal.org/rss/pps.xml〉. tection Guide. Syngress, Burlington, pp. 247–249.
CESG, 2012. Certification Report No. CRP270 – Citrix Xen Server 6.0.2 Platinum Hlavacs, H., Treutner, T., Gelas, J.-P., Lefevre, L., Orgerie, A.-C., 2011. Energy con-
Edition. URL 〈www.commoncriteriaportal.org/files/epfiles/XenApp7-STv1-0. sumption side-channel attack at virtual machines in a cloud. In: 2011 IEEE
pdf〉. Ninth International Conference on Dependable, Autonomic and Secure Com-
Chadwick, D., 2009. Federated identity management. In: Aldini, A., Barthe, G., puting (DASC), pp. 605–612. http://dx.doi.org/10.1109/DASC.2011.110.
Gorrieri, R. (Eds.), Foundations of Security Analysis and Design V, Lecture Notes Hwang, K., Li, D., 2010. Trusted cloud computing with secure resources and data
in Computer Science vol. 5705. Springer, Berlin, Heidelberg, pp. 96–120. coloring. IEEE Internet Comput. 14 (5), 14–22. http://dx.doi.org/10.1109/
Cloud Security Alliance, 2010. Top Threats to Cloud Computing v1.0, pp. 1–14. MIC.2010.86.
Cloud Security Alliance, 2012. Secaas Implementation Guidance, Category 7: Se- IBM, 2014. The 2013 IBM cyber security intelligence index. URL 〈http://www-935.
curity Information and Event Management, pp. 1–33. ibm.com/services/us/en/security/infographic/cybersecurityindex.html〉, April.
Coppens, B., Verbauwhede, I., De Bosschere, K., De Sutter, B., 2009. Practical miti- IBM-Inc., 2015. IBM System z: Linux on System z-Solutions – Security Certification.
gations for timing-based side-channel attacks on modern x86 processors. In: URL 〈http://www-03.ibm.com/systems/z/os/linux/solutions/security_certifica
2009 30th IEEE Symposium on Security and Privacy, pp. 45–60. tion.html〉.
Craig, M., Frost, L., Jang, M., Egloff, A., 2014. Openidm Release Notes Version 3.1.0. InfoSecurity, 2009. Google Cloud Platform Used for Botnet Control. URL 〈http://
URL 〈http://docs.forgerock.org/en/openidm/3.1.0/OpenIDM-3.1.0-Release- www.infosecurity-magazine.com/news/google-cloud-platform-used-for-bot
Notes.pdf〉. net-control/〉.
CS, 2015. Prelude OSS. URL 〈http://www.prelude-siem.com/index.php/uk/products/ Intel, 2013. Building Trust and Compliance in the Cloud with Intel Trusted Execu-
87-products/98-prelude-oss-en〉. tion Technology. URL 〈http://www.hytrust.com/sites/default/files/cloud-com
Curran, K., Carlin, S., 2011. Cloud computing security. Int. J. Ambient Comput. Intell. puting-txt-xeon-twse-whitepaper.pdf〉, October.
3 (1), 14–19. Jansen, W.A., 2011. Cloud hooks: security and privacy issues in cloud computing. In:
Digital 4th Coalition, 2015. A Summary of the Electronic Communications Privacy Proceedings of the 2011 44th Hawaii International Conference on System Sci-
Act (ECPA). URL 〈http://www.digital4th.org/the-problem/〉. ences, HICSS '11. IEEE Computer Society, Washington, DC, USA, pp. 1–10.
Dawoud, W., Takouna, I., Meinel, C., 2010. Infrastructure as a service security: Jansen, B., Ramasamy, H.-G.V., Schunter, M., 2008. Policy enforcement and com-
challenges and solutions. In: 2010 7th International Conference on Informatics pliance proofs for xen virtual machines. In: Proceedings of the Fourth ACM
and Systems (INFOS), pp. 1–8. SIGPLAN/SIGOPS International Conference on Virtual Execution Environments,
Debar, H., Curry, D., Feinstein, B., 2007. The Intrusion Detection Message Exchange VEE '08. ACM, New York, NY, USA, pp. 101–110. http://dx.doi.org/10.1145/
Format (IDMEF). URL 〈https://www.ietf.org/rfc/rfc4765.txt〉. 1346256.1346271. URL 〈http://doi.acm.org/10.1145/1346256.1346271〉.
