A New Lightweight Symmetric Searchable Encryption Scheme for String Identification.
In this paper, we provide an efficient and easy-to-implement symmetric searchable encryption scheme (SSE) for string search, which takes one round of communication, O(n) times of computations over O(n) documents. Unlike previous schemes, we use hash-chaining instead of chain of encryption operations for index generation, which makes it suitable for lightweight applications. Unlike the previous SSE schemes for string search, with our scheme, server learns nothing about the frequency and the relative positions of the words being searched except what it can learn from the history. We are the first to propose probabilistic trapdoors in SSE for string search. We provide concrete proof of nonadaptive security of our scheme against honest-but-curious server based on the definitions of . We also introduce a new notion of search pattern privacy, which gives a measure of security against the leakage from trapdoor. We have shown that our scheme is secure under search pattern indistinguishability definition. We show why SSE scheme for string search cannot attain adaptive indistinguishability criteria as mentioned in . We also propose modifications of our scheme so that the scheme can be used against active adversaries at the cost of more rounds of communications and memory space. We validate our scheme against two different commercial datasets.
Efficient Traceable Authorization Search System for Secure Cloud Storage.
Secure search over encrypted remote data is crucial in cloud computing to guarantee the data privacy and usability. To prevent unauthorized data usage, fine-grained access control is necessary in multi-user system. However, authorized user may intentionally leak the secret key for financial benefit. Thus, tracing and revoking the malicious user who abuses secret key needs to be solved imminently. In this paper, we propose an escrow free traceable attribute based multiple keywords subset search system with verifiable outsourced decryption (EF-TAMKS-VOD). The key escrow free mechanism could effectively prevent the key generation centre (KGC) from unscrupulously searching and decrypting all encrypted files of users. Also, the decryption process only requires ultra lightweight computation, which is a desirable feature for energy-limited devices. In addition, efficient user revocation is enabled after the malicious user is figured out. Moreover, the proposed system is able to support flexible number of attributes rather than polynomial bounded. Flexible multiple keyword subset search pattern is realized, and the change of the query keywords order does not affect the search result. Security analysis indicates that EF-TAMKS-VOD is provably secure. Efficiency analysis and experimental results show that EF-TAMKS-VOD improves the efficiency and greatly reduces the computation overhead of users’ terminals.
A Key-Policy Attribute-Based Temporary Keyword Search scheme for Secure Cloud Storage.
Temporary keyword search on confidential data in a cloud environment is the main focus of this research. The cloud providers are not fully trusted. So, it is necessary to outsource data in the encrypted form. In the attribute-based keyword search (ABKS) schemes, the authorized users can generate some search tokens and send them to the cloud for running the search operation. These search tokens can be used to extract all the ciphertexts which are produced at any time and contain the corresponding keyword. Since this may lead to some information leakage, it is more secure to propose a scheme in which the search tokens can only extract the ciphertexts generated in a specified time interval. To this end, in this paper, we introduce a new cryptographic primitive called key-policy attribute-based temporary keyword search (KPABTKS) which provides this property. To evaluate the security of our scheme, we formally prove that our proposed scheme achieves the keyword secrecy property and is secure against selectively chosen keyword attack (SCKA) both in the random oracle model and under the hardness of Decisional Bilinear Diffie-Hellman (DBDH) assumption. Furthermore, we show that the complexity of the encryption algorithm is linear with respect to the number of the involved attributes. Performance evaluation shows our scheme’s
Practical Privacy-Preserving Content-Based Retrieval in Cloud Image Repositories.
Storage requirements for visual data have been increasing in recent years, following the emergence of many highly interactive multimedia services and applications for mobile devices in both personal and corporate scenarios. This has been a key driving factor for the adoption of cloud-based data outsourcing solutions. However, outsourcing data storage to the Cloud also leads to new security challenges that must be carefully addressed, especially regarding privacy. In this paper we propose a secure framework for outsourced privacy-preserving storage and retrieval in large shared image repositories. Our proposal is based on IES-CBIR, a novel Image Encryption Scheme that exhibits Content-Based Image Retrieval properties. The framework enables both encrypted storage and searching using Content-Based Image Retrieval queries while preserving privacy against honest-but-curious cloud administrators. We have built a prototype of the proposed framework, formally analyzed and proven its security properties, and experimentally evaluated its performance and retrieval precision. Our results show that IES-CBIR is provably secure, allows more efficient operations than existing proposals, both in terms of time and space complexity, and paves the way for new practical application scenarios.
Publicly Verifiable Boolean Query Over Outsourced Encrypted Data.
Outsourcing storage and computation to the cloud has become a common practice for businesses and individuals. As the cloud is semi-trusted or susceptible to attacks, many researches suggest that the outsourced data should be encrypted and then retrieved by using searchable symmetric encryption (SSE) schemes. Since the cloud is not fully trusted, we doubt whether it would always process queries correctly or not. Therefore, there is a need for users to verify their query results. Motivated by this, in this paper, we propose a publicly verifiable dynamic searchable symmetric encryption scheme based on the accumulation tree. We first construct an accumulation tree based on encrypted data and then outsource both of them to the cloud. Next, during the search operation, the cloud generates the corresponding proof according to the query result by mapping Boolean query operations to set operations, while keeping privacy-preservation and achieving the verification requirements: freshness, authenticity, and completeness. Finally, we extend our scheme by dividing the accumulation tree into different small accumulation trees to make our scheme scalable. The security analysis and performance evaluation show that the proposed scheme is secure and practical.
