@misc{TorkuraSukmanaStraussetal.2018,
  author    = {Torkura, Kennedy A. and Sukmana, Muhammad Ihsan Haikal and Strauss, Tim and Graupner, Hendrik and Cheng, Feng and Meinel, Christoph},
  title     = {CSBAuditor},
  series = {17th International Symposium on Network Computing and Applications (NCA)},
  journal   = {17th International Symposium on Network Computing and Applications (NCA)},
  publisher = {IEEE},
  address   = {New York},
  isbn      = {978-1-5386-7659-2},
  doi       = {10.1109/NCA.2018.8548329},
  pages     = {10},
  year      = {2018},
  abstract  = {Cloud Storage Brokers (CSB) provide seamless and concurrent access to multiple Cloud Storage Services (CSS) while abstracting cloud complexities from end-users. However, this multi-cloud strategy faces several security challenges including enlarged attack surfaces, malicious insider threats, security complexities due to integration of disparate components and API interoperability issues. Novel security approaches are imperative to tackle these security issues. Therefore, this paper proposes CSBAuditor, a novel cloud security system that continuously audits CSB resources, to detect malicious activities and unauthorized changes e.g. bucket policy misconfigurations, and remediates these anomalies. The cloud state is maintained via a continuous snapshotting mechanism thereby ensuring fault tolerance. We adopt the principles of chaos engineering by integrating Broker Monkey, a component that continuously injects failure into our reference CSB system, Cloud RAID. Hence, CSBAuditor is continuously tested for efficiency i.e. its ability to detect the changes injected by Broker Monkey. CSBAuditor employs security metrics for risk analysis by computing severity scores for detected vulnerabilities using the Common Configuration Scoring System, thereby overcoming the limitation of insufficient security metrics in existing cloud auditing schemes. CSBAuditor has been tested using various strategies including chaos engineering failure injection strategies. Our experimental evaluation validates the efficiency of our approach against the aforementioned security issues with a detection and recovery rate of over 96 \%.},
  language  = {en}
}
@misc{TorkuraSukmanaMeinigetal.2018,
  author    = {Torkura, Kennedy A. and Sukmana, Muhammad Ihsan Haikal and Meinig, Michael and Kayem, Anne V. D. M. and Cheng, Feng and Meinel, Christoph and Graupner, Hendrik},
  title     = {Securing cloud storage brokerage systems through threat models},
  series = {Proceedings IEEE 32nd International Conference on Advanced Information Networking and Applications (AINA)},
  journal   = {Proceedings IEEE 32nd International Conference on Advanced Information Networking and Applications (AINA)},
  publisher = {IEEE},
  address   = {New York},
  isbn      = {978-1-5386-2195-0},
  issn      = {1550-445X},
  doi       = {10.1109/AINA.2018.00114},
  pages     = {759 -- 768},
  year      = {2018},
  abstract  = {Cloud storage brokerage is an abstraction aimed at providing value-added services. However, Cloud Service Brokers are challenged by several security issues including enlarged attack surfaces due to integration of disparate components and API interoperability issues. Therefore, appropriate security risk assessment methods are required to identify and evaluate these security issues, and examine the efficiency of countermeasures. A possible approach for satisfying these requirements is employment of threat modeling concepts, which have been successfully applied in traditional paradigms. In this work, we employ threat models including attack trees, attack graphs and Data Flow Diagrams against a Cloud Service Broker (CloudRAID) and analyze these security threats and risks. Furthermore, we propose an innovative technique for combining Common Vulnerability Scoring System (CVSS) and Common Configuration Scoring System (CCSS) base scores in probabilistic attack graphs to cater for configuration-based vulnerabilities which are typically leveraged for attacking cloud storage systems. This approach is necessary since existing schemes do not provide sufficient security metrics, which are imperatives for comprehensive risk assessments. We demonstrate the efficiency of our proposal by devising CCSS base scores for two common attacks against cloud storage: Cloud Storage Enumeration Attack and Cloud Storage Exploitation Attack. These metrics are then used in Attack Graph Metric-based risk assessment. Our experimental evaluation shows that our approach caters for the aforementioned gaps and provides efficient security hardening options. Therefore, our proposals can be employed to improve cloud security.},
  language  = {en}
}
@misc{TorkuraSukmanaKayemetal.2018,
  author    = {Torkura, Kennedy A. and Sukmana, Muhammad Ihsan Haikal and Kayem, Anne V. D. M. and Cheng, Feng and Meinel, Christoph},
  title     = {A cyber risk based moving target defense mechanism for microservice architectures},
  series = {IEEE Intl Conf on Parallel \& Distributed Processing with Applications, Ubiquitous Computing \& Communications, Big Data \& Cloud Computing, Social Computing \& Networking, Sustainable Computing \& Communications (ISPA/IUCC/BDCloud/SocialCom/SustainCom)},