DHS, 2013. Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. 2510- Jaquier, C., 2013. Fail2ban Manual 0.8. URL 〈http://www.fail2ban.org/wiki/index.
22. URL 〈https://it.ojp.gov/default.aspx?area¼ privacy&page¼ 1285〉. php/MANUAL_0_8〉.
Doychev, G., Feld, D., Köpf, B., Mauborgne, L., Reineke, J., 2013. CacheAudit: a tool for Jasti, A., Shah, P., Nagaraj, R., Pendse, R., 2010. Security in multi-tenancy cloud. In:
the static analysis of cache side channels. In: Proceedings of the 22nd USENIX 2010 IEEE International Carnahan Conference on Security Technology (ICCST),
Conference on Security, SEC'13. USENIX Association, Berkeley, CA, USA, pp. 431– pp. 35–41. http://dx.doi.org/10.1109/CCST.2010.5678682.
446. Jung, T., Li, X.-Y., Wan, Z., Wan, M., 2013. Privacy preserving cloud data access with
ElGamal, T., 2006. A public key cryptosystem and a signature scheme based on multi-authorities. In: 2013 Proceedings IEEE INFOCOM, pp. 2625–2633. http://
discrete logarithms. IEEE Trans. Inf. Theory 31 (4), 469–472. dx.doi.org/10.1109/INFCOM.2013.6567070.
Ertaul, L., Singhal, S., Saldamli, G., 2010. Security challenges in cloud computing. In: Kaaniche, N., Laurent, M., 2014. A secure client side deduplication scheme in cloud
Proceedings of the 2010 International Conference on Security& Management, storage environments. In: 2014 6th International Conference on New Tech-
SAM 2010, July 12–15, 2010, Las Vegas Nevada, USA, 2 vols., pp. 36–42. nologies, Mobility and Security (NTMS), pp. 1–7. http://dx.doi.org/10.1109/
Fernandez, E.B., Monge, R., Hashizume, K., 2013. Two patterns for cloud computing: NTMS.2014.6814002.
secure virtual machine image repository and cloud policy management point. Karnwal, T., Sivakumar, T., Aghila, G., 2012. A comber approach to protect cloud
In: Proceedings of the 20th Conference on Pattern Languages of Programs, PLoP computing against xml ddos and http ddos attack. In: 2012 IEEE Students'
'13. The Hillside Group, USA, pp. 15:1–15:11. Conference on Electrical, Electronics and Computer Science (SCEECS), pp. 1–5.
FireHost, 2015. True ePHI Protection in the Secure Cloud. URL 〈https://www.fire http://dx.doi.org/10.1109/SCEECS.2012.6184829.
host.com/company/contact〉. Khalil, I.M., Khreishah, A., Azeem, M., 2014. Cloud computing security: a survey.
Fong, E., Okun, V., 2007. Web application scanners: definitions and functions. In: Computers 3, 1–35.
Proceedings of the 40th Annual Hawaii International Conference on System Khorshed, M.T., Ali, A.S., Wasimi, S.A., 2012. A survey on gaps, threat remediation
Sciences, HICSS '07. IEEE Computer Society, Washington, DC, USA, p. 280b. challenges and some thoughts for proactive attack detection in cloud com-
Ken, E., Ramarathnam, V., 2012. FPGAs for Trusted Cloud Computing, IEEE. URL puting. Future Gener. Comput. Syst. 28 (6), 833–851.
〈http://research.microsoft.com/apps/pubs/default.aspx?id ¼170502〉. Ko, R., Lee, S.G., Rajan, V., 2013. Cloud Computing Vulnerability Incidents: A Sta-
FTC, 2015. Fair Credit Reporting Act. URL 〈https://www.ftc.gov/enforcement/rules/ tistical Overview. URL 〈https://cloudsecurityalliance.org/download/cloud-com
rulemaking-regulatory-reform-proceedings/fair-credit-reporting-act〉. puting-vulnerability-incidents-a-statistical-overview/〉, March.
