Smitha Sundareswaran
Pennsylvania State University
Publication
Featured research published by Smitha Sundareswaran.
International Conference on Cloud Computing | 2012
Smitha Sundareswaran; Anna Cinzia Squicciarini; Dan Lin
The expanding Cloud computing services offer great opportunities for consumers to find the best service and best pricing, which however raises new challenges on how to select the best service out of the huge pool. It is time-consuming for consumers to collect the necessary information and analyze all service providers to make the decision. This is also a highly demanding task from a computational perspective, because the same computations may be conducted repeatedly by multiple consumers who have similar requirements. Therefore, in this paper, we propose a novel brokerage-based architecture in the Cloud, where the Cloud broker is responsible for the service selection. In particular, we design a unique indexing technique for managing the information of a large number of Cloud service providers. We then develop efficient service selection algorithms that rank potential service providers and aggregate them if necessary. We prove the efficiency and effectiveness of our approach through an experimental study with the real and synthetic Cloud data.
IEEE Transactions on Services Computing | 2011
Said Marouf; Mohamed Shehab; Anna Cinzia Squicciarini; Smitha Sundareswaran
The adoption of XACML as the standard for specifying access control policies for various applications, especially web services, is vastly increasing. This calls for high performance XACML policy evaluation engines. A policy evaluation engine can easily become a bottleneck when enforcing XACML policies with a large number of rules. In this paper we propose an adaptive approach for XACML policy optimization. We apply a clustering technique to policy sets based on the K-means algorithm. In addition to clustering we find that, since a policy set has a variable number of policies and a policy has a variable number of rules, their ordering is important for efficient execution. By clustering policy sets and reordering policies and rules in a policy set and policies respectively, we formulated and solved the optimal policy execution problem. The proposed clustering technique categorizes policies and rules within a policy set and policy respectively in respect to target subjects. When a request is received, it is redirected to applicable policies and rules that correspond to its subjects; hence, avoiding unnecessary evaluations from occurring. We also propose a usage based framework that computes access request statistics to dynamically optimize the ordering access control to policies within a policy set and rules within a policy. Reordering is applied to categorized policies and rules from our proposed clustering technique. To evaluate the performance of our framework, we conducted extensive experiments on XACML policies. We evaluated separately the improvement due to categorization and to reordering techniques, in order to assess the policy sets targeted by our techniques. The experimental results show that our approach is orders of magnitude more efficient than standard Sun PDP.
Annales Des Télécommunications | 2014
Anna Cinzia Squicciarini; Federica Paci; Smitha Sundareswaran
With social networks (SNs) allowing their users to host large amounts of personal data on their platforms, privacy protection mechanisms are becoming increasingly important. The current privacy protection mechanisms offered by SNs mostly enforce access control policies based on users’ privacy settings. The task of setting privacy preferences may be tedious and confusing for the average user, who has hundreds of connections (e.g., acquaintances, colleagues, friends, etc.) and maintains an extensive profile on his main SN. Hence, users often end up with policies that do not sufficiently protect their personal information, thus facilitating potential privacy breaches and information misuse. In this paper, we propose PriMa (Privacy Manager), a privacy protection mechanism that supports semiautomated generation of access rules for users’ profile information, filling the gap between the privacy management needs of SN users and the existing SNs’ privacy protection mechanisms. PriMa access rules are generated using a multicriteria algorithm, so as to account for an extensive set of criteria to be considered when dealing with access control in SN sites. The resulting rules are simple yet powerful specifications, indicating the adequate level of protection for each user, and are dynamically adapted to the ever-changing requirements of the users’ preferences and SN configuration. We have implemented PriMa on a Drupal platform and as a third-party Facebook application. We have evaluated the performance of the PriMa application with respect to access rule generation.
International World Wide Web Conferences | 2009
Anna Cinzia Squicciarini; Smitha Sundareswaran
Images are one of the most popular types of content shared on these sites. Most of these networks offer some rudimentary forms of access controls such as allowing the users to choose who can view their profiles or the images uploaded by them. These controls however apply only in the perimeter of the users’ direct control such as desktops, profiles etc. Users have no control over their content once it is downloaded by others. In order to enable a user to truly maintain control over his content, new access control mechanisms must be designed so as to enable users to control their content even when managed by others. Towards fulfilling this gap, in this paper we propose the concept of “web-traveler policies”. Web-traveler policies allow the user to specify who can view, upload or download a given image within a social network. The unique, innovative feature of web-traveler policies is that they travel with the image, as long as it is hosted on the given social networking site. Additionally, we explore the possibility of extending these controls across different sites, by using the concept of mashups. In the paper we prove the feasibility of this approach, by implementing a working prototype of our approach on a real open source social network platform. We test the performance and scalability of such architecture under heavy user loads and also its resilience towards naïve attacks. This work is a first innovative step toward scalable systems for providing each user with a centralized system for his/her own content’s protection all over the web.
