Security in the Cloud : an anomaly-based detection framework for the insider threats

Abstract : Cloud Computing (CC) opens new possibilities for more flexible and efficient services for Cloud Service Clients (CSCs). However, one of the main issues while migrating to the cloud is that what once was a private domain for CSCs, now is handled by a third-party, hence subject to their security policies. Therefore, CSCs' confidentiality, integrity, and availability (CIA) should be ensured. In spite of the existence of protection mechanisms, such as encryption, the monitoring of the CIA properties becomes necessary. Additionally, new threats emerge every day, requiring more efficient detection techniques. The work presented in this document goes beyond the state of the art by treating the malicious insider threat, one of the least studied threats in CC. This is mainly due to the organizational and legal barriers from the industry, and therefore the lack of appropriate datasets for detecting it. We tackle this matter by addressing two challenges.First, the derivation of an extensible methodology for modeling the behavior of a user in a company. This abstraction of an employee includes intra psychological factors, contextual information and is based on a role-based approach. The behaviors follow a probabilistic procedure, where the malevolent motivations are considered to occur with a given probability in time.The main contribution, a design and implementation of an anomaly-based detection framework for the aforementioned threat. This implementation enriches itself by comparing two different observation points: a profile-based view from the local network of the company, and a cloud-end view that analyses data from the services with whom the clients interact. This allows the learning process of anomalies to benefit from two perspectives: (1) the study of both real and simulated traffic with respect to the cloud service's interaction, in favor of the characterization of anomalies; and (2) the analysis of the cloud service in order to aggregate data statistics that support the overall behavior characterization.The design of this framework empirically shows to detect a broader set of anomalies of the company's interaction with the cloud. This is possible due to the replicable and extensible nature of the mentioned insider model. Also, the proposed detection model takes advantage of the autonomic nature of a clustering machine learning technique, following an unsupervised, adaptive algorithm capable of characterizing the evolving behaviors of the users towards cloud assets. The solution efficiently tackles the detection of anomalies by showing high levels of clustering performance, while keeping a low False Positive Rate (FPR), ensuring the detection performance for threat scenarios where the threat comes from inside the enterprise
Complete list of metadatas

Cited literature [116 references]  Display  Hide  Download

https://tel.archives-ouvertes.fr/tel-02000074
Contributor : Abes Star <>
Submitted on : Friday, February 1, 2019 - 12:31:57 PM
Last modification on : Monday, June 17, 2019 - 5:08:10 PM
Long-term archiving on : Thursday, May 2, 2019 - 12:50:03 PM

File

these_CARVALLO_2018.pdf
Version validated by the jury (STAR)

Identifiers

  • HAL Id : tel-02000074, version 1

Citation

Pamela Carvallo. Security in the Cloud : an anomaly-based detection framework for the insider threats. Networking and Internet Architecture [cs.NI]. Université Paris-Saclay, 2018. English. ⟨NNT : 2018SACLL008⟩. ⟨tel-02000074⟩

Share

Metrics

Record views

168

Files downloads

156