User-centric security monitoring in cloud environments

Amir Teshome Wonjiga (1, 2)
(2) MYRIADS - Design and Implementation of Autonomous Distributed Systems
Inria Rennes – Bretagne Atlantique, IRISA-D1 - SYSTÈMES LARGE ÉCHELLE
Abstract: Migrating to the cloud results in losing full control of the physical infrastructure, as the cloud service provider (CSP) is responsible for managing the infrastructure, including its security. Because this forces tenants to rely on CSPs for the security of their information system, it creates a trust issue. CSPs acknowledge the trust issue and provide a guarantee through a Service Level Agreement (SLA). The agreement describes the provided service and the penalties for cases of violation. Almost all existing SLAs address only the functional features of the cloud and thus do not guarantee the security of tenants' hosted services. Security monitoring is the process of collecting and analyzing indicators of potential security threats, then triaging these threats with appropriate action. It is highly desirable for CSPs to provide user-specific security monitoring services based on the requirements of a tenant. In this thesis we present our contribution to including user-centric security monitoring terms in cloud SLAs. This requires performing different tasks across the cloud service life-cycle, starting before the actual service deployment and continuing until the end of the service. Our contributions are as follows. We design extensions to an existing SLA language called Cloud SLA (CSLA). Our extension, called Extended CSLA (ECSLA), allows tenants to describe their security monitoring requirements in terms of vulnerabilities. More precisely, a security monitoring service is described as a relation between user requirements expressed as vulnerabilities, a software product having those vulnerabilities, and an infrastructure where the software runs. To offer security monitoring SLAs, CSPs need to measure the performance of their security monitoring capability under different configurations. We propose a solution that reduces the required number of evaluations compared to the number of possible configurations. The proposed solution introduces two new ideas. First, we design a knowledge base building method that uses clustering to categorize vulnerabilities into groups using some heuristics. Second, we propose a model to quantify the interference between operations of monitoring vulnerabilities. Using these two methods we can estimate the performance of a monitoring device with a small number of evaluations compared to the naive approach. The metrics used in our SLA terms consider the operational environment of the security monitoring devices. In order to account for non-deterministic operational environment parameters, we propose an estimation mechanism where the performance of a monitoring device is measured using known parameter values and the result is used to model its performance and estimate it for unknown values of that parameter. An SLA definition contains the model, which can be used whenever the measurement is performed. We propose an in situ evaluation method for the security monitoring configuration. It can evaluate the performance of a security monitoring setup in a production environment. The method uses an attack injection technique, but the injected attacks do not affect the production virtual machines. We have implemented and evaluated the proposed method. The method can be used by either party to compute the required metric. However, it requires cooperation between tenants and CSPs. In order to reduce the dependency between tenants and CSPs while performing verification, we propose to use a logical secure component. The proposed use of a logical secure component for verification is illustrated in an SLA addressing data integrity in clouds. The method uses a secure, trusted and distributed ledger (blockchain) to store evidence of data integrity. It allows checking data integrity without relying on the other party. If there is any conflict between tenants and CSPs, the evidence can be used to resolve it.
Cited literature: 244 references
Submitted on: Tuesday, May 12, 2020 - 10:49:09 AM
Last modification on: Friday, October 23, 2020 - 5:02:48 PM

Version validated by the jury (STAR)

  • HAL Id: tel-02570591, version 1


Amir Teshome Wonjiga. User-centric security monitoring in cloud environments. Cryptography and Security [cs.CR]. Université Rennes 1, 2019. English. ⟨NNT : 2019REN1S080⟩. ⟨tel-02570591⟩