Recent news reveal a powerful attacker which breaks data confidentiality by acquiring cryptographic keys, by means of coercion or backdoors in cryptographic software. Once the encryption key is exposed, the only viable measure to preserve data confidentiality is to limit the attacker’s access to the ciphertext. This may be achieved, for example, by spreading ciphertext blocks across servers in multiple administrative domains, thus assuming that the adversary cannot compromise all of them. Nevertheless, if data is encrypted with existing schemes, an adversary equipped with the encryption key, can still compromise a single server and decrypt the ciphertext blocks stored therein. In this paper, we study data confidentiality against an adversary which knows the encryption key and has access to a large fraction of the ciphertext blocks. To this end, we propose Bastion, a novel and efficient scheme that guarantees data confidentiality even if the encryption key is leaked and the adversary has access to almost all ciphertext blocks. We analyze the security of Bastion, and we evaluate its performance by means of a prototype implementation. We also discuss practical insights with respect to the integration of Bastion in commercial dispersed storage systems. Our evaluation results suggest that Bastion is well-suited for integration in existing systems since it incurs less than 5% overhead compared to existing semantically secure encryption modes.
A Lightweight Secure Data Sharing Scheme for Mobile Cloud Computing.
With the popularity of cloud computing, mobile devices can store/retrieve personal data from anywhere at any time. Consequently, the data security problem in mobile cloud becomes more and more severe and prevents further development of mobile cloud. There are substantial studies that have been conducted to improve the cloud security. However, most of them are not applicable for mobile cloud since mobile devices only have limited computing resources and power. Solutions with low computational overhead are in great need for mobile cloud applications. In this paper, we propose a lightweight data sharing scheme (LDSS) for mobile cloud computing. It adopts CP-ABE, an access control technology used in normal cloud environment, but changes the structure of access control tree to make it suitable for mobile cloud environments. LDSS moves a large portion of the computational intensive access control tree transformation in CP-ABE from mobile devices to external proxy servers. Furthermore, to reduce the user revocation cost, it introduces attribute description fields to implement lazy-revocation, which is a thorny issue in program based CP-ABE systems. The experimental results show that LDSS can effectively reduce the overhead on the mobile device side when users are sharing data in mobile cloud environments.
Privacy-Preserving Outsourced Support Vector Machine Design for Secure Drug Discovery.
In this paper, we propose a framework for privacy-preserving outsourced drug discovery in the cloud, which we refer to as POD. Specifically, POD is designed to allow the cloud to securely use multiple drug formula providers’ drug formulas to train Support Vector Machine (SVM) provided by the analytical model provider. In our approach, we design secure computation protocols to allow the cloud server to perform commonly used integer and fraction computations. To securely train the SVM, we design a secure SVM parameter selection protocol to select two SVM parameters and construct a secure sequential minimal optimization protocol to privately refresh both selected SVM parameters. The trained SVM classifier can be used to determine whether a drug chemical compound is active or not in a privacy-preserving way. Lastly, we prove that the proposed POD achieves the goal of SVM training and chemical compound classification without privacy leakage to unauthorized parties, as well as demonstrating its utility and efficiency using three real-world drug datasets.
Most current security solutions are based on perimeter security. However, Cloud computing breaks the organization perimeters. When data resides in the Cloud, they reside outside the organizational bounds. This leads users to a loss of control over their data and raises reasonable security concerns that slow down the adoption of Cloud computing. Is the Cloud service provider accessing the data? Is it legitimately applying the access control policy defined by the user? This paper presents a data-centric access control solution with enriched role-based expressiveness in which security is focused on protecting user data regardless of the Cloud service provider that holds it. Novel identity-based and proxy re-encryption techniques are used to protect the authorization model. Data is encrypted and authorization rules are cryptographically protected to preserve user data against the service provider access or misbehavior. The authorization model provides high expressiveness with role hierarchy and resource hierarchy support. The solution takes advantage of the logic formalism provided by Semantic Web technologies, which enables advanced rule management like semantic conflict detection. A proof of concept implementation has been developed and a working prototypical deployment of the proposal has been integrated within Google services.
Efficient Proofs of Retrievability with Public Verifiability for Dynamic Cloud Storage.
Cloud service providers offer various facilities to their clients. The clients with limited resources opt for some of these facilities. They can outsource their bulk data to the cloud server. The cloud server maintains these data in lieu of monetary benefits. However, a malicious cloud server might delete some of these data to save some space and offer this extra amount of storage to another client. Therefore, the client might not retrieve her file (or some portions of it) as often as needed. Proofs of retrievability (PoR) provide an assurance to the client that the server is actually storing all of her data appropriately and they can be retrieved at any point of time. In a dynamic PoR scheme, the client can update her data after she uploads them to the cloud server. Moreover, in publicly verifiable PoR schemes, the client can delegate her auditing task to some third party specialized for this purpose. In this work, we exploit the homomorphic hashing technique to design a publicly verifiable dynamic PoR scheme that is more efficient (in terms of bandwidth required between the client and the server) than the “state-of-the-art” publicly verifiable dynamic PoR scheme. We also analyze security and performance of our scheme.
Two-Cloud Secure Database for Numeric-Related SQL Range Queries with Privacy Preserving.
Industries and individuals outsource database to realize convenient and low-cost applications and services. In order to provide sufficient functionality for SQL queries, many secure database schemes have been proposed. However, such schemes are vulnerable to privacy leakage to cloud server. The main reason is that database is hosted and processed in cloud server, which is beyond the control of data owners. For the numerical range query (“>”, “<”, etc.), those schemes cannot provide sufficient privacy protection against practical challenges, e.g., privacy leakage of statistical properties, access pattern. Furthermore, increased number of queries will inevitably leak more information to the cloud server. In this paper, we propose a two-cloud architecture for secure database, with a series of intersection protocols that provide privacy preservation to various numeric-related range queries. Security analysis shows that privacy of numerical information is strongly protected against cloud providers in our proposed scheme.
Achieving secure, universal, and fine-grained query results verification for secure search scheme over encrypted cloud data.