  journal   = {IEEE Intl Conf on Parallel \& Distributed Processing with Applications, Ubiquitous Computing \& Communications, Big Data \& Cloud Computing, Social Computing \& Networking, Sustainable Computing \& Communications (ISPA/IUCC/BDCloud/SocialCom/SustainCom)},
  publisher = {Institute of Electrical and Electronics Engineers},
  address   = {Los Alamitos},
  isbn      = {978-1-7281-1141-4},
  issn      = {2158-9178},
  doi       = {10.1109/BDCloud.2018.00137},
  pages     = {932 -- 939},
  year      = {2018},
  abstract  = {Microservice Architectures (MSA) structure applications as a collection of loosely coupled services that implement business capabilities. The key advantages of MSA include inherent support for continuous deployment of large complex applications, agility and enhanced productivity. However, studies indicate that most MSA are homogeneous, and introduce shared vulnerabilites, thus vulnerable to multi-step attacks, which are economics-of-scale incentives to attackers. In this paper, we address the issue of shared vulnerabilities in microservices with a novel solution based on the concept of Moving Target Defenses (MTD). Our mechanism works by performing risk analysis against microservices to detect and prioritize vulnerabilities. Thereafter, security risk-oriented software diversification is employed, guided by a defined diversification index. The diversification is performed at runtime, leveraging both model and template based automatic code generation techniques to automatically transform programming languages and container images of the microservices. Consequently, the microservices attack surfaces are altered thereby introducing uncertainty for attackers while reducing the attackability of the microservices. Our experiments demonstrate the efficiency of our solution, with an average success rate of over 70\% attack surface randomization.},
  language  = {en}
}
@misc{TorkuraSukmanaChengetal.2017,
  author    = {Torkura, Kennedy A. and Sukmana, Muhammad Ihsan Haikal and Cheng, Feng and Meinel, Christoph},
  title     = {Leveraging cloud native design patterns for security-as-a-service applications},
  series = {IEEE International Conference on Smart Cloud (SmartCloud)},
  journal   = {IEEE International Conference on Smart Cloud (SmartCloud)},
  publisher = {Institute of Electrical and Electronics Engineers},
  address   = {New York},
  isbn      = {978-1-5386-3684-8},
  doi       = {10.1109/SmartCloud.2017.21},
  pages     = {90 -- 97},
  year      = {2017},
  abstract  = {This paper discusses a new approach for designing and deploying Security-as-a-Service (SecaaS) applications using cloud native design patterns. Current SecaaS approaches do not efficiently handle the increasing threats to computer systems and applications. For example, requests for security assessments drastically increase after a high-risk security vulnerability is disclosed. In such scenarios, SecaaS applications are unable to dynamically scale to serve requests. A root cause of this challenge is employment of architectures not specifically fitted to cloud environments. Cloud native design patterns resolve this challenge by enabling certain properties e.g. massive scalability and resiliency via the combination of microservice patterns and cloud-focused design patterns. However adopting these patterns is a complex process, during which several security issues are introduced. In this work, we investigate these security issues, we redesign and deploy a monolithic SecaaS application using cloud native design patterns while considering appropriate, layered security counter-measures i.e. at the application and cloud networking layer. Our prototype implementation out-performs traditional, monolithic applications with an average Scanner Time of 6 minutes, without compromising security. Our approach can be employed for designing secure, scalable and performant SecaaS applications that effectively handle unexpected increase in security assessment requests.},
  language  = {en}
}
@misc{SukmanaTorkuraGraupneretal.2019,
  author    = {Sukmana, Muhammad Ihsan Haikal and Torkura, Kennedy A. and Graupner, Hendrik and Cheng, Feng and Meinel, Christoph},
  title     = {Unified Cloud Access Control Model for Cloud Storage Broker},
  series = {33rd International Conference on Information Networking (ICOIN 2019)},
  journal   = {33rd International Conference on Information Networking (ICOIN 2019)},
  publisher = {IEEE},
  address   = {Los Alamitos},
  isbn      = {978-1-5386-8350-7},
  issn      = {1976-7684},
  doi       = {10.1109/ICOIN.2019.8717982},
  pages     = {60 -- 65},
  year      = {2019},
