2012 4th International Conference on Electronics Computer Technology (ICECT 2012)




Cloud Monitoring and Forensic using Security Metrics

Sandeep Saxena
Computer Science and Engineering
Galgotias College of Engineering & Technology
Greater Noida, India
Sandeepsaxena4444@gmail.com

Goutam Sanyal
Computer Science and Engineering
National Institute of Technology
Durgapur, India
nitgsanyal@gmail.com

978-1-4673-1850-1/12/$31.00 © 2012 IEEE

Abstract— In the current scenario, cloud forensics is a challenging job for cloud providers because the cloud does not physically exist in one place or within one country. It is dispersed worldwide, and every country possesses its own jurisdiction over access to personal or private data. We therefore need a common approach to perform these tasks efficiently and effectively. A service level agreement (SLA) between the cloud service provider (CSP) and the consumer can give the provider the right to monitor the consumer's activities throughout the consumer's session in the cloud environment and to save those activities on a cloud server for later forensics if any illegal or malicious activity is performed. Intrusion detection systems (IDS) are widely used for forensic analysis whenever required. A host-based IDS is deployed on a particular system under study and is able to watch the regular activities of the user/consumer. Intrusion detection involves two types of techniques: anomaly detection, which is based on behavior/heuristic rules, and misuse detection, which is based on patterns and signatures.

Keywords- Cloud, Security Metrics, Forensic, Cloud Monitoring

I.      INTRODUCTION

We are entering a new epoch of computing, and it is all about the "cloud". This immediately brings up several important questions, which deserve thoughtful answers: "Why do we use cloud computing?" "Is it real, or just another catchphrase?" And most important, "How does it affect us?" In a nutshell, cloud computing is completely real and will affect more or less everyone. Cloud computing is defined as "Cloud computing paradigm is used to enable expedient, on-demand network (cloud) access to a public pool of configurable computing resources (e.g. Networks, Servers, Storage, Application and Services) that can be fast stipulated and released with minimal management effort or service provider interaction". It is also known as a self-service environment for computing resources.

In cloud terminology, the phrase "as-a-service" is widely used. It simply means that a given cloud product (whether Infrastructure-as-a-Service, Platform-as-a-Service or Software-as-a-Service) is offered in a way that it can be "rented" by customers over the Internet. By "rented," we mean that you pay only for as much as you use. It is frequently described as an "on demand" service because it is accessible whenever you need it. In the current communication infrastructure there are two types of cloud, namely public and private clouds [1].

Public Clouds:
A service provider runs cloud platforms and makes them available to many end-user organizations. These clouds provide application-as-a-service or platform-as-a-service.

Private Clouds:
A cloud platform runs solely for a single end-user organization, such as a financial institution or a retailer. The technology resembles that of public clouds, but the economic prospects are different. It exists within the premises of the individual organization.

Figure 1: Public cloud (service provider) and Private cloud (On-Premises)

Although much research has been done in the cloud computing arena, this is not to say that cloud computing is perfect. It's not. Actually, it's not even close. It is very new, and there are thousands of kinks still to be worked out. According to the National Institute of Standards and Technology (NIST) Computer Security Division, the cloud paradigm still suffers from significant security lacunae. For example, Software as a Service (SaaS) vendors are implementing various security approaches, raising critical questions about where data is hosted, international privacy
laws, exposure of data to foreign entities, nonstandard authentication, monitoring, forensics and leaks in multitenant architectures. These security concerns put mission-critical data at risk while slowing the adoption of cloud computing technologies. That is why cloud monitoring and forensics are such important issues for attracting consumers and for gaining their belief that they are secure not only from users outside the cloud but also from other consumers inside the cloud service environment.

This paper is organized as follows. Section II covers the analysis of previous related research in the area of cloud forensics. Section III presents the proposed methodology and a generic security architecture for cloud systems. Finally, Section IV concludes the paper and gives its future directions.

II. ANALYSIS OF PREVIOUS RESEARCHES

Currently, security design is validated using model-based and methodology-based approaches. For example, NIST introduces a system security model in which security services are functionally defined [2]. It differentiates between security support, prevention, and detection and recovery services.

NIST has also defined a model for security metrics, which is limited to the definition of key security service terms and does not consider a construct theory of security for any specific system of interest.

A security model that comes closer to a construct theory of security is the International Telecommunications Union's (ITU) data network and open communication security architecture for systems providing end-to-end communications (X.805 Standard) [3]. It presents the telecommunication architecture as a combination of three layers:

Infrastructure Level: The set of hardware and software components that provide telecommunication functionality.
Service Level: The billable customer traffic flows.
Application Level: This is the layer that motivates users to pay for the control layer services.

In the current IT generation there are three security tenets: confidentiality, integrity and availability. Confidentiality means that communication must be secure from an intruder who tries to access data through passive or active attacks. Integrity means that data must remain the same as it was when transferred from the source. Availability means that data must be available to authenticated and authorized users. We consider these three tenets wherever security is applied in IT environments. Beyond these issues, however, we must recognize that the source itself may be an intruder who tries to perform illegal or malicious activity on the network or against particular users on the same network. For such cases, we need to monitor users' activity as a preventive measure to provide security to other users on the network/Internet. Monitoring and forensics are major security concerns for taking appropriate action against intruders or attackers. In the new era of cloud computing technology, the most demanding requirement is to secure our cloud environment from insiders, because this is the most flexible environment in which to provision and de-provision any cloud service.

The architectural services of cloud computing are of three types: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS).

Software-as-a-service (SaaS):
SaaS is the highest layer of service. It provides a complete application as a service on demand, with multi-tenancy, which means that a single instance of the application runs on the provider's infrastructure and serves many client organizations. Examples of SaaS are salesforce.com, Google Apps, etc.

Platform-as-a-service (PaaS):
The middle layer, PaaS, offers every phase of software development and testing, or it can be specialized around a particular area, such as content management. An example is Google App Engine, which serves applications on Google's infrastructure [4].

Infrastructure-as-a-service (IaaS):
The lowest layer, IaaS, provides basic storage and computing capabilities as standard services over the network. Servers, switches, gateways, routers, storage systems and other resources are pooled in one place. An example is Amazon Web Services, whose EC2 and S3 services offer bare-bones compute and storage services respectively [5]. Another example is Joyent, which provides a line of virtualized servers offering a highly scalable on-demand infrastructure for running web sites, web applications, etc.

The details of these services (IaaS, PaaS and SaaS) may form a basis for differentiating system-level functions, which helps identify the basis for security features. An IaaS service may provide secure network and storage services. A SaaS service may provide a secure application service, but leave end-user ID provisioning and auditing to the customer [9].

A cloud computing environment may contain malicious insiders who perform malicious activities. To gain the trust of customers, a trusted third party may be used to provide strong authentication for financial transactions, authorization, data confidentiality and non-repudiation in the cloud environment [10].

A monitoring system is used to monitor consumer activity regularly; when we find any illegal or malicious activity by a consumer, we need to start forensics to find the root cause. Forensic analysis deals with the detection, prevention, acquisition and provenance methods used to produce digital evidence that establishes cyber crime in a court of law [6]. Computer forensic tools (CFT) are used to recover data as evidence that verifies and validates an action/activity before a court of law. Forensic experts install packet sniffers and monitoring tools (MT) on the targeted machine to collect volatile information. If a computer investigation involves a private cloud, the digital evidence resides within the organization or within its outsourced supplier. The main areas for potential evidence are the servers, applications and data repositories that reside within
the company or organization. In a public cloud, however, it is much more difficult to identify and collect evidence because, as we know, the cloud computing environment aims to be dynamic and customizable [11].

III. PROPOSED GENERIC MODEL FOR CLOUD MONITORING AND FORENSICS

In the current environment, cloud computing will gain the high trust of business and financial institutions by using a strong monitoring and forensic methodology to ensure privacy, confidentiality, and tracking of all consumer activities at the cloud service provider (CSP) end. It must be ensured that the consumer of a CSP is persuaded that the attribution data used for forensics is managed in a secure manner. If this information is compromised, the whole model collapses.

In this paper, we propose a methodology through which we can develop a complete architecture that provides service to our consumers and includes a secure monitoring and forensic system. Before implementing this model, we have a Service Level Agreement (SLA) with our consumers. The SLA contains rules and regulations, signed by the consumer, stating that if any illegal or malicious activity is performed, we will stop the consumer's system and remote service and take appropriate action against the consumer.

A. PROPOSED METHODOLOGY

Figure 2 represents the proposed methodology, which is implemented with the help of the various monitoring and forensic tools and techniques available in current technology. The methodology is developed for a secure monitoring and forensic system, in which forensics is not performed until malicious or illegal activity is found on a particular consumer system. In this methodology we use pattern- or signature-based misuse detection, which is also used in Intrusion Detection Systems (IDS).

When any signature is found in the data or information sent over the communication channel, the automatic forensic system is activated at that time to collect the data or information and save it in metrics as digital evidence.

Our proposed methodology contains 5 steps, given in the figure.

Figure 2: Monitoring and Forensic Methodology

Step 1: Monitoring Consumer Activity and Save Session log Records

The threat of a malicious insider or disgruntled employee is well known to most organizations. This threat is greater for consumers of cloud services because IT services and customers are united under the same management domain, combined with a general lack of transparency into provider procedures and processes.

For example, a provider may not disclose how it grants employees access to physical and virtual resources, how it monitors these employees or consumers, or how it analyzes and reports on policy compliance. To complicate matters, there is often little or no visibility into the recruiting standards and practices for cloud employees. This kind of situation clearly creates an attractive opportunity for an adversary — ranging from the professional hacker, to organized crime, to commercial espionage, or even nation-state sponsored intrusion. The level of access approved could enable such an adversary to obtain confidential data or gain complete control over the cloud services with little or no risk of detection [7].

To provide security to other consumers against a malicious insider, we need to monitor each and every consumer of our cloud environment. In this step we monitor the consumer's activity and save the records during the session. This record is maintained temporarily in the cloud environment for the further steps.

Step 2: Find any Malicious Activity Match with Signature

In this step, we continue to scan user activities at the system and application level. In order to identify malicious or illegal activities, we have developed signature-based methods in which we check the contents of packets going out of the cloud system and match them against the saved signatures. If a signature matches, the consumer is identified as having performed malicious activity. After identifying the malevolent host, we mark it as a malicious node in the cloud environment. For the development of new
signatures, we use real-time experience from our existing non-cloud environment.

Step 3: Automated Forensic System will be activated to Store All Activities and Data in Metrics

As soon as we identify the malevolent host, an automated forensic system is activated and collects all previous and current activities of that particular malevolent node. When all data has been collected for forensic purposes, we save it in predefined security matrices according to a predefined format. This data is saved on a separate forensic server, which is accessed by the cloud administrator.

Step 4: Stop Remote Access OR Outside the cloud Services (at the same Time, Message send to consumer on Phone and Email).

After identifying illegal activities performed by the malevolent host, it is required to collect all data from that node and save it in security metrics for the purpose of forensics. We stop the malevolent node's services from accessing anything outside its cloud environment, and we regularly watch and store its activities.

To confirm a possible wrong authentication, we send a message to the consumer's phone number and email address stating that the consumer has been found to have performed malicious activity on the cloud service environment.

Step 5: Administrator Checks Security Metrics and collects data then send to higher authority for Legal Processing.

In this step, the administrator performs the further proceedings. In this phase the administrator analyzes the data saved in the security metrics and collects the details of the consumer who performed the malicious activities. The administrator collects all details (the consumer's personal information, the malicious activities, the evidence collected through forensics, and the victims) and sends all these details to a higher authority for further legal proceedings.

B. PROPOSED GENERIC MODEL FOR CLOUD MONITORING AND FORENSICS:

In the current environment, cloud computing will gain the high trust of business and financial institutions by using a strong monitoring and forensic methodology to ensure privacy, confidentiality, and tracking of all consumer activities at the cloud service provider (CSP) end. It must be ensured that the consumer of a CSP is persuaded that the attribution data used for forensics is managed in a secure manner. If this information is compromised, the whole model collapses [8].

In this paper, we propose a methodology through which we can develop a complete architecture that provides service to our consumers and includes a secure monitoring and forensic system. Before implementing this model, we have a Service Level Agreement (SLA) with our consumers. The SLA contains rules and regulations, signed by the consumer, stating that if any illegal or malicious activity is performed, we will stop the consumer's system and remote service and take appropriate action against the consumer.

Figure 3: Generic architecture for cloud monitoring and forensic

Figure 3 represents the generic architecture, according to the proposed methodology, for cloud monitoring and forensics. In this architecture, we use a host-based IDS to monitor incoming and outgoing network communication on the consumer system. The IDS includes both anomaly detection and misuse detection techniques for identifying activities on the host system. The architecture includes 6 steps, which are shown in Figure 2.

In the first step, when any malicious activity is identified on a consumer system, it is reported to the cloud server.
In the second step, when the cloud server receives a report of malicious activity from a cloud system/consumer system, it invokes the forensics system and collects data from the consumer system.
In the third step, the cloud server collects the data in metrics, because multiple consumers may have performed malicious/illegal activities during their log sessions.
In the fourth step, the cloud administrator checks the data saved in the metrics and verifies the consumer's details available on the cloud.
In the fifth step, the cloud administrator sends the collected data/information to the higher authority for further proceedings.
In the sixth step, the higher authority checks and verifies the data/information, discusses it with its legal advisor, and then takes legal action against the consumer as per cyber law and jurisdiction.

IV.    CONCLUSION AND FUTURE WORK

Cloud services are growing rapidly and favor the advent of new service providers. User confidence and privacy are the biggest challenges for cloud service providers. In this paper we proposed a novel forensics methodology and its legal jurisdiction to assure the confidentiality of cloud users. In order to perform forensics on the cloud, we create a security matrix and monitor each user's activity to create an audit trail for investigation purposes. To make this process legally right, there is a procedure of service level agreement with the customer. In future we will focus on the rule base of the security matrix and the integrity part of the user's data.
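
Steps 1 to 5 of Section III.A can be sketched as a small pipeline over outbound traffic. This is an added example, not code from the paper: the signature patterns, the record fields, the class and function names and the sample traffic are constructed for illustration, and the SHA-256 chain over the evidence records is an assumption about how the "secure manner" requirement could be checked, since the paper defines neither a rule base nor a metrics format.

```python
import hashlib
import json
import re
from collections import defaultdict

# Constructed signature rule base (assumption: the paper publishes no rules).
SIGNATURES = {
    "card-number-egress": re.compile(rb"\b(?:\d{4}[- ]){3}\d{4}\b"),
    "passwd-file-egress": re.compile(rb"root:[^:\n]*:0:0:"),
}
GENESIS = "0" * 64  # 'prev' value of the first evidence record


def record_digest(record):
    """SHA-256 over a canonical JSON encoding of an evidence record."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class CloudMonitor:
    """Hypothetical monitor covering Steps 1-5 for outbound packets."""

    def __init__(self):
        self.session_log = defaultdict(list)  # Step 1: temporary session records
        self.metrics = []                     # Step 3: evidence store ("security metrics")
        self.blocked = set()                  # Step 4: consumers cut off from outside
        self.outbox = []                      # Step 4: queued phone/e-mail notices

    def _store(self, consumer, kind, signatures, events):
        """Append one evidence record chained to the previous record's digest."""
        record = {
            "consumer": consumer,
            "kind": kind,
            "signatures": signatures,
            "events": events,
            "prev": self.metrics[-1]["digest"] if self.metrics else GENESIS,
        }
        record["digest"] = record_digest(record)
        self.metrics.append(record)

    def observe(self, consumer, ts, payload):
        """Handle one outbound packet and return the verdict for it."""
        event = {"ts": ts, "size": len(payload),
                 "sha256": hashlib.sha256(payload).hexdigest()}
        self.session_log[consumer].append(event)             # Step 1
        if consumer in self.blocked:
            # Step 4: access stays stopped, activity is still watched and stored.
            self._store(consumer, "post-block", [], [event])
            return "dropped"
        hits = sorted(n for n, rx in SIGNATURES.items() if rx.search(payload))
        if not hits:                                          # Step 2: no match
            return "forwarded"
        # Step 3: collect previous and current activity of the flagged node.
        self._store(consumer, "detection", hits, list(self.session_log[consumer]))
        self.blocked.add(consumer)                            # Step 4
        self.outbox.append((consumer, "phone+email",
                            "Malicious activity detected; outside access stopped."))
        return "blocked"

    def verify_chain(self):
        """Recompute every digest; False if any stored record was altered."""
        prev = GENESIS
        for rec in self.metrics:
            body = {k: v for k, v in rec.items() if k != "digest"}
            if rec["prev"] != prev or record_digest(body) != rec["digest"]:
                return False
            prev = rec["digest"]
        return True

    def admin_report(self, consumer):
        """Step 5: summary the administrator forwards to the higher authority."""
        if not self.verify_chain():
            raise ValueError("security metrics failed the integrity check")
        recs = [r for r in self.metrics if r["consumer"] == consumer]
        return {
            "consumer": consumer,
            "signatures": sorted({s for r in recs for s in r["signatures"]}),
            "evidence_events": sum(len(r["events"]) for r in recs),
            "last_digest": recs[-1]["digest"] if recs else None,
        }


# Constructed sample traffic: (consumer, timestamp, outbound payload).
SAMPLE_TRAFFIC = [
    ("tenant-a", 1, b"GET /index.html HTTP/1.1"),
    ("tenant-b", 2, b"POST /sync data=hello"),
    ("tenant-a", 3, b"POST /up card=4111-1111-1111-1111"),
    ("tenant-a", 4, b"GET /next HTTP/1.1"),
    ("tenant-b", 5, b"GET /status HTTP/1.1"),
]


def run_sample():
    """Feed the constructed traffic through a fresh monitor."""
    mon = CloudMonitor()
    verdicts = [mon.observe(c, ts, p) for c, ts, p in SAMPLE_TRAFFIC]
    return mon, verdicts


if __name__ == "__main__":
    monitor, results = run_sample()
    print(results)
    print(json.dumps(monitor.admin_report("tenant-a"), indent=2))
```

The chain makes tampering evident only if the latest digest is also kept somewhere the forensic server's administrators cannot rewrite.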


                   REFERENCES
1.  Cary Landis and Dan Blacharski, "Cloud Computing Made Easy", Version 0.3.
2.  G. Stoneburner, "Underlying Technical Models for Information Technology Security," National Institute of Standards and Technology, 2001.
3.  G. McGraw, Software Security: Addison-Wesley, 2006.
4.  Google App Engine, http://appengine.google.com
5.  Amazon Elastic Compute Cloud (EC2), http://www.amazon.com/ec2
6.  Gary C. Kessler, "Anti-Forensic and the Digital Investigator", Champlain College, Burlington, VT, USA; Edith Cowan University, Mount Lawley, WA, Australia.
7.  CSA Cloud Security Alliance, Top Threats to Cloud Computing V1.0, 2010.
8.  Shaftab Ahmad and M. Yahin Akhtar Raja, "Tackling Cloud Security Issues And Forensic Model", IEEE 2010.
9.  Jennifer Bayuk, "Cloud Security Metrics", 6th International Conference on System of Systems Engineering, Albuquerque, New Mexico, USA, June 27-30, 2011 (IEEE).
10. D. Zissis and D. Lekkas, "Addressing Cloud Computing Security Issues", Future Generation Computer Systems (2011), Elsevier, doi:10.1016/j.future.2010.12.006
11. M. Taylor, J. Haggerty, D. Gresty and R. Hegarty, "Digital evidence in cloud computing systems", Computer Law and Security Review 26 (2010) 304-308, published by Elsevier Ltd.




Introduction to aneka cloudIntroduction to aneka cloud
Introduction to aneka cloud
 
Cloud Computing Basics Features and Services
Cloud Computing Basics Features and ServicesCloud Computing Basics Features and Services
Cloud Computing Basics Features and Services
 
It auditing to assure a secure cloud computing
It auditing to assure a secure cloud computingIt auditing to assure a secure cloud computing
It auditing to assure a secure cloud computing
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
A Review on Data Protection of Cloud Computing Security, Benefits, Risks and ...
A Review on Data Protection of Cloud Computing Security, Benefits, Risks and ...A Review on Data Protection of Cloud Computing Security, Benefits, Risks and ...
A Review on Data Protection of Cloud Computing Security, Benefits, Risks and ...
 
IRJET- A Detailed Study and Analysis of Cloud Computing Usage with Real-Time ...
IRJET- A Detailed Study and Analysis of Cloud Computing Usage with Real-Time ...IRJET- A Detailed Study and Analysis of Cloud Computing Usage with Real-Time ...
IRJET- A Detailed Study and Analysis of Cloud Computing Usage with Real-Time ...
 
Enhancing Data Storage Security in Cloud Computing Through Steganography
Enhancing Data Storage Security in Cloud Computing Through SteganographyEnhancing Data Storage Security in Cloud Computing Through Steganography
Enhancing Data Storage Security in Cloud Computing Through Steganography
 
A Novel Computing Paradigm for Data Protection in Cloud Computing
A Novel Computing Paradigm for Data Protection in Cloud ComputingA Novel Computing Paradigm for Data Protection in Cloud Computing
A Novel Computing Paradigm for Data Protection in Cloud Computing
 
Cc unit 3 updated version
Cc unit 3 updated versionCc unit 3 updated version
Cc unit 3 updated version
 
SURVEY ON KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING
SURVEY ON KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARINGSURVEY ON KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING
SURVEY ON KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING
 
A Survey of Cloud Computing Security Issues and Consequences
A Survey of Cloud Computing Security Issues and ConsequencesA Survey of Cloud Computing Security Issues and Consequences
A Survey of Cloud Computing Security Issues and Consequences
 
A Detail Overview of Cloud Computing with its Opportunities and Obstacles in ...
A Detail Overview of Cloud Computing with its Opportunities and Obstacles in ...A Detail Overview of Cloud Computing with its Opportunities and Obstacles in ...
A Detail Overview of Cloud Computing with its Opportunities and Obstacles in ...
 
SECURITY ISSUES IN CLOUD COMPUTING
SECURITY ISSUES IN CLOUD COMPUTINGSECURITY ISSUES IN CLOUD COMPUTING
SECURITY ISSUES IN CLOUD COMPUTING
 
An Overview on Security Issues in Cloud Computing
An Overview on Security Issues in Cloud ComputingAn Overview on Security Issues in Cloud Computing
An Overview on Security Issues in Cloud Computing
 
A SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTURE
A SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTUREA SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTURE
A SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTURE
 
Security in cloud computing
Security in cloud computingSecurity in cloud computing
Security in cloud computing
 

Rp059 Icect2012 E694

2012 4th International Conference on Electronics Computer Technology (ICECT 2012)

Cloud Monitoring and Forensic using Security Metrics

Sandeep Saxena, Computer Science and Engineering, Galgotias College of Engineering & Technology, Greater Noida, India, Sandeepsaxena4444@gmail.com
Goutam Sanyal, Computer Science and Engineering, National Institute of Technology, Durgapur, India, nitgsanyal@gmail.com

978-1-4673-1850-1/12/$31.00 © 2012 IEEE

Abstract: In the current scenario, cloud forensics is a challenging job for cloud providers because the cloud does not physically exist in one place or within one country. It is dispersed worldwide, and every country possesses its own jurisdiction over access to personal or private data. So we need a common approach to perform these tasks efficiently and effectively. We may use a service level agreement (SLA) between the cloud service provider (CSP) and the consumer to obtain the right to monitor the consumer's activities throughout the session used in the cloud environment, and to save those activities in some place on a cloud server for the purpose of further forensics if any illegal or malicious activity is performed. We know that intrusion detection systems (IDS) are widely used for forensic analysis whenever required. A host-based IDS is used to study a particular system and is able to watch the regular activities of the user/consumer. The intrusion detection system involves two types of techniques: anomaly detection, which detects based on behavior/heuristic rules, and misuse detection, which detects based on patterns and signatures.

Keywords: Cloud, Security Metrics, Forensic, Cloud Monitoring

I. INTRODUCTION

We are entering a new epoch of computing, and it is all about the "cloud". This immediately brings up several important questions, which deserve thoughtful answers: "Why do we use cloud computing?" "Is it real, or just another catchphrase?" And most important, "How does it affect us?" In a nutshell, cloud computing is completely real and will affect more or less everyone. Cloud computing is defined as: "Cloud computing paradigm is used to enable expedient, on-demand network (cloud) access to a public pool of configurable computing resources (e.g. Networks, Servers, Storage, Application and Services) that can be fast stipulated and released with minimal management effort or service provider interaction". It is also known as a self-service environment for computing resources.

In cloud terminology, the phrase "as-a-service" is widely used. It simply means that a given cloud product (whether Infrastructure-as-a-service, Platform-as-a-service or Software-as-a-service) is obtainable in a way that it can be "rented" by customers over the Internet. By "rented," we imply that you pay only for as much as you use. It is frequently described as an "on demand" service because it is accessible whenever you need it. In the current communication infrastructure, there are two types of cloud, namely public and private cloud [1].

Public Clouds:
A service provider runs cloud platforms and makes them available to many end-user organizations. These clouds provide application-as-a-service or platform-as-a-service.

Private Clouds:
A cloud platform runs solely for a single end-user organization, such as a financial institution or retailer. This technology looks like public clouds, but the economic prospects are different. It exists within the premises of the individual organization.

Figure 1: Public cloud (service provider) and Private cloud (On-Premises)

Although much research has been done in the cloud computing arena, this is not to say that cloud computing is perfect. It is not. Actually, it is not even close. It is very new, and there are thousands of kinks still to be worked out. According to the National Institute of Standards and Technology (NIST) Computer Security Division, the cloud paradigm still suffers from significant security lacunae. For example, Software as a service (SaaS) vendors are implementing various security approaches, raising critical questions about where data is hosted, international privacy laws, exposure of data to foreign entities, nonstandard authentication, monitoring, forensics and leaks in multitenant architecture. These security concerns are putting mission-critical data at risk, while slowing the adoption of cloud computing technologies. That is why cloud monitoring and forensics are such important issues for attracting consumers and gaining their belief that they are secure not only from users outside the cloud but also from other consumers inside the cloud service environment.

The organization of this paper is as follows. Section II covers the analysis of previous related research in the area of cloud forensics. Section III presents the proposed methodology and generic security architecture of the cloud system. Finally, Section IV concludes the paper and gives its future directions.

II. ANALYSIS OF PREVIOUS RESEARCHES

In the current scenario, one way of validating security design is based on model and methodology approaches. For example, NIST also introduces a system security model in which security services are functionally defined [2]. It differentiates between security support and prevention, detection and recovery services.

NIST has also defined a model for security metrics, which is limited to the definition of key security service terms and does not consider a construct theory of security for any specific system of interest.

A security model that comes closer to that construct theory of security is the International Telecommunications Union's (ITU) data network and open communication security architecture for systems providing end-to-end communications (X.805 Standard) [3]. It presents telecommunication architecture as a combination of three layers:

Infrastructure Level: The set of hardware and software components that provide telecommunication functionality.
Service Level: The billable customer traffic flows.
Application Level: This is the layer that motivates users to pay for the control layer services.

In the current IT generation there are three security tenets: confidentiality, integrity and availability. Confidentiality means communication must be secure from an intruder who tries to access data through passive or active attacks. Integrity means data must be the same as when it was transferred from the source. Availability means data must be available to authenticated and authorized users. We consider these three security tenets wherever security is applied in IT environments. Beyond these issues, we must recognize that the source itself may be an intruder who tries to perform illegal or malicious activity on the current network or against particular users on the same network. For such issues, we need to monitor the user's activity as a preventive measure to provide security to other users on the network/internet. Monitoring and forensics are a major concern of security for taking appropriate action against intruders or attackers. In the new era of cloud computing technology, securing our cloud environment from insiders is the most demanding requirement, because this is the most flexible environment in which to provision and de-provision any cloud service.

The architectural services of cloud computing are of three types: Software-as-a-service (SaaS), Platform-as-a-service (PaaS) and Infrastructure-as-a-service (IaaS).

Software-as-a-service (SaaS):
SaaS is the highest layer of service. It provides a complete application as a service on demand, with multi-tenancy, which means a single instance of the application runs on the provider's infrastructure and serves many client organizations. Examples of SaaS are salesforce.com, Google Apps etc.

Platform-as-a-service (PaaS):
The middle layer, PaaS, offers every phase of software development and testing, or it can be specialized around a particular area, such as content management. An example is Google App Engine, which serves applications on Google's infrastructure [4].

Infrastructure-as-a-service (IaaS):
The lowest layer, IaaS, provides basic storage and computing capabilities as standard services over the network. Servers, switches, gateways, routers, storage systems and other resources are pooled in one place. An example is Amazon Web Services, whose EC2 and S3 services offer bare-bones compute and storage services respectively [5]. Another example is Joyent, which provides a line of virtualized servers offering a highly scalable on-demand infrastructure for running web sites, web applications etc.

The details of IaaS (Infrastructure-as-a-Service), PaaS (Platform-as-a-Service) and SaaS (Software-as-a-Service) services may form a basis for a differentiation in system-level function that will help recognize the basis for security features. An IaaS service may offer secure network and storage services. A SaaS service may provide a secure application service, but leave end-user ID provisioning and auditing to the customer [9].

A cloud computing environment may contain malicious insiders who perform malicious activities. To gain the trust of our customers, we may implement a trusted third party to provide strong authentication for financial transactions, authorization, data confidentiality and non-repudiation in the cloud environment [10].

A monitoring system is used to monitor consumer activity regularly. When we find any illegal or malicious activity by the consumer, we need to start forensics to find the root cause. Forensic analysis deals with the detection, prevention, acquisition and provenance methods used as digital evidence to establish cyber crime in a court of law [6]. Computer forensic tools (CFT) are used to recover data as evidence to verify and validate an action/activity before a court of law. Forensic experts install packet sniffers and monitoring tools (MT) on the targeted machine to collect volatile information. If a computer investigation involves a private cloud, the digital evidence resides within the organization or within its outsourced supplier. The main areas for potential evidence are servers, applications and data repositories that reside within the company or organization. But in a public cloud, it will be much more difficult to identify and collect evidence because, as we know, the cloud computing environment aims to be dynamic and customizable [11].

III. PROPOSED GENERIC MODEL FOR CLOUD MONITORING AND FORENSICS

In the current environment, cloud computing will gain the high trust of business and financial institutions by using a strong monitoring and forensic methodology to ensure privacy, confidentiality, and tracking of all activities of the consumer at the cloud service provider (CSP) end. It must be ensured that the consumer of a CSP is persuaded that the attribution data used for data forensics is managed in a secure manner. If this information is compromised, then the whole model will collapse.

In this paper, we propose a methodology through which we can develop a complete architecture to provide service to our consumers, including a secure monitoring and forensic system. Before implementing this model we have a Service Level Agreement (SLA) with our consumers. The SLA contains rules and regulations, signed by the consumer, stating that if any illegal or malicious activity is performed, we will stop the consumer's system and remote service and take appropriate action against them.

A. PROPOSED METHODOLOGY

Figure 2: Monitoring and Forensic Methodology

Figure 2 represents the proposed methodology, which will be implemented with the help of various monitoring and forensic tools and techniques available in current technology. This methodology is developed for a secure monitoring and forensic system, in which we cannot perform forensics until we find malicious or illegal activity from a particular consumer system. In this methodology, we use pattern- or signature-based misuse detection, which is also used in Intrusion Detection Systems (IDS).

When any signature is found in the data or information communicated on the communication channel, the automatic forensic system is activated at that time to collect data or information and save it in metrics as digital evidence. Our proposed methodology contains 5 steps, given in the figure.

Step 1: Monitoring Consumer Activity and Save Session log Records

The threat of a malicious insider or disgruntled employee is well known to most organizations. This threat is bigger for consumers of cloud services because of the union of IT services and customers under the same management domain, combined with a general lack of transparency into provider procedures and processes.

For example, a provider may not disclose how it grants employees access to physical and virtual resources, how it monitors these employees or consumers, or how it analyzes and reports on policy compliance. To complicate matters, there is often little or no visibility into the recruiting standards and practices for cloud employees. This kind of situation clearly creates an attractive opportunity for an adversary, ranging from the professional hacker, to organized crime, to commercial espionage, or even nation-state sponsored intrusion. The level of access approved could enable such an adversary to obtain confidential data or gain complete control over the cloud services with little or no risk of detection [7].

To provide security to other consumers against malicious insiders, we need to monitor each and every consumer of our cloud environment. In this step we monitor the consumer's activity and save their records during the session. This record is maintained temporarily in the cloud environment for the further steps.

Step 2: Find any Malicious Activity Match with Signature

In this step, we continue to scan user activities at the system and application level. In order to identify malicious or illegal activities, we have developed signature-based methods in which we check the contents of packets going out of the cloud system and match them against the saved signatures. If a signature is matched, it is identified that this consumer has performed malicious activities. After identifying the malevolent host, we mark it as a malicious node in the cloud environment. For the development of new signatures we use real-time experience from our existing non-cloud environment.

Step 3: Automated Forensic System will be activated to Store All Activities and Data in Metrics

As soon as we identify a malevolent host, an automated forensic system is activated and collects all previous and current activities of that particular malevolent node. When we collect all data for forensic purposes, we save that data in predefined security matrices as per a predefined format. This data is saved on a separate forensic server, which will be accessed by the cloud administrator.

Step 4: Stop Remote Access OR Outside the cloud Services (at the same Time, Message send to consumer on Phone and Email)

After identifying illegal activities performed by the malevolent host, it is required to collect all data from that node and save it in security metrics for the purpose of forensics. We stop the services that let the malevolent node access anything outside its cloud environment, and we regularly watch and store its activities.

To confirm possible wrong authentication, we send a message to the consumer's phone number and e-mail ID stating that we found they have performed malicious activity on the cloud service environment.

Step 5: Administrator Checks Security Metrics and collects data then send to higher authority for Legal Processing

In this step, the administrator performs further proceedings. In this phase the administrator analyzes the data which has been saved in security metrics and collects details of the consumer who has performed malicious activities. He collects all details: their personal information, their malicious activities, the evidence collected after forensics, and the victims, and sends all these details to a higher authority for further legal proceedings.

B. PROPOSED GENERIC MODEL FOR CLOUD MONITORING AND FORENSICS

In the current environment, cloud computing will gain the high trust of business and financial institutions by using a strong monitoring and forensic methodology to ensure privacy, confidentiality, and tracking of all activities of the consumer at the cloud service provider (CSP) end. It must be ensured that the consumer of a CSP is persuaded that the attribution data used for data forensics is managed in a secure manner. If this information is compromised, then the whole model will collapse [8].

In this paper, we propose a methodology through which we can develop a complete architecture to provide service to our consumers, including a secure monitoring and forensic system. Before implementing this model we have a Service Level Agreement (SLA) with our consumers. The SLA contains rules and regulations, signed by the consumer, stating that if any illegal or malicious activity is performed, we will stop the consumer's system and remote service and take appropriate action against them.

Figure 3: Generic architecture for cloud monitoring and forensic

Figure 3 represents the generic architecture as per the proposed methodology for cloud monitoring and forensics. In this architecture, we use a host-based IDS to monitor incoming and outgoing network communication on the consumer system. The IDS includes both anomaly detection and misuse detection techniques for identifying activities on the host system. It includes 6 steps, which are shown in Figure 2.

In the first step, when any malicious activity is identified on a consumer system, it is reported to the cloud server.
In the second step, when the cloud server receives a report of malicious activity from a cloud system/consumer system, it invokes the forensic system and collects data from the consumer system.
In the third step, the cloud server collects the data in metrics, because multiple consumers may have performed malicious/illegal activities during their log sessions.
In the fourth step, the cloud administrator checks the data saved in metrics and verifies the consumer's details available on the cloud.
In the fifth step, the cloud administrator sends the collected data/information to the higher authority to perform further proceedings.
In the sixth step, the higher authority checks and verifies the data/information, discusses it with their legal advisor, and then takes legal action against the consumer as per the applicable cyber law and jurisdiction at the time.

IV. CONCLUSION AND FUTURE WORK

Cloud services are growing rapidly and favoring the advent of new service providers. User confidence and privacy are the biggest challenge for cloud service providers. In this paper we proposed a novel forensics methodology and its legal jurisdiction to assure the confidentiality of cloud users. In order to perform forensics on the cloud, we create a security matrix and monitor each user's activity to create an audit trail for investigation purposes. To make this process legally right, there is a procedure of service level agreement with the customer. In future we will focus on the rule base of the security matrix and the integrity of the user's data.

REFERENCES

1. Cary Landis and Dan Blacharski, "Cloud Computing Made Easy", Version 0.3.
2. G. Stoneburner, "Underlying Technical Models for Information Technology Security," National Institute of Standards and Technology, 2001.
3. G. McGraw, Software Security, Addison-Wesley, 2006.
4. Google App Engine, http://appengine.google.com
5. Amazon Elastic Compute Cloud (EC2), http://www.amazon.com/ec2
6. Gary C. Kessler, "Anti-Forensic and the Digital Investigator", Champlain College, Burlington, VT, USA; Edith Cowan University, Mount Lawley, WA, Australia.
7. CSA Cloud Security Alliance, Top Threats to Cloud Computing V1.0, 2010.
8. Shaftab Ahmad and M. yahin Akhtar Raja, "Tackling Cloud Security Issues And Forensic Model", IEEE 2010.
9. Jennifer Bayuk, "Cloud Security Metrics", 6th International Conference on System of Systems Engineering, Albuquerque, New Mexico, USA, June 27-30, 2011 (IEEE).
10. D. Zissis and D. Lekkas, "Addressing Cloud Computing Security issues", Future Generation Computer System (2011), Elsevier, doi:10.1016/j.future.2010.12.006
11. M. Tayor, J. Haggerty, D. Gresty and R. Hegarty, "Digital evidence in cloud computing systems", Computer Law and Security Review 26 (2010) 304-308, published by Elsevier Ltd.
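Steps 1 to 4 of the proposed methodology (temporary session logging, signature matching on outgoing traffic, automated collection to a separate forensic server, blocking and notification), sketched as an added example that is not code from the paper. The class names, the two signatures, the tenant names and the sample records are constructed for illustration, and the hash chain on stored evidence is an assumption; the paper does not specify a storage format.

```python
import hashlib
import json
import re
from collections import defaultdict

# Constructed misuse signatures (assumptions for this example, not from the paper).
SIGNATURES = {
    "SIG-passwd-dump": re.compile(rb"root:[^:\n]*:0:0:"),
    "SIG-card-number": re.compile(rb"\b(?:\d{4}[ -]){3}\d{4}\b"),
}

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ForensicStore:
    """Stand-in for the separate forensic server; the hash chain is an assumption."""
    def __init__(self):
        self.entries = []

    def append(self, consumer, record, signatures):
        body = {
            "consumer": consumer, "time": record["time"],
            "direction": record["direction"],
            "payload_sha256": hashlib.sha256(record["payload"]).hexdigest(),
            "signatures": signatures,  # empty list for context records
            "prev": self.entries[-1]["hash"] if self.entries else "0" * 64,
        }
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        """Recompute the chain; an edited or reordered entry breaks it."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or entry["hash"] != _digest(body):
                return False
            prev = entry["hash"]
        return True

class CloudMonitor:
    def __init__(self, store):
        self.store = store
        self.session_log = defaultdict(list)  # Step 1: temporary session records
        self.blocked = set()                  # Step 4: outside access stopped
        self.notifications = []               # Step 4: queued phone/e-mail notices
        self.metrics = defaultdict(lambda: defaultdict(int))  # consumer x signature

    @staticmethod
    def match(payload):
        """Step 2: ids of every saved signature found in an outgoing payload."""
        return [sid for sid, rx in SIGNATURES.items() if rx.search(payload)]

    def observe(self, consumer, record):
        hits = self.match(record["payload"]) if record["direction"] == "out" else []
        for sid in hits:
            self.metrics[consumer][sid] += 1
        if consumer in self.blocked:
            # Already flagged: keep watching and storing its activity (Step 4).
            self.store.append(consumer, record, hits)
            return "blocked"
        if not hits:
            self.session_log[consumer].append(record)
            return "logged"
        # Step 3: first match. Preserve previous session activity, then the hit.
        for earlier in self.session_log.pop(consumer, []):
            self.store.append(consumer, earlier, [])
        self.store.append(consumer, record, hits)
        self.blocked.add(consumer)
        self.notifications.append((consumer, hits))
        return "flagged"

def run_demo():
    """Replay constructed session records for two hypothetical consumers."""
    monitor = CloudMonitor(ForensicStore())
    records = [
        ("tenant-a", "10:00:00", "out", b"GET /index.html"),
        ("tenant-b", "10:00:05", "in", b"login ok"),
        ("tenant-b", "10:00:09", "out", b"root:x:0:0:root:/root:/bin/bash"),
        ("tenant-b", "10:00:12", "out", b"card 4111 1111 1111 1111"),
        ("tenant-a", "10:00:20", "out", b"POST /report"),
    ]
    verdicts = [monitor.observe(c, {"time": t, "direction": d, "payload": p})
                for c, t, d, p in records]
    return monitor, verdicts
```

The store keeps payload hashes rather than payloads, so the administrator in Step 5 can show that preserved evidence is unchanged without the metrics server itself holding consumer data in the clear.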