Secure search techniques over encrypted cloud data allow an authorized user to query data files of interest by submitting encrypted query keywords to the cloud server in a privacy-preserving manner. However, in practice, the returned query results may be incorrect or incomplete in the dishonest cloud environment. For example, the cloud server may intentionally omit some qualified results to save computational resources and communication overhead. Thus, a well-functioning secure query system should provide a query results verification mechanism that allows the data user to verify results. In this paper, we design a secure, easily integrated, and fine-grained query results verification mechanism, by which, given an encrypted query results set, the query user not only can verify the correctness of each data file in the set but also can further check how many or which qualified data files are not returned if the set is incomplete before decryption. The verification scheme is loose-coupling to concrete secure search techniques and can be very easily integrated into any secure query scheme. We achieve the goal by constructing secure verification object for encrypted cloud data. Furthermore, a short signature technique with extremely small storage cost is proposed to guarantee the authenticity of verification object and a verification object request technique is presented to allow the query user to securely obtain the desired verification object. Performance evaluation shows that the proposed schemes are practical and efficient.
Optimizing Information Leakage in Multicloud Storage Services.
Many schemes have been recently advanced for storing data on multiple clouds. Distributing data over different cloud storage providers (CSPs) automatically provides users with a certain degree of information leakage control, for no single point of attack can leak all the information. However, unplanned distribution of data chunks can lead to high information disclosure even while using multiple clouds. In this paper, we study an important information leakage problem caused by unplanned data distribution in multicloud storage services. Then, we present StoreSim, an information leakage aware storage system in multicloud. StoreSim aims to store syntactically similar data on the same cloud, thus minimizing the user’s information leakage across multiple clouds. We design an approximate algorithm to efficiently generate similarity-preserving signatures for data chunks based on MinHash and Bloom filter, and also design a function to compute the information leakage based on these signatures. Next, we present an effective storage plan generation algorithm based on clustering for distributing data chunks with minimal information leakage across multiple clouds. Finally, we evaluate our scheme using two real datasets from Wikipedia and GitHub. We show that our scheme can reduce the information leakage by up to 60% compared to unplanned placement. Furthermore, our analysis on system attackability demonstrates that our scheme makes attacks on information more complex.
An Efficient Privacy-Preserving Ranked Keyword Search Method.
Cloud data owners prefer to outsource documents in an encrypted form for the purpose of privacy preserving. Therefore it is essential to develop efficient and reliable ciphertext search techniques. One challenge is that the relationship between documents will be normally concealed in the process of encryption, which will lead to significant search accuracy performance degradation. Also the volume of data in data centers has experienced a dramatic growth. This will make it even more challenging to design ciphertext search schemes that can provide efficient and reliable online information retrieval on large volume of encrypted data. In this paper, a hierarchical clustering method is proposed to support more search semantics and also to meet the demand for fast ciphertext search within a big data environment. The proposed hierarchical approach clusters the documents based on the minimum relevance threshold, and then partitions the resulting clusters into sub-clusters until the constraint on the maximum size of cluster is reached. In the search phase, this approach can reach a linear computational complexity against an exponential size increase of document collection. In order to verify the authenticity of search results, a structure called minimum hash sub-tree is designed in this paper. Experiments have been conducted using the collection set built from the IEEE Xplore. The results show that with a sharp increase of documents in the dataset the search time of the proposed method increases linearly whereas the search time of the traditional method increases exponentially. Furthermore, the proposed method has an advantage over the traditional method in the rank privacy and relevance of retrieved documents.
Web service composition (WSC) is the task of joining a chain of connected single services together to create a more complex and value-added composite service. Quality of Service (QoS) has been mostly applied to represent nonfunctional properties of Web services and differentiate those with the same functionality. Much research has been done on QoS-aware service composition, as it significantly affects the quality of a composite service. However, existing methods are restricted to predefined workflows, which can result in several limitations, including the lack of guarantee for the optimality on overall QoS and for the completeness of finding a composite service solution. In this thesis we investigate the problem of SaaS Web Service Composition. We present a new method that combines an encoding into SAT and a Minimal Unsatisfiability Subformulas extraction to obtain the minimum SaaS Web Service Composition. Then, we generalize this approach to consider the quality of SaaS Web Services.
Existing works consider only Web service composition. For security, our proposed work considers privacy-preserving Web service composition. In the proposed work, we describe a formal privacy model for Web Services that goes beyond traditional data-oriented models. It deals with privacy not only at the data level (i.e., inputs and outputs) but also at the service level (i.e., service invocation). In this work, we build upon this model two other extensions to address security issues during SaaS composition.
Cloud computing is a growing technology of large scale distributed computing. Cloud computing provides on-demand access to different services on a paid basis. Almost all industries nowadays want to use cloud services to reduce the overall cost of infrastructure and maintenance. Therefore the load on the cloud is increasing day by day. Balancing the load is one of the biggest and prime issues that cloud computing is facing today. It simply means that there should be a provision so that no node is overloaded. The load should be distributed fairly among all the nodes. The goal of load balancing is to maximize the resource utilization. Load balancing gives high user satisfaction and also improves overall performance of the system. Proper load balancing will further reduce energy consumption and carbon emission rate. There are many algorithms for load balancing in cloud computing. All algorithms work in different ways and have some advantages and limitations. The most important thing for load balancing algorithms is to consider characteristics like fairness, throughput, fault tolerance, overhead, performance, response time and resource utilization. A single algorithm can’t provide all these characteristics. There is a need to combine two or more algorithms for balancing the load. The proposed system implements a load balancing algorithm which combines the features of two or more algorithms and considers resource specific demands of the jobs. The proposed system also divides the available VMs into groups. By using this approach, performance of the system can be increased significantly.
Building confidential and efficient query services in the cloud with RASP data perturbation.
With the wide deployment of public cloud computing infrastructures, using clouds to host data query services has become an appealing solution for the advantages on scalability and cost-saving. However, some data might be sensitive that the data owner does not want to move to the cloud unless the data confidentiality and query privacy are guaranteed. On the other hand, a secured query service should still provide efficient query processing and significantly reduce the in-house workload to fully realize the benefits of cloud computing. We propose the random space perturbation (RASP) data perturbation method to provide secure and efficient range query and kNN query services for protected data in the cloud. The RASP data perturbation method combines order preserving encryption, dimensionality expansion, random noise injection, and random projection, to provide strong resilience to attacks on the perturbed data and queries. It also preserves multidimensional ranges, which allows existing indexing techniques to be applied to speedup range query processing. The kNN-R algorithm is designed to work with the RASP range query algorithm to process the kNN queries. We have carefully analyzed the attacks on data and queries under a precisely defined threat model and realistic security assumptions. Extensive experiments have been conducted to show the advantages of this approach on efficiency and security.
