
Behavior Based Access Control For Securing Cloud Infrastructure As A Service

Posted on: 2018-03-01
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Khaled
GTID: 1318330515966053
Subject: Computer Science and Technology

Abstract/Summary:
One of the most important challenges that have threatened cloud computing and caused its slow adoption is security. Cloud computing is a kind of Internet-based computing that provides shared processing resources and data to computers and other devices on demand. It is a model for enabling ubiquitous, on-demand access to a shared pool of configurable computing resources (e.g., computer networks, servers, storage, applications, and services). In this thesis, we focus on addressing access control issues in cloud computing. Since cloud computing is not a traditional environment, the well-known authentication systems cannot be used to manage the huge, complicated, on-demand behavior of clients toward its shared pool of configurable computing resources. Therefore, a dynamic and well-motivated access control model is urgently needed for such an environment of configurable computing resources.

Recently, there has been considerable interest in Attribute-Based Access Control (ABAC). It is an access control paradigm whereby access rights are granted to users through the use of policies, which combine attributes together. ABAC is considered a cornerstone of the new generation of authorization models. However, ABAC cannot deal with the dynamic behavior of users and the dynamic access policies that are mandatory for the cloud computing environment. The objective of this thesis is to improve current ABAC by introducing some new notions into it, so that it better fits on-demand access according to the clients' behavior in such a shared pool of configurable computing resources. We focus on the problem of dynamically authorizing a huge number of dynamically behaving clients to the cloud computing environment. To the best of our knowledge and according to our review of the related literature on cloud access control models, we have proposed three new access control schemes to be used in cloud computing environments. The contributions of our proposed access control schemes are summarized as follows:

I. Attribute-Rules Attribute Based Access Control (AR-ABAC): We propose an AR-ABAC scheme, which ensures secure resource sharing among potentially untrusted tenants and supports different access permissions for the same user in the same session. We introduce a new notion, called Attribute-Rules (AR), which defines an agreement on what kind of attributes should be used and how many attributes should be taken into account for making access decisions. Also, the verification mechanism for those attribute-rules is flexible enough to enforce the assignment and easing of privileges in the cloud access control model. The experimental results indicate that AR-ABAC is suitable for cloud IaaS, where the average time of token generation when communicating with the AR-ABAC policy engine is small and acceptable relative to the number of considered attributes and concurrent requests.

II. Multi-Factor Trust-Based Access Control (TB-AC): We propose a multi-factor TB-AC scheme, which efficiently deals with the dynamic behavior of users, since its authorization decisions are based on the users' trust level. To achieve such authorization of dynamic user behavior, we introduce a new formal definition of trust, which is based on three different factors: attributes, observation, and recommendation, as well as the semantic relations among them. In TB-AC, we also present a novel way to punish malicious users by blacklisting them for a specific period of time. The experimental results indicate that our TB-AC scheme can efficiently evaluate access requests within reasonable and acceptable processing time for different user behaviors under different scenarios, which proves it usable and scalable.

III. Adaptive Cryptographic Cloud Multi-Authority Access Control (AC-MAC): We propose a cryptographic AC-MAC scheme, which adopts cryptographic mechanisms to make it more secure and effective against malicious attackers with respect to the trust level. In AC-MAC, we introduce a new notion, called multi-authority attributes' trust, which can be integrated with Ciphertext-Policy Attribute-Based Encryption (CP-ABE) for different numbers of user attributes for encryption and decryption. The practical cryptographic construction is presented to allow users to request access from the same authority multiple times with different attribute sets. Also, a user cannot decrypt the ciphertext if that user is not trusted. We not only provide security proofs for our construction, but also run sufficient experiments, which indicate that the average time of encryption and decryption is acceptable to both data owners and users.

In the proof-of-concept part, we demonstrate the advantage of each of the three proposed schemes by integrating and testing each of them with our private cloud environment, which is built using the prominent IaaS platform OpenStack. We show the scalability and security of our proposed schemes in comparison with current access control schemes under the same conditions. Performance and security analyses are provided for each proposed scheme, measuring some important factors incurred in enforcing that scheme.
Keywords/Search Tags: Cloud Computing, Cloud Security, Access Control Models, Attribute-Based Access Control, Trust, Cryptography