Fu, J., Wang, C., Yu, Z., Wang, J., Sun, J.-G., 2010. A watermark-aware trusted running Kourai, K., Azumi, T., Chiba, S., 2012. A self-protection mechanism against stepping-
environment for software clouds. In: 2010 Fifth Annual ChinaGrid Conference stone attacks for iaas clouds. In: 2012 9th International Conference on Ubi-
(ChinaGrid), pp. 144–151. http://dx.doi.org/10.1109/ChinaGrid.2010.15. quitous Intelligence Computing and 9th International Conference on Auto-
Futral, W., Greene, J., 2013. Intel Trusted Execution Technology for Server Platforms: nomic Trusted Computing (UIC/ATC), pp. 539–546. http://dx.doi.org/10.1109/
A Guide to More Secure Datacenters, 1st edition. Apress, Berkely, CA, USA. UIC-ATC.2012.139.
Garfinkel, T., Rosenblum, M., 2005. When virtual is harder than real: security Kumar, K., Liu, J., Lu, Y.-H., Bhargava, B., 2013. A survey of computation offloading
challenges in virtual machine based computing environments. In: Proceedings for mobile systems. Mob. Netw. Appl. 18 (1), 129–140.
of the 10th Conference on Hot Topics in Operating Systems – Volume 10, HO- Leandro, M.A.P., Nascimento, T.J., dos Santos, D.R., Westphall, C.M., Westphall, C.B.,
TOS'05. USENIX Association, Berkeley, CA, USA, pp. 20–20. URL 〈http://dl.acm. 2012. Multi-tenancy authorization system with federated identity for cloud-
org/citation.cfm?id ¼1251123.1251143〉. based environments using Shibboleth. In: Proceedings of the Eleventh Inter-
Godfrey, M., Zulkernine, M., 2013. A server-side solution to cache-based side- national Conference on Networks, pp. 88–95.
channel attacks in the cloud. In: 2013 IEEE Sixth International Conference on Lewis, G., 2013. Role of standards in cloud-computing interoperability. In: 2013
Cloud Computing (CLOUD), pp. 163–170. http://dx.doi.org/10.1109/CLOUD.2013. 46th Hawaii International Conference on System Sciences (HICSS), pp. 1652–
21. 1661. http://dx.doi.org/10.1109/HICSS.2013.470.
GPO, 2015. Gramm-Leach-Bliley Act. URL 〈http://legislink.org/us/stat-113-1338〉. Li, X.-Y., Zhou, L.-T., Shi, Y., Guo, Y., 2010. A trusted computing environment model
Grobauer, B., Walloschek, T., Stocker, E., 2011. Understanding cloud computing in cloud architecture. In: 2010 International Conference on Machine Learning
vulnerabilities. IEEE Secur. Privacy 9 (2), 50–57. and Cybernetics (ICMLC), vol. 6, pp. 2843–2848. http://dx.doi.org/10.1109/
Gruschka, N., Iacono, L., 2009. Vulnerable cloud: soap message security validation ICMLC.2010.5580769.
revisited. In: IEEE International Conference on Web Services, 2009. ICWS 2009, Li, M., Yu, S., Ren, K., Lou, W., Hou, Y., 2013. Toward privacy-assured and searchable
pp. 625–631. http://dx.doi.org/10.1109/ICWS.2009.70. cloud data storage services. IEEE Netw. 27 (4), 56–62. http://dx.doi.org/10.1109/
Gruschka, N., Jensen, M., 2010. Attack surfaces: a taxonomy for attacks on cloud MNET.2013.6574666.
services. In: 2010 IEEE 3rd International Conference on Cloud Computing Lin, W., Lee, D., 2012. Traceback attacks in cloud – pebbletrace botnet. In: 2012 32nd
(CLOUD), pp. 276–279. http://dx.doi.org/10.1109/CLOUD.2010.23. International Conference on Distributed Computing Systems Workshops
Harnik, D., Pinkas, B., Shulman-Peleg, A., 2010. Side channels in cloud services: (ICDCSW), pp. 417–426. http://dx.doi.org/10.1109/ICDCSW.2012.61.
deduplication in cloud storage. IEEE Secur. Privacy 8 (6), 40–47. http://dx.doi. Lindqvist, U., Porras, P.A., 2001. eXpert-BSM: a host-based intrusion detection so-
org/10.1109/MSP.2010.187. lution for sun solaris. In: Proceedings of 17th Annual Computer Security Ap-
Hashizume, K., Yoshioka, N., Fernandez, E.B., 2011. Misuse patterns for cloud plications Conference. IEEE Computer Society, New Orleans, Louisiana, pp. 240–
computing. In: Proceedings of the 2nd Asian Conference on Pattern Languages 251.
