Securing clouds using cryptography and traffic classification

PhD Thesis


Khader Al-Nassar, Aqeel Sahi. 2018. Securing clouds using cryptography and traffic classification. PhD Thesis Doctor of Philosophy. University of Southern Queensland. https://doi.org/10.26192/5c0de0e2f69e0

Type: PhD Thesis
Author: Khader Al-Nassar, Aqeel Sahi
Supervisor: Lai, David; Li, Yan
Institution of Origin: University of Southern Queensland
Qualification Name: Doctor of Philosophy
Number of Pages: 309
Year: 2018
Digital Object Identifier (DOI): https://doi.org/10.26192/5c0de0e2f69e0
Abstract

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. Over the last decade, cloud computing has gained popularity and wide acceptance, especially within the health sector where it offers several advantages such as low costs, flexible processes, and access from anywhere.

Although cloud computing is widely used in the health sector, numerous issues remain unresolved. Several studies have attempted to review the state of the art in eHealth cloud privacy and security; however, some of these studies are outdated or do not cover certain vital features of cloud security and privacy such as access control, revocation and data recovery plans. This study targets some of these problems and proposes protocols, algorithms and approaches to enhance the security and privacy of cloud computing with particular reference to eHealth clouds.

Chapter 2 presents an overview and evaluation of the state of the art in eHealth security and privacy. Chapter 3 introduces different research methods and describes the research design methodology and processes used to carry out the research objectives. Of particular importance are authenticated key exchange and block cipher modes. In Chapter 4, a three-party password-based authenticated key exchange (TPAKE) protocol is presented and its security analysed. The proposed TPAKE protocol shares no plaintext data; all data shared between the parties are either hashed or encrypted. Using the random oracle model (ROM), the security of the proposed TPAKE protocol is formally proven based on the computational Diffie-Hellman (CDH) assumption. Furthermore, the analysis included in this chapter shows that the proposed protocol can ensure perfect forward secrecy and resist many kinds of common attacks such as man-in-the-middle attacks, online and offline dictionary attacks, replay attacks and known key attacks. Chapter 5 proposes a parallel block cipher (PBC) mode in which blocks of cipher are processed in parallel. The results of speed performance tests for this PBC mode in various settings are presented and compared with the standard CBC mode. Compared to the CBC mode, the PBC mode is shown to give execution time savings of 60%. Furthermore, in addition to encryption based on AES 128, the hash value of the data file can be utilised to provide an integrity check. As a result, the PBC mode has a better speed performance while retaining the confidentiality and security provided by the CBC mode.

Chapter 6 applies TPAKE and PBC to eHealth clouds. Related work on security, privacy preservation and disaster recovery is reviewed. Next, two approaches focusing on security preservation and privacy preservation, and a disaster recovery plan are proposed. The security preservation approach is a robust means of ensuring the security and integrity of electronic health records and is based on the PBC mode, while the privacy preservation approach is an efficient authentication method which protects the privacy of personal health records and is based on the TPAKE protocol. A discussion about how these integrated approaches and the disaster recovery plan can ensure the reliability and security of cloud projects follows.

Distributed denial of service (DDoS) attacks are the second most common cybercrime attacks after information theft. The timely detection and prevention of such attacks in cloud projects are therefore vital, especially for eHealth clouds. Chapter 7 presents a new classification system for detecting and preventing DDoS TCP flood attacks (CS_DDoS) for public clouds, particularly in an eHealth cloud environment. The proposed CS_DDoS system offers a solution for securing stored records by classifying incoming packets and making a decision based on these classification results. During the detection phase, CS_DDoS identifies and determines whether a packet is normal or from an attacker. During the prevention phase, packets classified as malicious are denied access to the cloud service, and the source IP is blacklisted. The performance of the CS_DDoS system is compared using four different classifiers: a least-squares support vector machine (LS-SVM), naïve Bayes, K-nearest-neighbour, and multilayer perceptron. The results show that CS_DDoS yields the best performance when the LS-SVM classifier is used. This combination can detect DDoS TCP flood attacks with an accuracy of approximately 97% and a Kappa coefficient of 0.89 when under attack from a single source, and 94% accuracy and a Kappa coefficient of 0.9 when under attack from multiple attackers. These results are then discussed in terms of the accuracy and time complexity, and are validated using a k-fold cross-validation model.

