Based on the diversified technology and the cross-validation mechanism, the N-variant system provides a secure service architecture for cloud providers to protect the cloud applications from attacks by executing multiple variants of a single software in parallel and then checking their behaviors’ consistency. However, it is complex to upgrade current Software as a Service (SaaS) applications to adapt N-variant system architecture. Challenges arise from the inability of tenants to adjust the application architecture in the cloud environment, and the difficulty for cloud service providers to implement N-variant systems using existing API gateways. This paper proposes SecIngress, an API gateway framework, to overcome the challenge that it is hard in the cloud environment to upgrade the applications based on N-variants system. We design a two-stage timeout processing method to lessen the service latency and an Analytic Hierarchy Process Voting under the Metadata mechanism (AHPVM) to enhance voting accuracy. We implement a prototype in a testbed environment and analyze the security and performance metrics before and after deploying the prototype to show the effectiveness of SecIngress. The results reveal that SecIngress enhances the reliability of cloud applications with acceptable performance degradation.
The complexity of cloud environments challenges secure resource management, especially for intrusion detection systems (IDS). Existing strategies struggle to balance efficiency, cost fairness, and threat resilience. This paper proposes an innovative approach to managing cloud resources through the integration of a genetic algorithm (GA) with a “double auction” method. This approach seeks to enhance security and efficiency by aligning buyers and sellers within an intelligent market framework. It guarantees equitable pricing while utilizing resources efficiently and optimizing advantages for all stakeholders. The GA functions as an intelligent search mechanism that identifies optimal combinations of bids from users and suppliers, addressing issues arising from the intricacies of cloud systems. Analyses proved that our method surpasses previous strategies, particularly in terms of price accuracy, speed, and the capacity to manage large-scale activities, critical factors for real-time cybersecurity systems, such as IDS. Our research integrates artificial intelligence-inspired evolutionary algorithms with market-driven methods to develop intelligent resource management systems that are secure, scalable, and adaptable to evolving risks, such as process innovation.
Human Resource (HR) operations increasingly rely on cloud-based platforms that provide hiring, payroll, employee management, and compliance services. These systems, typically built on multi-tenant microservice architectures, offer scalability and efficiency but also expand the attack surface for adversaries. Ransomware has emerged as a leading threat in this domain, capable of halting workflows and exposing sensitive employee records. Traditional defenses such as static hardening and signature-based detection often fail to address the dynamic requirements of HR Software as a Service (SaaS), where continuous availability and privacy compliance are critical. This paper presents a Moving Target Defense (MTD) framework for HR SaaS that combines container mutation, IP hopping, and node reassignment to randomize the attack surface without pausing services. Many prior defenses for cloud or IoT rely on static hardening or signature-driven detection and do not meet HR SaaS needs such as uninterrupted sessions, privacy compliance, and live service continuity. This paper presents a MTD framework for HR SaaS that combines container mutation, IP hopping, and node reassignment to randomize the attack surface without pausing services. The framework runs on Kubernetes and uses a KL-divergence-based anomaly detector that monitors HR access logs across five modules (onboarding, employee records, leave, payroll, and exit). In simulation with realistic HR traffic, the approach reaches 96.9% average detection accuracy with AUC 0.94-0.98, cuts mean time to containment to 91.4 s, and lowers the ransomware encryption rate to 13.2%. Measured overheads for CPU, memory, and per-mutation latency remain modest. Compared with prior MTD and non-MTD baselines, the design provides stronger containment without service interruption and aligns with zero-trust and compliance goals. Its modular implementation and control-plane orchestration support stepwise, enterprise-scale deployment in HR SaaS environments.
Searchable encryption allows cloud users to outsource the massive encrypted data to the remote cloud and to search over the data without revealing the sensitive information. Many schemes have been proposed to support the keyword search in a public cloud. However, they have some potential limitations. First, most of the existing schemes only consider the scenario with the single data owner. Second, they need secure channels to guarantee the secure transmission of secret keys from the data owner to data users. Third, in some schemes, the data owner should be online to help data users when data users intend to perform the search, which is inconvenient. In this paper, we propose a novel searchable scheme which supports the multi-owner keyword search without secure channels. More than that, our scheme is a non-interactive solution, in which all the users only need to communicate with the cloud server. Furthermore, the analysis proves that our scheme can guarantee the security even without secure channels. Unlike most existing public key encryption based searchable schemes, we evaluate the performance of our scheme, which shows that our scheme is practical.
Attribute-based Encryption (ABE) enhances the confidentiality of Electronic Health Records (EHR) (also known as Personal Health Records (PHR)) by binding access rights not to individual identities, but to user attribute sets such as roles, specialties, or certifications. This data-centric cryptographic paradigm enables highly fine-grained, policy-driven access control, minimizing the need for identity management and supporting scalable multi-user scenarios. This paper presents a comprehensive and critical survey of ABE schemes developed specifically for EHR/PHR systems over the past decade. It explores the evolution of these schemes, analyzing their design principles, strengths, limitations, and the level of granularity they offer in access control. The review also evaluates the security guarantees, efficiency, and practical applicability of these schemes in real-world healthcare environments. Furthermore, the paper outlines the current state of ABE as a mechanism for safeguarding EHR data and managing user access, while also identifying the key challenges that remain. Open issues such as scalability, revocation mechanisms, policy updates, and interoperability are discussed in detail, providing valuable insights for researchers and practitioners aiming to advance the secure management of health information systems.
