Joseph Idziorek
Iowa State University
Publication
Featured research published by Joseph Idziorek.
International Conference on Cloud Computing | 2011
Joseph Idziorek; Mark Tannian
This paper discusses an attack on the cloud computing model by which an attacker subtly exploits a fundamental vulnerability of current utility compute models over a sustained period of time. Internet-accessible cloud services expose resources that are metered for billing purposes. These resources are subject to fraudulent resource consumption that is intended to run up the operating expenses for public cloud service customers. The details and significance of this attack are discussed as well as two detection methodologies and their respective experimental results. This work investigates a potentially significant vulnerability of the cloud computing model that could be exploited from any Internet-connected host. Well-crafted transactions that only differ in intent but not in content are challenging to differentiate and thus this attack may be difficult to detect and prevent.
Cloud Computing Security Workshop | 2011
Joseph Idziorek; Mark Tannian; Douglas Jacobson
Initial threat modeling and security research on the public cloud model has primarily focused on the confidentiality and integrity of data transferred, processed, and stored in the cloud. Little attention has been paid to the external threat sources that have the capability to affect the financial viability, hence the long-term availability, of services hosted in the public cloud. Similar to an application-layer DDoS attack, a Fraudulent Resource Consumption (FRC) attack is a much more subtle attack carried out over a longer duration of time. The objective of the attacker is to exploit the utility pricing model which governs the resource usage in the cloud model by fraudulently consuming web content with the purpose of depriving the victim of their long-term economic availability of hosting publicly accessible web content in the cloud. In this paper, we thoroughly describe the FRC attack and discuss why current application-layer DDoS detection schemes are not applicable to a more subtle attack. We propose three detection metrics that together form the criteria for identifying a FRC attack from that of normal web activity. Experimental results based on three plausible attack scenarios show that an attacker without knowledge of the web log has a difficult time mimicking the self-similar and consistent request semantics of normal web activity.
IT Professional | 2013
Joseph Idziorek; Mark Tannian; Douglas Jacobson
Cloud-based services are vulnerable to attacks that seek to exploit the pay-as-you-go pricing model. A botnet could perform fraudulent resource consumption (FRC) by consuming the bandwidth of Web-based services, thereby increasing the cloud consumer's financial burden.
International Conference on Cloud Computing | 2012
Joseph Idziorek; Mark Tannian; Douglas Jacobson
Obligated by a utility pricing model, Internet-facing web resources hosted in the public cloud are vulnerable to Fraudulent Resource Consumption (FRC) attacks. Unlike an application-layer DDoS attack that consumes resources with the goal of disrupting short-term availability, an FRC attack is a considerably more subtle attack that instead seeks to disrupt the long-term financial viability of operating in the cloud by exploiting the utility pricing model over an extended time period. By fraudulently consuming web resources in sufficient volume (i.e. data transferred out of the cloud), an attacker (e.g. botnet) is able to incur significant fraudulent charges to the victim. This paper proposes an attribution methodology to identify malicious clients participating in an FRC attack. Experimental results demonstrate that the presented methodology achieves qualified success against challenging attack scenarios.
Winter Simulation Conference | 2010
Joseph Idziorek
One of the distinguishing characteristics of the cloud model is the ability for the service users to horizontally scale computing resources to match customer demand. Because the cloud model is offered in a pay-as-you-go scheme, it is in the service users' best interest to maximize utilization while still providing a high quality of service to the customer. This paper describes a discrete event simulation model that is used to explore the relationship between the horizontal scaling profile configurations and the functionality of the cloud model. Initial results show that both a state-aware load distribution algorithm and the parameters that dictate the elasticity of the horizontal scaling ability are essential to achieving high rates of utilization. Through modeling and simulation, this paper presents both a framework and initial results to further explore the cloud model.
International Journal of Communication Networks and Distributed Systems | 2012
Joseph Idziorek; Mark Tannian
Cloud computing is in its infancy and continues to evolve. As this evolution proceeds, there are a number of privacy and security concerns emerging from the cloud computing model that need to be addressed before broad acceptance occurs. This paper is an initial literature survey of cloud computing security, which promises to be a challenging research area. Although cloud computing security research inherits previous research from its elemental technologies, this paper will limit its focus on surveying cloud computing targeted research. By performing a systematic analysis of the security aspects of the cloud model, this work seeks to succinctly clarify why security continues to be a significant impediment for cloud adoption.
Frontiers in Education Conference | 2012
Joseph Idziorek; Julie A. Rursch; Doug Jacobson
Society's dependency on information technology has drastically outpaced educational curricula and the opportunities that universities and higher education institutes provide to students from both technical (e.g., computer engineering, computer science) and non-technical majors. To increase the opportunities for all students to learn how to protect themselves as individuals and others as professionals from numerous cyber threats, the focus of this work is to identify gaps in engineering curricula and present novel approaches to fulfill the growing and diverse needs of cyber security education. The overall objective of this paper is to make security education accessible, relevant, and tangible across educational curricula, as well as to provide the framework to extend these efforts beyond university classrooms and into community colleges and high schools. While the predominant focus, research, and innovative practices in the area of cyber security have focused on technical students at the university level, this work instead concentrates on the demographic of students that desire to learn about cyber security without having to major in computer engineering, for example. In this paper we present a three-tiered framework that provides breadth and depth to security education across multiple education levels. This all-encompassing framework for security education includes providing (1) formal literacy-based training for students of all backgrounds, (2) inquiry-based learning through security- and technically-focused student groups and activities, and (3) classical technical-based initiatives. For each of these respective areas, previous research and efforts are discussed as well as the innovative practices that we have developed to address identified educational gaps.
Winter Simulation Conference | 2011
Joseph Idziorek; Mark Tannian; Douglas Jacobson
Early proponents of public cloud computing have come to identify cost savings as a key factor for adoption. However, the adoption and hosting of a web application in the cloud does not provide any such guarantees. This is in part due to the utility pricing model that dictates the cost of public cloud resources. In this work we seek to model and simulate data usage for a web application for the purpose of utility cost analysis. Although much research has been performed in the area of web usage mining, previously proposed models are unable to accurately model web usage profiles for a specific web application. In this paper, we present a simulation model and corresponding algorithm to model web usage based on empirical observations. The validation of the proposed model shows that the simulated output conforms to that of what was observed and is within acceptable tolerance limits.
Frontiers in Education Conference | 2012
Doug Jacobson; Julie A. Rursch; Joseph Idziorek
We are losing the battle in cyber security. We heavily rely on technology as the main defense, instead of recognizing that the easiest attack vectors are the people who operate the computers. The general public does not understand the decisions they make each and every day have security implications for themselves, their projects and their companies. Since people are a primary target, education is one of the “secret weapons” in the cyber security battlefield. Further, if everyday users are the targets, then all audiences, not just technical staff, need training and education in cyber security basics. We argue that computer security literacy is not only the next step in computer security defense; it may be one of the most important steps we can take. Through this workshop we want to encourage the profession to reach out to the populace and help make them security literate. The goal of the workshop is to provide an alternative approach to teaching Computer Security Literacy. This approach, developed at Iowa State University, demonstrates how Computer Security Literacy courses for non-technical students benefit them in their daily lives, now as students and in the future as working professionals.
Archive | 2017
Douglas Jacobson; Joseph Idziorek