IEEE International Symposium on Policies for Distributed Systems and Networks | 2009
Said Marouf; Mohamed Shehab; Anna Cinzia Squicciarini; Smitha Sundareswaran
The adoption of XACML as the standard for specifying access control policies for various applications, especially web services, is vastly increasing. A policy evaluation engine can easily become a bottleneck when enforcing large policies. In this paper we propose an adaptive approach for XACML policy optimization. We proposed a clustering technique that categorizes policies and rules within a policy set and policy respectively in respect to target subjects. Furthermore, we propose a usage based framework that computes access request statistics to dynamically optimize the ordering of policies within a policy set and rules within a policy. Reordering is applied to categorized policies and rules from our proposed clustering technique. To evaluate the performance of our framework, we conducted extensive experiments on XACML policies. We evaluated separately the improvement due to categorization and to reordering techniques, in order to assess the policy sets targeted by our techniques. The experimental results show that our approach is orders of magnitude more efficient than the standard Sun PDP.
International Conference on Information and Communication Security | 2013
Smitha Sundareswaran; Anna C. Squicciarini
Virtualization provides many benefits for Cloud environments, as it helps users obtain dedicated environments abstracted from the physical layer. However, it also introduces new vulnerabilities to the Cloud such as making it possible for malicious VMs to mount cross-VM attacks through cache based side channels. In this paper, we investigate load-based measurement attacks born specifically as a result of the virtualization in Cloud systems. We develop a framework to identify these attacks based on the observation that the events taking place during the attacks lead to an identifiable sequence of exceptions. We test the accuracy of our framework using the Microsoft Azure infrastructure.
DBSec'12 Proceedings of the 26th Annual IFIP WG 11.3 conference on Data and Applications Security and Privacy | 2012
Smitha Sundareswaran; Anna Cinzia Squicciarini
Cross-site scripting attacks represent one of the major security threats in today's Web applications. Current approaches to mitigate cross-site scripting vulnerabilities rely on either server-based or client-based defense mechanisms. Although effective for many attacks, server-side protection mechanisms may leave the client vulnerable if the server is not well patched. On the other hand, client-based mechanisms may incur a significant overhead on the client system. In this work, we present a hybrid client-server solution that combines the benefits of both architectures. Our Proxy-based solution leverages the strengths of both anomaly detection and control flow analysis to provide accurate detection. We demonstrate the feasibility and accuracy of our approach through extended testing using real-world cross-site scripting exploits.
International Conference on Security and Privacy in Communication Systems | 2010
Smitha Sundareswaran; Anna Cinzia Squicciarini
Web 2.0 platforms are ubiquitously used to share content and personal information, which makes them an inviting and vulnerable target of hackers and phishers alike. In this paper, we discuss an emerging class of attacks, namely content repurposing attacks, which specifically targets sites that host user uploaded content on Web 2.0 sites. This latent threat is poorly addressed, if at all, by current protection systems, both at the remote sites and at the client ends. We design and develop an approach that protects from content repurposing attacks at the client end. As we show through a detailed evaluation, our solution promptly detects and stops various types of attacks and adds no overhead to the user’s local machine or browser where it resides. Further, our approach is light-weight and does not invasively monitor all the user interactions with the browser, providing an effective protection against these new and powerful attacks.
Security and Privacy in Communication Networks | 2014
Anna Cinzia Squicciarini; Dan Lin; Smitha Sundareswaran; Jingwei Li
The MapReduce framework has been widely adopted for processing Big Data in the cloud. While efficient, MapReduce offers very complicated (if any) means for users to request nodes that satisfy certain security and privacy requirements to process their data.
Computer Software and Applications Conference | 2011
Smitha Sundareswaran; Anna Cinzia Squicciarini; Ranjani Sundareswaran
The increasingly sensitive nature of data shared over the Web calls for a new approach to cross-domain content protection. Towards addressing this need, in this paper we introduce a novel Java-based architecture for distributed content protection, Java-based Distributed Content Protection (JUiCE). JUiCE takes a policy-driven approach that strongly couples data and content protection policies. JUiCE constitutes an effective and practical solution for content protection for a number of reasons. First, both the CPPs and the protection mechanism travel with the content, which is stored in its original form. Second, users do not need to rely on any dedicated management system to specify and apply the CPPs. Further, CPPs do not require any additional cryptographic setup such as passwords or keys to be shared. Through evaluation, we show that our architecture is scalable while being robust against a range of attacks.