On Scalable and Efficient Security Risk Modelling of Cloud Computing Infrastructure based on Markov processes

While cloud computing infrastructures proliferates in nowadays computing and communications technology there are few reports investigating models for their security. In this paper, new efficient models are developed and evaluated for analyzing the security-related behavior of cloud computing architectures and networks comprising complex interconnected communication systems adapted towards a generalized analysis. These cloud related models, based on Markov processes, allow calculation of critical security factors for the cloud infrastructure, related to intrusion detection, of such interconnected and distributed systems components and the evaluation of the associated security mechanisms. Although, at this step an architecture of at least three interconnected systems is analyzed, the systematic model introduced allows for a generalized model of N interconnected systems in a cloud architecture under reasonable assumptions. We herein show the principles of such an analysis. Security parameters calculation and Security mechanisms evaluation may support the risk analysis and the decision making process in resolving the trade-offs between security and quality of service characteristics corresponding to the complex interconnected computing and communication


Introduction
The increasing role of communication services makes crucial the issue of ensuring the security attributes of the underlying computing and communication infrastructures in terms of secrecy, integrity and availability.The security attacks in computer and communication systems may result in [1]: information disclosure, unauthorized modification of files, messages and transactions, masquerading or successful break-in, decreasing communication services availability, repudiation in sending and receiving messages of electronic orders or in creating and modifying files, and the possibility of traffic analysis and the creation of user/consumer profiles.These attacks may emanate from legitimate users, unauthorized users and processes, such as malicious software.Security is often cited as one of the greatest barriers to communications services, including Internet commerce.Of course, security is important to communication services in many ways, but it is really part of the way that business is enabled by the technology.Indeed, the security of communication systems, for instance for electronic commerce, is a business problem, not merely a technology one.Technologies such as public key encryption provide critical components of an overall solution, but they are not enough.Such technologies can be applied both to systems designed from scratch as well as to systems built around off-the-shelf products for Internet commerce.The important issue is to properly design the whole interconnected communication system so that security technologies could be applied.To this end a significant help could be provided by attempting to model the system computing and communication infrastructure.This is precisely the goal of this paper, namely, to model such interconnected infrastructures in terms of security.Security violations leave abnormal patterns of system usage and accounting [2,3].To cope with intrusions or attempted break-ins, system monitoring techniques or intrusion-detection mechanisms and audit trails are used, that rely on the collection of audit data and their comparison with the usage and accounting profiles maintained by the system [4].The conditional probability of detecting an intrusion given that the intrusion has occurred is called intrusion coverage and used as a measure of the effectiveness of the intrusion-detection mechanism.The number of normal and abnormal usage and accounting types (patterns) is extremely high and they can be differentiated only partially so that it is very difficult to have an intrusion coverage close to 1.An alarm is triggered if certain thresholds are reached.The detection sensitivity level and the false alarm rate depend on the thresholds set [5].Increasing the detection sensitivity level leads to higher false alarm rates, i.e., better intrusion coverage appears to be in trade-off with false alarms.Audit trails, i.e., data that allow tracing from users and transactions of related processes aim at detecting or deterring system intrusion and helping assessing the damage caused by intrusions in the case of successful ones.Issues regarded in research efforts in the context of audit trails include the analysis and specification of auditable events and the quality improvement of the mechanisms related to efficiency, protection and the prevention of denial of service.They, also, include the association and analysis of related events and the automation of intrusion detection and damage assessment functions [4].Intrusion detection mechanisms can be used in standalone or networked systems.They are based on the development of user and system or network resources usage profiles and knowledge-oriented or statistically oriented methods.They have limitations, since the absence of rules for all possible intrusion scenarios or inaccurate statistical distributions do not lead to detection of intrusions or attempted break-ins.On the other hand, they may lead to false alarms, if unexpected user actions or resource usage patterns occur, which are not foreseen by the rules or the distributions used.To study the behavior of security attacks or intrusion processes, models have to be developed and used, since it is quite impossible to directly analyze real computer systems and networks or information infrastructures to this respect.In section 2, the model is described and the mathematical notations and the system equations are discussed.In section 3, we apply the model and discuss the various results obtained for a set of parameter values.Finally, section 4 summarizes this paper with conclusions and future directions.