With cloud computing, large chunks of data can be handled at a small cost. However, there are some reservations regarding the security and privacy of cloud data stored. For solving these issues and enhancing cloud computing security, this research provides a Three-Layered Security Access model (TLSA) aligned to an intrusion detection mechanism, access control mechanism, and data encryption system. The TLSA underlines the need for the protection of sensitive data. This proposed approach starts with Layer 1 data encryption using the Advanced Encryption Standard (AES). For data transfer and storage, this encryption guarantees the data’s authenticity and secrecy. Surprisingly, the solution employs the AES encryption algorithm to secure essential data before storing them in the Cloud to minimize unauthorized access. Role-based access control (RBAC) implements the second strategic level, which ensures specific personnel access certain data and resources. In RBAC, each user is allowed a specific role and Permission. This implies that permitted users can access some data stored in the Cloud. This layer assists in filtering granular access to data, reducing the risk that undesired data will be discovered during the process. Layer 3 deals with intrusion detection systems (IDS), which detect and quickly deal with malicious actions and intrusion attempts. The proposed TLSA security model of e-commerce includes conventional levels of security, such as encryption and access control, and encloses an insight intrusion detection system. This method offers integrated solutions for most typical security issues of cloud computing, including data secrecy, method of access, and threats. An extensive performance test was carried out to confirm the efficiency of the proposed three-tier security method. Comparisons have been made with state-of-art techniques, including DES, RSA, and DUAL-RSA, keeping into account Accuracy, QILV, F-Measure, Sensitivity, MSE, PSNR, SSIM, and computation time, encryption time, and decryption time. The proposed TLSA method provides an accuracy of 89.23%, F-Measure of 0.876, and SSIM of 0.8564 at a computation time of 5.7 s. A comparison with existing methods shows the better performance of the proposed method, thus confirming the enhanced ability to address security issues in cloud computing.
Advanced cloud computing technology provides cost saving and flexibility of services for users. With the explosion of multimedia data, more and more data owners would outsource their personal multimedia data on the cloud. In the meantime, some computationally expensive tasks are also undertaken by cloud servers. However, the outsourced multimedia data and its applications may reveal the data owner’s private information because the data owners lose the control of their data. Recently, this thought has aroused new research interest on privacy-preserving reversible data hiding over outsourced multimedia data. In this paper, two reversible data hiding schemes are proposed for encrypted image data in cloud computing: reversible data hiding by homomorphic encryption and reversible data hiding in encrypted domain. The former is that additional bits are extracted after decryption and the latter is that extracted before decryption. Meanwhile, a combined scheme is also designed. This paper proposes the privacy-preserving outsourcing scheme of reversible data hiding over encrypted image data in cloud computing, which not only ensures multimedia data security without relying on the trustworthiness of cloud servers, but also guarantees that reversible data hiding can be operated over encrypted images at the different stages. Theoretical analysis confirms the correctness of the proposed encryption model and justifies the security of the proposed scheme. The computation cost of the proposed scheme is acceptable and adjusts to different security levels.
With the development of Internet technology and human computing, the computing environment has changed dramatically over the last three decades. Cloud computing emerges as a paradigm of Internet computing in which dynamical, scalable and often virtualized resources are provided as services. With virtualization technology, cloud computing offers diverse services (such as virtual computing, virtual storage, virtual bandwidth, etc.) for the public by means of multi-tenancy mode. Although users are enjoying the capabilities of super-computing and mass storage supplied by cloud computing, cloud security still remains as a hot spot problem, which is in essence the trust management between data owners and storage service providers. In this paper, we propose a data coloring method based on cloud watermarking to recognize and ensure mutual reputations. The experimental results show that the robustness of reverse cloud generator can guarantee users' embedded social reputation identifications. Hence, our work provides a reference solution to the critical problem of cloud security.
In the field of cloud computing, topics such as computing resource virtualization, differences between grid and cloud computing, relationship between high-performance computers and cloud computing centers, and cloud security and standards have attracted much research interest. This paper analyzes these topics and highlights that resource virtualization allows information services to be scalable, intensive, and specialized; grid computing involves using many computers for large-scale computing tasks, while cloud computing uses one platform for multiple services; high-performance computers may not be suitable for a cloud computing; security in cloud computing focuses on trust management between service suppliers and users; and based on the existing standards, standardization of cloud computing should focus on interoperability between services.
With the increasing popularity of cloud services, attacks on the cloud infrastructure also increase dramatically. Especially, how to monitor the integrity of cloud execution environments is still a difficult task. In this paper, a real-time dynamic integrity validation (DIV) framework is proposed to monitor the integrity of virtual machine based execution environments in the cloud. DIV can detect the integrity of the whole architecture stack from the cloud servers up to the VM OS by extending the current trusted chain into virtual machine's architecture stack. DIV introduces a trusted third party (TTP) to collect the integrity information and detect remotely the integrity violations on VMs periodically to avoid the heavy involvement of cloud tenants and unnecessary information leakage of the cloud providers. To evaluate the effectiveness and efficiency of DIV framework, a prototype on KVM/QEMU is implemented, and extensive analysis and experimental evaluation are performed. Experimental results show that the DIV can efficiently validate the integrity of files and loaded programs in real-time, with minor performance overhead.
