Research On Defense Technology On Insider Threats In Cloud Computing Model

According to the definitions of CERT(Computer Emergency Response Teams)research center of Carnegie Mellon University,insider threats refer to one or more current or former company employees,contractors or business partners,who had authorized access to an organization's network,system,or data,intentionally exceeded or misused that access in a manner that negatively affected the confidentiality,integrity,or availability of the organization's information or information systems.According to the report of CSA(Cloud Security Alliance),malicious insider threat is one of the treacherous 12 cloud computing top threats.The separation of data ownership and management is the essential feature of cloud computing model.That is,as the data is migrated to the cloud,the user needs to use the cloud computing platform to achieve data management.In addition to facing the traditional threats of insider attacks,the introduction of cloud computing model faces many new security issues and challenges,such as malicious privileged cloud administrators.When the cloud administrator objectively has the right to peek and leak the data or the computing resources of users,how to protect the rights and interests of the user has become a very challenging issue.Therefore,the research on how to defend against the insider threats in cloud computing model has become especially important,as well as a common focus of attention in both academia and industry in recent years.In this thesis,the author researches on the defense technology on insider threats in cloud computing model.It implements practical inside attack instances,studies on both attack and defense technologies to effectively defend against insider threats in cloud computing model.This thesis first systematically analyzes and summarizes the types and features of insider threats in cloud computing model,then constructs and implements practical methods of insider threat attacks against the real cloud platforms.To defend against insider threats in cloud computing model,this thesis introduces user trusted access broker that protects the cloud-hosted user data from the perspectives of users and administrators respectively.The access broker is transparently located between the cloud application and the user,and it does not reveal any user information to the outside.From the user's perspective,data encryption and searchable encryption technology is an effective way to defend against the insider threats in cloud computing model.For practical cloud applications,the current searchable encryption solution still has many challenges in terms of practicality.For example,the search function is fixed and single,the search process leaks certain plaintext information,and the cloud service program needs to be modified and customized.This thesis first systematically analyzes the architectures,challenges and information leakage models of current searchable encryption research,and builds new practical searchable encryption attack algorithms against the summarized information leakage models.Based on the above,this thesis designed and implemented cloud executed and access broker executed searchable encryption schemes respectively,to improve the security,efficiency and practicality,and provide multiple advanced search capabilities.From the cloud administrator's perspective,this thesis introduces the access broker to divide the administrative privileges finely,and separate responsibilities.In particular,the access broker non-invasively records and controls the operational behaviors of the cloud administrators,and guarantees the collected data to be audited is trustworthy.The main contents of this thesis include survey on insider threats in cloud computing model,new attack algorithms on searchable encryption based on partially known documents,cloud executed practical searchable symmetric encryption scheme,data encryption and searchable encryption scheme based on the access broker,and recording,controlling and auditing the operations of administrators in the cloud platform.The main work of this thesis is as follows:In the direction of survey on insider threats in cloud computing model,this thesis firstly summarizes the major types and features of insider threats in the cloud environment,analyzes the new security issues and challenges that the cloud computing model faces,and then constructs and implements practical examples of insider threat attacks against the real cloud platform.In the attacks,the cloud administrator used his own privileges to successfully steal the data privacy of the user,thus presenting available security risks of the cloud platform and typical attack methods.On this basis,by summarizing the current related research work,this thesis generalizes three main approaches to deal with insider threats in the cloud,as:personnel evaluation and behavior analysis,cloud administration priority division and run-time access control,user controlled data encryption and searchable encryption related technologies.For each approach,this thesis thoroughly analyzes its technical principles,key technologies,the latest developments,as well as practical possibilities in the real world.At last,this thesis points out key research points on insider threats in cloud computing model.In the direction of new attack algorithms on searchable encryption based on partially known documents,this thesis sums up different information leakage models based on typical searchable encryption schemes and designs new attack algorithms on searchable encryption according to the information leakage models.The current research of searchable encryption attack often needs to grasp all the information of the target documents,to accurately infer the plaintext keyword represented by the trapdoor in the encrypted query,which is not realistic under normal circumstances.When the attacker only has partial knowledge of the target documents,its attack success rate is very low.This thesis proposes new attack algorithms based on little prior knowledge,in which an adversary only needs to have partial knowledge of the target documents to accurately recover the encrypted query,so as to be more practical.Experimental evaluation is conducted based on real mail data,and the results demonstrate the effectiveness of proposed attacks.In the direction of cloud executed practical searchable symmetric encryption scheme,this thesis first gives the security definition of searchable encryption and inference attacks on searchable encryption schemes,and then designs a cloud executed practical searchable symmetric encryption(SSE)scheme called IDCrypt.The IDCrypt architecture deployed a service program on the cloud side for searching encrypted data,which can be implemented with the help of off-the-shelf inverted-index-based search engines,to improve the practicality and deploy ability of searchable encryption without modifying or customizing cloud applications.IDCrypt effectively protects against searchable encryption attacks with proven high security,and the attack experimental results with real mail data show its security strength compared with a traditional searchable encryption scheme.The thesis further points out the main challenges in securely searching on encrypted data in multi-user scenarios,and designs a token-adjusted search scheme that allows users to search across multiple indexes encrypted with different keys.In the direction of data encryption and searchable encryption scheme based on the access broker,this thesis designs a searchable encryption scheme implemented by the access broker based on the CASB(Cloud Access Security Broker)technology.The scheme can implement multiple advanced search functions on the inverted index structure in the access broker.It can also support multi-user interaction in the access broker,adapt multiple cloud applications,and has high efficiency and security.In terms of query expressiveness,performance and security,this thesis gives systematic and quantitative analysis on the access broker executed searchable encryption contrasting with the traditional searchable encryption schemes,and also studies how to build the index on the access broker,query resolution and search request execution.However,not all problems are naturally solved as the searchable encryption architecture is changed.With real deployment and practicality,some important issues in practical applications that the access broker executed searchable encryption scheme faces are pointed out,such as the challenges of securely sharing index and encrypted data between access brokers,and corresponding schemes and prototype system are designed to address the above challenges.To record,control and audit the operations of cloud administrators in the cloud platform,this thesis introduces the access broker which records,controls and audits the manage operations of cloud platform continuously and timely.All access to resources or data in the cloud platform must be arbitrated by the access broker.After authenticated to the access broker,the request can single sign-on related resources or data,thus avoiding the confusion in access and certification,achieving unified control and preventing internal administrators bypassing the authentication system to implement malicious acts.After logging in the access broker authentication system,all the operations on the resources or data of the cloud platform must be recorded in detail,and the dangerous operations or the override operations must be alerted or blocked based on the hierarchical mechanism of cloud administrators' operations.To audit user behavior with the recorded data,a user identification algorithm based on operating frequency analysis is proposed.The real data simulation shows that the algorithm is effective to user behavior analysis.In project realization,this thesis realized the key technologies and architectures of the data encryption and searchable encryption scheme based on the access broker,completed the prototype system and tested its performance.The designed scheme obtained multiple national patent licenses.This thesis also completed the architecture and prototype system of recording,controlling and auditing the operations of cloud administrators in the cloud platform.