Cloud Security Models Description and Analysis
In this research we develop and use Markov models by considering the states of each system component of the interconnected information infrastructure, which reflect system functioning with respect to the above stated possible attacks.These states are explicitly associated with the security attributes of secrecy, integrity and availability.On the other hand, the existing dependencies between the component systems comprising the cloud infrastructure are taken into account in the proposed models.While single system security models exist in the literature [4,6], the suggested models for analyzing security parameters in infrastructures is one of the first research efforts for investigating the effects of multiple dependent systems operation in the interconnected communication and information infrastructure security planning.We assume constant arrival rates of attacks and constant state transition rates, which allow the use of exponential or geometrical distributions, since there are no exact analytical solution methods for non-Markovian models.(Approximation techniques could be used in the case of non-constant rates.) Model A-the cloud as a single system being in attack Figure 1 shows the model, which relates to a single system and consists of 7 states.The system is in state 0 when there are no security violations or attempted attacks.All security attributes are well maintained.With the first attempted attack, the system enters in state 1.The system remains in this state as long as it is under attack, the attacks are not detected and the system has not been penetrated.From this state, transition back to state 0 takes place if the attacks are detected or to state 2, if the attacker obtains authentication information and penetrates the system.The attacker remains in state 2 as long as he obtains (disclosures) confidential information and may move to state 3 if he starts to modify files, programs and messages or to state 4 if he chooses to hinder the access of authorized users to programs, hardware and data.When the attacker is detected, the system enters in the state 5, where it is reconfigured and transition back to state 0 occurs.Transition from state 0 to state 6 may take place if a false alarm is triggered.After the reconfiguration the inverse transition occurs.Transitions between states 2, 3 and 4 take place according to the actions of the attacker, which lead to unauthorized information disclosure, modification and access to system or network resources, respectively.

Notation and system of equations
In this research we use the following notation, which is common in textbooks on stochastic processes, queueing theory and Markovian chains in particular [7].λij, is the transition rate from state i to state j, τij, is the transition probability from state i to state j and Pi, is the probability of the system or network or infrastructure to be in state i (steady state).From the state-transition-rate diagram shown in Fig. 1, it is obvious that the Markov chain is irreducible and we accept the limit that Pk =lim Pk(t) as t.In the equilibrium case we are interested in that the flow must be conserved in the sense that the input flow must equal the output flow for any given state.By inspection we can establish the following equilibrium (steady-state) equations for the cloud model A.
  (5) ) ( ( 4) By means of this model we may analyze the systems comprising an interconnected information infrastructure separately.The security-related dependence between these systems can be taken into account if we adapt the probability transitions from state 1 to state 2 of the controlled system by adding to its initial value the equilibrium probability of the controlling system being in state 2. We assume that successful attacks in the various systems are independent.However, if the controlling system is penetrated, the controlled system may be penetrated immediately or with higher probability than when it is attacked directly and not through the controlling system.However, the cloud is an interconnected system of let's say N components.In order to find out the related probabilities for every component we could assume that all components are independent, each corresponding to a probability Pc(state-k), with probabilities Pc(state-k) being equal for all components c, and for every state k of the above defined system of equations.In order to estimate Pc(state-k) from the relevant P(state-k) of the cloud system, after solving the previously mentioned equations, we have to model the events involved for c=1..N and k=0..6.Under these assumptions we could have, involving the theory of total probability for independent and mutually disjoint events, since each cloud component state could be considered as such compared to the rest of cloud components, P(state-k)= P(all possible combinations of events for c=1..N components being in state k) => where it is known that, C(n,r)=n!(r!(n-r)!) If P(state-k) is known by solving the previously mentioned Markov process based system of Model A, then every Pc(state-k) can be calculated solving equation (8).