Cloud computing provides services to users through Internet. This open mode not only facilitates the access by users, but also brings potential security risks. In cloud computing, the risk of data leakage exists between users and virtual machines. Whether direct or indirect data leakage, it can be regarded as illegal information flow. Methods, such as access control models can control the information flow, but not the covert information flow. Therefore, it needs to use the noninterference models to detect the existence of illegal information flow in cloud computing architecture. Typical noninterference models are not suitable to certificate information flow in cloud computing architecture. In this paper, we propose several information flow models for cloud architecture. One model is for transitive cloud computing architecture. The others are for intransitive cloud computing architecture. When concurrent access actions execute in the cloud architecture, we want that security domain and security domain do not affect each other, that there is no information flow between security domains. But in fact, there will be more or less indirect information flow between security domains. Our models are concerned with how much information is allowed to flow. For example, in the CIP model, the other domain can learn the sequence of actions. But in the CTA model, the other domain can’t learn the information. Which security model will be used in an architecture depends on the security requirements for that architecture.
Traditional security framework in cloud platform usually brings self-vulnerability and considerable additional resource consumption. To solve these problems, we propose an external processes monitoring architecture for current popular cloud platform OpenStack with kernel-based virtual machine (KVM). With this architecture, we can monitor all active processes in online virtual machine (VMs) and scan them for their potential maliciousness in OpenStack with no agent, and can also detect hidden processes in offline VMs’ memory snapshots and notice the user to decide whether to kill them when VMs become active. Analysis and experimental results show that our architecture is able to reduce consumption of CPU, memory and bandwidth in cloud platform and can detect viruses and hidden processes effectively in VMs.
Attribute-based encryption (ABE) is a technique used to encrypt data, it has the flexibility of access control, high security, and resistance to collusion attacks, and especially it is used in cloud security protection. However, a large number of bilinear mappings are used in ABE, and the calculation of bilinear pairing is time-consuming. So there is the problem of low efficiency. On the other hand, the decryption key is not uniquely associated with personal identification information, if the decryption key is maliciously sold, ABE is unable to achieve accountability for the user. In practical applications, shared message requires hierarchical sharing in most cases, in this paper, we present a message security hierarchy ABE scheme for this scenario. Firstly, attributes were grouped and weighted according to the importance of attributes, and then an access structure based on a threshold tree was constructed according to attribute weight. This method saved the computing time for decryption while ensuring security and on-demand access to information for users. In addition, with the help of computing power in the cloud, two-step decryption was used to complete the access, which relieved the computing and storage burden on the client side. Finally, we simulated and tested the scheme based on CP-ABE, and selected different security levels to test its performance. The security proof and the experimental simulation result show that the proposed scheme has high efficiency and good performance, and the solution implements hierarchical access to the shared message.
Cloud Computing (CC) is the preference of all information technology (IT) organizations as it offers pay-per-use based and flexible services to its users. But the privacy and security become the main hindrances in its achievement due to distributed and open architecture that is prone to intruders. Intrusion Detection System (IDS) refers to one of the commonly utilized system for detecting attacks on cloud. IDS proves to be an effective and promising technique, that identifies malicious activities and known threats by observing traffic data in computers, and warnings are given when such threats were identified. The current mainstream IDS are assisted with machine learning (ML) but have issues of low detection rates and demanded wide feature engineering. This article devises an Enhanced Coyote Optimization with Deep Learning based Intrusion Detection System for Cloud Security (ECODL-IDSCS) model. The ECODL-IDSCS model initially addresses the class imbalance data problem by the use of Adaptive Synthetic (ADASYN) technique. For detecting and classification of intrusions, long short term memory (LSTM) model is exploited. In addition, ECO algorithm is derived to optimally fine tune the hyperparameters related to the LSTM model to enhance its detection efficiency in the cloud environment. Once the presented ECODL-IDSCS model is tested on benchmark dataset, the experimental results show the promising performance of the ECODL-IDSCS model over the existing IDS models.
With the development of information technology, cloud computing technology has brought many conveniences to all aspects of work and life. With the continuous promotion, popularization and vigorous development of e-government and e-commerce, the number of documents in electronic form is getting larger and larger. Electronic document is an indispensable main tool and real record of e-government and business activities. How to scientifically and effectively manage electronic documents? This is an important issue faced by governments and enterprises in improving management efficiency, protecting state secrets or business secrets, and reducing management costs. This paper discusses the application of cloud computing technology in the construction of electronic file management system, proposes an architecture of electronic file management system based on cloud computing, and makes a more detailed discussion on key technologies and implementation. The electronic file management system is built on the cloud architecture to enable users to upload, download, share, set security roles, audit, and retrieve files based on multiple modes. An electronic file management system based on cloud computing can make full use of cloud storage, cloud security, and cloud computing technologies to achieve unified, reliable, and secure management of electronic files.
Infrastructure as a Service (IaaS) provides logical separation between data, network, applications and machines from the physical constrains of real machines. IaaS is one of the basis of cloud virtualization. Recently, security issues are also gradually emerging with virtualization of cloud computing. Different security aspects of cloud virtualization will be explored in this research paper, security recognizing potential threats or attacks that exploit these vulnerabilities, and what security measures are used to alleviate such threats. In addition, a discussion of general security requirements and the existing security schemes is also provided. As shown in this paper, different components of virtualization environment are targets to various attacks that in turn leads to security issues compromising the whole cloud infrastructure. In this paper an overview of various cloud security aspects is also provided. Different attack scenarios of virtualization environments and security solutions to cater these attacks have been discussed in the paper. We then proceed to discuss API security concerns, data security, hijacking of user account and other security concerns. The aforementioned discussions can be used in the future to propose assessment criteria, which could be useful in analyzing the efficiency of security solutions of virtualization environment in the face of various virtual environment attacks.