Towards Building Forensics Enabled Cloud Through Secure Logging-as-a-Service.
Cloud computing has emerged as a popular computing paradigm in recent years. However, today’s cloud computing architectures often lack support for computer forensic investigations. Analyzing various logs (e.g., process logs, network logs) plays a vital role in computer forensics. Unfortunately, collecting logs from a cloud is very hard given the black-box nature of clouds and the multi-tenant cloud models, where many users share the same processing and network resources. Researchers have proposed using log API or cloud management console to mitigate the challenges of collecting logs from cloud infrastructure. However, there has been no concrete work, which shows how to provide cloud logs to investigator while preserving users’ privacy and integrity of the logs. In this paper, we introduce Secure-Logging-as-a-Service (SecLaaS), which stores virtual machines’ logs and provides access to forensic investigators ensuring the confidentiality of the cloud users. Additionally, SecLaaS preserves proofs of past log and thus protects the integrity of the logs from dishonest investigators or cloud providers.
Strategy-Proof Pricing for Cloud Service Composition.
Cloud computing is a real technological innovation in the area of information systems development that provides the benefits of self-service applications, resource pooling, and broad network access. Nowadays, cloud computing to support speed, easy integration, and low cost of distributed applications in dynamic environments has become increasingly popular. Thus, service composition is an emerging technique that multiplies the number of applications of cloud computing by reusing attractive services. Service composition methods can be applied in two main scenarios: single cloud and multicloud. In this thesis we propose a Service Composition Mechanism in Multi-Cloud Environments using Strategy-Proof Pricing. A possible solution is the Vickrey-Clarke-Groves (VCG) mechanism, where the dominant strategy for a service provider is to report the true cost of his service. Despite this attractive property, implementing the VCG mechanism for service composition suffers from computational cost. The calculation of payments to service providers based on the VCG mechanism requires iterative service selection. Approximation algorithms cannot be applied because approximate solutions do not ensure the desirable property of the VCG mechanism. Therefore, we model VCG payments for service markets and propose a dynamic programming (DP)-based algorithm for service selection and VCG payment calculation. Our proposed algorithm solves service selection in semi polynomial time and gives an exact solution.
Attribute-Based Data Sharing Scheme Revisited in Cloud Computing.
Adoption of cloud computing technology has significantly increased over the last few years, promising a great opportunity for innovation amongst businesses. However, some businesses are still sceptical of how Cloud Computing can enhance or replace all or part of their IT environment. Cloud is typically marketed to promote benefits such as improved efficiency, flexibility and even opportunity for expansion. However, many of these benefits lack tangibility, often making it difficult to validate a move to the cloud. Organizations considering the change typically look at implementing a solution that incorporates a mix of on premise, and public or private cloud, referred to as a hybrid cloud model. Furthermore, how to securely and efficiently share user data is one of the toughest challenges in the scenario of cloud computing. Ciphertext-policy attribute-based encryption (CP-ABE) has turned out to be an important encryption technology to tackle the challenge of secure data sharing. The data owner is allowed to fully control the access policy associated with his data which is to be shared. However, CP-ABE is limited by a potential security risk that is known as the key escrow problem, whereby the secret keys of users have to be issued by a trusted key authority. Besides, most of the existing CP-ABE schemes cannot support attributes with arbitrary state. To tackle this problem, we proposed a Hybrid Cloud Approach for Attribute-Based Data Sharing Scheme Revisited, which is denoted as ciphertext-policy weighted ABE scheme with removing escrow (Hybrid Cloud based CP-WABE-RE). It successfully resolves two types of problems: key escrow and arbitrary-state attribute expression. Experimental results show that our proposed system is able to share data securely and efficiently.
Towards Differential Query Services in Cost-Efficient Clouds.
Cloud computing as an emerging technology trend is expected to reshape the advances in information technology. In a cost-efficient cloud environment, a user can tolerate a certain degree of delay while retrieving information from the cloud to reduce costs. In this paper, we address two fundamental issues in such an environment: privacy and efficiency. We first review a private keyword-based file retrieval scheme that was originally proposed by Ostrovsky. Their scheme allows a user to retrieve files of interest from an untrusted server without leaking any information. The main drawback is that it will cause a heavy querying overhead incurred on the cloud and thus goes against the original intention of cost efficiency. In this paper, we present three efficient information retrieval for ranked query (EIRQ) schemes to reduce querying overhead incurred on the cloud. In EIRQ, queries are classified into multiple ranks, where a higher ranked query can retrieve a higher percentage of matched files. A user can retrieve files on demand by choosing queries of different ranks. This feature is useful when there are a large number of matched files, but the user only needs a small subset of them. Under different parameter settings, extensive evaluations have been conducted on both analytical models and on a real cloud environment, in order to examine the effectiveness of our schemes.
Provable Multicopy Dynamic Data Possession in Cloud Computing Systems.
Increasingly more and more organizations are opting for outsourcing data to remote cloud service providers (CSPs). Customers can rent the CSPs storage infrastructure to store and retrieve almost unlimited amount of data by paying fees metered in gigabyte/month. For an increased level of scalability, availability, and durability, some customers may want their data to be replicated on multiple servers across multiple data centers. The more copies the CSP is asked to store, the more fees the customers are charged. Therefore, customers need to have a strong guarantee that the CSP is storing all data copies that are agreed upon in the service contract, and all these copies are consistent with the most recent modifications issued by the customers. In this paper, we propose a map-based provable multicopy dynamic data possession (MB-PMDDP) scheme that has the following features: 1) it provides an evidence to the customers that the CSP is not cheating by storing fewer copies; 2) it supports outsourcing of dynamic data, i.e., it supports block-level operations, such as block modification, insertion, deletion, and append; and 3) it allows authorized users to seamlessly access the file copies stored by the CSP. We give a comparative analysis of the proposed MB-PMDDP scheme with a reference model obtained by extending existing provable possession of dynamic single-copy schemes. The theoretical analysis is validated through experimental results on a commercial cloud platform. In addition, we show the security against colluding servers, and discuss how to identify corrupted copies by slightly modifying the proposed scheme.