Initial Ad-Hoc Model B for cloud in intrusion
The interconnected communication and information infrastructure is modeled by a Markovian chain again for two non local systems under the same cloud.In this case an Ad Hoc analysis and model is presented, where some states are omitted.In the general form, the model relates to n systems and m states of each system, which may lead to mxn states of the Markovian chain if transitions from all states to all others are possible.We assume Markov chains which are irreducible and for which exists the limit Pk =lim Pk(t) as t->∞ for all states k. Figure 2 shows the initial model B, which relates to two systems or networks comprising an information infrastructure and consists of 12 states.The systems are in state (0,0) when there are no security violations or attempted attacks.With the first attempted attack, the attacked systems enter in state (1,0) or (0,1) if it is the first or the second system attacked.From this, state transition to state (1,1) may occur if both systems are under attack.Transition to state (2,0), (2,1) or (0,2), (1,2) takes place if the attempted intrusion leads to successful penetration of the first or the second system, respectively.If one of the systems is occupied then the second system is penetrated as well, (2,2).From this, state transition to state (3,3) occurs when the penetration is detected.After the reconfiguration of the systems, state (0,0) is entered.
From state (0,0) transition may occur to state (4,0) or (0,4) if a false alarm of the first or the second system is flagged.
However, again, this model B based cloud infrastructure is an interconnected system of let's say N components.In order to find out the related probabilities for every such component we could assume that all components are independent, as in model A, each corresponding to a probability PBc(state-k), with probabilities PBc(state-k) being equal for all components c, and for every state k of the above defined system of equations.In order to estimate PBc(state-k) from the relevant PB(state-k) of the cloud system, after solving the previously mentioned equations, we have to model the events involved for c=1..N and k=0..12.Under these assumptions we could have, involving the theory of total probability for independent and mutually disjoint events, since each cloud component state could be considered as such compared to the rest of cloud components, PB(state-k)= P(all possible combinations of events for c=1..N components being in state k) => where it is known that, C(n,r)=n!(r!(n-r)!) If PB(state-k) is known by solving the previously mentioned Markov process based system of Model A, then every PBc(state-k) can be calculated solving equation (21).

A systematic Model B for cloud in intrusion-Towards a Scalable Analysis for interconnected cloud subsystems
In this interconnected cloud model, again, the communication and information cloud infrastructure is considered as a Markovian chain moxdel.In the general form, the model relates to n systems and m states of each system, which may lead to mxn states of the Markovian chain if transitions from all states to all others are possible.We herein employ, however, a scalable model B, which leads to more unknown variables than the previous initial model B but it leads to a better, scalable and more systematic model B of two interconnected system than before.We assume again Markov chains which are irreducible and for which exists the limit Pk =lim Pk(t) as t->∞ for all states k.
Figure 3 shows the model, which relates to two systems or networks comprising an information infrastructure and consists of 14 states.Figure 3 can be obtained from figure 1 and it is its generalization for two interconnected systems.It bares similarities with figure 2 architecture, which is ad hoc.Such a systematic view could lead to other possible meaningful generalizations.Taking into account that mn states of the Markovian chain if transitions from all states to all others are possible, this means that in our case 72 = 49 states would exist.However, the proposed meaningful generalization of model A, in the case of two interconnected systems, leads, as we will see in m x n = 14 states only.The systems are in state (0,0) when there are no security violations or attempted attacks.With the first attempted attack, the attacked systems enter in state (1,0) or (0,1) if it is the first or the second system attacked.From this, state transition to state (1,1) may occur if both systems are under attack.Transition to state (2,0), (2,1) or (0,2), (1,2) takes place if the attempted intrusion leads to successful penetration of the first or the second system, respectively.If one of the systems is occupied then the second system is penetrated as well, (2,2).The attacker remains in state (2,2) as long as he obtains (disclosures) confidential information and may move to state (3,3) if he starts to modify files, programs and messages or to state (4,4) if he chooses to hinder the access of authorized users to programs, hardware and data.When the attacker is detected, the system enters in the state (5,5), where it is reconfigured and transition back to state (0,0) occurs.
After the reconfiguration the inverse transition occurs.Transition from state (0,0) to state (6,0) or (0,6) may take place if a false alarm of the first or the second system is flagged.

Fig. 1 .
Fig. 1.State-transition-rate for the diagram of model A for the cloud modelled as a single system

Fig. 2 .
Fig. 2. State-transition-rate diagram of an initial model B for two interconnected systems or networks of the same cloud infrastructure.

Fig. 3 .
Fig. 3. State-transition-rate diagram of model B for two interconnected subsystems of the cloud infrastructure.

Fig. 4 .Fig. 5 .
Fig. 4. Steady state probability of intrusion for model A as a function of intrusion coverage