of Programs, AsianPLoP '11. ACM, New York, NY, USA, pp. 12:1–12:6. http://dx. Liu, S.-T., Chen, Y.-M., 2010. Retrospective detection of malware attacks by cloud
doi.org/10.1145/2524629.2524644. URL 〈http://doi.acm.org/10.1145/2524629. computing. In: 2010 International Conference on Cyber-Enabled Distributed
28 M.A. Khan / Journal of Network and Computer Applications 71 (2016) 11–29

Computing and Knowledge Discovery (CyberC), pp. 510–517. http://dx.doi.org/ 1653662.1653687. URL 〈http://doi.acm.org/10.1145/1653662.1653687〉.
10.1109/CyberC.2010.99. Rocha, F., Correia, M., 2011. Lucy in the sky without diamonds: stealing confidential
Liu, B., Xu, E., Wang, J., Wei, Z., Xu, L., Zhao, B., Su, J., 2011. Thwarting audio ste- data in the cloud. In: Proceedings of the 2011 IEEE/IFIP 41st International
ganography attacks in cloud storage systems. In: 2011 International Conference Conference on Dependable Systems and Networks Workshops, DSNW '11. IEEE
on Cloud and Service Computing (CSC), pp. 259–265. http://dx.doi.org/10.1109/ Computer Society, Washington, DC, USA, pp. 129–134. http://dx.doi.org/10.1109/
CSC.2011.6138530. DSNW.2011.5958798. URL 〈http://dx.doi.org/10.1109/DSNW.2011.5958798〉.
Liu, F., Ren, L., Bai, H., 2014. Mitigating cross-vm side channel attack on multiple Roesch, M., 2014. Snort User Manual 2.9.7. URL 〈https://www.snort.org/documents/
tenants cloud platform. J. Comput. 9 (4). 1〉, October.
Maler, E., Reed, D., 2008. The venn of identity: options and issues in federated Rong, H., Xian, M., Wang, H., Shi, J., 2013. Time-stealer: a stealthy threat for vir-
identity management. IEEE Secur. Privacy 6 (2), 16–23. tualization scheduler and its countermeasures. In: Qing, S., Zhou, J., Liu, D.
Manuel, P., Thamarai Selvi, S., Barr, M.-E., 2009. Trust management system for grid (Eds.), Information and Communications Security, Lecture Notes in Computer
and cloud resources. In: First International Conference on Advanced Comput- Science vol. 8233. Springer International Publishing, Tainan, Taiwan,
ing, 2009. ICAC 2009, pp. 176–181. http://dx.doi.org/10.1109/ICADVC.2009. pp. 100–112.
5378187. Rueda, S., Sreenivasan, Y., Jaeger, T., 2008. Flexible security configuration for virtual
Martignoni, L., Paleari, R., Bruschi, D., 2009. A framework for behavior-based mal- machines. In: Proceedings of the 2nd ACM Workshop on Computer Security
ware analysis in the cloud. In: Proceedings of the 5th International Conference Architectures, CSAW '08. ACM, New York, NY, USA, pp. 35–44. http://dx.doi.org/
on Information Systems Security, ICISS '09. Springer-Verlag, Berlin, Heidelberg, 10.1145/1456508.1456515. URL 〈http://doi.acm.org/10.1145/1456508.1456515〉.
pp. 178–192. Sagan, 2015. The Sagan Log Analysis Engine. URL 〈http://sagan.quadrantsec.com/〉.
Mazurczyk, W., Szczypiorski, K., 2011. Is cloud computing steganography-proof?. In: Samhain, 2006. The Samhain File Integrity/Host-Based Intrusion Detection System.