The dissociation between data management and data ownership makes it difficult to protect data security and privacy in cloud storage systems. Traditional encryption technologies are not suitable for data protection in cloud storage systems. A novel multi-authority proxy re-encryption mechanism based on ciphertext-policy attribute-based encryption (MPRE-CPABE) is proposed for cloud storage systems. MPRE-CPABE requires data owner to split each file into two blocks, one big block and one small block. The small block is used to encrypt the big one as the private key, and then the encrypted big block will be uploaded to the cloud storage system. Even if the uploaded big block of file is stolen, illegal users cannot get the complete information of the file easily. Ciphertext-policy attribute-based encryption (CPABE) is always criticized for its heavy overload and insecure issues when distributing keys or revoking user's access right. MPRE-CPABE applies CPABE to the multi-authority cloud storage system, and solves the above issues. The weighted access structure (WAS) is proposed to support a variety of fine-grained threshold access control policy in multi-authority environments, and reduce the computational cost of key distribution. Meanwhile, MPRE-CPABE uses proxy re-encryption to reduce the computational cost of access revocation. Experiments are implemented on platforms of Ubuntu and CloudSim. Experimental results show that MPRE-CPABE can greatly reduce the computational cost of the generation of key components and the revocation of user's access right. MPRE-CPABE is also proved secure under the security model of decisional bilinear Diffie-Hellman (DBDH).
The theory of compressed sensing (CS) has been proposed to reduce the processing time and accelerate the scanning process. In this paper, the image recovery task is considered to outsource to the cloud server for its abundant computing and storage resources. However, the cloud server is untrusted then may pose a considerable amount of concern for potential privacy leakage. How to protect data privacy and simultaneously maintain management of the image remains challenging. Motivated by the above challenge, we propose an image encryption algorithm based on chaotic system, CS and image saliency. In our scheme, we outsource the image CS samples to cloud for reduced storage and portable computing. Consider privacy, the scheme ensures the cloud to securely reconstruct image. Theoretical analysis and experiment show the scheme achieves effectiveness, efficiency and high security simultaneously.
Security issues in cloud networks and edge computing have become very common. This research focuses on analyzing such issues and developing the best solutions. A detailed literature review has been conducted in this regard. The findings have shown that many challenges are linked to edge computing, such as privacy concerns, security breaches, high costs, low efficiency, etc. Therefore, there is a need to implement proper security measures to overcome these issues. Using emerging trends, like machine learning, encryption, artificial intelligence, real-time monitoring, etc., can help mitigate security issues. They can also develop a secure and safe future in cloud computing. It was concluded that the security implications of edge computing can easily be covered with the help of new technologies and techniques.
In the cloud environment, ensuring a high level of data security is in high demand. Data planning storage optimization is part of the whole security process in the cloud environment. It enables data security by avoiding the risk of data loss and data overlapping. The development of data flow scheduling approaches in the cloud environment taking security parameters into account is insufficient. In our work, we propose a data scheduling model for the cloud environment. The model is made up of three parts that together help dispatch user data flow to the appropriate cloud VMs. The first component is the Collector Agent which must periodically collect information on the state of the network links. The second one is the monitoring agent which must then analyze, classify, and make a decision on the state of the link and finally transmit this information to the scheduler. The third one is the scheduler who must consider previous information to transfer user data, including fair distribution and reliable paths. It should be noted that each part of the proposed model requires the development of its algorithms. In this article, we are interested in the development of data transfer algorithms, including fairness distribution with the consideration of a stable link state. These algorithms are based on the grouping of transmitted files and the iterative method. The proposed algorithms show the performances to obtain an approximate solution to the studied problem which is an NP-hard (Non-Polynomial solution) problem. The experimental results show that the best algorithm is the half-grouped minimum excluding (HME), with a percentage of 91.3%, an average deviation of 0.042, and an execution time of 0.001 s.
Funding: the Foundation of the National Natural Science Foundation of China (62072467), the Foundation for Innovative Research Groups of the National Natural Science Foundation of China (61521003), the Foundation of the National Natural Science Foundation of China (62002383).
文摘Based on the diversified technology and the cross-validation mechanism,the N-variant system provides a secure service architecture for cloud providers to protect the cloud applications from attacks by executing multiple variants of a single software in parallel and then checking their behaviors’consistency.However,it is complex to upgrade current Software as a Service(SaaS)applications to adapt N-variant system architecture.Challenges arise from the inability of tenants to adjust the application architecture in the cloud environment,and the difficulty for cloud service providers to implement N-variant systems using existing API gateways.This paper proposes SecIngress,an API gateway framework,to overcome the challenge that it is hard in the cloud environment to upgrade the applications based on N-variants system.We design a two-stage timeout processing method to lessen the service latency and an Analytic Hierarchy Process Voting under the Metadata mechanism(AHPVM)to enhance voting accuracy.We implement a prototype in a testbed environment and analyze the security and performance metrics before and after deploying the prototype to show the effectiveness of SecIngress.The results reveal that SecIngress enhances the reliability of cloud applications with acceptable performance degradation.
