Skip to Main content Skip to Navigation

Évaluation et analyse des mécanismes de sécurité des réseaux dans les infrastructures virtuelles de cloud computing

Thibaut Probst 1
1 LAAS-TSF - Équipe Tolérance aux fautes et Sûreté de Fonctionnement informatique
LAAS - Laboratoire d'analyse et d'architecture des systèmes
Abstract : Over the last few years, the development of the Internet contributed to the rise of the cloud computing model, wherein providers offer computing resources as services to clients. These resources, generally hosted by the provider, can be infrastructures, development and execution platforms or applications. The goal is to boost the reduction of the deployment and operation costs of resources traditionally hosted on-premises. In the Infrastructure as a Service (IaaS), clients can create and administrate entire virtual infrastructures hosting their information system or a part of it. Beside the benefits of the cloud model, security concerns arise, as in any distributed computing system. Mixing the diversity of the actors with the variety of technologies in the cloud implies a great number of threats and makes the securing of data more complex. In order to prevent and detect attacks, network security mechanisms are deployed in the cloud. We are interested in network access control and network intrusion detection, respectively carried out by firewalls and intrusion detection systems. It is not yet easy for administrators to correctly deploy security tools while not disturbing the cloud. Therefore, it is essential to look for weaknesses, discrepancies or inconsistencies in their deployment on a regular basis. In this manuscript, we describe the thesis in which we propose an approach for the automated evaluation and analysis of network security mechanisms in cloud computing virtual infrastructures. Our objective is to allow, in an experimental fashion, the audit of network access controls and network intrusion detection systems protecting virtual infrastructures. To work around the problems due to the implementation of such an approach, we divided it in three phases. The first phase consists in creating a copy of the infrastructure to analyze, to avoid disturbing the client’s business during the audit operations. The second phase is about the analysis of access controls, where the goal is to determine network communication paths between the virtual machines. We allow a static analysis, conducted from configuration information, and a dynamic analysis, performed by injecting network traffic. The interest in achieving two different types of analysis is to identify potential discrepancies in the results. In the third phase, the discovered communication paths are utilized to execute network attack campaigns based on evaluation traffic we replay using models we defined. Then, the reaction of intrusion detection systems is studied to generate evaluation metrics. The developed approach resulted in a prototype for VMware cloud solutions. It has been experimented on a mock-up platform in order to validate the methods we designed as part of our approach. The experimental results we obtained are encouraging and build confidence in the elaboration of new extensions and research perspectives. Résumé
Document type :
Complete list of metadata

Cited literature [106 references]  Display  Hide  Download
Contributor : Arlette Evrard <>
Submitted on : Friday, October 16, 2015 - 3:09:11 PM
Last modification on : Thursday, June 10, 2021 - 3:05:41 AM
Long-term archiving on: : Monday, January 18, 2016 - 6:04:42 AM


  • HAL Id : tel-01216609, version 1


Thibaut Probst. Évaluation et analyse des mécanismes de sécurité des réseaux dans les infrastructures virtuelles de cloud computing. Systèmes embarqués. INP Toulouse, 2015. Français. ⟨tel-01216609⟩



Record views


Files downloads