2011 Third International Conference on Multimedia Information Networking URL 〈http://www.la-samhna.de/samhain/〉.
and Security (MINES), pp. 441–442. http://dx.doi.org/10.1109/MINES.2011.95. Sanaei, Z., Abolfazli, S., Gani, A., Buyya, R., 2014. Heterogeneity in mobile cloud
McMillan, R., 2009. Hackers Find a Home in Amazon EC2's Cloud. URL 〈http://www. computing: taxonomy and open challenges. IEEE Commun. Surv. Tutor. 16 (1),
computerworld.com/article/2521744/security0/hackers-find-a-home-in-ama 369–392. http://dx.doi.org/10.1109/SURV.2013.050113.00090.
zon-s-ec2-cloud.html〉. Sanchez, R., Almenares, F., Arias, P., Diaz-Sanchez, D., Marin, A., 2012. Enhancing
Mearian, L., 2013. No, Your Data isn't Secure in the Cloud. URL 〈http://www.com privacy and dynamic federation in IdM for consumer cloud computing. IEEE
puterworld.com/article/2483552/cloud-security/no-your-data-isn-t-secure-in- Trans. Consum. Electron. 58 (1), 95–103.
the-cloud.html〉, August. Santos, N., Gummadi, K.P., Rodrigues, R., 2009. Towards trusted cloud computing.
Modi, C., Patel, D., Borisaniya, B., Patel, H., Patel, A., Rajarajan, M., 2013. A survey of In: Proceedings of the 2009 Conference on Hot Topics in Cloud Computing,
intrusion detection techniques in cloud. J. Netw. Comput. Appl. 36 (1), 42–57. HotCloud'09. USENIX Association, Berkeley, CA, USA. URL 〈http://dl.acm.org/ci
Morsy, M.A., Grundy, J., Muller, I., 2010. An analysis of the cloud computing security tation.cfm?id ¼1855533.1855536〉.
problem. In: Proceedings of APSEC 2010 Cloud Workshop, Sydney, Australia, pp. Scarfone, K.A., Mell, P.M., 2007. Sp 800-94. Guide to Intrusion Detection and Pre-
1–6. vention Systems (IDPS). Technical Report, Gaithersburg, MD, United States.
Murray, D.G., Milos, G., Hand, S., 2008. Improving xen security through dis- Sen, J., 2013. Security and privacy issues in cloud computing, CoRR abs/1303.4814.
aggregation. In: Proceedings of the Fourth ACM SIGPLAN/SIGOPS International URL 〈http://arxiv.org/abs/1303.4814〉.
Conference on Virtual Execution Environments, VEE '08. ACM, New York, NY, Shahzad, F., 2014. State-of-the-art survey on cloud computing security challenges,
USA, pp. 151–160. http://dx.doi.org/10.1145/1346256.1346278. URL 〈http://doi. approaches and solutions. Proc. Comput. Sci. 37, 357–362, The 5th International
acm.org/10.1145/1346256.1346278〉. Conference on Emerging Ubiquitous Systems and Pervasive Networks (EUSPN-
Oberheide, J., Cooke, E., Jahanian, F., 2008a. Cloudav: N-version antivirus in the 2014)/The 4th International Conference on Current and Future Trends of In-
network cloud. In: Proceedings of the 17th Conference on Security Symposium, formation and Communication Technologies in Healthcare (ICTH 2014)/Af-
SS'08. USENIX Association, Berkeley, CA, USA, pp. 91–106. filiated Workshops.
Oberheide, J., Cooke, E., Jahanian, F., 2008b. Empirical Exploitation Of Live Virtual Shankarwar, M., Pawar, A., 2015. Security and privacy in cloud computing: a survey.
Machine Migration, February. In: Proceedings of the 3rd International Conference on Frontiers of Intelligent
OISF, 2015. Suricata User Guide. URL 〈https://redmine.openinfosecfoundation.org/ Computing: Theory and Applications (FICTA) 2014, Advances in Intelligent
projects/suricata/wiki/Suricata_User_Guide〉. Systems and Computing, vol. 328. Springer International Publishing, Bhuba-
OSSEC, 2015. OSSEC: How it Works. URL 〈http://www.ossec.net/?page_id ¼169〉. neswar, Odisha, India, pp. 1–11.
