This document proposes a technique called "Fog Computing" to mitigate insider data theft attacks in the cloud. It involves monitoring user data access patterns in the cloud and detecting abnormal access. When unauthorized access is detected, decoy data is returned to confuse the attacker and protect the user's real data. Experiments on a local file system showed this approach can better detect unauthorized access compared to existing methods. The document argues this approach could provide unprecedented levels of security for cloud data by confusing attackers and validating unauthorized access attempts.
Position Paper

Salvatore J. Stolfo, Computer Science Department, Columbia University, New York, NY, USA
Malek Ben Salem, Cyber Security Laboratory, Accenture Technology Labs, Reston, VA, USA
Angelos D. Keromytis, Allure Security Technologies, New York, NY, USA
Abstract

Cloud computing promises to significantly change the way we use computers and access and store our personal and business information. With these new computing and communications paradigms arise new data security challenges. Existing data protection mechanisms such as encryption have failed in preventing data theft attacks, especially those perpetrated by an insider to the cloud provider.

We propose a different approach for securing data in the cloud using offensive decoy technology. We monitor data access in the cloud and detect abnormal data access patterns. When unauthorized access is suspected and then verified using challenge questions, we launch a disinformation attack by returning large amounts of decoy information to the attacker. This protects against the misuse of the user's real data. Experiments conducted in a local file setting provide evidence that this approach may provide unprecedented levels of user data security in a Cloud environment.

I. INTRODUCTION

Businesses, especially startups and small and medium businesses (SMBs), are increasingly opting for outsourcing data and computation to the Cloud. This obviously supports better operational efficiency, but comes with greater risks, perhaps the most serious of which are data theft attacks.

Data theft attacks are amplified if the attacker is a malicious insider. This is considered one of the top threats to cloud computing by the Cloud Security Alliance [1]. While most Cloud computing customers are well aware of this threat, they are left only with trusting the service provider when it comes to protecting their data. The lack of transparency into, let alone control over, the Cloud provider's authentication, authorization, and audit controls only exacerbates this threat.

The Twitter incident is one example of a data theft attack from the Cloud. Several Twitter corporate and personal documents were exfiltrated to the technology website TechCrunch [2], [3], and customers' accounts, including the account of U.S. President Barack Obama, were illegally accessed [4], [5]. The attacker used a Twitter administrator's password to gain access to Twitter's corporate documents, hosted on Google's infrastructure as Google Docs. The damage was significant both for Twitter and for its customers.

While this particular attack was launched by an outsider, stealing a customer's admin passwords is much easier if perpetrated by a malicious insider. Rocha and Correia outline how easily passwords may be stolen by a malicious insider of the Cloud service provider [6]. The authors also demonstrated how Cloud customers' private keys might be stolen, and how their confidential data might be extracted from a hard disk. After stealing a customer's password and private key, the malicious insider gets access to all customer data, while the customer has no means of detecting this unauthorized access.

Much research in Cloud computing security has focused on ways of preventing unauthorized and illegitimate access to data by developing sophisticated access control and encryption mechanisms. However, these mechanisms have not been able to prevent data compromise. Van Dijk and Juels have shown that fully homomorphic encryption, often acclaimed as the solution to such threats, is not a sufficient data protection mechanism when used alone [7].

We propose a completely different approach to securing the cloud using decoy information technology, which we have come to call Fog computing. We use this technology to launch disinformation attacks against malicious insiders, preventing them from distinguishing the real sensitive customer data from fake worthless data. In this paper, we propose two ways of using Fog computing to prevent attacks such as the Twitter attack, by deploying decoy information within the Cloud by the Cloud service customer and within personal online social networking profiles by individual users.

II. SECURING CLOUDS WITH FOG

Numerous proposals for cloud-based services describe methods to store documents, files, and media in a remote service that may be accessed wherever a user may connect to the Internet. A particularly vexing problem before such services are broadly accepted concerns guarantees for securing a user's data in a manner that guarantees only the user and no one else can gain access to that data. The problem of providing security of confidential information remains a core security problem that, to date, has not provided the levels of assurance most people desire.

Many proposals have been made to secure remote data in the Cloud using encryption and standard access controls. It is fair to say all of the standard approaches have been demonstrated to fail from time to time for a variety of reasons, including insider attacks, mis-configured services, faulty implementations, buggy code, and the creative construction of effective and sophisticated attacks not envisioned by the implementers of security procedures [8]. Building a trustworthy cloud computing environment is not enough, because accidents continue to happen, and when they do, and information gets lost, there is no way to get it back. One needs to prepare for such accidents.

The basic idea is that we can limit the damage of stolen data if we decrease the value of that stolen information to the attacker. We can achieve this through a 'preventive' disinformation attack. We posit that secure Cloud services can be implemented given two additional security features:

1) User Behavior Profiling: It is expected that access to a user's information in the Cloud will exhibit a normal means of access. User profiling is a well-known technique that can be applied here to model how, when, and how much a user accesses their information in the Cloud. Such 'normal user' behavior can be continuously checked to determine whether abnormal access to a user's information is occurring. This method of behavior-based security is commonly used in fraud detection applications. Such profiles would naturally include volumetric information: how many documents are typically read and how often. These simple user-specific features can serve to detect abnormal Cloud access based partially upon the scale and scope of data transferred [9].

2) Decoys: Decoy information, such as decoy documents, honeyfiles, honeypots, and various other bogus information can be generated on demand and serve as a means of detecting unauthorized access to information and to 'poison' the thief's exfiltrated information. Serving decoys will confound and confuse an adversary into believing they have exfiltrated useful information, when they have not. This technology may be integrated with user behavior profiling technology to secure a user's information in the Cloud. Whenever abnormal access to a cloud service is noticed, decoy information may be returned by the Cloud and delivered in such a way as to appear completely legitimate and normal. The true user, who is the owner of the information, would readily identify when decoy information is being returned by the Cloud, and hence could alter the Cloud's responses through a variety of means, such as challenge questions, to inform the Cloud security system that it has inaccurately detected an unauthorized access. In the case where the access is correctly identified as an unauthorized access, the Cloud security system would deliver unbounded amounts of bogus information to the adversary, thus securing the user's true data from unauthorized disclosure. The decoys, then, serve two purposes: (1) validating whether data access is authorized when abnormal information access is detected, and (2) confusing the attacker with bogus information.

We posit that the combination of these two security features will provide unprecedented levels of security for the Cloud. No current Cloud security mechanism is available that provides this level of security.

We have applied these concepts to detect illegitimate data access to data stored on a local file system by masqueraders, i.e. attackers who impersonate legitimate users after stealing their credentials. One may consider illegitimate access to Cloud data by a rogue insider as the malicious act of a masquerader. Our experimental results in a local file system setting show that combining both techniques can yield better detection results, and our results suggest that this approach may work in a Cloud environment, as the Cloud is intended to be as transparent to the user as a local file system. In the following we briefly review some of the experimental results achieved by using this approach to detect masquerade activity in a local file setting.

A. Combining User Behavior Profiling and Decoy Technology for Masquerade Detection

1) User Behavior Profiling: Legitimate users of a computer system are familiar with the files on that system and where they are located. Any search for specific files is likely to be targeted and limited. A masquerader, however, who gets access to the victim's system illegitimately, is unlikely to be familiar with the structure and contents of the file system. Their search is likely to be widespread and untargeted.

Based on this key assumption, we profiled user search behavior and developed user models trained with a one-class modeling technique, namely one-class support vector machines. The importance of using one-class modeling stems from the ability to build a classifier without having to share data from different users. The privacy of the user and their data is therefore preserved.

We monitor for abnormal search behaviors that exhibit deviations from the user baseline. According to our assumption, such deviations signal a potential masquerade attack. Our previous experiments validated our assumption and demonstrated that we could reliably detect all simulated masquerade attacks using this approach with a very low false positive rate of 1.12% [9].

2) Decoy Technology: We placed traps within the file system. The traps are decoy files downloaded from a Fog computing site, an automated service that offers several types of decoy documents such as tax return forms, medical records, credit card statements, e-bay receipts, etc. [10]. The decoy files are downloaded by the legitimate user and placed in highly conspicuous locations that are not likely to cause any interference with the normal user activities on the system. A masquerader, who is not familiar with the file system and its contents, is likely to access these decoy files if he or she is in search of sensitive information, such as the bait information embedded in these decoy files. Therefore, monitoring access to the decoy files should signal masquerade activity on the system.

The decoy documents carry a keyed-Hash Message Authentication Code (HMAC), which is hidden in the header section of the document. The HMAC is computed over the file's contents using a key unique to each user. When a decoy document is loaded into memory, we verify whether the document is a decoy document by computing an HMAC based on all the contents of that document. We compare it with the HMAC embedded within the document. If the two HMACs match, the document is deemed a decoy and an alert is issued.

The advantages of placing decoys in a file system are three-fold: (1) the detection of masquerade activity, (2) the confusion of the attacker and the additional costs incurred to distinguish real from bogus information, and (3) the deterrence effect which, although hard to measure, plays a significant role in preventing masquerade activity by risk-averse attackers.

3) Combining the Two Techniques: The correlation of search behavior anomaly detection with trap-based decoy files should provide stronger evidence of malfeasance, and therefore improve a detector's accuracy. We hypothesize that detecting abnormal search operations performed prior to an unsuspecting user opening a decoy file will corroborate the suspicion that the user is indeed impersonating another victim user. This scenario covers the threat model of illegitimate access to Cloud data. Furthermore, an accidental opening of a decoy file by a legitimate user might be recognized as an accident if the search behavior is not deemed abnormal. In other words, detecting abnormal search and decoy traps together may make a very effective masquerade detection system. Combining the two techniques improves detection accuracy.

We use decoys as an oracle for validating the alerts issued by the sensor monitoring the user's file search and access behavior. In our experiments, we did not generate the decoys on demand at the time of detection when the alert was issued. Instead, we made sure that the decoys were conspicuous enough for the attacker to access them if they were indeed trying to steal information, by placing them in highly conspicuous directories and by giving them enticing names. With this approach, we were able to improve the accuracy of our detector. Crafting the decoys on demand improves the accuracy of the detector even further. Combining the two techniques, and having the decoy documents act as an oracle for our detector when abnormal user behavior is detected, may lower the overall false positive rate of the detector.

We trained eighteen classifiers with computer usage data from 18 computer science students collected over a period of 4 days on average. The classifiers were trained using the search behavior anomaly detection described in a prior paper [9]. We also trained another 18 classifiers using a detection approach that combines user behavior profiling with monitoring access to decoy files placed in the local file system, as described above. We tested these classifiers using simulated masquerader data. Figure 1 displays the AUC scores achieved by both detection approaches by user model (see footnote 1). The results show that the models using the combined detection approach achieve equal or better results than the search profiling approach alone.

Fig. 1. AUC Comparison By User Model for the Search Profiling and Integrated Approaches

Footnote 1: This figure has been published in one of our technical reports [11].

The results of our experiments suggest that user profiles are accurate enough to detect unauthorized Cloud access [9]. When such unauthorized access is detected, one can respond by presenting the user with a challenge question or with a decoy document to validate whether the access was indeed unauthorized, similar to how we used decoys in a local file setting to validate the alerts issued by the anomaly detector that monitors user file search and access behavior.

III. CONCLUSION

In this position paper, we present a novel approach to securing personal and business data in the Cloud. We propose monitoring data access patterns by profiling user behavior to determine if and when a malicious insider illegitimately accesses someone's documents in a Cloud service. Decoy documents stored in the Cloud alongside the user's real data also serve as sensors to detect illegitimate access. Once unauthorized data access or exposure is suspected, and later verified, with challenge questions for instance, we inundate the malicious insider with bogus information in order to dilute the user's real data. Such preventive attacks that rely on disinformation technology could provide unprecedented levels of security in the Cloud and in social networks.

ACKNOWLEDGMENT

This material is based on work supported by the Defense Advanced Research Projects Agency (DARPA) under the ADAMS (Anomaly Detection at Multiple Scales) Program with grant award number W911NF-11-1-0140 and through the Mission-Resilient Clouds (MRC) program under Contract FA8650-11-C-7190. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of DARPA. Professor Stolfo is founder of Allure Security Technology, Inc.

REFERENCES

[1] Cloud Security Alliance, "Top Threat to Cloud Computing V1.0," March 2010. [Online]. Available: https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf

[2] M. Arrington, "In our inbox: Hundreds of confidential twitter documents," July 2009. [Online]. Available: http://techcrunch.com/2009/07/14/in-our-inbox-hundreds-of-confidential-twitter-documents/

[3] D. Takahashi, "French hacker who leaked Twitter documents to TechCrunch is busted," March 2010. [Online]. Available: http://venturebeat.com/2010/03/24/french-hacker-who-leaked-twitter-documents-to-techcrunch-is-busted/

[4] D. Danchev, "ZDNET: french hacker gains access to twitter's admin panel," April 2009. [Online]. Available: http://www.zdnet.com/blog/security/french-hacker-gains-access-to-twitters-admin-panel/3292

[5] P. Allen, "Obama's Twitter password revealed after french hacker arrested for breaking into U.S. president's account," March 2010. [Online]. Available: http://www.dailymail.co.uk/news/article-1260488/Barack-Obamas-Twitter-password-revealed-French-hacker-arrested.html

[6] F. Rocha and M. Correia, "Lucy in the sky without diamonds: Stealing confidential data in the cloud," in Proceedings of the First International Workshop on Dependability of Clouds, Data Centers and Virtual Computing Environments, Hong Kong, ser. DCDV '11, June 2011.

[7] M. Van Dijk and A. Juels, "On the impossibility of cryptography alone for privacy-preserving cloud computing," in Proceedings of the 5th USENIX conference on Hot topics in security, ser. HotSec'10. Berkeley, CA, USA: USENIX Association, 2010, pp. 1–8. [Online]. Available: http://dl.acm.org/citation.cfm?id=1924931.1924934

[8] J. Pepitone, "Dropbox's password nightmare highlights cloud risks," June 2011.

[9] M. Ben-Salem and S. J. Stolfo, "Modeling user search-behavior for masquerade detection," in Proceedings of the 14th International Symposium on Recent Advances in Intrusion Detection. Heidelberg: Springer, September 2011, pp. 1–20.

[10] B. M. Bowen and S. Hershkop, "Decoy Document Distributor: http://sneakers.cs.columbia.edu/ids/fog/," 2009. [Online]. Available: http://sneakers.cs.columbia.edu/ids/FOG/

[11] M. Ben-Salem and S. J. Stolfo, "Combining a baiting and a user search profiling techniques for masquerade detection," in Columbia University Computer Science Department, Technical Report # cucs-018-11, 2011. [Online]. Available: https://mice.cs.columbia.edu/getTechreport.php?techreportID=1468
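
The decoy check described under "Decoy Technology" (an HMAC over the file's contents, keyed per user and embedded in the header), correlated with the search-anomaly signal as under "Combining the Two Techniques", is sketched below as an added example; it is not the authors' code. The header marker, the use of SHA-256, the function names and the verdict labels are assumptions, and the search-anomaly flag is taken as an input from a separate profiler.

```python
import hashlib
import hmac

# Hypothetical header marker for this example; the paper only says the HMAC
# is hidden in the document's header section.
TAG_PREFIX = b"%%META-ID:"


def _tag(body: bytes, user_key: bytes) -> bytes:
    """HMAC over the document contents, keyed per user (SHA-256 assumed)."""
    return hmac.new(user_key, body, hashlib.sha256).hexdigest().encode("ascii")


def make_decoy(body: bytes, user_key: bytes) -> bytes:
    """Prepend a header line carrying the keyed tag to a bait document."""
    return TAG_PREFIX + _tag(body, user_key) + b"\n" + body


def is_decoy(document: bytes, user_key: bytes) -> bool:
    """Recompute the HMAC over the contents and compare with the embedded one."""
    header, sep, body = document.partition(b"\n")
    if not sep or not header.startswith(TAG_PREFIX):
        return False  # no header tag at all: an ordinary file
    embedded = header[len(TAG_PREFIX):]
    # Constant-time comparison. A tag made with another user's key, or a
    # body edited after tagging, does not match and is not flagged.
    return hmac.compare_digest(embedded, _tag(body, user_key))


def classify_access(document: bytes, user_key: bytes, search_abnormal: bool) -> str:
    """Correlate the decoy check with the profiler's search-anomaly flag."""
    decoy = is_decoy(document, user_key)
    if decoy and search_abnormal:
        return "masquerade-alert"            # both sensors agree
    if decoy:
        return "decoy-opened-search-normal"  # may be an accidental open
    if search_abnormal:
        return "search-anomaly-unconfirmed"  # candidate for a challenge question
    return "normal"


def demo() -> list:
    """Run the check over constructed sample documents (not real data)."""
    key = b"constructed-per-user-key"
    decoy = make_decoy(b"Constructed bait: tax return form, 2011\n", key)
    real = b"Meeting notes\nNothing sensitive here.\n"
    return [
        classify_access(decoy, key, search_abnormal=True),
        classify_access(decoy, key, search_abnormal=False),
        classify_access(real, key, search_abnormal=True),
        classify_access(real, key, search_abnormal=False),
    ]


if __name__ == "__main__":
    print(demo())
```
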