Abstract: The complexity of cloud environments challenges secure resource management, especially for intrusion detection systems (IDS). Existing strategies struggle to balance efficiency, cost fairness, and threat resilience. This paper proposes an innovative approach to managing cloud resources through the integration of a genetic algorithm (GA) with a “double auction” method. This approach seeks to enhance security and efficiency by aligning buyers and sellers within an intelligent market framework. It guarantees equitable pricing while utilizing resources efficiently and optimizing advantages for all stakeholders. The GA functions as an intelligent search mechanism that identifies optimal combinations of bids from users and suppliers, addressing issues arising from the intricacies of cloud systems. Analyses proved that our method surpasses previous strategies, particularly in terms of price accuracy, speed, and the capacity to manage large-scale activities, critical factors for real-time cybersecurity systems, such as IDS. Our research integrates artificial intelligence-inspired evolutionary algorithms with market-driven methods to develop intelligent resource management systems that are secure, scalable, and adaptable to evolving risks, such as process innovation.
Abstract: Human Resource (HR) operations increasingly rely on cloud-based platforms that provide hiring, payroll, employee management, and compliance services. These systems, typically built on multi-tenant microservice architectures, offer scalability and efficiency but also expand the attack surface for adversaries. Ransomware has emerged as a leading threat in this domain, capable of halting workflows and exposing sensitive employee records. Traditional defenses such as static hardening and signature-based detection often fail to address the dynamic requirements of HR Software as a Service (SaaS), where continuous availability and privacy compliance are critical. This paper presents a Moving Target Defense (MTD) framework for HR SaaS that combines container mutation, IP hopping, and node reassignment to randomize the attack surface without pausing services. Many prior defenses for cloud or IoT rely on static hardening or signature-driven detection and do not meet HR SaaS needs such as uninterrupted sessions, privacy compliance, and live service continuity. This paper presents a MTD framework for HR SaaS that combines container mutation, IP hopping, and node reassignment to randomize the attack surface without pausing services. The framework runs on Kubernetes and uses a KL-divergence-based anomaly detector that monitors HR access logs across five modules (onboarding, employee records, leave, payroll, and exit). In simulation with realistic HR traffic, the approach reaches 96.9% average detection accuracy with AUC 0.94-0.98, cuts mean time to containment to 91.4 s, and lowers the ransomware encryption rate to 13.2%. Measured overheads for CPU, memory, and per-mutation latency remain modest. Compared with prior MTD and non-MTD baselines, the design provides stronger containment without service interruption and aligns with zero-trust and compliance goals. Its modular implementation and control-plane orchestration support stepwise, enterprise-scale deployment in HR SaaS environments.
Funding: supported by Natural Science Foundation of China (No. 61303264)
Abstract: Searchable encryption allows cloud users to outsource the massive encrypted data to the remote cloud and to search over the data without revealing the sensitive information. Many schemes have been proposed to support the keyword search in a public cloud. However, they have some potential limitations. First, most of the existing schemes only consider the scenario with the single data owner. Second, they need secure channels to guarantee the secure transmission of secret keys from the data owner to data users. Third, in some schemes, the data owner should be online to help data users when data users intend to perform the search, which is inconvenient. In this paper, we propose a novel searchable scheme which supports the multi-owner keyword search without secure channels. More than that, our scheme is a non-interactive solution, in which all the users only need to communicate with the cloud server. Furthermore, the analysis proves that our scheme can guarantee the security even without secure channels. Unlike most existing public key encryption based searchable schemes, we evaluate the performance of our scheme, which shows that our scheme is practical.
Abstract: Attribute-based Encryption (ABE) enhances the confidentiality of Electronic Health Records (EHR) (also known as Personal Health Records (PHR)) by binding access rights not to individual identities, but to user attribute sets such as roles, specialties, or certifications. This data-centric cryptographic paradigm enables highly fine-grained, policy-driven access control, minimizing the need for identity management and supporting scalable multi-user scenarios. This paper presents a comprehensive and critical survey of ABE schemes developed specifically for EHR/PHR systems over the past decade. It explores the evolution of these schemes, analyzing their design principles, strengths, limitations, and the level of granularity they offer in access control. The review also evaluates the security guarantees, efficiency, and practical applicability of these schemes in real-world healthcare environments. Furthermore, the paper outlines the current state of ABE as a mechanism for safeguarding EHR data and managing user access, while also identifying the key challenges that remain. Open issues such as scalability, revocation mechanisms, policy updates, and interoperability are discussed in detail, providing valuable insights for researchers and practitioners aiming to advance the secure management of health information systems.
Funding: funded by UKRI EPSRC Grant EP/W020408/1 Project SPRITE+2: The Security, Privacy, Identity and Trust Engagement Network plus (phase 2) for this study. The authors also have been funded by PhD project RS718 on Explainable AI through UKRI EPSRC Grant funded Doctoral Training Centre at Swansea University.