Osvik, D.A., Shamir, A., Tromer, E., 2006. Cache attacks and countermeasures: the Shen, Z., Li, L., Yan, F., Wu, X., 2010. Cloud computing system based on trusted
case of aes. In: Proceedings of the 2006 Cryptographers' Track at the RSA computing platform. In: 2010 International Conference on Intelligent Compu-
Conference on Topics in Cryptology, CT-RSA'06. Springer-Verlag, Berlin, Hei- tation Technology and Automation (ICICTA), vol. 1, pp. 942–945. http://dx.doi.
delberg, pp. 1–20. org/10.1109/ICICTA.2010.724.
OWASP, 2015a. Web Application Firewall. URL 〈https://www.owasp.org/index.php/ Somani, U., Lakhani, K., Mundra, M., 2010a. Implementing digital signature with rsa
Web_Application_Firewall〉. encryption algorithm to enhance the data security of cloud in cloud computing.
OWASP, 2015b. Vulnerability Scanning Tools – OWASP. URL 〈https://www.owasp. In: 2010 1st International Conference on Parallel Distributed and Grid Com-
org/index.php/Category:Vulnerability〉. puting (PDGC), pp. 211–216. http://dx.doi.org/10.1109/PDGC.2010.5679895.
Owens, K., 2009. Securing virtual compute infrastructure in the cloud. In: White Somani, U., Lakhani, K., Mundra, M., 2010b. Implementing digital signature with rsa
Paper: Cloud Computing. Savvis, Missouri, United States, pp. 1–13. encryption algorithm to enhance the data security of cloud in cloud computing.
Owens, D., 2010. Securing elasticity in the cloud. Queue 8 (5) 10:10–10:16. In: 2010 1st International Conference on Parallel Distributed and Grid Com-
Paxson, V., 1999. Bro: a system for detecting network intruders in real-time. puting (PDGC), pp. 211–216. http://dx.doi.org/10.1109/PDGC.2010.5679895.
Comput. Netw. 31 (23-24), 2435–2463. Srinivasamurthy, S., Liu, D.Q., Vasilakos, A.V., Xiong, N., 2013. Cloud computing
Popovic, O., Jovanovic, Z., Jovanovic, N., Popovic, R., 2011. A comparison and security security: a survey. Parallel Cloud Comput. 2 (4), 126–153.
analysis of the cloud computing software platforms. In: 2011 10th International Stefanov, E., Shi, E., 2013. Oblivistore: high performance oblivious cloud storage. In:
Conference on Telecommunication in Modern Satellite Cable and Broadcasting 2013 IEEE Symposium on Security and Privacy (SP), pp. 253–267. http://dx.doi.
Services (TELSIKS), vol. 2, pp. 632–634. org/10.1109/SP.2013.25.
Ragouzis, N., Hughes, J., Philpott, R., Maler, E., Madsen, P., Scavo, T., 2008. Security Stolfo, S., Salem, M., Keromytis, A., 2012. Fog computing: mitigating insider data
Assertion Markup Language (SAML) V2.0 Technical Overview. URL 〈http:// theft attacks in the cloud. In: 2012 IEEE Symposium on Security and Privacy
www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-over Workshops (SPW), pp. 125–128.
view-2.0-cd-02.pdf〉, March. Su, T.-A., 2013. A mechanism to prevent side channel attacks in cloud computing
Ranjith, P., Priya, C., Shalini, K., 2012. On covert channels between virtual machines. environments. In: 2013 World Congress in Computer Science, Computer En-
J. Comput. Virol. 8 (3), 85–97. http://dx.doi.org/10.1007/s11416-012-0168-x. gineering and Applied Computing.
RedHat-Inc., 2015. Red Hat and IBM Achieve Top Security Certification for KVM Subashini, S., Kavitha, V., 2011. A survey on security issues in service delivery
Hypervisor on Red Hat Enterprise Linux and IBM Servers. URL 〈http://www. models of cloud computing. J. Netw. Comput. Appl. 34 (1), 1–11.
redhat.com/en/about/press-releases/Red-Hat-and-IBM-Achieve-Top-Security- Symantec, 2015. 2015 Internet Security Threat Report. URL 〈http://www.symantec.
Certification-for-KVM-Hypervisor-on-Red-Hat-Enterprise-Linux-and-IBM- com/security_response/publications/threatreport.jsp〉, April.
Servers〉. Symform, 2014. Achieving HIPAA Compliant Cloud Backup. URL 〈http://www.sym
Reimer, D., Thomas, A., Ammons, G., Mummert, T., Alpern, B., Bala, V., 2008. form.com/hipaa-compliance/〉.
