Faculty of Automatic Control and Computers, “Politehnica” University of Bucharest. Security in Clouds: Building a Malicious Client Detection module for.


Faculty of Automatic Control and Computers, “Politehnica” University of Bucharest
Security in Clouds: Building a Malicious Client Detection module for BlobSeer
Catalin Leordeanu

Outline
- Introduction
- Secure access to Web Services over BlobSeer
- Malicious Client detection
- Policy enforcement
- Trust level
- Conclusions and future work

Introduction
This work was done as part of the KerData-PUB associated team project.
Coordinated projects:
- BlobSeer Policy Enforcement: Cristina Basescu (Master internship, Rennes)
- BlobSeer Trust Level: Ana-Maria Lepar (Bachelor project, Bucharest)
- Secure Access to Cloud Services over BlobSeer: Dumbrava Maria (Bachelor project, Bucharest)

Secure access to web services over BlobSeer
Goals:
- To use BlobSeer as a backend for web services with Axis2.
- To provide a secure environment to access and deploy web services.

Secure access to web services over BlobSeer
Security aspects:
- For each deployed service we have its owner and a list of users with access rights to it.
- The administrator is the only one with complete access to all deployed services.
- Each client can access the web services deployed by him and request access to other services.
- The actual blobs are hidden from the user and can only be accessed through service invocations.

Service invocation patterns

Conclusions and future work
Conclusions:
- We demonstrated that we can use BlobSeer for data management for web services using Axis2.
- We integrated simple authentication and authorization mechanisms to manage the users' access rights.
Future work:
- Test this framework for more complex services and orchestration.
- Implement the delegation of access rights from one user to another.

Malicious Client Detection
Types of malicious activity:
- Protocol Breach
  - Heavy writing without the creation of a new version (WriteNoPublish)
  - Publishing the version and creating the metadata tree, but actually writing nothing (PublishNoWrite)
- Policy enforcement: matching of predefined policies
- Denial of Service
- Detection of suspicious activity
  - Crawling
  - Repeated reading of the same data
  - Abnormal client activity

Malicious Client Detection
Challenges:
- BlobSeer has no authentication mechanism or any way to distinguish the users:
  - each client accesses the information in the same way
  - there is no way of certifying the users

- Anomaly Engine: analyses the client behavior and looks for changes in access patterns.
- Matching Engine, Pattern Storage, Policy Enforcement: reads the user history and looks for policy violations or malicious activity, based on a set of predefined patterns.
- Trust Level: computes a Trust Level for each client based on the user history and feedback from the policy enforcement.

Policy enforcement
Advantages:
- Simple to use and easy to customize: XML patterns that describe malicious activity.
- It can take complex actions in the case of policy violations, either directly or through the TL (Trust Level).
Disadvantages:
- Unable to adapt to unknown malicious activity.
- Possible large delay due to the monitoring infrastructure and storage of user history.

Policy example (XML policy markup not preserved in the transcript)

Policy example (XML policy markup not preserved in the transcript; only the fragments "fd" and "100" survive)

Trust Level
- Each event has an effect on the Trust Level of the user.
- It also uses the system state of the providers to determine the gravity of the malicious activity.
- The Trust Level can be between 0 and 100.
- If a user has a high Trust Level he may be rewarded with relaxed security policies for a period of time.
- A low Trust Level may be punished by more restrictive policies.
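As an added example (not from the presentation or the BlobSeer project), the following Python sketch applies the predefined patterns from the Malicious Client Detection slide (WriteNoPublish, PublishNoWrite, repeated reads of the same data) to a constructed client history, then updates the 0-100 Trust Level described above and picks a policy set from it; the sample history, the thresholds, the penalty weights and the provider_load scaling are all assumptions, not values from the slides.

```python
from collections import Counter

# Constructed sample client history of (client, operation, blob) events; not from the slides.
HISTORY = [
    ("c1", "write", "b1"), ("c1", "write", "b1"), ("c1", "write", "b1"), ("c1", "write", "b1"),
    ("c2", "publish", "b2"),
    ("c3", "read", "b3"), ("c3", "read", "b3"), ("c3", "read", "b3"), ("c3", "read", "b3"),
    ("c4", "write", "b4"), ("c4", "publish", "b4"), ("c4", "read", "b4"),
]
# Assumed thresholds standing in for the XML policy patterns mentioned on the slides.
WRITE_NO_PUBLISH_MIN_WRITES = 3
REPEATED_READ_MIN = 3

def detect(history):
    """Match the predefined patterns against each client's history -> {client: [violations]}."""
    per_client = {}
    for client, op, blob in history:
        per_client.setdefault(client, []).append((op, blob))
    findings = {}
    for client, ops in per_client.items():
        writes = Counter(b for o, b in ops if o == "write")
        reads = Counter(b for o, b in ops if o == "read")
        published = {b for o, b in ops if o == "publish"}
        hits = []
        # WriteNoPublish: heavy writing to a blob without ever publishing a new version
        hits += ["WriteNoPublish" for b, n in writes.items()
                 if n >= WRITE_NO_PUBLISH_MIN_WRITES and b not in published]
        # PublishNoWrite: a version published (metadata tree created) with nothing written
        hits += ["PublishNoWrite" for b in published if writes[b] == 0]
        # Crawling: repeated reading of the same data
        if any(n >= REPEATED_READ_MIN for n in reads.values()):
            hits.append("RepeatedRead")
        findings[client] = hits
    return findings

# Assumed penalty per violation; scaled by provider load, the "system state" on the slides.
PENALTY = {"WriteNoPublish": 20, "PublishNoWrite": 30, "RepeatedRead": 10}

def update_trust(trust, violations, provider_load, reward=5):
    """Return the new Trust Level, clamped to 0..100; provider_load is 0.0 (idle) to 1.0 (saturated)."""
    if not violations:
        return min(100, trust + reward)  # a clean history is rewarded
    penalty = sum(PENALTY[v] * (1 + provider_load) for v in violations)
    return max(0, int(round(trust - penalty)))

def policy_for(trust):
    """Pick the policy set applied to a client from its Trust Level (thresholds assumed)."""
    return "relaxed" if trust >= 80 else "strict" if trust < 40 else "default"
```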

Conclusions and future work
Conclusions:
- We designed a malicious client detection architecture.
- Right now, the Policy Enforcement and Trust Level modules are functional.
Future work:
- Build a complete, functional security framework for BlobSeer.
- Finish the implementation of the other modules.
- Connect the modules with each other.
- Test with large scenarios with many users.

Questions? Thank you!