Security of Separated Data in Cloud Systems with Competing Attack Detection and Data Theft Processes

Risk Anal. 2019 Apr;39(4):846-858. doi: 10.1111/risa.13219. Epub 2018 Oct 12.

Abstract

Empowered by virtualization technology, service requests from cloud users can be honored through creating and running virtual machines. Virtual machines established for different users may be allocated to the same physical server, making the cloud vulnerable to co-residence attacks where a malicious attacker can steal a user's data through co-residing their virtual machines on the same server. For protecting data against the theft, the data partition technique is applied to divide the user's data into multiple blocks with each being handled by a separate virtual machine. Moreover, early warning agents (EWAs) are deployed to possibly detect and prevent co-residence attacks at a nascent stage. This article models and analyzes the attack success probability (complement of data security) in cloud systems subject to competing attack detection process (by EWAs) and data theft process (by co-residence attackers). Based on the suggested probabilistic model, the optimal data partition and protection policy is determined with the objective of minimizing the user's cost subject to providing a desired level of data security. Examples are presented to illustrate effects of different model parameters (attack rate, number of cloud servers, number of data blocks, attack detection time, and data theft time distribution parameters) on the attack success probability and optimization solutions.

Keywords: Cloud system; co-residence attack; cost; data partition; data security; early warning; virtual machine.

Publication types

  • Research Support, Non-U.S. Gov't