Opening black boxes: using semantic information to combat virtual machine Szefer, J., Lee, R.B., 2012. Architectural support for hypervisor-secure virtualization.
image sprawl. In: Proceedings of the Fourth ACM SIGPLAN/SIGOPS Interna- SIGARCH Comput. Archit. News 40 (1), 437–450.
tional Conference on Virtual Execution Environments, VEE '08. ACM, New York, Takabi, H., Joshi, J., Ahn, G.-J., 2010. Securecloud: towards a comprehensive security
NY, USA, pp. 111–120. framework for cloud computing environments. In: 2010 IEEE 34th Annual
Riquet, D., Grimaud, G., Hauspie, M., 2012. Large-scale coordinated attacks: impact Computer Software and Applications Conference Workshops (COMPSACW), pp.
on the cloud security. In: 2012 Sixth International Conference on Innovative 393–398. http://dx.doi.org/10.1109/COMPSACW.2010.74.
Mobile and Internet Services in Ubiquitous Computing (IMIS), pp. 558–563. Tandon, S., SB, S., Agrawal, V., 2014. Cache-based side-channel attack on aes in
http://dx.doi.org/10.1109/IMIS.2012.76. cloud computing environment. Int. J. Eng. Res. Technol. 3 (10), 1080–1084.
Ristenpart, T., Tromer, E., Shacham, H., Savage, S., 2009. Hey, you, get off of my TCG, 2015. Trusted Computing Group. URL 〈http://www.trustedcomputinggroup.
cloud: exploring information leakage in third-party compute clouds. In: Pro- org/〉.
ceedings of the 16th ACM Conference on Computer and Communications Se- TCG, 2015. Cloud Computing and Security: A Natural Match. URL 〈http://www.
curity, CCS '09. ACM, New York, NY, USA, pp. 199–212. http://dx.doi.org/10.1145/ trustedcomputinggroup.org/〉.
 M.A. Khan / Journal of Network and Computer Applications 71 (2016) 11–29 29

Tcpdump, 2015. Tcpdump & libpcap. URL 〈http://www.tcpdump.org/〉. channel detection framework in cloud computing. Secur. Commun. Netw. 7 (3),
Tebaa, M., El Hajji, S., El Ghazi, A., 2012. Homomorphic encryption method applied 544–557.
to cloud computing. In: 2012 National Days of Network Security and Systems Wylie, J.J., Bakkaloglu, M., Pandurangan, V., Bigrigg, M.W., Oguz, S., Tew, K., Wil-
(JNS2), pp. 86–89. http://dx.doi.org/10.1109/JNS2.2012.6249248. liams, C., Ganger, G.R., Khosla, P.K., 2001. Selecting the right data distribution
Townsend, M., 2009. Managing a security program in a cloud computing en- scheme for a survivable storage system. In: CMU-CS-01-120, pp. 1–23.
vironment. In: 2009 Information Security Curriculum Development Con- Xiao, S., Gong, W., 2010. Mobility can help: protect user identity with dynamic
ference, InfoSecCD '09. ACM, New York, NY, USA, pp. 128–133. http://dx.doi.org/ credential. In: 2010 Eleventh International Conference on Mobile Data Man-
10.1145/1940976.1941001. URL 〈http://doi.acm.org/10.1145/1940976.1941001〉. agement (MDM), pp. 378–380.
Trusted Computing Group, 2011. TPM Main Specification. URL 〈http://www.trus Xiaopeng, G., Sumei, W., Xianqin, C., 2010. VNSS: a network security sandbox for
tedcomputinggroup.org/resources/tpm_main_specification〉. virtual computing environment. In: 2010 IEEE Youth Conference on Informa-
U.D. of Health & Human Services, 2007. Health Information Policy. URL 〈http:// tion Computing and Telecommunications (YC-ICT), pp. 395–398. http://dx.doi.
www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html〉. org/10.1109/YCICT.2010.5713128.
Vasudevan, A., McCune, J.M., Qu, N., Van Doorn, L., Perrig, A., 2010. Requirements Yang, Z., Qiao, L., Liu, C., Yang, C., Wan, G., 2010. A collaborative trust model of
for an integrity-protected hypervisor on the x86 hardware virtualized archi- firewall-through based on cloud computing. In: 2010 14th International Con-
tecture. In: Proceedings of the 3rd International Conference on Trust and ference on Computer Supported Cooperative Work in Design (CSCWD), pp.