Decentralized Access Control with Anonymous Authentication of Data Stored in Clouds.
We propose a new decentralized access control scheme for secure data storage in clouds that supports anonymous authentication. In the proposed scheme, the cloud verifies the authenticity of the series without knowing the user's identity before storing data. Our scheme also has the added feature of access control in which only valid users are able to decrypt the stored information. The scheme prevents replay attacks and supports creation, modification, and reading data stored in the cloud. We also address user revocation. Moreover, our authentication and access control scheme is decentralized and robust, unlike other access control schemes designed for clouds which are centralized. The communication, computation, and storage overheads are comparable to centralized approaches.
Cloud workflow scheduling with deadlines and time slot availability.
Allocating service capacities in cloud computing is based on the assumption that they are unlimited and can be used at any time. However, available service capacities change with workload and cannot satisfy users’ requests at any time from the cloud provider’s perspective because cloud services can be shared by multiple tasks. Cloud service providers provide available time slots for new user’s requests based on available capacities. In this paper, we consider workflow scheduling with deadline and time slot availability in cloud computing. An iterated heuristic framework is presented for the problem under study which mainly consists of initial solution construction, improvement, and perturbation. Three initial solution construction strategies, two greedy- and fair-based improvement strategies and a perturbation strategy are proposed. Different strategies in the three phases result in several heuristics. Experimental results show that different initial solution and improvement strategies have different effects on solution qualities.
DeyPoS: Deduplicatable Dynamic Proof of Storage for Multi-User Environments.
Dynamic Proof of Storage (PoS) is a useful cryptographic primitive that enables a user to check the integrity of outsourced files and to efficiently update the files in a cloud server. Although researchers have proposed many dynamic PoS schemes in single-user environments, the problem in multi-user environments has not been investigated sufficiently. A practical multi-user cloud storage system needs the secure client-side cross-user deduplication technique, which allows a user to skip the uploading process and obtain the ownership of the files immediately, when other owners of the same files have uploaded them to the cloud server. To the best of our knowledge, none of the existing dynamic PoSs can support this technique. In this paper, we introduce the concept of deduplicatable dynamic proof of storage and propose an efficient construction called DeyPoS, to achieve dynamic PoS and secure cross-user deduplication, simultaneously. Considering the challenges of structure diversity and private tag generation, we exploit a novel tool called Homomorphic Authenticated Tree (HAT). We prove the security of our construction, and the theoretical analysis and experimental results show that our construction is efficient in practice.
Enabling Cloud Storage Auditing with Verifiable Outsourcing of Key Updates.
Key-exposure resistance has always been an important issue for in-depth cyber defence in many security applications. Recently, how to deal with the key exposure problem in the settings of cloud storage auditing has been proposed and studied. To address the challenge, existing solutions all require the client to update his secret keys in every time period, which may inevitably bring in new local burdens to the client, especially those with limited computation resources such as mobile phones. In this paper, we focus on how to make the key updates as transparent as possible for the client and propose a new paradigm called cloud storage auditing with verifiable outsourcing of key updates. In this paradigm, key updates can be safely outsourced to some authorized party, and thus the key-update burden on the client will be kept minimal. Specifically, we leverage the third party auditor (TPA) in many existing public auditing designs, let it play the role of authorized party in our case, and make it in charge of both the storage auditing and the secure key updates for key-exposure resistance. In our design, TPA only needs to hold an encrypted version of the client’s secret key, while doing all these burdensome tasks on behalf of the client. The client only needs to download the encrypted secret key from the TPA when uploading new files to cloud. Besides, our design also equips the client with capability to further verify the validity of the encrypted secret keys provided by TPA. All these salient features are carefully designed to make the whole auditing procedure with key exposure resistance as transparent as possible for the client. We formalize the definition and the security model of this paradigm. The security proof and the performance simulation show that our detailed design instantiations are secure and efficient.
Cloud Federations in the Sky: Formation Game and Mechanism.
The amount of computing resources required by current and future data-intensive applications is expected to increase dramatically, creating high demands for cloud resources. The cloud providers’ available resources may not be sufficient enough to cope with such demands. Therefore, the cloud providers need to reshape their business structures and seek to improve their dynamic resource scaling capabilities. Federated clouds offer a practical platform for addressing this service management issue. We introduce a cloud federation formation game that considers the cooperation of the cloud providers in offering cloud IaaS services. Based on the proposed federation formation game, we design a cloud federation formation mechanism that enables the cloud providers to dynamically form a cloud federation maximizing their profit. In addition, the proposed mechanism produces a stable cloud federation structure, that is, the participating cloud providers in the federation do not have incentives to break away from the federation. We analyze the performance of the proposed mechanism by performing extensive experiments. The results of the experiments show that the cloud federation obtained by our proposed mechanism is stable, yielding high profit for the participating cloud providers.
Combining Efficiency, Fidelity, and Flexibility in Resource Information Services.
