Formal modeling and verification of security controls for multimedia systems in the cloud

Organizations deploy the Security Information and Event Management (SIEM) systems for centralized management of security alerts for securing their multimedia content. The SIEM system not only preserves events data, generated by devices and applications, in the form of logs but also performs real-time analysis of the event data. The SIEM works as the Security Operation Centre (SOC) in an organization, therefore, errors in the SIEM may compromise the security of the organization. In addition to focusing on the architecture, features, and the performance of the SIEM, it is imperative to carry out a formal analysis to verify that the system is impeccable. The ensuing research focuses mainly on the formal verification of the OSTORM a SIEM system. We have used High-Level Petri Nets (HLPN) and Z language to model and analyze the system. Moreover, Satisfiability Modulo Theories Library (SMT-Lib) and Z3 solver are used in this research to prove the correctness of the overall working of the OSTORM system. We demonstrate the correctness of the underlying system based on four security properties, namely: a) event data confidentiality, b) authentication, c) event data integrity, and d) alarm integrity. The results reveal that the OSTORM system functions correctly.

[1]  Gregorio Díaz,et al.  Model Checking Wireless Sensor Network Security Protocols: TinySec + LEAP , 2007 .

[2]  Geoffrey Fox,et al.  Modeling, simulation, and practice of floor control for synchronous and ubiquitous collaboration , 2011, Multimedia Tools and Applications.

[3]  Kashif Saghar,et al.  Formal modelling and analysis of routing protocol security in wireless sensor networks , 2009 .

[4]  William Stallings,et al.  Cryptography and network security , 1998 .

[5]  L. D. Moura,et al.  The YICES SMT Solver , 2006 .

[6]  Bixin Li,et al.  A classification and comparison of model checking software architecture techniques , 2010, J. Syst. Softw..

[7]  Armin Biere,et al.  Bounded model checking , 2003, Adv. Comput..

[8]  Roger M. Needham,et al.  Authentication revisited , 1987, OPSR.

[9]  David Garlan,et al.  Analyzing architectural styles with alloy , 2006, ROSATEA '06.

[10]  Ahmed Bouridane,et al.  Applying formal modelling to detect DoS attacks in wireless medium , 2010, 2010 7th International Symposium on Communication Systems, Networks & Digital Signal Processing (CSNDSP 2010).

[11]  Pierre de Saqui-Sannes,et al.  Multimedia Authoring with Hierarchical Timed Stream Petri Nets and Java , 2004, Multimedia Tools and Applications.

[12]  T. Aaron Gulliver,et al.  SOCaaS: Security Operations Center as a Service for Cloud Computing Environments , 2014, CloudCom 2014.

[13]  Kelly M. Kavanagh,et al.  Magic Quadrant for Security Information and Event Management , 2011 .

[14]  Behrouz A. Forouzan Cryptography & Network Security , 2007 .

[15]  Jun Sun,et al.  Using Monterey Phoenix to Formalize and Verify System Architectures , 2012, 2012 19th Asia-Pacific Software Engineering Conference.

[16]  Samee Ullah Khan,et al.  Modeling and Analysis of State-of-the-art VM-based Cloud Management Platforms , 2013, IEEE Transactions on Cloud Computing.

[17]  Shawn R. Chaput,et al.  Cloud Compliance: A Framework for Using Cloud Computing in a Regulated World , 2010, Cloud Computing.

[18]  Roger M. Needham,et al.  Using encryption for authentication in large networks of computers , 1978, CACM.

[19]  Kashif Saghar,et al.  Evaluation of a sensor network node communication using formal verification , 2015, 2015 12th International Bhurban Conference on Applied Sciences and Technology (IBCAST).

[20]  Kurt Jensen High-Level Petri Nets , 1982, European Workshop on Applications and Theory of Petri Nets.

[21]  Ahmed Bouridane,et al.  Formal modelling of a robust Wireless Sensor Network routing protocol , 2010, 2010 NASA/ESA Conference on Adaptive Hardware and Systems.

[22]  Albert Y. Zomaya,et al.  On the Characterization of the Structural Robustness of Data Center Networks , 2013, IEEE Transactions on Cloud Computing.

[23]  Kunihiko Miyazaki,et al.  How to Evaluate the Security of Real-Life Cryptographic Protocols? - The Cases of ISO/IEC 29128 and CRYPTREC , 2010, Financial Cryptography Workshops.

[24]  Vangalur S. Alagar,et al.  A formal approach for the specification and verification of trustworthy component-based systems , 2011, J. Syst. Softw..

[25]  Hridesh Rajan,et al.  Slede: a domain-specific verification framework for sensor network security protocol implementations , 2008, WiSec '08.

[26]  Richard A. Kemmerer,et al.  Formal analysis of an electronic voting system: An experience report , 2011, J. Syst. Softw..

[27]  Kang Zhao,et al.  Parallel Stimulus Generation Based on Model Checking for Coherence Protocol Verification , 2015, IEEE Transactions on Very Large Scale Integration (VLSI) Systems.

[28]  Phillip H. Griffin Secure authentication on the Internet of Things , 2017, SoutheastCon 2017.

[29]  Keke Gai,et al.  Intrusion detection techniques for mobile cloud computing in heterogeneous 5G , 2016, Secur. Commun. Networks.

[30]  David Garlan,et al.  A formal basis for architectural connection , 1997, TSEM.

[31]  Annabelle McIver,et al.  Security, Probability and Nearly Fair Coins in the Cryptographers' Café , 2009, FM.

[32]  Cesare Tinelli,et al.  Satisfiability Modulo Theories , 2018, Handbook of Model Checking.

[33]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[34]  Athanasios V. Vasilakos,et al.  Formal Verification of the xDAuth Protocol , 2016, IEEE Transactions on Information Forensics and Security.

[35]  Christel Baier,et al.  Principles of model checking , 2008 .

[36]  Clare Dixon,et al.  Toward Reliable Autonomous Robotic Assistants Through Formal Verification: A Case Study , 2016, IEEE Transactions on Human-Machine Systems.

[37]  Bruno Blanchet,et al.  Abstracting Cryptographic Protocols by Prolog Rules , 2001, SAS.

[38]  Clark W. Barrett,et al.  The SMT-LIB Standard Version 2.0 , 2010 .

[39]  A. Ihsan,et al.  Analysis of LEACH protocol(s) using formal verification , 2015, 2015 12th International Bhurban Conference on Applied Sciences and Technology (IBCAST).

[40]  Llanos Tobarra,et al.  Formal Analysis of Sensor Network Encryption Protocol (SNEP) , 2007, 2007 IEEE Internatonal Conference on Mobile Adhoc and Sensor Systems.

[41]  Jeonghun Cho,et al.  Advanced verification on WBAN and cloud computing for u-health environment , 2014, Multimedia Tools and Applications.

[42]  Mario Mišić SECURITY INFORMATION AND EVENT MANAGEMENT SYSTEMS , 2013 .

[43]  Cesare Tinelli,et al.  Satisfiability Modulo Theories , 2021, Handbook of Satisfiability.