Abstract: With cloud computing, large chunks of data can be handled at a small cost. However, there are some reservations regarding the security and privacy of cloud data stored. For solving these issues and enhancing cloud computing security, this research provides a Three-Layered Security Access model (TLSA) aligned to an intrusion detection mechanism, access control mechanism, and data encryption system. The TLSA underlines the need for the protection of sensitive data. This proposed approach starts with Layer 1 data encryption using the Advanced Encryption Standard (AES). For data transfer and storage, this encryption guarantees the data’s authenticity and secrecy. Surprisingly, the solution employs the AES encryption algorithm to secure essential data before storing them in the Cloud to minimize unauthorized access. Role-based access control (RBAC) implements the second strategic level, which ensures specific personnel access certain data and resources. In RBAC, each user is allowed a specific role and Permission. This implies that permitted users can access some data stored in the Cloud. This layer assists in filtering granular access to data, reducing the risk that undesired data will be discovered during the process. Layer 3 deals with intrusion detection systems (IDS), which detect and quickly deal with malicious actions and intrusion attempts. The proposed TLSA security model of e-commerce includes conventional levels of security, such as encryption and access control, and encloses an insight intrusion detection system. This method offers integrated solutions for most typical security issues of cloud computing, including data secrecy, method of access, and threats. An extensive performance test was carried out to confirm the efficiency of the proposed three-tier security method. Comparisons have been made with state-of-art techniques, including DES, RSA, and DUAL-RSA, keeping into account Accuracy, QILV, F-Measure, Sensitivity, MSE, PSNR, SSIM, and computation time, encryption time, and decryption time. The proposed TLSA method provides an accuracy of 89.23%, F-Measure of 0.876, and SSIM of 0.8564 at a computation time of 5.7 s. A comparison with existing methods shows the better performance of the proposed method, thus confirming the enhanced ability to address security issues in cloud computing.
Funding: This work was supported by the National Natural Science Foundation of China (No. 61702276), the Startup Foundation for Introducing Talent of Nanjing University of Information Science and Technology under Grant 2016r055 and the Priority Academic Program Development (PAPD) of Jiangsu Higher Education Institutions. The authors are grateful for the anonymous reviewers who made constructive comments and improvements.
Abstract: Advanced cloud computing technology provides cost saving and flexibility of services for users. With the explosion of multimedia data, more and more data owners would outsource their personal multimedia data on the cloud. In the meantime, some computationally expensive tasks are also undertaken by cloud servers. However, the outsourced multimedia data and its applications may reveal the data owner’s private information because the data owners lose the control of their data. Recently, this thought has aroused new research interest on privacy-preserving reversible data hiding over outsourced multimedia data. In this paper, two reversible data hiding schemes are proposed for encrypted image data in cloud computing: reversible data hiding by homomorphic encryption and reversible data hiding in encrypted domain. The former is that additional bits are extracted after decryption and the latter is that extracted before decryption. Meanwhile, a combined scheme is also designed. This paper proposes the privacy-preserving outsourcing scheme of reversible data hiding over encrypted image data in cloud computing, which not only ensures multimedia data security without relying on the trustworthiness of cloud servers, but also guarantees that reversible data hiding can be operated over encrypted images at the different stages. Theoretical analysis confirms the correctness of the proposed encryption model and justifies the security of the proposed scheme. The computation cost of the proposed scheme is acceptable and adjusts to different security levels.
Funding: supported by National Basic Research Program of China (973 Program) (No. 2007CB310800), China Postdoctoral Science Foundation (No. 20090460107 and No. 201003794)
Abstract: With the development of Internet technology and human computing, the computing environment has changed dramatically over the last three decades. Cloud computing emerges as a paradigm of Internet computing in which dynamical, scalable and often virtualized resources are provided as services. With virtualization technology, cloud computing offers diverse services (such as virtual computing, virtual storage, virtual bandwidth, etc.) for the public by means of multi-tenancy mode. Although users are enjoying the capabilities of super-computing and mass storage supplied by cloud computing, cloud security still remains as a hot spot problem, which is in essence the trust management between data owners and storage service providers. In this paper, we propose a data coloring method based on cloud watermarking to recognize and ensure mutual reputations. The experimental results show that the robustness of reverse cloud generator can guarantee users' embedded social reputation identifications. Hence, our work provides a reference solution to the critical problem of cloud security.
Abstract: In the field of cloud computing, topics such as computing resource virtualization, differences between grid and cloud computing, relationship between high-performance computers and cloud computing centers, and cloud security and standards have attracted much research interest. This paper analyzes these topics and highlights that resource virtualization allows information services to be scalable, intensive, and specialized; grid computing involves using many computers for large-scale computing tasks, while cloud computing uses one platform for multiple services; high-performance computers may not be suitable for cloud computing; security in cloud computing focuses on trust management between service suppliers and users; and based on the existing standards, standardization of cloud computing should focus on interoperability between services.
Funding: Supported by the National Natural Science Foundation of China under Grant No. 61370068
Abstract: With the increasing popularity of cloud services, attacks on the cloud infrastructure also increase dramatically. Especially, how to monitor the integrity of cloud execution environments is still a difficult task. In this paper, a real-time dynamic integrity validation (DIV) framework is proposed to monitor the integrity of virtual machine based execution environments in the cloud. DIV can detect the integrity of the whole architecture stack from the cloud servers up to the VM OS by extending the current trusted chain into virtual machine's architecture stack. DIV introduces a trusted third party (TTP) to collect the integrity information and detect remotely the integrity violations on VMs periodically to avoid the heavy involvement of cloud tenants and unnecessary information leakage of the cloud providers. To evaluate the effectiveness and efficiency of DIV framework, a prototype on KVM/QEMU is implemented, and extensive analysis and experimental evaluation are performed. Experimental results show that the DIV can efficiently validate the integrity of files and loaded programs in real-time, with minor performance overhead.
Funding: Natural Science Research Project of Jiangsu Province Universities and Colleges (No. 17KJD520005, Congdong Lv).