Finally, a method to mitigate DoS attacks in the cloud and reduce excessive energy consumption through managing and limiting certain flows of packets is proposed. Instead of a system shutdown, the proposed method ensures the availability of service. The proposed method manages the incoming packets more effectively by dropping packets from the most frequent requesting sources. This method can process 98.4% of the accepted packets during an attack.

Practicality and effectiveness are essential requirements of methods for preserving the privacy and security of data in clouds. The proposed methods successfully secure cloud projects and ensure the availability of services in an efficient way.

Keywords: cloud computing, cryptography, classification, security
ANZSRC Field of Research 2020: 460401. Cryptography; 460499. Cybersecurity and privacy not elsewhere classified
Byline Affiliations: School of Agricultural, Computational and Environmental Sciences
Permalink: https://research.usq.edu.au/item/q4yxx/securing-clouds-using-cryptography-and-traffic-classification

Related outputs

A Review of the State of the Art in Privacy and Security in the eHealth Cloud
Sahi, Aqeel, Lai, David and Li, Yan. 2021. "A Review of the State of the Art in Privacy and Security in the eHealth Cloud." IEEE Access. 9, pp. 104127-104141. https://doi.org/10.1109/ACCESS.2021.3098708
An efficient hash based parallel block cipher mode of operation
Sahi, Aqeel, Lai, David and Li, Yan. 2018. "An efficient hash based parallel block cipher mode of operation." 3rd IEEE International Conference on Computer and Communication Systems (ICCCS 2018). Nagoya, Japan 27 - 30 Apr 2018 New York, United States.
Three-party password-based authenticated key exchange protocol based on the computational Diffie-Hellman assumption
Sahi, Aqeel, Lai, David and Li, Yan. 2018. "Three-party password-based authenticated key exchange protocol based on the computational Diffie-Hellman assumption." International Journal of Communication Networks and Distributed Systems. 21 (4), pp. 560-581. https://doi.org/10.1504/IJCNDS.2018.095373
An Efficient DDoS TCP Flood Attack Detection and Prevention System in a Cloud Environment
Sahi, Aqeel, Lai, David, Li, Yan and Diykh, Mohammed. 2017. "An Efficient DDoS TCP Flood Attack Detection and Prevention System in a Cloud Environment." IEEE Access. 5, pp. 6036-6048. https://doi.org/10.1109/ACCESS.2017.2688460
An energy efficient TCP DoS attacks mitigation method in cloud computing
Sahi, Aqeel, Lai, David and Li, Yan. 2017. "An energy efficient TCP DoS attacks mitigation method in cloud computing." Al-Jumaily, Adel Ali, Barifcani, Ahmed and Al-Jumaily, Ahmed (ed.) 1st MoHESR and HCED Iraqi Scholars Conference in Australasia 2017 (ISCA 2017). Melbourne, Australia 05 - 06 Dec 2017 Melbourne, Australia.
Security and privacy preserving approaches in the eHealth clouds with disaster recovery plan
Sahi, Aqeel, Lai, David and Li, Yan. 2016. "Security and privacy preserving approaches in the eHealth clouds with disaster recovery plan." Computers in Biology and Medicine. 78, pp. 1-8. https://doi.org/10.1016/j.compbiomed.2016.09.003
Parallel encryption mode for probabilistic scheme to secure data in the cloud
Sahi, Aqeel, Lai, David and Li, Yan. 2015. "Parallel encryption mode for probabilistic scheme to secure data in the cloud." 10th International Conference on Information Technology and Applications (ICITA 2015). Sydney, Australia 01 - 04 Jul 2015 Australia.
Preventing man-in-the-middle attack in Diffie-Hellman key exchange protocol
Khader, Aqeel Sahi and Lai, David. 2015. "Preventing man-in-the-middle attack in Diffie-Hellman key exchange protocol." 22nd International Conference on Telecommunications (ICT2015). Sydney, Australia 27 - 29 Apr 2015 United States. https://doi.org/10.1109/ICT.2015.7124683