Google - Cybersecurity


CYBER SECURITY PRIMER


A brief introduction to cyber security for students who are new to the field.

Network outages, data compromised by hackers, computer viruses and other incidents affect our lives in ways that range from inconvenient to life-threatening. As the number of mobile users, digital applications and data networks increase, so do the opportunities for exploitation.

WHAT IS CYBER SECURITY?

Cyber security, also referred to as information technology security, focuses on protecting computers, networks, programs and data from unintended or unauthorized access, change or destruction.

WHY IS CYBER SECURITY IMPORTANT?

Governments, military, corporations, financial institutions, hospitals and other businesses collect, process and store a great deal of confidential information on computers and transmit that data across networks to other computers. With the growing volume and sophistication of cyber attacks, ongoing attention is required to protect sensitive business and personal information, as well as safeguard national security.

During a Senate hearing in March 2013, the nation's top intelligence officials warned that cyber attacks and digital spying are the top threat to national security, eclipsing terrorism.

CYBER SECURITY GLOSSARY OF TERMS

Learn cyber speak by familiarizing yourself with cyber security terminology.

Access − The ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains or to control system components and functions.

Active Attack − An actual assault perpetrated by an intentional threat source that attempts to alter a system, its resources, its data or its operations.

Blacklist − A list of entities that are blocked or denied privileges or access.

Bot − A computer connected to the Internet that has been surreptitiously/secretly compromised with malicious logic to perform activities under the remote command and control of a remote administrator.

Cloud Computing − A model for enabling on-demand network access to a shared pool of configurable computing capabilities or resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Critical Infrastructure − The systems and assets, whether physical or virtual, so vital to society that the incapacity or destruction of such may have a debilitating impact on the security, economy, public health or safety, environment or any combination of these matters.

Cryptography − The use of mathematical techniques to provide security services, such as confidentiality, data integrity, entity authentication and data origin authentication.

Cyber Space − The interdependent network of information technology infrastructures that includes the Internet, telecommunications networks, computer systems and embedded processors and controllers.

Data Breach − The unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.

Digital Forensics − The processes and specialized techniques for gathering, retaining and analyzing system-related data (digital evidence) for investigative purposes.

Enterprise Risk Management − A comprehensive approach to risk management that engages people, processes and systems across an organization to improve the quality of decision making for managing risks that may hinder an organization's ability to achieve its objectives.

Information Assurance − The measures that protect and defend information and information systems by ensuring their availability, integrity and confidentiality.

Intrusion Detection − The process and methods for analyzing information from networks and information systems to determine if a security breach or security violation has occurred.

Key − The numerical value used to control cryptographic operations, such as decryption, encryption, signature generation or signature verification.

Malware − Software that compromises the operation of a system by performing an unauthorized function or process.

Passive Attack − An actual assault perpetrated by an intentional threat source that attempts to learn or make use of information from a system but does not attempt to alter the system, its resources, its data or its operations.

Penetration Testing − An evaluation methodology whereby assessors search for vulnerabilities and attempt to circumvent the security features of a network and/or information system.

Phishing − A digital form of social engineering to deceive individuals into providing sensitive information.

Rootkit − A set of software tools with administrator-level access privileges installed on an information system and designed to hide the presence of the tools, maintain the access privileges and conceal the activities conducted by the tools.

Software Assurance − The level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that the software functions in the intended manner.

Virus − A computer program that can replicate itself, infect a computer without permission or knowledge of the user and then spread or propagate to another computer.

Whitelist − A list of entities that are considered trustworthy and are granted access or privileges.

International Journal of Computer and Information Technology (ISSN: 2279 – 0764) Volume 02– Issue 06, November 2013

www.ijcit.com 1029

Malware Detection from a Virtual Machine Correlating Unusual Keystrokes, Network Traffic, and Suspicious Registry Access

Nathaniel Amsden, Department of Computer Science, Sam Houston State University, Huntsville, TX, USA

Cihan Varol, Department of Computer Science, Sam Houston State University, Huntsville, TX, USA

Email: cxv007 {at} shsu.edu

Abstract—Current anti-virus malware detection methods focus on signature-based methods. Recent research has introduced new, effective methods of malware detection. First, recent research including cloud-based monitoring and analysis, joint network-host based methods, feature ranking, machine learning and kernel data structure invariant monitoring are reviewed. Second, virtual machine based malware detection is proposed. This method combines network traffic analysis through keystroke analysis and registry anomaly detection to detect malware. It correlates suspicious network activity with suspicious registry accesses in order to detect malware with a higher confidence and lower false positives.

Keywords-keystroke analysis; malware detection; registry analysis; traffic analysis; virtual machine

I. INTRODUCTION

Current home and corporate malware detection primarily focuses on anti-virus signature-based methods. Recent research in the field of malware detection has introduced new methods such as cloud-based analysis, machine learning, joint network-host methods and feature ranking. One network-host based method involves analyzing keystrokes to determine when malware is attempting a network connection. Registry anomaly detection utilizes machine learning to compare registry changes against a normal baseline to detect malicious changes. Both setups are computationally expensive, but, if improved, could be implemented in a virtual machine setup.

Virtual machines (VM) have been used in a variety of malware detection projects. VMs separated from the host operating system (OS) offer a level of protection from malware trying to subvert anti-virus programs. Also, as VMs are separated from the host OS, a client-server relationship between the two can be established. This eliminates the need for a second computer in solutions requiring a client-server set up. Lightweight OSs running in a virtual machine decrease host system resource requirements, run faster, and are potentially more secure than normal-sized OSs.

Running keystroke analysis and registry anomaly detection programs in a virtual machine protects them from malware and offers additional advantages. The VM can be trimmed down, using the bare minimum of required resources and components to successfully run the detection solution without harming performance. In this research, we propose correlating suspicious network traffic generated by unusual keystrokes with suspicious registry accesses in order to detect malware with a higher degree of accuracy and with a lower false positive rate.

II. EXISTING ALGORITHMS

A. Detection of kernel-level invariants

Kernel data structures are often modified by rootkits in an attempt to hide their execution from detection methods. Kernel data structures include control data such as the system call table, jump tables and function pointers. They also include non-control data such as linked lists used for bookkeeping and pseudorandom number generators. Gibraltar [1] automatically generates kernel data structure integrity specifications known as data structure invariants. Invariants are properties that must hold for the lifetime of the data structure. Gibraltar’s inference phase creates a baseline of the kernel data structures. During the rootkit detection phase, invariants are compared against the baseline. Any deviation is assumed to indicate the presence of a rootkit. Gibraltar resides on an external computer and captures snapshots of the target system’s kernel memory via an external PCI card and reconstructs the kernel data structure. It utilizes Daikon, an invariant inference tool, to infer invariants on the kernel data structures. Gibraltar successfully detected 23 of 23 rootkits during experiments.

Benchmarking utilities determined Gibraltar added a one-half percent runtime monitoring overhead, a very minimal amount. It successfully detected rootkits that modified both control and non-control data structures with an average detection time of twenty seconds. Gibraltar works well in a client-server setting. One server running Gibraltar can manage malware detection on multiple clients.

Gibraltar has downsides as well. It requires a second, observer computer to monitor the target computer. Gibraltar cannot be deployed on the target computer. It also has a long startup time. It requires twenty five minutes to take snapshots of kernel memory followed by thirty one minutes to infer invariants. This is a total of fifty six minutes every time the target computer boots up before Gibraltar is ready to monitor it. However, the researchers determined invariant inference can be completed in parallel while the system takes the next snapshot of kernel memory. Gibraltar also infers 236,444 or more invariants. Each of these invariants is very precise. There currently is no way to group the invariants together, e.g. broader rules that encompass multiple invariants. The invariants are not portable and are system-specific. Each target must be analyzed every time the system boots. False invariants may be inferred and refined to reduce spurious alerts. Gibraltar also cannot detect transient attacks, that is, rootkits that modify an invariant and revert it back between kernel snapshots.

B. Cloud based malware detection

Cloud anti-virus servers [2] offer enhanced detection of malware. Cloud servers require an analysis engine to scan for malware. Multiple anti-virus programs and detection algorithms can be loaded on the cloud server. A forensics archive serves as a database against which the analysis engine compares malware. Client computers require an isolated host that interfaces to the cloud server and the system memory or physical disk. An isolated host agent environment allows the host to send requests and provides direct access to host storage. Two prototypes are proposed. The first is based on the Intel Active Management Technology (AMT) combined with the Intel vPro. The second is based on a Virtual Memory Monitor.

Cloud-based anti-virus servers reduce the amount of storage and computational resources required on the client due to the fact no anti-virus resources must be installed on the client. It simplifies management of signature files, as only the information on one computer, the server, must be configured. Also, since servers are typically more powerful than individual workstations, more advanced, sophisticated and computationally expensive heuristics can be employed to determine threat profiles.

Disadvantages include the fact that host agents still require mechanisms to detect and prevent agents that have been disabled or subverted. The first prototype based on Intel AMT uses a blacklist approach. Only 192KB of a blacklist can be stored. This is a very small amount of storage for an ever-increasing amount of malware. Scan frequency is also low. Additionally, attackers can compromise the host operating system or the virtual machine monitor itself, thereby circumventing the detection mechanisms.

C. Joint network-host based malware detection

Joint network-host based malware detection with information theoretic tools [3] detects deviations from a behavioral model baseline derived from a benign data profile. A baseline of keystrokes is determined against which data is compared. This algorithm analyzes perturbations in the distribution of keystrokes used to create network connections. Keystroke entropy increases and session-keystroke mutual information decreases when an endpoint is compromised by self-propagating malware. If both host and network features are correlated, malware detection is increased. The last input from a keyboard or mouse hardware buffer is correlated with every new network session. Only outgoing unicast traffic is analyzed, as firewalls block incoming traffic.

This algorithm attains an almost one hundred percent detection rate with a low false-positive rate. Instead of comparing malware to known signatures, it works based on behavioral analysis. This allows the algorithm to detect previously unknown malware.

Joint network-host based malware detection can be defeated by mimicry attacks. Malware utilizing mimicry attacks hides its traffic in benign traffic. This effectively hides its network traffic from the detection system, allowing it to avoid detection. Ill-defined security policies and user privileges pose problems for this detection system. Malware can circumvent the policies and exploit user privileges, allowing it to gain system level privileges and disable the detector.

D. System function call analysis

Rather than employing traditional reverse engineering or debugging techniques, this algorithm extracts malware behavior by observing all system function calls [4]. It controls various parameters of a sandboxed virtual execution environment and analyzes the interaction of malware on the system. It computes similarities and distances between malware behaviors in order to classify malware behaviors. A phylogenetic tree, a type of branching diagram, tracks evolution of malware features and implementations. It shows inferred relationships between entities based upon similarities and differences in characteristics.

This method requires research and analysis work to be performed on known malware before the algorithm can be employed against suspected malware. Malware must first be introduced to the virtual machine sandbox environment for analysis and classification. Once malware has been classified and the phylogenetic tree built, unknown executables can be compared against the tree. Zero-day exploits can be detected based on similar operating characteristics.

E. Feature ranking and machine learning

Computer virus detection can be enhanced via feature ranking and machine learning [5]. This is a combination of the information gain and voted perceptron detection methods. Test and training data are fed into a portable executable (PE) parser. The PE parser extracts Windows API calls and converts them into thirty-two-bit global IDs as features of the training data. Features are then selected based on the information theoretical concept of entropy. The distinguishing power of each feature is then derived by computing its information gain (IG) based on frequencies of appearances in the malicious class and the benign class. A voted perceptron classifier constructs the malware detection classifier. This model was tested with known malware downloaded from an online malware database.

Test results demonstrated a ninety nine percent true positive rate, a ninety nine percent detection rate and a ninety nine percent precision rate. These rates are four to nine percent higher than analysis using either the information gain or voted perceptron respectively.


The algorithm must first be trained and fed test data to build a sample signature database of called APIs. However, once built, it could detect zero-day malware based on similar API calls and behavioral analysis. As signatures are added to the database, the system learns and increases its detection capabilities.

F. Registry anomaly detection

Analyzing registry changes facilitates malware detection [6]. Creating a baseline of normal registry changes allows the algorithm to compare registry changes against that baseline. Anything out of the ordinary, e.g. malicious, triggers an alert. The Registry Anomaly Detector (RAD) requires three components. These components include a Registry Basic Auditing Model (RegBAM), a Model Generator, and an Anomaly Detector.

The RegBAM monitors registry reads and writes. Initially, this data is fed into a database for the model generator. After the baseline registry changes model is created, the RegBAM feeds data into the anomaly detector.

The model generator takes data gathered by the RegBAM and builds a normal usage model. This model represents normal registry usage and can be easily distributed to new machines. This is especially desirable in a large IT enterprise where standard desktop configurations are the norm. Normal registry usage should be similar from computer to computer.

The anomaly detector receives live data from the RegBAM. The detector compares data to the normal usage model and generates a score based on the anomalies in the registry. A user-defined threshold signifies when the anomaly detector should trigger an anomalous event.

One disadvantage is the amount of traffic generated by registry reads and writes. The researchers measured a load of approximately 50,000 registry accesses per hour. The three RAD components can be configured on different machines. The downside to this approach is the increase in network traffic. The tradeoff is network traffic vs. host machine resources.

III. METHODOLOGY

A. Bell-LaPadula model for the host and virtual machine

The foundation of this solution lies in the ability to modify a virtual machine to directly access the host operating system. Virtual machines are currently completely separated from the host OS and have no direct access to its internals. Allowing VMs to directly monitor the host OS is an area of on-going research.

The host and virtual machine shall follow the Bell-LaPadula security model [7]. The virtual machine shall be designated a higher security level than the host it resides on. The host shall follow the simple security property, i.e. the host shall not read up to a higher security level, the VM. The VM shall follow the star property, i.e. the VM shall not write down to a lower security level, the host. We caveat this by explicitly specifying which data the host may write up to the VM. The host shall only feed network packets to the VM for analysis. All other writes to the VM from the host shall be disallowed.

Four components, shown in Figure 1, comprise the solution. These include a network traffic monitor, a keystroke analyzer, a registry anomaly detector, and a correlator. The VM shall read keystrokes and registry changes on the host machine. The details of these components will be discussed in Sections III.C - III.E.

Figure 1. Four components of the malware detection scheme.

Figure 2 below describes data flow between the virtual machine, the host OS, and applications running on the host. Label 1 shows network traffic. The host sends network traffic to the virtual machine for analysis and correlation. This data is then sent back out through the host’s network adapter, as the VM contains only a virtual network adapter. The VM does not write any data to the host. Label 2 shows keystroke and registry data flowing to the VM. This data is read from the host by the VM and is not written to the VM by the host.

Figure 2. System data flow. [Diagram: the host OS, with its applications and network adapter, beside the VM, which holds the network traffic monitor, the keystroke analyzer, the registry anomaly detector and the correlator; flow 1 is network traffic, flow 2 is keystroke and registry data.]
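As an added example that is not part of the paper, the following Python encodes the two-level Bell-LaPadula rules of Section III.A (host below VM), including the paper's one explicit exception that the host may write up only network packets, and checks the flows of Figure 2 against them. The level names, the data-kind strings and the list of flows are assumptions constructed for the example.

```python
from enum import IntEnum
from typing import List, Tuple


class Level(IntEnum):
    """Security levels from Section III.A: the VM is designated higher than the host."""
    HOST = 0
    VM = 1


# The paper's explicit narrowing of write-up: the only data the host may write
# up to the VM is network packets handed over for analysis (data-kind names assumed).
HOST_WRITE_UP_ALLOWED = {"network_packet"}


def allowed(subject: Level, action: str, obj: Level, data_kind: str) -> bool:
    """Return True if `subject` may perform `action` ("read" or "write")
    on data of kind `data_kind` that lives at level `obj`."""
    if action == "read":
        # Simple security property: no read up. The host (0) may not read the VM (1);
        # the VM may read down to the host (keystrokes, registry accesses).
        return subject >= obj
    if action == "write":
        if subject > obj:
            # *-property: no write down. The VM never writes anything to the host.
            return False
        if subject < obj:
            # Writing up is normally permitted by BLP; the paper restricts it to
            # the explicitly listed data kinds.
            return data_kind in HOST_WRITE_UP_ALLOWED
        return True  # same level: not constrained by the model
    raise ValueError(f"unknown action {action!r}")


# Constructed flows modelled on Figure 2: (subject, action, object, data kind).
FIGURE2_FLOWS: List[Tuple[Level, str, Level, str]] = [
    (Level.HOST, "write", Level.VM, "network_packet"),   # label 1: host feeds packets up
    (Level.VM, "read", Level.HOST, "keystrokes"),        # label 2: VM reads keystrokes down
    (Level.VM, "read", Level.HOST, "registry_access"),   # label 2: VM reads registry down
    (Level.HOST, "write", Level.VM, "keystrokes"),       # host pushing keystrokes: not listed
    (Level.HOST, "read", Level.VM, "baseline_model"),    # host reading the VM: no read up
    (Level.VM, "write", Level.HOST, "verdict"),          # VM writing a result: no write down
]


def audit(flows=FIGURE2_FLOWS) -> List[Tuple[str, bool]]:
    """Evaluate each flow and return (description, permitted) pairs."""
    return [(f"{s.name} {a} {k} -> {o.name}", allowed(s, a, o, k)) for s, a, o, k in flows]


if __name__ == "__main__":
    for desc, ok in audit():
        label = "ALLOW" if ok else "DENY"
        print(f"{label:5} {desc}")
```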


B. Virtual machines to guard malware detection systems

Malware developers usually create their software with stealth in mind. Avoiding detection by antivirus programs, users, and administrators is key. For this reason, malware authors employ a variety of methods to hide their malicious programs. Malware can subvert and disable anti-virus programs and other malware detection methods. It is important to protect anti-malware programs from malware. If malware fails to detect the anti-malware programs, it cannot disable them.

Virtual machines add a level of protection to security solutions. Programs running in a virtual environment are not detectable by anything on the host operating system. The only thing the host OS knows is a virtual machine is running. Any malware that infects the host machine will not be able to attack programs running in the VM.

What does this mean for anti-malware programs? Running anti-malware in a VM prevents any malware that infects the host machine from undermining the anti-malware software. As long as the VM is not infected, malware detection programs will run. Additionally, if VMs directly monitor host internals without installing any software on the host, malware cannot block, terminate, or otherwise disable software the anti-malware solutions depend on. All software resides in the VM.

Secondly, VMs are typically large and resource intensive. Creating a trimmed down, lightweight VM will consume less host processing power and memory. Only the bare minimum of drivers and services needed to run the VM and the four detection components are required. Non-essential elements must be removed. In addition to consuming fewer resources, removing components creates a more secure environment. Fewer components mean less vulnerability.

Multiple lightweight operating systems (including Windows and Linux) that can run in a VM have been created. One example is Damn Small Linux (DSL), a 50 MB Linux installation. DSL requires a minimal amount of processor and memory resources. However, DSL contains unnecessary packages, such as Pac Man, that can be removed. Several lightweight Windows installations have been created. nLite allows the user to trim down a Windows installation disk, customizing the installation so only selected components are installed.

Additionally, research has shown trusted virtual machine monitors can boot individual programs into separated, individual virtual machines [8]. These VMs boot directly into the program, without any user interfaces or shells.

C. Correlating keystrokes to network connections in a virtual machine

Of the four components in this solution, correlating keystrokes to network connections requires two of the components. A network traffic analyzer and a keystroke monitor are required. As described in [3], keystrokes are correlated to corresponding network traffic. Their solution uses a joint network-host based approach. We propose feeding network traffic through the virtual machine for analysis and correlation before transmission to the internet.

Virtual machines and their host share a virtual network as shown in Figure 3 below.

Figure 3. Virtual network between a VM and the host. [Diagram: the host's network adapter and the VM connected through a virtual switch.]

Remember in Figure 2 that network traffic flows from the host to the virtual machine. We specifically state that all network traffic must flow through the virtual machine before transmission to the internet. Outbound packets can be forwarded to the VM for analysis by the network traffic monitor. Once routed through the network traffic monitor, the packets are sent to their intended destination.

The second component of this portion is the keystroke analyzer. The keystroke analyzer resides on the VM and requires direct access to the host. It reads down to the host to monitor keystrokes. Each keystroke shall be logged and stored for correlation to a network packet. The solution described in [3] correlates the keystrokes and packets through the use of timestamps. Timestamps are more important when the monitors reside in the VM. The generated packets will retain the same timestamp. Additional delay between the VM and host may cause keystroke timestamps to be slightly later than the actual time. Careful testing of timing is necessary to determine timing delays introduced by the components being inside a virtual machine. It is possible that the additional time for the network packets to arrive at the network traffic monitor could result in it being correlated to the wrong keystroke.

D. Monitoring the host registry from a virtual machine

The third component of this solution is the registry anomaly detector. The authors of [6] propose storing the system behavior model in the registry. This allows the RAD to monitor the baseline model, securing it from malicious changes. The training data gathered for the model comprised 500,000 records, which, when added to the registry, would greatly increase the size. Moving the RAD to a virtual machine would keep the host registry at a normal size, while retaining the desired security.

The main requirement is to directly access the host OS’s registry. The RAD proposed in [6] allows the components to be split among systems, with, at a minimum, the RegBAM remaining on the computer being monitored. We propose putting all components in the virtual machine and allowing the RegBAM direct access to the host’s registry.

Additionally, the RegBAM needs to be modified to include timestamps. Each registry read or write requires an associated timestamp. The RAD works in real time to detect registry changes, but all changes require a timestamp to allow correlation with suspicious network traffic.

E. Putting it all together

We propose correlating suspicious network traffic with suspicious registry accesses. The probability of detecting malicious software will increase while simultaneously lowering false positive rates through correlation of potentially malicious traffic and potentially malicious registry accesses. If a suspicious network connection made following an unusual keystroke corresponds to a recent abnormal registry access, the likelihood of malware activity increases. Both components showed high success rates of detection. Correlating them with each other will further increase detection rates and confidence. A lower-confidence registry access, when correlated to a suspicious network connection, may signify the presence of malware that would otherwise fall below detection thresholds.

The RAD, keystroke analyzer, and network traffic monitor each look at a specific portion or product of the host. The final component of the virtual machine is the correlator. The correlator works in two parts. As shown in Figure 4, the algorithm consists of two main parts in the VM. The first part correlates keystrokes to network traffic. The second part correlates the results of part one with output from the RAD.

Figure 4. High Level Design Diagram

The authors of [3] already correlate keystrokes with network traffic. Due to the fact the components are in a VM, the algorithm will most likely need to be modified to account for timing delays as information is transferred to the virtual machine. Timestamps from suspicious registry accesses will be correlated to network traffic and keystrokes. The correlator can be triggered by either a suspicious RAD report or a suspicious network traffic report. Once triggered, it polls the other for recent activity with a similar timestamp. Reports are analyzed and a confidence assigned based on how malicious the activity appears.
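The two-part correlator described above, as an added worked example that is not part of the paper: part one marks an outbound connection suspicious when no keystroke preceded it within a short window (the keystroke-to-connection idea of [3]); part two is triggered by either a suspicious traffic report or a RAD report, polls the other side for activity with a nearby timestamp, and assigns a confidence, so that a registry access scored below the RAD threshold on its own can still raise an alert when it coincides with a keystroke-less connection. The windows, the prior for a keystroke-less connection, the noisy-OR combination rule and all sample events are assumptions constructed for the example.

```python
import bisect
from dataclasses import dataclass, field
from typing import List

# Tunable parameters; these values are assumptions for the example, not from the paper.
KEYSTROKE_WINDOW = 2.0   # seconds: a connection this soon after a keystroke is user-driven
REGISTRY_WINDOW = 5.0    # seconds: a registry access this close to a connection is "recent"
CONNECTION_PRIOR = 0.6   # confidence that a keystroke-less outbound connection is malicious
ALERT_THRESHOLD = 0.7    # user-defined threshold (as in RAD) at which an alert is raised


@dataclass
class Connection:
    ts: float     # timestamp when the outbound packet reached the VM's traffic monitor
    dst: str


@dataclass
class RegistryAccess:
    ts: float     # timestamp added to the RegBAM record
    key: str
    score: float  # RAD anomaly score in [0, 1]


@dataclass
class Alert:
    ts: float
    trigger: str  # "network" or "registry": which report triggered the correlator
    confidence: float
    evidence: List[str] = field(default_factory=list)


def keystroke_driven(conn: Connection, keystrokes: List[float],
                     window: float = KEYSTROKE_WINDOW) -> bool:
    """Part one: True if a keystroke occurred within `window` seconds before `conn`.
    `keystrokes` must be sorted ascending."""
    i = bisect.bisect_right(keystrokes, conn.ts)
    return i > 0 and conn.ts - keystrokes[i - 1] <= window


def combine(p: float, q: float) -> float:
    """Noisy-OR of two independent pieces of evidence (assumed combination rule)."""
    return 1.0 - (1.0 - p) * (1.0 - q)


def correlate(keystrokes: List[float], connections: List[Connection],
              registry: List[RegistryAccess],
              threshold: float = ALERT_THRESHOLD) -> List[Alert]:
    """Part two: correlate suspicious connections with nearby registry reports and vice versa."""
    ks = sorted(keystrokes)
    suspicious = [c for c in connections if not keystroke_driven(c, ks)]
    alerts: List[Alert] = []

    # Trigger A: a suspicious traffic report polls the RAD for recent registry accesses.
    for c in suspicious:
        conf = CONNECTION_PRIOR
        evidence = [f"connection to {c.dst} at t={c.ts} with no preceding keystroke"]
        for r in registry:
            if abs(r.ts - c.ts) <= REGISTRY_WINDOW:
                conf = combine(conf, r.score)  # even a sub-threshold score adds evidence
                evidence.append(f"registry access {r.key} at t={r.ts} score={r.score}")
        if conf >= threshold:
            alerts.append(Alert(c.ts, "network", round(conf, 3), evidence))

    # Trigger B: a RAD report above threshold polls the traffic monitor. If a suspicious
    # connection is nearby, trigger A has already reported it; otherwise report it alone.
    for r in registry:
        if r.score < threshold:
            continue
        if any(abs(c.ts - r.ts) <= REGISTRY_WINDOW for c in suspicious):
            continue
        alerts.append(Alert(r.ts, "registry", round(r.score, 3),
                            [f"registry access {r.key} at t={r.ts} score={r.score}"]))
    return sorted(alerts, key=lambda a: a.ts)


# Constructed sample events (not from the paper); timestamps are seconds.
SAMPLE_KEYSTROKES = [10.0, 10.4, 11.1, 40.0]
SAMPLE_CONNECTIONS = [
    Connection(11.8, "mail.example.net"),  # 0.7 s after a keystroke: user-driven
    Connection(25.0, "198.51.100.7"),      # 13.9 s after the last keystroke: suspicious
    Connection(41.0, "docs.example.net"),  # 1.0 s after a keystroke: user-driven
]
SAMPLE_REGISTRY = [
    RegistryAccess(24.0, r"HKLM\Software\Example\Run", 0.5),     # below threshold alone
    RegistryAccess(42.0, r"HKCU\Software\Example\Recent", 0.5),  # near a user-driven connection
    RegistryAccess(60.0, r"HKLM\System\Example\Services", 0.9),  # above threshold alone
]


def run_sample() -> List[Alert]:
    """Run the correlator over the constructed events; expected: two alerts (t=25.0, t=60.0)."""
    return correlate(SAMPLE_KEYSTROKES, SAMPLE_CONNECTIONS, SAMPLE_REGISTRY)


if __name__ == "__main__":
    for a in run_sample():
        print(f"t={a.ts:6.1f} trigger={a.trigger:8} confidence={a.confidence}")
        for line in a.evidence:
            print("   ", line)
```

The registry access at t=24.0 (score 0.5) would never cross the 0.7 threshold on its own, but combined with the keystroke-less connection at t=25.0 it yields an alert at 0.8, while the equally scored access at t=42.0 next to a user-driven connection produces nothing.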

IV. CONCLUSION

Recent advances in non-signature-based malware detection have proven effective in research and testing. We have shown how virtual machines can be used to provide a secure environment for anti-malware solutions, helping to protect them from malware that attempts to disable or otherwise harm detection methods. We expand upon the work of [3], [6], and [7] to correlate suspicious network traffic generated by unusual keystroke patterns with suspicious registry accesses. By correlating these together, we theorize a resulting higher detection rate with a lower amount of false positives.

V. FUTURE WORK

We plan further research to support and test our hypotheses. A key component of future research is to create a connection between the host operating system and the virtual machine. This connection needs to act as a diode, allowing the virtual machine to monitor the host’s registry and keystrokes, but disallowing all interaction with the VM initiated by the host. We need to trim down a virtual machine to determine the best balance between host performance and algorithm speeds. The more we trim the virtual machine and its operating system, the more efficient the host should run, but the longer it may take our solution to process.

We also plan to gather data regarding actions of malware. We intend to find out the percentage of malware that generates network traffic and the percentage of malware that modifies the registry. This information will allow us to calculate the overall improvement in the ability to detect malware by correlating network traffic with registry accesses.

Timestamps and network delay need additional research. By running our solution in a virtual machine, we would like to find out whether any timing delays are introduced that may cause the wrong keystrokes to be correlated to network packets. We also intend to determine the timing correlation between malicious registry changes and the start of network traffic flow.

International Journal of Computer and Information Technology (ISSN: 2279 – 0764) Volume 02– Issue 06, November 2013

www.ijcit.com 1034

[7] D.E. Elliot and L. J. LaPadula, “Secure computer systems: a mathematical model,” MITRE Corp., Bedford, MA, Tech. Rep. 2547, May 31, 1973.

[8] T. Garfinkle, B. Pfaff, J. Chow, M. Rosenblum and D. Boneh, “Terra: a virtual machine-based platform for trusted computing,” 19th Symposium on Operating Systems Principles, Bolton Landing, NY, 2003, pp. 193- 206.

A Comprehensive Study of Phishing Attacks

Dr. M. Nazreen Banu, Professor, Department of MCA, M.A.M College of Engineering, Tiruchirappalli

S. Munawara Banu, Assistant Professor, Department of IT, Jamal Mohamed College (Autonomous), Tiruchirappalli

Abstract- Nowadays one of the most widely used techniques for stealing data online and carrying out fraudulent transactions is phishing. Phishing is a form of online identity theft that aims to steal sensitive information such as online passwords and credit card information. It affects all major sectors of industry day by day through the misuse of user credentials. To stop phishing, many detection and prevention techniques have been developed, each with its own advantages and disadvantages, but phishing has not yet been eradicated completely. In this paper we study phishing and its types in detail and review some of the phishing and anti-phishing techniques.

Keywords- Phishing, Anti-phishing, Malware, Web spoofing.

I. INTRODUCTION

Phishing is a form of online identity theft that aims to steal sensitive information such as online passwords and credit card information [1]. Phishing attacks use a combination of social engineering and technological spoofing techniques to persuade users to give away sensitive information that the attacker can then use for financial profit. Typically phishers hijack a bank's web pages and send e-mails to the victim to trick the victim into visiting the malicious site, where the victim's bank account information and card number are collected. The information flow is depicted in Fig 1.

Fig 1: Information Flow in phishing

A complete phishing attack involves several roles. First, mailers send out a large number of fraudulent e-mails that direct users to fraudulent websites. Second, collectors set up fraudulent websites that actively prompt users to provide confidential information. Finally, cashers use the confidential information to achieve a payout. The goal of this paper is to present an extensive overview of phishing attacks. The paper is organized as follows. Section II outlines the types of phishing. Section III deals with the theoretical aspects of phishing techniques. Section IV describes the categories of anti-phishing techniques. Finally, the conclusion is given in Section V.

II. TYPES OF PHISHING

Phishing has spread beyond e-mail to include VoIP, SMS, instant messaging, social networking sites and even multiplayer games. Below are some major categories of phishing.

A. Clone phishing

Clone phishing is a type of phishing attack in which the hacker clones a web site that the victim usually visits. The cloned web site asks for login credentials, mimicking the real website. This allows the attacker to save these credentials in a text file or database record on his own server; the attacker then redirects the victim to the real website as an authenticated user [2]. Fig 2 depicts how hackers clone Facebook profiles.

Fig 2: Clone phishing in Facebook profiles

B. Spear phishing

Spear phishing targets a specific group. Instead of casting out thousands of e-mails randomly, spear phishers target selected groups of people with something in common [3], for example people from the same organisation. Spear phishing is represented in Fig 3.

M. Nazreen Banu et al, / (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 4 (6) , 2013, 783-786

www.ijcsit.com 783

Fig 3: Spear phishing

C. Phone phishing

This type of phishing refers to messages that claim to be from a bank and ask users to dial a phone number regarding problems with their bank accounts. SMS phishing is a variation of phone phishing. The end user receives an SMS telling him that he has successfully subscribed to a service [4]; if he wants to unsubscribe from the service he should visit a website. The end user then visits the website and provides sensitive information. Fig 4 represents how an attacker gets the user's details by SMS.

Fig 4: Phone phishing

D. DNS-Based Phishing (Pharming)

Pharming is an attack that aims to redirect a website's traffic to another, bogus site. Pharming interferes with the resolution of a domain name to an IP address so that the domain name of the genuine web site is mapped onto the IP address of the rogue website [6]. DNS-based phishing is depicted in Fig 5.

Fig 5: DNS Based phishing

If the domain name www.barclays.co.uk is typed in the address bar, it is redirected to www.google.co.uk, as shown in Fig 6.

Fig 6: Website redirection

E. Man-in-the-middle attack

A man-in-the-middle attack refers to an attack in which an attacker secretly intercepts the electronic messages exchanged between sender and receiver and then captures, inserts and modifies messages during transmission [7]. A man-in-the-middle attack uses Trojan horses to intercept personal information. It is shown in Fig 7.

Fig 7: Man-In-The-Middle Attack

III. THEORETICAL ASPECTS OF PHISHING TECHNIQUES

Various techniques have been developed to conduct phishing attacks. They are described as follows.

A. Email spoofing

Email spoofing is used to make fraudulent emails appear to come from legitimate senders so that recipients are more likely to believe the message and act on its instructions. Email spoofing is possible because the Simple Mail Transfer Protocol does not include an authentication mechanism. To send spoofed emails, the sender inserts commands in the headers that alter the message information [5]. It is possible to send a message that appears to be from anyone, anywhere, saying whatever the sender wants it to say. Fig 8 shows an example of e-mail spoofing.


Fig 8: Email Spoofing
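As an added example (not the paper's code), the following Python check shows what a receiving mail server or client can do about the missing authentication in SMTP: it reads the Authentication-Results header that SPF, DKIM and DMARC evaluation leaves on a message and compares the From: domain with Return-Path: and Reply-To:. Both sample messages and every domain in them are constructed.

```python
"""Flag messages whose From: header is not backed by sender authentication.

Added example, not the paper's code. SMTP itself carries no authentication, so
receivers add SPF/DKIM/DMARC checks and record the outcome in an
Authentication-Results header. This function reads that header and compares the
From: domain with Return-Path: and Reply-To:, returning every reason to distrust
the message. Both sample messages below are constructed.
"""
import email
import re
from email.utils import parseaddr
from typing import Dict, List

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def _domain(header_value) -> str:
    """Lower-cased domain part of an address header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _auth_results(msg) -> Dict[str, str]:
    """Collect method -> result from every Authentication-Results header."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for match in AUTH_RESULT_RE.finditer(hdr):
            results[match.group(1).lower()] = match.group(2).lower()
    return results


def spoof_indicators(raw_message: str) -> List[str]:
    """Return the reasons to distrust the From: header (empty if none)."""
    msg = email.message_from_string(raw_message)
    reasons = []
    from_domain = _domain(msg["From"])
    for header in ("Return-Path", "Reply-To"):
        other = _domain(msg[header])
        if other and other != from_domain:
            reasons.append(f"{header} domain {other} differs from From domain {from_domain}")
    auth = _auth_results(msg)
    if auth.get("dmarc") != "pass":
        reasons.append(f"DMARC result is {auth.get('dmarc', 'missing')}")
    if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        reasons.append("neither SPF nor DKIM passed")
    return reasons


# Constructed sample: the From: domain is not the domain that actually sent it.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=bank.example
From: "Example Bank" <alerts@bank.example>
Reply-To: <support@bank-secure.example.net>
To: customer@example.org
Subject: Verify your account

Your account will be suspended unless you log in at the link below.
"""

# Constructed sample: aligned sender, all three checks pass.
LEGITIMATE_MESSAGE = """\
Return-Path: <alerts@bank.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: "Example Bank" <alerts@bank.example>
To: customer@example.org
Subject: Monthly statement

Your statement for this month is available in online banking.
"""
```

The check trusts the Authentication-Results header only because the receiving server wrote it; a mail client should strip any such header that arrives from outside before its own MTA adds one, otherwise the header itself can be forged along with From:.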

B. Web spoofing

A phisher can forge a website that looks identical to a legitimate website so that victims think it is the genuine site and enter personal information, which is collected by the phisher. Web spoofing creates a shadow copy of the World Wide Web [8]. The shadow copy is funnelled through the attacker's machine. Fig 9 shows how the attacker works.

Fig 9: Web spoofing

Modern web browsers have built-in security indicators, including domain name highlighting and HTTPS indicators, as shown in Fig 10. They are often neglected by careless users. Modern web browsers display a padlock icon when visiting an HTTPS web site. HTTPS is Hyper Text Transfer Protocol over Transport Layer Security, which provides encryption and identification through a public key infrastructure.

Fig 10: Padlock icon in HTTPS

Web browsers examine the certificate presented by the web server. The certificate is considered invalid if any of the following situations occurs: the certificate has expired, the certificate is not signed by a root CA, the certificate has been revoked by the CA, or the website host name does not match the subject name in the certificate. Fig 11 shows the warning message provided by web browsers. In this case the browser displays a warning and the address bar turns red.

Fig 11: Certificate Verification
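The four invalidity conditions listed above, applied in code as an added example that is not part of the paper. The function works on the dictionary layout that Python's ssl.getpeercert() returns, so constructed certificates can be checked offline; the trusted-issuer set, the revoked-serial set and both sample certificates are constructed stand-ins for a browser's root store, a CRL/OCSP answer and real server certificates.

```python
"""Apply the four certificate checks listed above to a peer certificate.

Added example, not the paper's code. It works on the dictionary shape that
Python's ssl.getpeercert() returns, so constructed certificates can be checked
offline. TRUSTED_ROOT_ISSUERS stands in for a browser root store and
REVOKED_SERIALS for a CRL/OCSP answer; both, and the sample certificates, are
constructed.
"""
import ssl
import time
from typing import Dict, List, Optional, Sequence

TRUSTED_ROOT_ISSUERS = {"Example Root CA"}     # constructed root store
REVOKED_SERIALS = {"0BAD"}                     # constructed CRL contents


def _name_field(name: Sequence, field: str) -> Optional[str]:
    """Pull one attribute (e.g. commonName) out of an ssl-style name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == field:
                return value
    return None


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or one wildcard in the left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_problems(cert: Dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Return the reasons the certificate is invalid for hostname (empty if valid)."""
    now = time.time() if now is None else now
    problems = []
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired")
    if _name_field(cert["issuer"], "commonName") not in TRUSTED_ROOT_ISSUERS:
        problems.append("issuer not a trusted root CA")
    if cert.get("serialNumber") in REVOKED_SERIALS:
        problems.append("revoked")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    common_name = _name_field(cert["subject"], "commonName")
    if not names and common_name:        # CN is only consulted when no SAN exists
        names = [common_name]
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append("hostname mismatch")
    return problems


# Constructed sample certificates in ssl.getpeercert() layout.
GOOD_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "*.bank.example")),
    "notAfter": "Dec 31 23:59:59 2099 GMT",
    "serialNumber": "1A2B",
}
BAD_CERT = {
    "subject": ((("commonName", "www.bank-login.example"),),),
    "issuer": ((("commonName", "Free Self-Signed CA"),),),
    "subjectAltName": (("DNS", "www.bank-login.example"),),
    "notAfter": "Jan 01 00:00:00 2020 GMT",
    "serialNumber": "0BAD",
}
# Fixed "current time" so the result does not depend on when this runs.
CHECK_TIME = ssl.cert_time_to_seconds("Jan 01 00:00:00 2025 GMT")
```

A real verifier also walks the full chain and checks each signature; this sketch only mirrors the four decisions named in the text, and it deliberately ignores the subject CN when a subjectAltName is present, which is what current browsers do.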

C. DNS Cache Poisoning

DNS cache poisoning attempts to feed the cache of a local DNS resolver with incorrect records. DNS runs over UDP, and it is easy to spoof the source address of a UDP packet [9]. For example, an attacker who wants his IP address returned for a DNS query can reply first, with his own IP, when the resolver asks NS1.google.com for www.google.com. Fig 12 shows the DNS poisoning attack.

Fig 12: DNS Cache poisoning
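The resolver-side defence against the race described above, as an added example that is not the paper's code: before a reply is cached it must match an outstanding query on transaction ID, the randomised source port the query left from, and the question name and type, and only the first matching reply is accepted. The packet builder and parser handle a single uncompressed A record so the example runs offline; the names and addresses are constructed.

```python
"""Resolver-side acceptance check for DNS replies.

Added example, not the paper's code. A resolver that caches the first reply it
receives is exposed to the race described above. The standard mitigation is to
match every reply against the outstanding query before caching: same 16-bit
transaction ID, same (randomised) source port the query left from, and the same
question name and type; once a query is answered, further replies are ignored.
Packets are built and parsed with struct so the example runs offline; names and
addresses are constructed.
"""
import random
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

A_RECORD = 1


def _encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _decode_name(data: bytes, off: int) -> Tuple[str, int]:
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            break
        labels.append(data[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def build_query(txid: int, name: str, qtype: int = A_RECORD) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid: int, name: str, ipv4: str, ttl: int = 300) -> bytes:
    """One-question, one-answer reply (uncompressed names, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    question = _encode_name(name) + struct.pack("!HH", A_RECORD, 1)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = _encode_name(name) + struct.pack("!HHIH", A_RECORD, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(data: bytes) -> dict:
    txid, _flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    qname, off = _decode_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
    off += 4
    _aname, off = _decode_name(data, off)
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
    off += 10
    ipv4 = ".".join(str(b) for b in data[off:off + rdlen])
    return {"txid": txid, "qname": qname, "qtype": qtype, "ipv4": ipv4}


@dataclass
class Pending:
    qname: str
    qtype: int
    answered: bool = False


class Resolver:
    """Tracks outstanding queries keyed by (transaction ID, source port)."""

    def __init__(self) -> None:
        self.pending: Dict[Tuple[int, int], Pending] = {}
        self.cache: Dict[Tuple[str, int], str] = {}

    def send_query(self, name: str, qtype: int = A_RECORD) -> Tuple[bytes, int, int]:
        txid = random.randrange(0, 1 << 16)          # unpredictable transaction ID
        port = random.randrange(1024, 65536)         # unpredictable source port
        self.pending[(txid, port)] = Pending(name, qtype)
        return build_query(txid, name, qtype), txid, port

    def receive(self, data: bytes, dst_port: int) -> bool:
        """Accept a reply only if it matches an unanswered query exactly."""
        reply = parse_response(data)
        entry = self.pending.get((reply["txid"], dst_port))
        if entry is None or entry.answered:
            return False                              # unknown txid/port, or duplicate
        if reply["qname"].lower() != entry.qname.lower() or reply["qtype"] != entry.qtype:
            return False                              # answer for a different question
        entry.answered = True
        self.cache[(entry.qname, entry.qtype)] = reply["ipv4"]
        return True
```

The two random values give roughly 32 bits a forged reply has to guess blind, which is why source-port randomisation was the mitigation rolled out to resolvers; DNSSEC removes the guessing game entirely by letting the resolver verify the answer's signature instead of its envelope.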

D. Malware

Malware is software used to disrupt computer operation or gather sensitive information. It can appear in the form of code, scripts, active content and other software. Malware includes viruses, worms, Trojan horses, key loggers, spyware and adware. Client security products are able to detect and remove malware and other potentially unwanted programs, but phishers can make malware undetectable [10]. Keystrokes, screenshots, clipboard contents and program activity can be collected and sent to phishers by e-mail, FTP server or IRC channel. Malware detection is represented in Fig 13.


Fig 13: Malware Warning

IV. ANTI-PHISHING TECHNIQUES

AntiPhish is based on the premise that, for inexperienced, technically unsophisticated users, it is better for an application to check the trustworthiness of a web site on behalf of the user. Unlike a user, an application will not be fooled by obfuscation tricks such as a similar-sounding domain name [11]. AntiPhish is an application integrated into the web browser, as depicted in Fig 14. It keeps track of a user's sensitive information and prevents this information from being passed to a web site that is not considered "trusted".

Fig 14: Anti-phishing integration in Browser

In general, anti-phishing techniques can be classified into the following four categories [12].

Content Filtering- In this methodology content/email is filtered as it enters the victim's mailbox, using machine learning methods such as Bayesian Additive Regression Trees or Support Vector Machines.

Black Listing- A blacklist is a collection of known phishing web sites/addresses published by trusted entities, such as Google's and Microsoft's blacklists. It requires both a client and a server component. The client component is implemented as either an email or browser plug-in that interacts with a server component, which in this case is a public web site that provides a list of known phishing sites.

Symptom-Based Prevention- Symptom-based prevention analyses the content of each web page the user visits and generates phishing alerts according to the type and number of symptoms detected.

Domain Binding- This is a client browser-based technique in which sensitive information is bound to particular domains. It warns the user when he visits a domain to which the user's credentials are not bound.
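The domain-binding idea behind AntiPhish and the symptom-based category above, written out as an added example that is neither the AntiPhish code nor the paper's. Credentials are held only as keyed hashes, each tied to the domains the user enrolled them for, and a submission anywhere else produces a warning; a small symptom scorer for the visited URL shows the other category. The key, domains, URLs and credentials are all constructed.

```python
"""Domain binding and symptom-based checks for a browser-side phishing guard.

Added example; it is not the AntiPhish code or the paper's. Credentials are
stored only as HMAC tags keyed with a constructed secret, each tag bound to the
domains the user enrolled; a submission to any other domain raises a warning.
url_symptoms() scores a URL the way a symptom-based filter would. All domains,
URLs and secrets below are constructed.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse


class DomainBinder:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self._bindings: Dict[str, Set[str]] = {}   # credential tag -> domains

    def _tag(self, secret: str) -> str:
        # Keyed hash so the store never holds the plaintext credential.
        return hmac.new(self._key, secret.encode("utf-8"), hashlib.sha256).hexdigest()

    def bind(self, secret: str, domain: str) -> None:
        self._bindings.setdefault(self._tag(secret), set()).add(domain.lower())

    def check_submission(self, secret: str, url: str) -> Optional[str]:
        """None if the credential may go to this URL's host; else a warning."""
        host = (urlparse(url).hostname or "").lower()
        bound = self._bindings.get(self._tag(secret))
        if bound is None or host in bound:
            return None            # unknown credential, or an enrolled domain
        return f"credential bound to {sorted(bound)} is being sent to {host!r}"


IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def url_symptoms(url: str) -> List[str]:
    """Symptom-based check: each entry is one reason to alert on the page."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    symptoms = []
    if parts.scheme != "https":
        symptoms.append("not https")
    if IPV4_RE.fullmatch(host):
        symptoms.append("IP address as host")
    if "@" in parts.netloc:
        symptoms.append("userinfo in URL")          # hides the real host
    if host.count(".") >= 4:
        symptoms.append("many subdomains")
    if len(url) > 120:
        symptoms.append("unusually long URL")
    return symptoms


def assess(binder: DomainBinder, secret: str, url: str) -> List[str]:
    """Combine both checks into one list of alerts for a form submission."""
    alerts = url_symptoms(url)
    warning = binder.check_submission(secret, url)
    if warning:
        alerts.append(warning)
    return alerts
```

The binding check is the one that catches a convincing clone: a page can copy every pixel of the real site, but it cannot be served from the domain the credential was enrolled for, and that is the only thing this check looks at.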

V. CONCLUSION

Phishing attacks are still successful because of the many inexperienced and unsophisticated internet users. Recent years have brought a dramatic increase in the number and sophistication of such attacks. This paper provides a broad survey of the various phishing types used by attackers to steal sensitive information. The study clearly shows that phishing techniques enable attackers to steal information efficiently. Our future work is to compare various anti-phishing techniques and choose the best one for further research.

REFERENCES

[1] Antonio San Martino, Xavier Perramon, “Phishing Secrets: History, Effects, and Countermeasures”, International Journal of Network Security, Vol. 11, No. 3, pp. 163–171, Nov. 2010.

[2] Clone Phishing - Phishing, from Wikipedia, the free encyclopedia, http://en.wikipedia.org/wiki/Phishing

[3] Bimal Parmar, Faronics, “Protecting against spear-phishing”, http://www.faronics.com/assets/CFS_2012-01_Jan.pdf

[4] Phone spoofing, from Wikipedia, the free encyclopedia, http://en.wikipedia.org/wiki/Phishing#Phone_phishing

[5] Email spoofing, from Wikipedia, the free encyclopedia, http://en.wikipedia.org/wiki/Email_spoofing

[6] John, “DNS-Based Phishing Attack in Public Hotspots”

[7] Mattias Eriksson, “An Example of a Man-in-the-middle Attack Against Server Authenticated SSL-sessions”

[8] Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S. Wallach, “Web Spoofing: An Internet Con Game”

[9] Joe Stewart, “DNS Cache Poisoning – The Next Generation”

[10] Malware, from Wikipedia, the free encyclopedia, http://en.wikipedia.org/wiki/Malware

[11] Engin Kirda, Christopher Kruegel, “Protecting users against Phishing attacks”, The Computer Journal, Vol. 00, No. 0, 2005

[12] Gaurav, Madhuresh Mishra, Anurag Jain, “Anti-Phishing Techniques: A Review”, International Journal of Engineering Research and Applications, ISSN: 2248-9622, Vol. 2, Issue 2, Mar-Apr 2012, pp. 350-355


International Journal of Computer Trends and Technology (IJCTT) – volume 7 number 1 – Jan 2014

ISSN: 2231-2803 www.internationaljournalssrg.org Page 52

Aligning Cloud Computing Security with Business Strategy

Hany Mohamed Hassan El-Hoby 1, Mohammed A. F. Salah 2, Prof. Dr. Mohd Adam Suhaimi 3

1 (Information Systems, ICT/IIUM, Malaysia), 2 (IS, ICT/IIUM, Malaysia), 3 (IS, ICT/IIUM, Malaysia)

ABSTRACT: These days, technological growth in the IT sector is rapid. Cloud computing is one of the new technologies that has both benefits and limitations. This paper gives an overview of how cloud computing can be helpful for an enterprise and emphasizes how cloud computing can be adopted in the IT sector. The paper also discusses the security issues of cloud computing and highlights the issue of data leakage, which cloud computing clients face. The authors have designed a model to solve this issue through data isolation. Business value will be achieved through the proposed model by aligning cloud computing security with the business strategy and strengthening the security procedures that verify authenticated users through the virtual system.

Keywords: Aligning Business/IT goals, cloud computing, security, privacy.

1. INTRODUCTION

Because of serious market competition and a rapidly changing business environment, cloud computing is considered an important area for IT. The goal of this computing practice is to make better use of information technology resources, combining them to increase production and to be able to deal with various computational problems [1].

From a business perspective, companies are progressively trying to move their business processes, integrate them with the current information system (IS) programs, and construct applications based on internet technologies to exchange data with trading partners [2].

The provider must ensure that customers continue to have the same protection and privacy management over their applications and services, so that their organization and customers are protected, their service-level agreements can be met, and compliance can be proven to their auditors.

The authentication system seeks to increase the confidentiality provided by security providers. Virtualization refers to virtual processes that are used to simulate physical resources. Thus great benefit can be derived from cloud computing systems.

Cloud computing is a growing technology that can provide customers with all kinds of accessible alternatives, such as channels, tools, and applications.

This paper proposes a Trusted Platform to ensure accuracy and confidentially in Cloud Computing Security Platform (CCSP) aligned with business strategy.

1. BACKGROUND

1.1. Cloud computing concept

Cloud computing is a kind of service provision that offers all of the applications delivered as a service through the Internet, together with the hardware and software that may be located in the data center. Cloud computing is a new model that provides computing resources as services and applications, software-distributed systems and data storage [1].

1.2. Business Factors in Cloud Computing:

The potency factors of cloud computing ensure a competitive advantage and system agility in business [3].

Business value will be gained from the following factors, which will be achieved through the cloud computing service provider.

1.2.1. The business factors of cloud computing:

a- Agility and Competitive Edge: Level to which enhanced agility in working with competitive markets and customer requirements allowed alignment with cloud.


b- Cost-Benefits: Level to which financial concerns allowed alignment with cloud.

c- Executive Involvement of Business Organization(s): Level to which contribution of senior managers from business enterprise allowed alignment with cloud.

d- Executive Involvement of Information Systems Organization: Extent to which contribution of senior managers from internal information systems of the organization allowed alignment with cloud.

e- Organizational Change Management: Extent to which business change management procedures allowed alignment with cloud.

f- Participation of Client Organizations: Level to which government or industry regulating requirements allowed alignment with cloud.

g- Regulatory Requirements: Level to which government or industry regulating requirements allowed alignment with cloud.

h- Strategic Planning: Level to which business planning allowed alignment with cloud [4].

1.3. Threats, Vulnerabilities and Risks in Cloud Computing:

Bisong mentioned the risks related to cloud processing systems, which may appear as listed below [5]:

1- Cloud computing resources and components can be used through unauthorized access

2- Malicious attacks which may come from inside

3- Risks related to shared information technology systems and IT resources

4- Data can face trouble such as data loss, leakage and manipulation

5- Data manipulation, leakage and loss.

6- User account hijacking

2. Literature review

2.1. Issues to Clarify Before Adopting Cloud Computing:

Before adopting cloud computing there are some issues that should be considered:

2.1.1. User Access:

Administrators who have privileges to control the information in the cloud computing environment should follow the company's hiring rules and policies.

2.1.2. Regulatory Compliance:

The organization or company has to be sure that the security certifications and external audits that are needed are submitted by the cloud service provider.

2.1.3. Data location:

The cloud computing service provider needs to follow the organization's request to store the data in specific locations, and these locations have to follow the rules of the state concerned.

2.1.4. Isolating the data:

The organization should take care about data isolation and has to investigate whether the encryption methods are applied and work effectively.

2.1.5. Disaster Recovery:

The organization has to be sure that a data recovery plan is already active for recovering data and information, and how long it will take in case of a disaster.

2.1.6. Long-term Viability:

Ask potential suppliers how you would get your data back if they were to fail or be acquired, and find out whether the data would be in a format that you could quickly transfer into an alternative program.


2.2. Cloud Security Requirements:

The security architecture of the cloud is established after the security policy for the cloud has been constructed; the creation of the cloud security architecture should be directed by the security policy. Some of the security requirements for the cloud architecture are listed below [15]:

a. Network Time Protocol, by synchronizing systems to the same time, helps systems work correctly and gives reliable system information records. Clock divergence between systems and computers results in errors which may be difficult to identify.

b. Cloud users should be managed and verified in accordance with legal requirements and policies. For example, if the system is compromised in the future, the historical user login information can be helpful for further investigation.

c. Access to the cloud infrastructure can be narrowed and limited by identifying user information through access control. Thus, access to clients' data and information by cloud staff should be limited and restricted.

d. Security staff should deliver important security alerts on time; by identifying, analyzing and investigating these alerts, related security incidents can be controlled. The cloud computing service provider can avoid critical security incidents by providing specialized systems for intrusion detection; by installing these systems in the cloud service, they are applied automatically to the cloud users.

2.3. Security Standards and Policies:

There are many resources available to help in the enhancement of information security standards and policies. These policies and standards should be analyzed when significant changes happen in the company or in the IT environment [4].

a. Roles and responsibilities should be granted to different people. The policy should also specify the techniques for carrying out investigation reporting.

b. Backups of all infrastructure components, servers, switches, software configuration and network configuration have to be taken care of.

c. Initial and regular testing should be documented.

d. To follow the encryption standard, accepted cryptographic algorithms with an appropriate key need to be used.

e. The quality of acceptable passwords should meet the compliance criteria.

2.4. Steps to Cloud Security:

Organizations need to understand the security vulnerabilities that might appear through using cloud computing services. By following the steps below, enterprises will understand the security paradigm provided by the cloud computing service provider [5], [14]:

a. Understand the cloud

Recognize how the security of the data received by the cloud can be impacted through the cloud's loose structure. This can be achieved by looking deeply inside the cloud and knowing how data is transferred and managed by the cloud service.

b. Demand Transparency.

Ensure that the cloud computing service provider is ready to provide detailed information about the security architecture and is prepared to consent to frequent security audits. The frequent protection audit should be conducted by a separate body or government organization.

c. Reinforce Internal Security.

Ensure that the internal protection technologies and techniques of the cloud computing service provider, including firewalls and user access controls, are strong and capable of meeting the measures of cloud security.

d. Consider the Legal Implications:

Understand how the information transmitted to the cloud is going to be affected by the rules.

e. Pay attention:

Regularly get the new updates in cloud computing technology and examine how they will affect and influence the security of the data.

2.5. What are the challenges in the security of cloud computing and how to handle them:

The challenges of cloud computing are very big. The cloud architecture faces many threats, both internal and external, on cloud environments and on cloud providers.

 Multi-Tenancy

On one hand, the cloud provider develops its protection to satisfy the higher-risk customer, and all the lower-risk customers then get better protection than they would have otherwise. On the other hand, a customer may be exposed to a higher level of external threat because of the business practices of the other subscribers [6]. When dealing with information technology within a single organization, the threat is mostly for that organization alone to bear.

 Distributed Data Centers

Theoretically, a cloud computing environment should be less prone to mishaps because suppliers can offer an environment that is geographically distributed. Organizations participating in cloud computing services from a provider that is not geographically dispersed should regularly review and exercise their disaster recovery plan [7].

 Shared Risk

If a software-as-a-service provider needs infrastructure, it may be best to obtain that infrastructure from an infrastructure-as-a-service provider rather than build it [8]. The cloud service provider is thus designed in layers, with SaaS layers on top of IaaS. In this kind of multi-level service provision, each provider shares the risk of security problems, because a threat may affect all parties in all layers.

 Coding

Every client should be informed that coding at the cloud provider follows secure practices [7]. Also, all code must be written using a documented technology standard that can be demonstrated to the client.

 Data Leakage

A cloud computing project must have the ability to map the structure of the policy framework that customers must comply with, and to address this issue. At a minimum, the data under consideration should be secured. The cloud provider also needs a strategy that feeds into the customer's protection and incident-handling policy to deal with any data leakage that can happen [9].

2.6. The major technologies of cloud computing security:

The factors below are supported by the Natural Science Foundation of Shandong Province of China (2011) [8].

2.6.1. Trusted Access Control

Researchers are more concerned about cloud computing modules, since the service providers cannot be completely trusted. The question is therefore how to implement non-traditional access control over object data. The approaches that have received more attention depend on encryption techniques to manage access easily, and include: establishing a key hierarchy and strategy to provide a management technique for revoked users; standards-based encryption features; and proxy re-encryption methods and tree-based access management technology that ensures key revision for users, and so on.

2.6.2. Retrieval and Processing of Ciphertext

Some features will be lost when data is turned into ciphertext, so data analysis techniques fail. There are many techniques for ciphertext retrieval: depending on the secure index mode, a keyword index is developed and searched; the retrieval checks whether the index exists, compares every word, confirms whether the keywords are present and keeps its own statistics.

The design of cryptographic secrecy depends on homomorphic algorithms. In the early 1980s, homomorphism was suggested for a variety of additive and multiplicative homomorphic algorithms, but it turned out that there were safety problems, and follow-up work is still a long way from practical use [8].

2.6.3. Protection of data privacy

The data life cycle raises concerns about data privacy protection in the cloud at each level. In the phase of data generation and computation, Roy integrated centralized information flow control and differential privacy protection technology and came up with a privacy system that prevents the illegal leakage of private data during computation and supports automatic addition of noise to computed results. Mowbray proposed client-based privacy management tools, introducing a trust-centric model to help users control the storage and use of sensitive information in the cloud.

Muntés-Mulero shows that pre-existing privacy technologies, including anonymization, k-anonymity and data processing, will face massive problems when data is published, and discusses some existing solutions. Raykova proposed an anonymous interactive data search engine. It lets databases search each other interactively and obtain the aspects they need, while ensuring that the query search is not known to the other side.

2.6.4. Virtual Technology Solution

Virtualization is one of the best techniques for distinguishing cloud computing services. The cloud computing model depends on virtualization technology in the cloud architecture, which cloud providers use to introduce security and data isolation for their customers.

Santhanam provides isolation actuators based on virtual machines in a grid environment. Raj provides security and performance isolation with two resource-management techniques: first, cache-level-aware core assignment; second, partitioned cache with page colouring.

The writers support Wei in his insight into the security problem of virtual machine image files. Because image files have a high level of integrity, they help solve many problems, i.e. access control, security breaches, source tracking and filtering, and attacks on the data are easy to detect [8].

2.6.5. Trusted technology

Trusted solutions have become a big matter in the cloud environment, where IaaS must be provided in a trustworthy manner; trust has become a hot research area because of the many security issues.

Santos suggested TCCP, a trusted cloud computing platform. It provides a closed box-type execution environment; based on this platform, the IaaS service provider ensures the confidentiality of the guest virtual systems that are running. In addition, the IaaS service provider introduces a secure service that allows the user to start a virtual machine. Trusted computing technology provides trusted hardware and software. Sadeghi believes that trusted design, the credibility of symbolic software under a security briefing authentication model, proves itself a credible method without disclosing any information; it can perform various functions for data confidentiality and integrity, with sensitive operations such as data encryption, to solve the outsourcing of data [8].

3. Problem statement:

There are many problems and challenges facing cloud computing providers and cloud clients. Therefore, data has to be isolated to avoid data leakage.

This paper suggests that to protect cloud computing, service providers should secure data first. Overall, for companies to defend their information it is very important to classify their data to know what guidelines they must adhere to in order to secure it:

 Its sensitivity, to be handled at a specific trust level.

 Determine what stage of protection it needs. Different cloud designs offer various levels of business protection.

 Identify what kinds of information and procedures to move to the cloud [9].

4. Research model:

The model suggests that the cloud computing facility should be created by the service providers by incorporating the requirements of the business. To co-create value for sustainability, organizations need to take a more extensive view of the surroundings in which they compete. The corporation needs to build and sustain resource-alignment abilities that allow collaborating firms to develop "solutions" to business problems that customers will value (Teece, 2010) [11].

The cloud system structure used to deliver IaaS includes the software and hardware resident in the cloud. Although there are several perspectives, they all share the same core elements, namely people, procedures and technology. Organizations of all sizes across nearly every industry are investigating new ways to address their business needs. Cloud computing provides many alternatives to the problems they have faced.

The authors have developed a conceptual framework for co-creation of value for business.

The dynamic-capability value co-creation framework should involve the following capabilities:

- Client-Side Security abilities
- Virtual System Security capabilities
- Authentication capabilities
- Management of cloud services abilities (Access Control)
- Market alignment abilities
- Business capabilities

(Fig 1. Framework for Co-creation of Value on IT Business in cloud computing)

Data will be stored in the cloud, which is built in a distributed environment shared with other clients' data. As enterprises move sensitive data, it has to be ensured that the data can only be used by authorized persons who present proper authentication, so that the data remains safe from any unauthorized users.

4.1. The proposed model:

The proposed model provides a universal service to the customers, with a high level of trust so as to be trustworthy to the customers. It consists of the following:

o Client-Side Security abilities: Successful protection against attacks needs both a protected client and a secure website infrastructure. Browsers are an important element in a cloud environment, and their plug-ins and extensions are notorious for their security issues [12]. Moreover, many web browser add-ons do not offer automatic updates, which increases vulnerabilities.

o Virtual System Security capabilities: Virtualization systems include network switches and hubs that are configured as part of the virtual environment. They can create software networks that allow VMs to connect directly, immediately and efficiently; for example, a VMware virtual network infrastructure that supports the same networks as the host, with a subnet created especially for VMs that do not require access to the external network. Security protection devices cannot see the traffic on such networks, so network-based attack detection and firewall protection do not cover it. This model provides, or compensates for, the lacking protection against attacks on service providers in cloud computing by creating a virtual network that duplicates the actual protections [12].

o Authentication: Most cloud service providers support the Security Assertion Markup Language (SAML) and use it to manage customers and authenticate them before granting access to platforms and information. SAML introduces techniques for exchanging data, such as assertions about a subject or authentication information, among participating websites [10].

o Access Control: Besides authentication, the ability to grant privileges to users and to maintain control over access to resources is also required, as part of identity management. Standards such as the eXtensible Access Control Markup Language (XACML) can be used to control access to cloud resources, rather than relying on the service provider's proprietary interface. XACML concentrates on the procedure for arriving at authorization decisions, which complements SAML's focus on the means for transferring authentication and authorization decisions among the entities involved. XACML is able to manage the proprietary service interfaces of most suppliers, and some cloud companies, such as Amazon.com and Google Apps, already have this in place. Messages can be attacked when they pass between XACML entities, because they are exposed to third parties, which makes it important to have safety measures in place to protect decision requests and authorization decisions from potential attacks through unauthorized disclosure, replay, removal and alteration [12].
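As an added illustration of the two points above (it is not code from the paper or from any standard), the following shows a minimal XACML-style policy decision point that denies by default, together with a protected channel for its decisions that lets the enforcement point detect altered, replayed or stale authorization decisions. The roles, resources and shared HMAC key are constructed, and the HMAC stands in for the XML signatures the real standards use.

```python
import hashlib, hmac, json, secrets, time
# Constructed attribute-based rules in the spirit of XACML (hypothetical roles
# and resources): a rule matches on subject role, resource and action.
POLICY = [
    {"role": "tenant-admin", "resource": "orders", "action": "read", "effect": "Permit"},
    {"role": "tenant-admin", "resource": "orders", "action": "write", "effect": "Permit"},
    {"role": "customer", "resource": "orders", "action": "read", "effect": "Permit"},
]

def evaluate(request):
    """Policy decision point: first matching rule wins; no match means Deny."""
    for rule in POLICY:
        if all(request.get(k) == rule[k] for k in ("role", "resource", "action")):
            return rule["effect"]
    return "Deny"

class DecisionChannel:
    """Carries decisions from the decision point to the enforcement point.
    Each message is bound to its request, carries a nonce and a timestamp, and
    is authenticated with an HMAC under a shared key (a stand-in for the XML
    signatures the standards use), so alteration, replay and staleness are detected."""

    def __init__(self, key, max_age=30):
        self.key, self.max_age, self.seen = key, max_age, set()

    def sign(self, request, now=None):
        body = {"request": request, "decision": evaluate(request),
                "nonce": secrets.token_hex(8),
                "ts": int(time.time()) if now is None else now}
        raw = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self.key, raw, hashlib.sha256).hexdigest().encode()
        return raw + b"." + tag

    def verify(self, message, request, now=None):
        """Return the decision, or None if the message fails any check."""
        raw, _, tag = message.rpartition(b".")
        expected = hmac.new(self.key, raw, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return None  # altered in transit
        body = json.loads(raw)
        now = int(time.time()) if now is None else now
        if body["request"] != request:
            return None  # decision was issued for a different request
        if not (now - self.max_age <= body["ts"] <= now + 5):
            return None  # stale, or a clock too far ahead
        if body["nonce"] in self.seen:
            return None  # replayed
        self.seen.add(body["nonce"])
        return body["decision"]
```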

o Data Isolation: This model proposes data isolation to keep the database integrated and safe from outside attack and unauthorized users. This component works with the virtual system structure to give users a real system once the access control stage is done. The technique keeps data away from unauthorized users by encryption. The customer completes his own purchase process on the cloud portal; the system then analyzes the records submitted by the client to confirm that this is a real purchase, and moves from the virtual system to the real one so that the business process is carried out safely. The system can then book the goods and update the database repository.

4.2. Cloud Goals in this model:

These goals will be accomplished through a cloud investment strategy:

- Reduce the costs to subscriber companies.
- Introduce alternative IT solutions through the virtual system to confirm best-practice procedures.
- Improve client satisfaction by duplicating the actual protections.
- Standardize authentication and guidance.
- Improve performance.
- Improve the service abilities.
- Create business value.

4.3. Business Processes:

A business procedure is an organized set of activities developed to generate a particular outcome or accomplish a goal. This implies a strong emphasis on how work is performed within an organization, in contrast with the product approach, in which the emphasis is on what is created. Therefore, a procedure is a specific sequence of activities performed through time and space, with a beginning, an end, and clearly assigned inputs and outputs.

4.4. Business/IT alignment in cloud security model:

A relational procedure that enables both IT people and business people to fulfil their responsibilities in support of business/IT alignment, creating value from information technology to inform business investments [13].

(Figure 2, Business/IT goals)

The authors state that the result of the model was a thorough understanding of the goals of information technology and the business goals, and of how they connect. This paper contains detailed findings on how the goals of information technology can support business goals. Figure 2 shows in a matrix how the goals of information technology relate to business goals. For example, the IT goal "Make sure that IT services are available and secure" supports all business goals in either a primary (P) or a secondary (S) manner. The IT goal "Accomplish proper use of applications, information and technology solutions" supports all business goals in a secondary (S) manner. And the IT goal "Improve IT's cost-efficiency" supports some business goals in a primary (P) manner [13].

The outcomes of this paper provide authentic guidance. The writers focus on the correlation between the security problem and trust in order to build up the business goals and the information technology goals for a particular enterprise, and in this way obtain the best participation in the business/IT alignment issue.

5. Conclusion:

This model attempts, by means of a virtualization part, to duplicate the actual protections in order to create a better market and a safer environment. System appliances will help simplify this conversion. Cloud computing, together with virtualization software, keeps data far from unauthorized users and will also create new business designs that enable providers to offer a single product on premises, on demand, or in a hybrid deployment pattern. Meanwhile, it is necessary to begin understanding the new characteristics that will appear in order to offer applications and components to end customers.

From the authors' perspective, to protect cloud computing the service providers should secure data first. Overall, companies should defend their information and then protect the infrastructure. In this area, the authors developed a model to keep data from leakage and secure it in cloud computing.

6. Acknowledgements:

We would like to thank our Prof. Dr. Mohd Adam Suhaimi for his kind assistance and great contribution to this research.

7. References

1- Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Lee, G., Patterson, D., Rabkin, A., Stoica, I., Konwinski, A., & Zaharia, M. (2010). A view of cloud computing. Communications of the ACM, 53(4), 50–58.

2- Low, C., Chen, Y., & Wu, M. (2011). Understanding the determinants of cloud computing adoption. Industrial Management & Data Systems, 111(7), 1006–1023.

3- Barber, H. H., Lawler, J., Desai, S., & Joseph, A. (2012). A study of cloud computing Software-as-a-Service (SaaS) in financial firms. Education Special Interest Group of the AITP, 5(2205), 1–14.

4- Joseph, A., Kim, P., & Wu, P. (2013). Information Systems Applied Research, Special Issue: Cloud Computing, 6(3), 1–33.

5- Bisong, A. (2011). An overview of the security concerns in, 3(1), 30–45.

6- Wang, C., Chow, S. S. M., Wang, Q., Ren, K., & Lou, W. (2013). Privacy-preserving public auditing for secure cloud storage. Institute of Electrical and Electronics Engineers (IEEE), 62(2), 1–12.

7- Wang, C., Wang, Q., Ren, K., & Lou, W. (2009). Ensuring data storage security in cloud computing. International Workshop on Quality of Service, 1–9.

8- Ming, T., & Yongsheng, Z. (2012). Analysis of cloud computing and its security. Information Technology in Medicine and Education (ITME), 1, 379–381.

9- Hamouda, S. (2012). Security and privacy in cloud computing. Cloud Computing Technologies, Applications and Management (ICCCTAM), 241–245.

10- Zissis, D., & Lekkas, D. (2012). Addressing cloud computing security issues. Future Generation Computer Systems, 28(3), 583–592.

11- Teece, D. J. (2010). Business models, business strategy and innovation. Long Range Planning, 43(2-3), 172–194.

12- Jansen, W. A. (2011). Cloud hooks: Security and privacy issues in cloud computing. Hawaii International Conference on System Sciences, 1–10.

13- Van Grembergen, W., & De Haes, S. (2008). Enterprise governance of information technology: Achieving strategic alignment and value. New York: Springer.

14- Edwards, J. (2009). Cutting through the fog of cloud security. Computerworld (Framingham), 43(8), 3–26.

15- Francis, T., & Vadivel, S. (2012). Cloud computing security: Concerns, strategies and best practices. Cloud Computing Technologies, Applications and Management (ICCCTAM), 205–207.