Abstract: Cloud computing provides services to users through Internet. This open mode not only facilitates the access by users, but also brings potential security risks. In cloud computing, the risk of data leakage exists between users and virtual machines. Whether direct or indirect data leakage, it can be regarded as illegal information flow. Methods, such as access control models can control the information flow, but not the covert information flow. Therefore, it needs to use the noninterference models to detect the existence of illegal information flow in cloud computing architecture. Typical noninterference models are not suitable to certificate information flow in cloud computing architecture. In this paper, we propose several information flow models for cloud architecture. One model is for transitive cloud computing architecture. The others are for intransitive cloud computing architecture. When concurrent access actions execute in the cloud architecture, we want that security domain and security domain do not affect each other, that there is no information flow between security domains. But in fact, there will be more or less indirect information flow between security domains. Our models are concerned with how much information is allowed to flow. For example, in the CIP model, the other domain can learn the sequence of actions. But in the CTA model, the other domain can’t learn the information. Which security model will be used in an architecture depends on the security requirements for that architecture.
Funding: Supported by the National Natural Science Foundation of China (61170026)
Abstract: Traditional security framework in cloud platform usually brings self-vulnerability and considerable additional resource consumption. To solve these problems, we propose an external processes monitoring architecture for current popular cloud platform OpenStack with kernel-based virtual machine (KVM). With this architecture, we can monitor all active processes in online virtual machines (VMs) and scan them for their potential maliciousness in OpenStack with no agent, and can also detect hidden processes in offline VMs’ memory snapshots and notice the user to decide whether to kill them when VMs become active. Analysis and experimental results show that our architecture is able to reduce consumption of CPU, memory and bandwidth in cloud platform and can detect viruses and hidden processes effectively in VMs.
Funding: funded by the Funding of Nanjing Institute of Technology No. JXGG2021017, the National Natural Science Foundation of China No. 61701221.
Abstract: Attribute-based encryption (ABE) is a technique used to encrypt data, it has the flexibility of access control, high security, and resistance to collusion attacks, and especially it is used in cloud security protection. However, a large number of bilinear mappings are used in ABE, and the calculation of bilinear pairing is time-consuming. So there is the problem of low efficiency. On the other hand, the decryption key is not uniquely associated with personal identification information, if the decryption key is maliciously sold, ABE is unable to achieve accountability for the user. In practical applications, shared message requires hierarchical sharing in most cases, in this paper, we present a message security hierarchy ABE scheme for this scenario. Firstly, attributes were grouped and weighted according to the importance of attributes, and then an access structure based on a threshold tree was constructed according to attribute weight. This method saved the computing time for decryption while ensuring security and on-demand access to information for users. In addition, with the help of computing power in the cloud, two-step decryption was used to complete the access, which relieved the computing and storage burden on the client side. Finally, we simulated and tested the scheme based on CP-ABE, and selected different security levels to test its performance. The security proof and the experimental simulation result show that the proposed scheme has high efficiency and good performance, and the solution implements hierarchical access to the shared message.
Funding: The Deanship of Scientific Research (DSR) at King Abdulaziz University (KAU), Jeddah, Saudi Arabia has funded this project, under grant no. KEP-1-120-42.
Abstract: Cloud Computing (CC) is the preference of all information technology (IT) organizations as it offers pay-per-use based and flexible services to its users. But the privacy and security become the main hindrances in its achievement due to distributed and open architecture that is prone to intruders. Intrusion Detection System (IDS) refers to one of the commonly utilized system for detecting attacks on cloud. IDS proves to be an effective and promising technique, that identifies malicious activities and known threats by observing traffic data in computers, and warnings are given when such threats were identified. The current mainstream IDS are assisted with machine learning (ML) but have issues of low detection rates and demanded wide feature engineering. This article devises an Enhanced Coyote Optimization with Deep Learning based Intrusion Detection System for Cloud Security (ECODL-IDSCS) model. The ECODL-IDSCS model initially addresses the class imbalance data problem by the use of Adaptive Synthetic (ADASYN) technique. For detecting and classification of intrusions, long short term memory (LSTM) model is exploited. In addition, ECO algorithm is derived to optimally fine tune the hyperparameters related to the LSTM model to enhance its detection efficiency in the cloud environment. Once the presented ECODL-IDSCS model is tested on benchmark dataset, the experimental results show the promising performance of the ECODL-IDSCS model over the existing IDS models.
Funding: research Grants from the National Social Science Foundation of China (Grant No. 18FTQ005). The author of the grant is Shi Jin. The URL of the sponsor site is http://www.npopss-cn.gov.cn/.
Abstract: With the development of information technology, cloud computing technology has brought many conveniences to all aspects of work and life. With the continuous promotion, popularization and vigorous development of e-government and e-commerce, the number of documents in electronic form is getting larger and larger. Electronic document is an indispensable main tool and real record of e-government and business activities. How to scientifically and effectively manage electronic documents? This is an important issue faced by governments and enterprises in improving management efficiency, protecting state secrets or business secrets, and reducing management costs. This paper discusses the application of cloud computing technology in the construction of electronic file management system, proposes an architecture of electronic file management system based on cloud computing, and makes a more detailed discussion on key technologies and implementation. The electronic file management system is built on the cloud architecture to enable users to upload, download, share, set security roles, audit, and retrieve files based on multiple modes. An electronic file management system based on cloud computing can make full use of cloud storage, cloud security, and cloud computing technologies to achieve unified, reliable, and secure management of electronic files.