  abstract  = {Cloud Storage Broker (CSB) provides value-added cloud storage service for enterprise usage by leveraging multi-cloud storage architecture. However, it raises several challenges for managing resources and its access control in multiple Cloud Service Providers (CSPs) for authorized CSB stakeholders. In this paper we propose unified cloud access control model that provides the abstraction of CSP's services for centralized and automated cloud resource and access control management in multiple CSPs. Our proposal offers role-based access control for CSB stakeholders to access cloud resources by assigning necessary privileges and access control list for cloud resources and CSB stakeholders, respectively, following privilege separation concept and least privilege principle. We implement our unified model in a CSB system called CloudRAID for Business (CfB) with the evaluation result shows it provides system-and-cloud level security service for cfB and centralized resource and access control management in multiple CSPs.},
  language  = {en}
}
@misc{SukmanaTorkuraChengetal.2018,
  author    = {Sukmana, Muhammad Ihsan Haikal and Torkura, Kennedy A. and Cheng, Feng and Meinel, Christoph and Graupner, Hendrik},
  title     = {Unified logging system for monitoring multiple cloud storage providers in cloud storage broker},
  series = {32ND International Conference on Information Networking (ICOIN)},
  journal   = {32ND International Conference on Information Networking (ICOIN)},
  publisher = {IEEE},
  address   = {New York},
  isbn      = {978-1-5386-2290-2},
  doi       = {10.1109/ICOIN.2018.8343081},
  pages     = {44 -- 49},
  year      = {2018},
  abstract  = {With the increasing demand for personal and enterprise data storage service, Cloud Storage Broker (CSB) provides cloud storage service using multiple Cloud Service Providers (CSPs) with guaranteed Quality of Service (QoS), such as data availability and security. However monitoring cloud storage usage in multiple CSPs has become a challenge for CSB due to lack of standardized logging format for cloud services that causes each CSP to implement its own format. In this paper we propose a unified logging system that can be used by CSB to monitor cloud storage usage across multiple CSPs. We gather cloud storage log files from three different CSPs and normalise these into our proposed log format that can be used for further analysis process. We show that our work enables a coherent view suitable for data navigation, monitoring, and analytics.},
  language  = {en}
}
@misc{GawronChengMeinel2018,
  author    = {Gawron, Marian and Cheng, Feng and Meinel, Christoph},
  title     = {Automatic vulnerability classification using machine learning},
  series = {Risks and Security of Internet and Systems},
  journal   = {Risks and Security of Internet and Systems},
  publisher = {Springer},
  address   = {Cham},
  isbn      = {978-3-319-76687-4},
  issn      = {0302-9743},
  doi       = {10.1007/978-3-319-76687-4_1},
  pages     = {3 -- 17},
  year      = {2018},
  abstract  = {The classification of vulnerabilities is a fundamental step to derive formal attributes that allow a deeper analysis. Therefore, it is required that this classification has to be performed timely and accurate. Since the current situation demands a manual interaction in the classification process, the timely processing becomes a serious issue. Thus, we propose an automated alternative to the manual classification, because the amount of identified vulnerabilities per day cannot be processed manually anymore. We implemented two different approaches that are able to automatically classify vulnerabilities based on the vulnerability description. We evaluated our approaches, which use Neural Networks and the Naive Bayes methods respectively, on the base of publicly known vulnerabilities.},
  language  = {en}
}
@misc{GawronChengMeinel2017,
  author    = {Gawron, Marian and Cheng, Feng and Meinel, Christoph},
  title     = {PVD: Passive Vulnerability Detection},
  series = {8th International Conference on Information and Communication Systems (ICICS)},
  journal   = {8th International Conference on Information and Communication Systems (ICICS)},
  publisher = {IEEE},
  address   = {New York},
  isbn      = {978-1-5090-4243-2},
  issn      = {2471-125X},
  doi       = {10.1109/IACS.2017.7921992},
  pages     = {322 -- 327},
  year      = {2017},
  abstract  = {The identification of vulnerabilities relies on detailed information about the target infrastructure. The gathering of the necessary information is a crucial step that requires an intensive scanning or mature expertise and knowledge about the system even though the information was already available in a different context. In this paper we propose a new method to detect vulnerabilities that reuses the existing information and eliminates the necessity of a comprehensive scan of the target system. Since our approach is able to identify vulnerabilities without the additional effort of a scan, we are able to increase the overall performance of the detection. Because of the reuse and the removal of the active testing procedures, our approach could be classified as a passive vulnerability detection. We will explain the approach and illustrate the additional possibility to increase the security awareness of users. Therefore, we applied the approach on an experimental setup and extracted security relevant information from web logs.},
  language  = {en}
}