Int. J. Information and Computer Security, Vol. 9, Nos. 1/2, 2017

Hierarchical detection of insider attacks in cloud computing systems

Omar M. Al-Jarrah*, Moath Al-Ayoub and Yaser Jararweh
Jordan University of Science and Technology, Irbid, 22110, Jordan
Email: [email protected]
Email: [email protected]
Email: [email protected]
*Corresponding author

Abstract: Cloud computing has emerged as a new computing paradigm with enormous benefits that have attracted many businesses and service providers. As a result, it is critical to ensure a highly available and resilient cloud system that continues to operate correctly under different circumstances. This is endangered by the risk of cloud insider attacks. In this work, we propose an artificial intelligence based system to detect cloud insider attacks. A hierarchical detection system is used to ensure high detection accuracy and speed. In the first layer, we use a simple expert system to classify the insider as a normal, an attacker, or a probable attacker. The system reacts accordingly by allowing normal insiders to continue their work, blocking attackers, and performing further investigation on probable attackers in the second layer using a decision tree. Simulation results show that our system is able to detect insider attacks with 99.67% detection accuracy.

Keywords: insider attacks; behaviour monitoring; cloud computing; decision tree; hierarchical detection; cloud security.

Reference to this paper should be made as follows: Al-Jarrah, O.M., Al-Ayoub, M. and Jararweh, Y. (2017) ‘Hierarchical detection of insider attacks in cloud computing systems’, Int. J. Information and Computer Security, Vol. 9, Nos. 1/2, pp.85–99.

Biographical notes: Omar M. Al-Jarrah is a Professor of Computer Engineering at Jordan University of Science and Technology (JUST), Irbid, Jordan. He received his BSc in Electrical Engineering from JUST in 1991, and his MSc and PhD in Electrical and Computer Engineering from Ohio State University in 1994 and 1996, respectively. His research interests include artificial intelligence, computer networks, and eLearning. He has published 66 technical papers in well-reputed international journals and conferences. During his career, he has supervised more than 100 graduate and undergraduate students.

Moath Al-Ayoub received his BSc and MS in Computer Engineering from Jordan University of Science and Technology (JUST), Irbid, Jordan. His research interests include artificial intelligence, security, computer networks, and cloud computing.

Yaser Jararweh received his PhD in Computer Engineering from the University of Arizona in 2010. He is currently an Associate Professor of Computer Science at Jordan University of Science and Technology, Jordan. He has co-authored many technical papers in established journals and conferences in fields related to cloud computing, HPC, SDN and Big Data. He is the General Co-chair of the IEEE International Workshop on Software Defined Systems SDS-2014 and SDS 2015. He is also chairing many IEEE events such as ICICS, SNAMS, BDSN, IoTSMS and many others.

Copyright © 2017 Inderscience Enterprises Ltd.

1 Introduction

Cloud computing has emerged as a new computing paradigm in academia, governments and industry. It enables metered, on-demand provisioning of computational and storage resources. Cloud computing is built around a self-service approach, which enables convenient, on-demand network access to a shared pool of configurable computing resources with minimal management effort and service provider interaction. Cloud computing comes with many benefits including efficiency, scalability, availability, and cost reduction. On the other hand, these benefits are coupled with many challenges that need to be solved to make this computing model a convincing tool for users. Security and confidentiality are among the top challenges. Customers’ data and computational tasks should be kept confidential from any unauthorised cloud provider staff, other customers, and external users. Confidentiality remains one of the greatest concerns for users because they outsource their data and computational tasks to a cloud service provider who controls and manages the cloud system (Rindos et al., 2014). An insider is a current or former employee, a contractor, or a business partner. Hence, it is hard to detect insider attacks, especially in cloud computing where the adversary and the victim might be on the same physical machine but on different virtual machines. Insider attacks are hard to detect because the insider knows the cloud system, the network structure, and the security policy imposed. A malicious insider intentionally exceeds or misuses their authorised access in a manner that negatively impacts the confidentiality, integrity, privacy, and/or availability of cloud services. Insiders pose the greatest potential threat to the cloud system because they understand cloud systems, users’ behaviours, the network structure, and the security policy. Therefore, they have access to extraordinary information on a very large scale and they constitute a great threat that might hinder the growth of trustworthy cloud computing. Consequently, in this work, we investigate possible techniques for insider attack detection in cloud computing.

Insider threats are very dangerous because of the insiders’ good knowledge of the cloud computing environment and their ability to cause severe damage to the system and the quality of service. Insiders are able to access privileged and unprivileged regions without leaving any evidence. To the best of our knowledge, there is no unified technique or approach to solve insider threats in cloud computing systems, and this lack has motivated us to tackle this important problem. In this work, we aim to develop an efficient defense system that detects and prevents insider attacks as accurately and quickly as possible. Real-life security screening has motivated us to use a layered approach to gain speed, detection rate, precision, and accuracy.


The rest of the paper is organised as follows. In Section 2 a detailed background review is given. The system model is discussed in Section 3. Section 4 provides the methodology and the simulation results. Finally, the conclusion and future work are given in Section 5.

2 Related work

The importance of the cloud insider attack problem has motivated many researchers to propose different techniques and methods to tackle it efficiently; we present some of these techniques here. Eom et al. (2011) presented a framework of a defense system to prevent malicious insider behaviour. It is a framework of a defense system for detecting and preventing any malicious behaviour or sophisticated threat from insiders. This framework applies attack tree and misuse monitor mechanisms. It builds an insider profile for each user, where the process execution and the pattern of the program are almost the same every day. The insider profile can identify an insider threat that has access to run a program or process by comparing the expected pattern of the current profile with the attack tree. The framework has a positive characteristic and can prevent any in-depth insider threat that is critical or dangerous to the system or to any sensitive data according to its prevention mechanisms. The fog computing technique, which aims to mitigate insider data theft attacks in the cloud for securing business and personal data, is presented in Zissis and Lekkas (2012). It uses the concept of profiling a user’s behaviour to monitor data access patterns in order to decide when a malicious insider has gained unauthorised access to other users’ documents in a cloud service. This approach uses decoy documents, which are stored in the cloud along with users’ data and work as sensors to detect any suspicious access. When an unauthorised access is suspected, it is verified using a challenge question for each instance. The system feeds bogus information to the malicious insider to dilute the user’s real data. Cloud computing can also provide strong security in social networks against attacks that rely on disinformation. A hybrid high-order Markov chain model was proposed by Furht and Escalante (2010). A Markov chain is a discrete-time stochastic process. The main purpose of the approach is to identify a signature behaviour for a user based on the sequence of commands that the user executed. This approach uses a mixture transition distribution (MTD) to model the transition probabilities, which overcomes the high dimensionality. A novel technique was proposed recently that uses knowledgebase models to prevent insider threats from both system-level and database-level insiders. The knowledgebase technique was extended to cloud computing systems and aims to achieve advance detection of possible insider threats (Yaseen et al., 2013, 2016; Althebyan et al., 2015).

3 The proposed system models

Our proposed system uses an artificial intelligence technique to detect insider attacks in cloud computing. The system starts by monitoring insiders for possible malicious behaviours. In the second step, the indicators are extracted and analysed to determine the most important indicators of a malicious insider. A hierarchical detection system is developed that ensures detection accuracy and speed. In the first layer, we use a simple expert system based on decision trees which classifies the insider as an attacker, not an attacker, or a probable attacker. The system behaves according to the class of the insider: if not an attacker, it allows the insider to continue their work. However, if the result is an attacker, the system blocks the insider. Finally, if the class is a probable attacker, the system sends the indicators for further follow-up in the second detection layer, where more processing is performed to properly classify the insider. Figure 1 shows the system architecture.

Figure 1 System architecture

3.1 Indicators extraction model

There are many types of indicators that determine whether an insider is malicious or not. In our system, we use a number of known indicators and we define a new set of indicators.

3.2 Known indicators

These indicators are divided into two main types: socio or technical indicators. The main categories of the technical indicators are as follows (Stolfo et al., 2012):

a Deliberate markers: sometimes attackers leave deliberate markers in order to make a ‘statement’. Markers vary in how obvious they are and in their magnitude. Finding the less obvious and smaller markers sooner, before the ‘big attack’ happens, is an important goal of the security team who try to detect insider attacks.

b Meaningful errors: attackers are human beings, so they definitely make mistakes during their attacks. Attackers delete any evidence by deleting the command history and the relevant log files.

c Preparatory behaviour: there are many behaviours of an attacker or perpetrator. He/she needs to gain as much information as possible about the victim environment. This information can be gained by using some commands like ping, nslookup, finger, whois and rwho.

d Correlated usage patterns: there are some patterns which are consistent in most systems. Such patterns are not noticeable because they are most likely the same, and a perpetrator intends to use such patterns to perform attacks.

e Verbal behaviour: verbal behaviour, whether written or spoken, is very helpful in indicating attacks. Technical verbal behaviour is related to dominance, aggression, and some other factors.

f Personality traits: the previous point implies that personality trait factors (particularly introversion) can be very helpful in predicting insider attacks.

3.3 The used indicators

First of all, the system divides the users based on their personal traits by checking their personnel profiles. A user can be one of three types: trusted, normal, or suspected. The system builds a library of indicators that are to be matched with the actual incidents of the user’s behaviour. Here is the list of indicators:

1 Sending spy emails: when a user sends an email to another user in the system that contains malicious software that can spy on his/her system, including emails, activities, etc. (Nguyen et al., 2014).

2 Spying on cookies: when a user tries to spy on another user’s cookies by retrieving or sniffing them in order to perform further attacks (Vinay and Rajarshi, 2014).

3 Sending a trojan: when a user sends malicious software such as a Trojan that tries to harm the victim’s machine; this can be done by sending the software directly to the victim (Gupta and Badve, 2016).

4 Obtaining back-door access to the company data: when a user tries to use back-door access, i.e. an application that accesses a cloud user’s operating system remotely, which plays a crucial role in mounting an attack. Back doors are also used at the point of entry or in the command-and-control (C&C) stage of the attack process, and they enable threat actors to take command and control of their victim cloud user (Wang et al., 2010).

5 Entering a wrong password: when a user tries to access something and is asked to enter a password, the user might enter a wrong password. This indicator has three values: the number of wrongly entered passwords is one or two, three to six, or more than six (Wang et al., 2010).

6 Access outside normal work hours: when a user tries to access the system outside normal work hours, the system checks the user’s work schedule and his/her position. If the user is an administrator or a normal user, it then looks up the user’s categorisation, which can be: suspected, recommended or normal (Wen-Hua and Yehuda, 2001).

7 Abnormal search patterns: when a user searches for holes and vulnerabilities to attack, the user uses an abnormal search pattern to look for such things. This indicator has the extended values: abnormal directories, abnormal locations or allowed directories (Wang et al., 2010).

8 Acquiring unknown access paths: insiders can get a new access path to the system by acquiring an unknown access path. For instance, insiders install a back-door account to steal shared passwords. The critical issue is that the system does not know about all the insiders’ access paths to the critical system. This indicator has the extended values: known path within the company, path outside the company or unknown path (Guo and Perreau, 2010).

9 Using the strings, grep, virsh and dump commands: the grep command can be used in some attacks, for instance to gain information about a specific virtual machine. An insider can apply virsh and dump to dump the memory region that holds the victim VM’s information. With a prepared dictionary, the attack is completed by running the grep command to get specific information. The extended values of this indicator are: virsh command, dump command or strings command (Baig and Binbeshr, 2013).

10 Using the exportfs command: the exportfs command can be used by an insider to perform an attack, as in the case of public templates, which are usually stored in secondary storage. Using the exportfs command finds the mounted partition of the secondary storage. Template folders usually have a ‘template.properties’ file which describes the template file. The information is extracted from the ‘template.properties’ file using the grep command. The insider then deploys the template in a new virtual machine, creates a back-door daemon for sniffing a tenant’s password or packet information, and then exports the template back into the secondary storage. The extended values are: grep of template.properties files, checking the template files, or others (Baig and Binbeshr, 2013).

11 Access denied: when an insider tries to access something in the cloud system and the system denies the access because the user is not authorised. The extended values of this indicator are: the number of access-denied attempts is one to three, three to six, or more than six (Wang et al., 2010).

12 Meaningful error: since attackers are human, they definitely make mistakes during their attacks. Attackers delete any evidence by deleting the command history and the relevant log files. The extended values of this indicator are: no log files found, no command history found, or normal error (Stolfo et al., 2012).

13 Use of commands such as ping, nslookup, finger, whois and rwho: there are many behaviours of an attacker or perpetrator. He/she needs to gain as much information as possible about the victim environment. This information can be gained by using some commands like ping, nslookup, finger, whois and rwho. The extended values of this indicator are: the target is within the company, or the target is outside the company (Baig and Binbeshr, 2013).

14 Normal behaviours: these indicators belong to users performing normal tasks in the cloud system, i.e. tasks which are allowed, authorised, and not sabotaging any other user in the cloud system (Zhifeng and Yang, 2011).

3.4 The expert system model

After extracting the required incidents, the incidents are processed in a rule-based model. The indicators are divided into three possible results: an attack, not an attack, or a probable attack. The rule-based model decides whether an incident is an attack or not. If it cannot decide, it calls the incident a probable attack, which then receives further investigation in the next layer, described later. The indicators/incidents are divided into three categories according to the obtained result, as follows.

a The attack indicators:
1 sending spy emails
2 spying on cookies
3 sending trojans
4 obtaining back-door access to the company data.

b The probable attack indicators:
• entering a wrong password
• access outside normal working hours
• abnormal search patterns
• acquiring unknown access paths
• using the strings and grep commands
• using the exportfs command
• access denied
• meaningful error
• use of commands such as ping, nslookup, finger, whois and rwho.

c The ‘not an attack’ incidents are the remaining normal incidents that any legitimate cloud user performs.

After running this layer, the system is able to determine whether an incident is an attack or not, unless the incident belongs to the probable attack list. These specific indicators go to the decision tree.

3.5 The decision tree model

Decision tree learning (DTL) is a type of inductive learning task with the following goal: use a training dataset of examples to create a hypothesis that gives general conclusions (Velte et al., 2009). A learned decision tree is used to classify the probable attacks. As discussed earlier, there are three possible results: an attack, not an attack or a probable attack. If the incident is a probable attack, it is sent to the decision tree for classification. These incidents have extended indicators with more values (attributes), and the target attribute’s value is an attack or not an attack (yes/no). The information gain measures the expected reduction in entropy due to splitting on an attribute A:

$$\mathrm{Gain}(S, A) = \mathrm{Entropy}(S) - \sum_{v \in \mathrm{Values}(A)} \frac{|S_v|}{|S|}\,\mathrm{Entropy}(S_v)$$

The average disorder is just the weighted sum of the disorders in the branches (subsets) created by the values of A (Velte et al., 2009). The entropy measures the disorder of a set S whose examples fall into k classes, S_i being the examples of class i, and is given by:

$$\mathrm{Entropy}(S) = \sum_{i=1}^{k} -\frac{|S_i|}{|S|} \log_2\left(\frac{|S_i|}{|S|}\right)$$

A large gain is intended, and a small average disorder is created (Velte et al., 2009). After applying the decision tree to any probable attack, it will be able to decide whether the incident is an attack or not. Then a suitable action is taken. Table 1 shows an example of a learning dataset of our defense system.

Table 1 The learning dataset

| User ID | # of wrong passwords | Access outside normal work hours | # of access denied | Indicator ID […] | Attack? |
|---|---|---|---|---|---|
| 0 | 1–2 | Suspected | 1–3 | - | No |
| 0 | 1–2 | Suspected | 4–6 | - | Yes |
| 0 | 1–2 | Suspected | >6 | - | Yes |
| 0 | 1–2 | Recommended | 1–3 | - | No |
| 0 | 1–2 | Recommended | 4–6 | - | No |
| 0 | 1–2 | Recommended | >6 | - | No |
| 0 | 1–2 | Normal | 1–3 | - | No |
| 0 | 1–2 | Normal | 4–6 | - | No |
| 0 | 1–2 | Normal | >6 | - | Yes |
| 0 | 3–6 | Suspected | 1–3 | - | No |
| 0 | 3–6 | Suspected | 4–6 | - | Yes |
| 0 | 3–6 | Suspected | >6 | - | Yes |
| 0 | 3–6 | Normal | >6 | - | Yes |
| 0 | >6 | Suspected | 1–3 | - | Yes |
| 0 | >6 | Suspected | 4–6 | - | Yes |
| 0 | >6 | Suspected | >6 | - | Yes |
| 0 | >6 | Recommended | 1–3 | - | No |
| 1 | 1–2 | Suspected | 1–3 | - | No |
| 1 | 1–2 | Suspected | 1–3 | - | Yes |
| 1 | 1–2 | Suspected | 1–3 | - | Yes |
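The two layers described in Sections 3.4 and 3.5, as an added example that is not the authors' code: layer 1 is the rule table of definite and probable indicators, layer 2 is ID3 built with the Gain and Entropy formulas above and trained on the Table 1 rows (the three extended indicators only; indicator names such as `wrong_password` are assumed labels for the paper's list). Because this is only the 20-row excerpt rather than the 600-user training set, the learned root attribute need not match Figure 2.

```python
"""Two-layer insider-attack classifier: rule-based expert layer, then ID3.

Constructed example following the paper's description; not the authors' code.
"""
from collections import Counter
from math import log2

# Layer 1: the expert system's indicator groups (Section 3.4).
# The indicator names are assumed labels for the paper's listed indicators.
ATTACK_INDICATORS = {"spy_email", "spy_on_cookies", "sending_trojan",
                     "backdoor_access"}
PROBABLE_INDICATORS = {"wrong_password", "access_outside_hours",
                       "abnormal_search", "unknown_access_path",
                       "strings_grep_virsh_dump", "exportfs",
                       "access_denied", "meaningful_error", "recon_commands"}


def expert_layer(indicator):
    """Definite verdict for known indicators; 'probable' escalates to layer 2."""
    if indicator in ATTACK_INDICATORS:
        return "attack"
    if indicator in PROBABLE_INDICATORS:
        return "probable"
    return "not an attack"


# Layer 2: ID3 using the paper's Entropy(S) and Gain(S, A) formulas.
def entropy(labels):
    """Entropy(S) = sum_i -|S_i|/|S| * log2(|S_i|/|S|) over the class counts."""
    n = len(labels)
    return -sum(c / n * log2(c / n) for c in Counter(labels).values())


def gain(rows, attr, target="attack"):
    """Gain(S, A) = Entropy(S) - sum_v |S_v|/|S| * Entropy(S_v)."""
    total = entropy([r[target] for r in rows])
    for value in {r[attr] for r in rows}:
        subset = [r for r in rows if r[attr] == value]
        total -= len(subset) / len(rows) * entropy([r[target] for r in subset])
    return total


def build_tree(rows, attrs, target="attack"):
    """Recursive ID3: returns a label (leaf) or a dict node split on the best attribute."""
    labels = [r[target] for r in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or not attrs:
        return majority
    best = max(attrs, key=lambda a: gain(rows, a, target))
    remaining = [a for a in attrs if a != best]
    node = {"attr": best, "default": majority, "branches": {}}
    for value in {r[best] for r in rows}:
        subset = [r for r in rows if r[best] == value]
        node["branches"][value] = build_tree(subset, remaining, target)
    return node


def classify(tree, incident):
    """Walk the tree; an attribute value unseen in training falls back to the node majority."""
    while isinstance(tree, dict):
        tree = tree["branches"].get(incident.get(tree["attr"]), tree["default"])
    return tree


# Table 1 from the paper: wrong-password count, user category, access-denied
# count, label. The blank "Indicator ID" column and the user ID are omitted.
COLS = ("wrong_pw", "category", "denied", "attack")
TABLE1 = [
    ("1-2", "Suspected", "1-3", "No"), ("1-2", "Suspected", "4-6", "Yes"),
    ("1-2", "Suspected", ">6", "Yes"), ("1-2", "Recommended", "1-3", "No"),
    ("1-2", "Recommended", "4-6", "No"), ("1-2", "Recommended", ">6", "No"),
    ("1-2", "Normal", "1-3", "No"), ("1-2", "Normal", "4-6", "No"),
    ("1-2", "Normal", ">6", "Yes"), ("3-6", "Suspected", "1-3", "No"),
    ("3-6", "Suspected", "4-6", "Yes"), ("3-6", "Suspected", ">6", "Yes"),
    ("3-6", "Normal", ">6", "Yes"), (">6", "Suspected", "1-3", "Yes"),
    (">6", "Suspected", "4-6", "Yes"), (">6", "Suspected", ">6", "Yes"),
    (">6", "Recommended", "1-3", "No"), ("1-2", "Suspected", "1-3", "No"),
    ("1-2", "Suspected", "1-3", "Yes"), ("1-2", "Suspected", "1-3", "Yes"),
]
TRAIN = [dict(zip(COLS, row)) for row in TABLE1]
TREE = build_tree(TRAIN, ["wrong_pw", "category", "denied"])


def detect(indicator, extended=None):
    """Hierarchical decision: layer 1 first; probable attacks go to the tree."""
    verdict = expert_layer(indicator)
    if verdict != "probable":
        return verdict
    return "attack" if classify(TREE, extended or {}) == "Yes" else "not an attack"


if __name__ == "__main__":
    print("root attribute:", TREE["attr"])
    print(detect("wrong_password",
                 {"wrong_pw": ">6", "category": "Suspected", "denied": "4-6"}))
```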

4 Simulation results and evaluation

4.1 Tools and methodology

We have used the CloudExp (Nguyen et al., 2014) simulator to simulate our hierarchical detection approach. The extension of CloudExp provides a free cloud environment where the implementer can develop his/her approach or build his/her project, whereas in physical systems the user needs to pay. It allows customers to test their services for free in this controllable simulation environment before they deploy their services on physical clouds. Cloud providers can evaluate their services before offering them, which helps providers optimise their resource access cost and thereby improve their gain. CloudExp is written in Java and has fundamental classes such as VMs, data centres, tasks and hosts. We modified these classes and developed new classes to provide our detection system. A class named IndicatorsConfig was created to configure the system and get it ready to work. Each user has a unique ID and can be a normal, a suspected or a trusted user depending on his/her policy record, given the importance of personal traits. During the simulation run, the system monitors each incident of each user. These incidents are stored in a linked list. Meanwhile, the expert system decides whether each incident is an attack or not based on the matched incident/indicator. The probable attacks are sent to the decision tree for further investigation and classification. Our system was able to detect attacks and prevent them with excellent detection rate, precision, recall rates, and false positives ratio.

4.2 Simulation results and discussion

We have used a computing machine with a 64-bit Windows 7 operating system, an Intel(R) Core(TM) CPU at 2.3 GHz, and 4 GB of RAM. The simulation environment configuration used in the CloudExp simulator is as follows: number of hosts = 50; number of incidents = 1,000; number of indicators = 71; number of virtual machines on each host = 1; task numbers for each VM = 1,000; number of files = 500; task length = 10,000; number of task files = 1; file size = 64 MB; search time = 10,000 s; replica ratio = 2; scheduler type = FIFO; storage bandwidth = 10 GB; storage network latency = 5.

The results of the first layer were as follows. The number of all incidents in the system is 10,000; the number of denied attacks in the system is 494, with ratio 0.0494; the number of probable attacks in the system is 1,015, with ratio 0.1015; the number of allowed incidents in the system is 8,491, with ratio 0.8491.

Table 2 Expert system results

| Classification | Number of incidents out of 10,000 | Ratio |
|---|---|---|
| Attack | 494 | 0.0494 |
| Probable attack | 1,015 | 0.1015 |
| Not an attack | 8,491 | 0.8491 |

The system processes the probable attacks using a decision tree. The tree is trained using a training set that has been built previously based on the indicators and their relevant values. The output of the decision tree is illustrated in Figure 2.

Figure 2 The trained decision tree

As shown in Figure 2, the attribute/indicator with the highest information gain is the wrong password indicator. The second best is the access outside normal work hours indicator, and the access denied indicator comes third. These indicators are used to build the decision tree, where the attribute with the best information gain is the root of the tree.


The information gain is calculated in terms of the entropy. The results we show in this paper are based on a training set of 600 users, which is 60% of the total users in the system. The rest of the users (400) are used for testing the system. A sample of the training file set is shown in Figure 3.

Figure 3 The training set

The probable attack data are used as input to the decision tree for classification in the second layer, and the output is as follows. The total number of instances is 602; 582 instances are correctly classified (ratio 0.966777) and 20 are incorrectly classified (ratio 0.033223). The Kappa statistic is 0.933, the K&B relative info score is 52,835.6357%, and the K&B information score is 533.9883 bits (0.887 bits/instance). Class complexity | order 0 is 600.1927 bits (0.997 bits/instance) and class complexity | scheme is 111.3764 bits (0.185 bits/instance). The complexity improvement (Sf) is 488.8162 bits (0.812 bits/instance). The mean absolute error is 0.0415, the root mean squared error is 0.144, the relative absolute error is 12.5169%, and the root relative squared error is 35.4091%. The detailed accuracy by class is shown in Table 3.

Table 3 Simulation for the first layer

| TP rate | FP rate | Precision | Recall | F-measure | ROC area | Class |
|---|---|---|---|---|---|---|
| 0.972 | 0.04 | 0.967 | 0.972 | 0.97 | 0.983 | No |
| 0.96 | 0.028 | 0.967 | 0.96 | 0.964 | 0.983 | Yes |
| 0.967 | 0.034 | 0.967 | 0.967 | 0.967 | 0.983 | Average |

Notes:
TP rate: rate of true positives (instances correctly classified as a given class).
FP rate: rate of false positives (instances falsely classified as a given class).
Precision: proportion of class instances that are correctly classified divided by the total instances classified as that class.
Recall: proportion of instances classified as a given class divided by the actual total in that class (equivalent to TP rate).
F-measure: a combined measure of precision and recall calculated as (2 × Precision × Recall) / (Precision + Recall).


As shown in Table 3, the target attribute (class) has two possible values, either an attack (yes) or not an attack (no). The true positive rate of the (no) class is slightly higher than that of the (yes) class. This is because classifying an incident as normal behaviour is slightly easier than classifying it as malicious behaviour. The same holds for the false positive rate, where the false positive rate of the (yes) class is lower than that of the (no) class. Precision and recall are almost equal. The confusion matrix provides information about where confusion occurs between the classes. The target attribute has two values, either an attack or not an attack, as shown in Table 4, where (A) refers to not an attack and (B) refers to an attack; rows give the actual class and columns the class assigned by the tree.

Table 4 Confusion matrix

| A | B | Classified as |
|---|---|---|
| 318 | 9 | a = no |
| 11 | 264 | b = yes |

Using the first and second layers together, the average results show high accuracy. In the first layer, the false positives ratio is 0% because the indicators for this layer are obvious (either an attack or not an attack). But if the expert system is not sure, the probable attack incident is sent to the second layer (the decision tree) for further investigation and classification. The detection accuracy in the expert system is 100% because this layer classifies incidents using obvious, pure indicators. All uncertain behaviours are sent to the second layer. Definite pure attacks or definite normal behaviour are not realistic in real life because attacks are usually vague. Hence, the decision tree is needed to investigate further and then classify such indicators, providing the most realistic detection algorithm. In the second layer, the decision tree deals with ambiguous incidents. It examines the extended values of each indicator, as listed earlier in the paper, to refine the classification.

Figure 4 Simulation results for the three approaches


The expert system sends only the probable attacks to the decision tree. In our simulation, we have 10,000 incidents and 1,015 of them were probable attacks. The detection accuracy, precision ratio, and false positives ratio depend on these 1,015 incidents out of the 10,000 total incidents, since the expert system has a perfect classification for definite behaviours. We have designed three different detection systems. The first one uses an expert system that gives a definite classification even if the incident is vague. The second system uses a decision tree including the definite indicators. The third system is the hierarchical detection system that combines the expert system with the decision tree. Figure 4 compares the results of the three systems. As shown in Figure 4, the hierarchical detection system outperformed the standalone expert system and the standalone decision tree in terms of detection accuracy, precision ratio, and false positives ratio. Combining both vague indicators and definite indicators needs two or more layers to get the best performance in terms of detection accuracy, precision, false positives, and time. Detection accuracy in the hierarchical detection system is calculated as follows:

$$DA = DA_1 \cdot DA_2$$

where DA is the detection accuracy ratio, DA_1 is the first layer detection accuracy ratio and DA_2 is the second layer detection accuracy ratio.

As discussed earlier, the detection accuracy of the first layer is 100%, while the detection accuracy of the second layer is calculated as follows:

$$DA_2 = \frac{I_T - \left(I_P - DA_{2i} \cdot I_P\right)}{I_T}$$

where DA_2 is the second layer detection accuracy ratio, I_T is the total number of incidents in the system, I_P is the number of probable attack incidents and DA_{2i} is the decision tree detection accuracy ratio.

In our experiment, the total number of incidents in the system (I_T) is 10,000, the number of probable attack incidents (I_P) is 1,015, and the decision tree detection accuracy ratio (DA_{2i}) is 96.7%; hence

$$DA_2 = \frac{10{,}000 - \left(1{,}015 - 0.967 \cdot 1{,}015\right)}{10{,}000} = 99.67\%$$

The false positives ratio is calculated as follows:

$$FP_2 = \frac{I_P - FP_{2i} \cdot I_P}{I_T}$$

where FP_2 is the second layer false positive ratio, I_T is the total number of incidents in the system, I_P is the number of probable attack incidents and FP_{2i} is the decision tree false positive ratio.
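The evaluation of Section 4.2 worked through in code, as an added example that is not the authors' code: the per-class and weighted-average rows of Table 3 are recomputed from the Table 4 confusion matrix, the tree accuracy DA_{2i} from the same matrix, and the hierarchical DA and FP_2 values from the formulas above with the paper's I_T = 10,000 and I_P = 1,015.

```python
"""Evaluation metrics for the two-layer detector, reproduced from Tables 3-4
and the DA / FP formulas. Constructed example, not the authors' code."""

# Table 4 confusion matrix: row = actual class, column = class assigned by the tree.
CLASSES = ("no", "yes")
CONFUSION = {"no": {"no": 318, "yes": 9},
             "yes": {"no": 11, "yes": 264}}


def class_metrics(matrix, cls):
    """TP/FP rate, precision, recall and F-measure for one class (Table 3 notes)."""
    tp = matrix[cls][cls]
    fn = sum(matrix[cls][c] for c in matrix if c != cls)
    fp = sum(matrix[a][cls] for a in matrix if a != cls)
    tn = sum(matrix[a][c] for a in matrix for c in matrix[a]
             if a != cls and c != cls)
    tp_rate = tp / (tp + fn)
    fp_rate = fp / (fp + tn)
    precision = tp / (tp + fp)
    f_measure = 2 * precision * tp_rate / (precision + tp_rate)
    return {"tp_rate": tp_rate, "fp_rate": fp_rate, "precision": precision,
            "recall": tp_rate, "f_measure": f_measure}


def weighted_average(matrix):
    """The 'Average' row of Table 3: each class weighted by its instance count."""
    sizes = {cls: sum(matrix[cls].values()) for cls in matrix}
    total = sum(sizes.values())
    per_class = {cls: class_metrics(matrix, cls) for cls in matrix}
    keys = per_class[next(iter(matrix))]
    return {k: sum(per_class[c][k] * sizes[c] for c in matrix) / total
            for k in keys}


def tree_accuracy(matrix):
    """DA2i: correctly classified instances over all instances (582 / 602)."""
    total = sum(sum(row.values()) for row in matrix.values())
    return sum(matrix[c][c] for c in matrix) / total


def second_layer_accuracy(i_t, i_p, da2i):
    """DA2 = (I_T - (I_P - DA2i * I_P)) / I_T: only probable incidents can be
    misclassified, because the expert layer is taken as perfect on the rest."""
    return (i_t - (i_p - da2i * i_p)) / i_t


def hierarchical_accuracy(i_t, i_p, da2i, da1=1.0):
    """DA = DA1 * DA2, with DA1 = 100% for the expert layer."""
    return da1 * second_layer_accuracy(i_t, i_p, da2i)


def second_layer_false_positive_ratio(i_t, i_p, fp2i):
    """FP2 = (I_P - FP2i * I_P) / I_T, implemented exactly as the paper prints it."""
    return (i_p - fp2i * i_p) / i_t


if __name__ == "__main__":
    for cls in CLASSES:
        print(cls, class_metrics(CONFUSION, cls))
    print("average", weighted_average(CONFUSION))
    print("DA2i =", tree_accuracy(CONFUSION))
    print("DA =", hierarchical_accuracy(10_000, 1_015, 0.967))
    print("FP2 =", second_layer_false_positive_ratio(10_000, 1_015, 0.034))
```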

For a future work, the list of indicators is to be updated with new indicators and more discussions on the processing time will be added.

5 Conclusions

Due to the increasing number of insider attacks in cloud computing and their severe impact on the QoS, a defense system against these attacks is needed. In this work, we presented a system based on artificial intelligence to detect insider attacks in cloud computing. The system starts by monitoring insiders for possible malicious behaviours. In the second step, the indicators were extracted and analysed to determine the most important indicators of a malicious insider. A hierarchical detection system was developed to ensure high detection accuracy and speed. In the first layer, we have used a simple expert system based on decision trees that classifies the insider as a normal, an attacker, or a probable attacker. The system acts according to the class of the insider. If the class is normal (not an attacker), it allows the insider to continue his/her work. However, if the result is an attacker, the system blocks the insider. Finally, if the class is a probable attacker, the system sends the indicators for further investigation in the second detection layer, where more processing is performed to properly classify the insider. We have used an extended version of the CloudExp simulator to perform a rigorous set of experiments to simulate our hierarchical detection approach. We have evaluated the performance of our system using four main measures: detection rate, precision, recall rate and false positives ratio. Our results show that the proposed system is able to detect insider threats with a high detection rate compared to other techniques.