Abstract: Infrastructure as a Service (IaaS) provides logical separation between data, network, applications and machines from the physical constrains of real machines. IaaS is one of the basis of cloud virtualization. Recently, security issues are also gradually emerging with virtualization of cloud computing. Different security aspects of cloud virtualization will be explored in this research paper, security recognizing potential threats or attacks that exploit these vulnerabilities, and what security measures are used to alleviate such threats. In addition, a discussion of general security requirements and the existing security schemes is also provided. As shown in this paper, different components of virtualization environment are targets to various attacks that in turn leads to security issues compromising the whole cloud infrastructure. In this paper an overview of various cloud security aspects is also provided. Different attack scenarios of virtualization environments and security solutions to cater these attacks have been discussed in the paper. We then proceed to discuss API security concerns, data security, hijacking of user account and other security concerns. The aforementioned discussions can be used in the future to propose assessment criteria, which could be useful in analyzing the efficiency of security solutions of virtualization environment in the face of various virtual environment attacks.
Funding: supported by the National Natural Science Foundation of China (61202004, 61472192), the Special Fund for Fast Sharing of Science Paper in Net Era by CSTD (2013116), the Natural Science Fund of Higher Education of Jiangsu Province (14KJB520014)
Abstract: The dissociation between data management and data ownership makes it difficult to protect data security and privacy in cloud storage systems. Traditional encryption technologies are not suitable for data protection in cloud storage systems. A novel multi-authority proxy re-encryption mechanism based on ciphertext-policy attribute-based encryption (MPRE-CPABE) is proposed for cloud storage systems. MPRE-CPABE requires data owner to split each file into two blocks, one big block and one small block. The small block is used to encrypt the big one as the private key, and then the encrypted big block will be uploaded to the cloud storage system. Even if the uploaded big block of file is stolen, illegal users cannot get the complete information of the file easily. Ciphertext-policy attribute-based encryption (CPABE) is always criticized for its heavy overload and insecure issues when distributing keys or revoking user's access right. MPRE-CPABE applies CPABE to the multi-authority cloud storage system, and solves the above issues. The weighted access structure (WAS) is proposed to support a variety of fine-grained threshold access control policy in multi-authority environments, and reduce the computational cost of key distribution. Meanwhile, MPRE-CPABE uses proxy re-encryption to reduce the computational cost of access revocation. Experiments are implemented on platforms of Ubuntu and CloudSim. Experimental results show that MPRE-CPABE can greatly reduce the computational cost of the generation of key components and the revocation of user's access right. MPRE-CPABE is also proved secure under the security model of decisional bilinear Diffie-Hellman (DBDH).
Abstract: The theory of compressed sensing (CS) has been proposed to reduce the processing time and accelerate the scanning process. In this paper, the image recovery task is considered to outsource to the cloud server for its abundant computing and storage resources. However, the cloud server is untrusted then may pose a considerable amount of concern for potential privacy leakage. How to protect data privacy and simultaneously maintain management of the image remains challenging. Motivated by the above challenge, we propose an image encryption algorithm based on chaotic system, CS and image saliency. In our scheme, we outsource the image CS samples to cloud for reduced storage and portable computing. Consider privacy, the scheme ensures the cloud to securely reconstruct image. Theoretical analysis and experiment show the scheme achieves effectiveness, efficiency and high security simultaneously.
Abstract: Security issues in cloud networks and edge computing have become very common. This research focuses on analyzing such issues and developing the best solutions. A detailed literature review has been conducted in this regard. The findings have shown that many challenges are linked to edge computing, such as privacy concerns, security breaches, high costs, low efficiency, etc. Therefore, there is a need to implement proper security measures to overcome these issues. Using emerging trends, like machine learning, encryption, artificial intelligence, real-time monitoring, etc., can help mitigate security issues. They can also develop a secure and safe future in cloud computing. It was concluded that the security implications of edge computing can easily be covered with the help of new technologies and techniques.
Funding: the deputyship for Research & Innovation, Ministry of Education in Saudi Arabia for funding this research work through the Project Number (IFP-2022-34).
Abstract: In the cloud environment, ensuring a high level of data security is in high demand. Data planning storage optimization is part of the whole security process in the cloud environment. It enables data security by avoiding the risk of data loss and data overlapping. The development of data flow scheduling approaches in the cloud environment taking security parameters into account is insufficient. In our work, we propose a data scheduling model for the cloud environment. The model is made up of three parts that together help dispatch user data flow to the appropriate cloud VMs. The first component is the Collector Agent which must periodically collect information on the state of the network links. The second one is the monitoring agent which must then analyze, classify, and make a decision on the state of the link and finally transmit this information to the scheduler. The third one is the scheduler who must consider previous information to transfer user data, including fair distribution and reliable paths. It should be noted that each part of the proposed model requires the development of its algorithms. In this article, we are interested in the development of data transfer algorithms, including fairness distribution with the consideration of a stable link state. These algorithms are based on the grouping of transmitted files and the iterative method. The proposed algorithms show the performances to obtain an approximate solution to the studied problem which is an NP-hard (Non-Polynomial solution) problem. The experimental results show that the best algorithm is the half-grouped minimum excluding (HME), with a percentage of 91.3%, an average deviation of 0.042, and an execution time of 0.001 s.