A large-scale resource sharing system (e.g., collaborative cloud computing and grid computing) creates a virtual supercomputer by providing an infrastructure for sharing tremendous amounts of resources (e.g., computing, storage, and data) distributed over the Internet. A resource information service, which collects resource data and provides resource search functionality for locating desired resources, is a crucial component of the resource sharing system. In addition to resource discovery speed and cost (i.e., efficiency), the ability to accurately locate all satisfying resources (i.e., fidelity) is also an important metric for evaluating service quality. Previously, a number of resource information service systems have been proposed based on Distributed Hash Tables (DHTs) that offer scalable key-based lookup functions. However, these systems either achieve high fidelity at low efficiency, or high efficiency at low fidelity. Moreover, some systems have limited flexibility by only providing exact-matching services or by describing a resource using a pre-defined list of attributes. This paper presents a resource information service that offers high efficiency and fidelity without restricting resource expressiveness, while also providing a similar-matching service. Extensive simulation and PlanetLab experimental results show that the proposed service outperforms other services in terms of efficiency, fidelity, and flexibility; it dramatically reduces overhead and yields significant enhancements in efficiency and fidelity.
Contributory Broadcast Encryption with Efficient Encryption and Short Ciphertexts.
Traditional broadcast encryption (BE) schemes allow a sender to securely broadcast to any subset of members but require a trusted party to distribute decryption keys. Group key agreement (GKA) protocols enable a group of members to negotiate a common encryption key via open networks so that only the group members can decrypt the ciphertexts encrypted under the shared encryption key, but a sender cannot exclude any particular member from decrypting the ciphertexts. In this paper, we bridge these two notions with a hybrid primitive referred to as contributory broadcast encryption (ConBE). In this new primitive, a group of members negotiate a common public encryption key while each member holds a decryption key. A sender seeing the public group encryption key can limit the decryption to a subset of members of his choice. Following this model, we propose a ConBE scheme with short ciphertexts. The scheme is proven to be fully collusion-resistant under the decision n-Bilinear Diffie-Hellman Exponentiation (BDHE) assumption in the standard model. Of independent interest, we present a new BE scheme that is aggregatable. The aggregatability property is shown to be useful to construct advanced protocols.
Control Cloud Data Access Privilege and Anonymity With Fully Anonymous Attribute-Based Encryption.
Cloud computing is a revolutionary computing paradigm, which enables flexible, on-demand, and low-cost usage of computing resources, but the data is outsourced to some cloud servers, and various privacy concerns emerge from it. Various schemes based on the attribute-based encryption have been proposed to secure the cloud storage. However, most work focuses on the data contents privacy and the access control, while less attention is paid to the privilege control and the identity privacy. In this paper, we present a semianonymous privilege control scheme AnonyControl to address not only the data privacy, but also the user identity privacy in existing access control schemes. AnonyControl decentralizes the central authority to limit the identity leakage and thus achieves semianonymity. Besides, it also generalizes the file access control to the privilege control, by which privileges of all operations on the cloud data can be managed in a fine-grained manner. Subsequently, we present the AnonyControl-F, which fully prevents the identity leakage and achieves the full anonymity. Our security analysis shows that both AnonyControl and AnonyControl-F are secure under the decisional bilinear Diffie–Hellman assumption, and our performance evaluation exhibits the feasibility of our schemes.
Cost-Effective Authentic and Anonymous Data Sharing with Forward Security.
Data sharing has never been easier with the advances of cloud computing, and an accurate analysis on the shared data provides an array of benefits to both the society and individuals. Data sharing with a large number of participants must take into account several issues, including efficiency, data integrity and privacy of data owner. Ring signature is a promising candidate to construct an anonymous and authentic data sharing system. It allows a data owner to anonymously authenticate his data which can be put into the cloud for storage or analysis purpose. Yet the costly certificate verification in the traditional public key infrastructure (PKI) setting becomes a bottleneck for this solution to be scalable. Identity-based (ID-based) ring signature, which eliminates the process of certificate verification, can be used instead. In this paper, we further enhance the security of ID-based ring signature by providing forward security: If a secret key of any user has been compromised, all previous generated signatures that include this user still remain valid. This property is especially important to any large scale data sharing system, as it is impossible to ask all data owners to reauthenticate their data even if a secret key of one single user has been compromised. We provide a concrete and efficient instantiation of our scheme, prove its security and provide an implementation to show its practicality.
Cost-Minimizing Dynamic Migration of Content Distribution Services into Hybrid Clouds.
With the recent advent of cloud computing technologies, a growing number of content distribution applications are contemplating a switch to cloud-based services, for better scalability and lower cost. Two key tasks are involved for such a move: to migrate the contents to cloud storage, and to distribute the web service load to cloud-based web services. The main issue is to best utilize the cloud as well as the application provider’s existing private cloud, to serve volatile requests with service response time guarantee at all times, while incurring the minimum operational cost. While it may not be too difficult to design a simple heuristic, proposing one with guaranteed cost optimality over a long run of the system constitutes an intimidating challenge. Employing Lyapunov optimization techniques, we design a dynamic control algorithm to optimally place contents and dispatch requests in a hybrid cloud infrastructure spanning geo-distributed data centers, which minimizes overall operational cost over time, subject to service response time constraints. Rigorous analysis shows that the algorithm nicely bounds the response times within the preset QoS target, and guarantees that the overall cost is within a small constant gap from the optimum achieved by a T-slot lookahead mechanism with known future information. We verify the performance of our dynamic algorithm with prototype-based evaluation.
CHARM: A Cost-efficient Multi-cloud Data Hosting Scheme with High Availability.
Nowadays, more and more enterprises and organizations are hosting their data into the cloud, in order to reduce the IT maintenance cost and enhance the data reliability. However, facing the numerous cloud vendors as well as their heterogeneous pricing policies, customers may well be perplexed with which cloud(s) are suitable for storing their data and what hosting strategy is cheaper. The general status quo is that customers usually put their data into a single cloud (which is subject to the vendor lock-in risk) and then simply trust to luck. Based on comprehensive analysis of various state-of-the-art cloud vendors, this paper proposes a novel data hosting scheme (named CHARM) which integrates two key functions desired. The first is selecting several suitable clouds and an appropriate redundancy strategy to store data with minimized monetary cost and guaranteed availability. The second is triggering a transition process to re-distribute data according to the variations of data access pattern and pricing of clouds. We evaluate the performance of CHARM using both trace-driven simulations and prototype experiments. The results show that compared with the major existing schemes, CHARM not only saves around 20% of monetary cost but also exhibits sound adaptability to data and price adjustments.