Trustworthy Computing, TRUST'10. Springer-Verlag, Berlin, Heidelberg, pp. 141– 329–334. http://dx.doi.org/10.1109/CSCWD.2010.5471954.
165. URL 〈http://dl.acm.org/citation.cfm?id ¼1875652.1875663〉. Zhang, F., Huang, Y., Wang, H., Chen, H., Zang, B., 2008. Palm: security preserving
VMWare, 2015. VMWare Certifications – Common Criteria Security Certification.
vm live migration for systems with VMM-enforced protection. In: Third Asia-
URL 〈https://www.vmware.com/security/certifications/common-criteria〉.
Pacific Trusted Infrastructure Technologies Conference, 2008. APTC '08, pp. 9–
Wang, Z., Jiang, X., 2010. Hypersafe: a lightweight approach to provide lifetime
18. http://dx.doi.org/10.1109/APTC.2008.15.
hypervisor control-flow integrity. In: 2010 IEEE Symposium on Security and
Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T., 2012. Cross-vm side channels and
Privacy (SP), pp. 380–395. http://dx.doi.org/10.1109/SP.2010.30.
their use to extract private keys. In: Proceedings of the 2012 ACM Conference
Wang, Z., Lee, R.B., 2007. New cache designs for thwarting software cache-based
on Computer and Communications Security, CCS '12. ACM, New York, NY, USA,
side channel attacks. SIGARCH Comput. Archit. News 35 (2), 494–505.
Wang, C., Wang, Q., Ren, K., Lou, W., 2009. Ensuring data storage security in cloud pp. 305–316. http://dx.doi.org/10.1145/2382196.2382230. URL 〈http://doi.acm.
computing. In: 17th International Workshop on Quality of Service, 2009. IW- org/10.1145/2382196.2382230〉.
QoS, pp. 1–9. http://dx.doi.org/10.1109/IWQoS.2009.5201385. Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T., 2014. Cross-tenant side-channel at-
WCSS, 2010. Acarmng User Manual. URL 〈http://www.acarm.wcss.wroc.pl/index. tacks in paas clouds. In: Proceedings of the 2014 ACM SIGSAC Conference on
php?n¼ Acarmng.Doc〉. Computer and Communications Security, CCS '14. ACM, New York, NY, USA, pp.
Wei, J., Zhang, X., Ammons, G., Bala, V., Ning, P., 2009. Managing security of virtual 990–1003. http://dx.doi.org/10.1145/2660267.2660356. URL 〈http://doi.acm.
machine images in a cloud environment. In: Proceedings of the 2009 ACM org/10.1145/2660267.2660356〉.
Workshop on Cloud Computing Security, CCSW '09. ACM, New York, NY, USA, Zhou, M., Zhang, R., Xie, W., Qian, W., 2010. A. Zhou, Security and privacy in cloud
pp. 91–96. computing: a survey. In: 2010 Sixth International Conference on Semantics
Winkler, J.R.V., 2011. Securing the Cloud: Cloud Computer Security Techniques and Knowledge and Grid (SKG), pp. 105–112.
Tactics. Syngress Publishing, Massachusetts, USA. Zhou, F., Goel, M., Desnoyers, P., Sundaram, R., 2011. Scheduler vulnerabilities and
Wu, H., Ding, Y., Winer, C., Yao, L., 2010. Network security for virtual machine in coordinated attacks in cloud computing. In: 2011 10th IEEE International
cloud computing. In: 2010 5th International Conference on Computer Sciences Symposium on Network Computing and Applications (NCA), pp. 123–130.
and Convergence Information Technology (ICCIT), pp. 18–21. http://dx.doi.org/ http://dx.doi.org/10.1109/NCA.2011.24.
10.1109/ICCIT.2010.5711022. Zissis, D., Lekkas, D., 2012. Addressing cloud computing security issues. Future
Wu, J., Ding, L., Wu, Y., Min-Allah, N., Khan, S.U., Wang, Y., 2014. C2detector: a covert Gener. Comput. Syst. 28 (3), 583–592.