A Novel Integrated Attestation Graph Analysis Scheme for Enhancing Result Quality and Higher Attacker Pinpointing Accuracy

Software-as-a-service (SaaS) cloud systems enable application service providers to deliver their applications via massive cloud computing infrastructures. However, due to their sharing nature, SaaS clouds are vulnerable to malicious attacks. In this paper, we present IntTest, a scalable and effective service integrity attestation framework for SaaS clouds. IntTest provides a novel integrated attestation graph analysis scheme that can provide stronger attacker pinpointing power than previous schemes. Moreover, IntTest can automatically enhance result quality by replacing bad results produced by malicious attackers with good results produced by benign service providers. We have implemented a prototype of the IntTest system and tested it on a production cloud computing infrastructure using IBM System S stream processing applications. Our experimental results show that IntTest can achieve higher attacker pinpointing accuracy than existing approaches. IntTest does not require any special hardware or secure kernel support and imposes little performance impact to the application, which makes it practical for large-scale cloud systems. KWYWORDS: Web services architecture (WSA); National Institute of Standards and Terminology (NIST); Infrastructure-as-a-Service (IaaS); Platform-as-a-Service (PaaS); and Software-as-a-Service (SaaS); Trusted Platform Module (TPM)

[1]  Angelos D. Keromytis,et al.  F3ildCrypt: End-to-End Protection of Sensitive Information in Web Services , 2009, ISC.

[2]  Vincent Roca,et al.  Managing and securing Web services with VPNs , 2004, Proceedings. IEEE International Conference on Web Services, 2004..

[3]  Jennifer Widom,et al.  STREAM: The Stanford Stream Data Manager , 2003, IEEE Data Eng. Bull..

[4]  Hovav Shacham,et al.  Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds , 2009, CCS.

[5]  Michel Savoie,et al.  Service-Oriented Virtual Private Networks for Grid Applications , 2007, IEEE International Conference on Web Services (ICWS 2007).

[6]  Ying Xing,et al.  The Design of the Borealis Stream Processing Engine , 2005, CIDR.

[7]  Philip S. Yu,et al.  SPADE: the system s declarative stream processing engine , 2008, SIGMOD Conference.

[8]  Gustavo Alonso,et al.  Web Services: Concepts, Architectures and Applications , 2009 .

[9]  Barbara Carminati,et al.  Towards standardized Web services privacy technologies , 2004, Proceedings. IEEE International Conference on Web Services, 2004..

[10]  Stefan Berger,et al.  TVDc: managing security in the trusted virtual datacenter , 2008, OPSR.

[11]  I. V. Ramakrishnan,et al.  A Framework for Building Privacy-Conscious Composite Web Services , 2006, 2006 IEEE International Conference on Web Services (ICWS'06).