Circuit Ciphertext-policy Attribute-based Hybrid Encryption with Verifiable Delegation in Cloud Computing.
In the cloud, for achieving access control and keeping data confidential, the data owners could adopt attribute-based encryption to encrypt the stored data. Users with limited computing power are however more likely to delegate the mask of the decryption task to the cloud servers to reduce the computing cost. As a result, attribute-based encryption with delegation emerges. Still, there are caveats and questions remaining in the previous relevant works. For instance, during the delegation, the cloud servers could tamper or replace the delegated ciphertext and respond a forged computing result with malicious intent. They may also cheat the eligible users by responding them that they are ineligible for the purpose of cost saving. Furthermore, during the encryption, the access policies may not be flexible enough as well. Since policy for general circuits enables to achieve the strongest form of access control, a construction for realizing circuit ciphertext-policy attribute-based hybrid encryption with verifiable delegation has been considered in our work. In such a system, combined with verifiable computation and encrypt-then-mac mechanism, the data confidentiality, the fine-grained access control and the correctness of the delegated computing results are well guaranteed at the same time. Besides, our scheme achieves security against chosen-plaintext attacks under the k-multilinear Decisional Diffie-Hellman assumption. Moreover, an extensive simulation campaign confirms the feasibility and efficiency of the proposed solution.
Using cloud computing, individuals can store their data on remote servers and allow data access to public users through the cloud servers. As the outsourced data are likely to contain sensitive privacy information, they are typically encrypted before uploaded to the cloud. This, however, significantly limits the usability of outsourced data due to the difficulty of searching over the encrypted data. In this paper, we address this issue by developing the fine-grained multi-keyword search schemes over encrypted cloud data. Our original contributions are three-fold. First, we introduce the relevance scores and preference factors upon keywords which enable the precise keyword search and personalized user experience. Second, we develop a practical and very efficient multi-keyword search scheme. The proposed scheme can support complicated logic search the mixed “AND”, “OR” and “NO” operations of keywords. Third, we further employ the classified sub-dictionaries technique to achieve better efficiency on index building, trapdoor generating and query. Lastly, we analyze the security of the proposed schemes in terms of confidentiality of documents, privacy protection of index and trapdoor, and unlinkability of trapdoor. Through extensive experiments using the real-world dataset, we validate the performance of the proposed schemes. Both the security analysis and experimental results demonstrate that the proposed schemes can achieve the same security level comparing to the existing ones and better performance in terms of functionality, query complexity and efficiency.
Identity-based Encryption with Outsourced Revocation in Cloud Computing.
Identity-Based Encryption (IBE) which simplifies the public key and certificate management at Public Key Infrastructure (PKI) is an important alternative to public key encryption. However, one of the main efficiency drawbacks of IBE is the overhead computation at Private Key Generator (PKG) during user revocation. Efficient revocation has been well studied in traditional PKI setting, but the cumbersome management of certificates is precisely the burden that IBE strives to alleviate. In this paper, aiming at tackling the critical issue of identity revocation, we introduce outsourcing computation into IBE for the first time and propose a revocable IBE scheme in the server-aided setting. Our scheme offloads most of the key generation related operations during key-issuing and key-update processes to a Key Update Cloud Service Provider, leaving only a constant number of simple operations for PKG and users to perform locally. This goal is achieved by utilizing a novel collusion-resistant technique: we employ a hybrid private key for each user, in which an AND gate is involved to connect and bound the identity component and the time component. Furthermore, we propose another construction which is provable secure under the recently formulized Refereed Delegation of Computation model. Finally, we provide extensive experimental results to demonstrate the efficiency of our proposed construction.
Innovative Schemes for Resource Allocation in the Cloud for Media Streaming Applications.
Media streaming applications have recently attracted a large number of users in the Internet. With the advent of these bandwidth-intensive applications, it is economically inefficient to provide streaming distribution with guaranteed QoS relying only on central resources at a media content provider. Cloud computing offers an elastic infrastructure that media content providers (e.g., Video on Demand (VoD) providers) can use to obtain streaming resources that match the demand. Media content providers are charged for the amount of resources allocated (reserved) in the cloud. Most of the existing cloud providers employ a pricing model for the reserved resources that is based on non-linear time-discount tariffs (e.g., Amazon CloudFront and Amazon EC2). Such a pricing scheme offers discount rates depending non-linearly on the period of time during which the resources are reserved in the cloud. In this case, an open problem is to decide on both the right amount of resources reserved in the cloud, and their reservation time such that the financial cost on the media content provider is minimized. We propose a simple - easy to implement - algorithm for resource reservation that maximally exploits discounted rates offered in the tariffs, while ensuring that sufficient resources are reserved in the cloud. Based on the prediction of demand for streaming capacity, our algorithm is carefully designed to reduce the risk of making wrong resource allocation decisions. The results of our numerical evaluations and simulations show that the proposed algorithm significantly reduces the monetary cost of resource allocations in the cloud as compared to other conventional schemes.
OPoR: Enabling Proof of Retrievability in Cloud Computing with Resource-Constrained Devices.
Cloud Computing moves the application software and databases to the centralized large data centers, where the management of the data and services may not be fully trustworthy. In this work, we study the problem of ensuring the integrity of data storage in Cloud Computing. To reduce the computational cost at user side during the integrity verification of their data, the notion of public verifiability has been proposed. However, the challenge is that the computational burden is too huge for the users with resource-constrained devices to compute the public authentication tags of file blocks. To tackle the challenge, we propose OPoR, a new cloud storage scheme involving a cloud storage server and a cloud audit server, where the latter is assumed to be semi-honest. In particular, we consider the task of allowing the cloud audit server, on behalf of the cloud users, to pre-process the data before uploading to the cloud storage server and later verifying the data integrity. OPoR outsources the heavy computation of the tag generation to the cloud audit server and eliminates the involvement of user in the auditing and in the preprocessing phases. Furthermore, we strengthen the Proof of Retrievability (PoR) model to support dynamic data operations, as well as ensure security against reset attacks launched by the cloud storage server in the upload phase.
Privacy Preserving Ranked Multi-Keyword Search for Multiple Data Owners in Cloud Computing.
With the advent of cloud computing, it has become increasingly popular for data owners to outsource their data to public cloud servers while allowing data users to retrieve this data. For privacy concerns, secure searches over encrypted cloud data has motivated several research works under the single owner model. However, most cloud servers in practice do not just serve one owner; instead, they support multiple owners to share the benefits brought by cloud computing. In this paper, we propose schemes to deal with Privacy preserving Ranked Multi-keyword Search in a Multi-owner model (PRMSM). To enable cloud servers to perform secure search without knowing the actual data of both keywords and trapdoors, we systematically construct a novel secure search protocol. To rank the search results and preserve the privacy of relevance scores between keywords and files, we propose a novel Additive Order and Privacy Preserving Function family. To prevent the attackers from eavesdropping secret keys and pretending to be legal data users submitting searches, we propose a novel dynamic secret key generation protocol and a new data user authentication protocol. Furthermore, PRMSM supports efficient data user revocation. Extensive experiments on real-world datasets confirm the efficacy and efficiency of PRMSM.
Stealthy Denial of Service Strategy in Cloud Computing.
The success of the cloud computing paradigm is due to its on-demand, self-service, and pay-by-use nature. According to this paradigm, the effects of Denial of Service (DoS) attacks involve not only the quality of the delivered service, but also the service maintenance costs in terms of resource consumption. Specifically, the longer the detection delay is, the higher the costs to be incurred. Therefore, a particular attention has to be paid for stealthy DoS attacks. They aim at minimizing their visibility, and at the same time, they can be as harmful as the brute-force attacks. They are sophisticated attacks tailored to leverage the worst-case performance of the target system through specific periodic, pulsing, and low-rate traffic patterns. In this paper, we propose a strategy to orchestrate stealthy attack patterns, which exhibit a slowly-increasing-intensity trend designed to inflict the maximum financial cost to the cloud customer, while respecting the job size and the service arrival rate imposed by the detection mechanisms. We describe both how to apply the proposed strategy, and its effects on the target system deployed in the cloud.
A Scalable and Reliable Matching Service for Content-Based Publish/Subscribe Systems.
Characterized by the increasing arrival rate of live content, the emergency applications pose a great challenge: how to disseminate large-scale live content to interested users in a scalable and reliable manner. The publish/subscribe (pub/sub) model is widely used for data dissemination because of its capacity of seamlessly expanding the system to massive size. However, most event matching services of existing pub/sub systems either lead to low matching throughput when matching a large number of skewed subscriptions, or interrupt dissemination when a large number of servers fail. The cloud computing provides great opportunities for the requirements of complex computing and reliable communication. In this paper, we propose SREM, a scalable and reliable event matching service for content-based pub/sub systems in cloud computing environment. To achieve low routing latency and reliable links among servers, we propose a distributed overlay SkipCloud to organize servers of SREM. Through a hybrid space partitioning technique HPartition, large-scale skewed subscriptions are mapped into multiple subspaces, which ensures high matching throughput and provides multiple candidate servers for each event. Moreover, a series of dynamics maintenance mechanisms are extensively studied. To evaluate the performance of SREM, 64 servers are deployed and millions of live content items are tested in a CloudStack testbed. Under various parameter settings, the experimental results demonstrate that the traffic overhead of routing events in SkipCloud is at least 60 percent smaller than in Chord overlay, the matching rate in SREM is at least 3.7 times and at most 40.4 times larger than the single-dimensional partitioning technique of BlueDove. Besides, SREM enables the event loss rate to drop back to 0 in tens of seconds even if a large number of servers fail simultaneously.
Identifying Features in Opinion Mining via Intrinsic and Extrinsic Domain Relevance.
The vast majority of existing approaches to opinion feature extraction rely on mining patterns only from a single review corpus, ignoring the nontrivial disparities in word distributional characteristics of opinion features across different corpora. In this paper, we propose a novel method to identify opinion features from online reviews by exploiting the difference in opinion feature statistics across two corpora, one domain-specific corpus (i.e., the given review corpus) and one domain-independent corpus (i.e., the contrasting corpus). We capture this disparity via a measure called domain relevance (DR), which characterizes the relevance of a term to a text collection. We first extract a list of candidate opinion features from the domain review corpus by defining a set of syntactic dependence rules. For each extracted candidate feature, we then estimate its intrinsic-domain relevance (IDR) and extrinsic-domain relevance (EDR) scores on the domain-dependent and domain-independent corpora, respectively. Candidate features that are less generic (EDR score less than a threshold) and more domain-specific (IDR score greater than another threshold) are then confirmed as opinion features. We call this interval thresholding approach the intrinsic and extrinsic domain relevance (IEDR) criterion. Experimental results on two real-world review domains show the proposed IEDR approach to outperform several other well-established methods in identifying opinion features.
A Heuristic Clustering-based Task Deployment Approach for Load Balancing Using Bayes Theorem in Cloud Environment.
Aiming at the current problems that most physical hosts in the cloud data center are so overloaded that it makes the whole cloud data center’s load imbalanced and that existing load balancing approaches have relatively high complexity, this paper has focused on the selection problem of physical hosts for deploying requested tasks and proposed a novel heuristic approach called LB-BC (Load Balancing based on Bayes and Clustering). Most previous works, generally, utilize a series of algorithms through optimizing the candidate target hosts within an algorithm cycle and then picking out the optimal target hosts to achieve the immediate load balancing effect. However, the immediate effect doesn’t guarantee high execution efficiency for the next task although it has abilities in achieving high resource utilization. Based on this argument, LB-BC introduces the concept of achieving the overall load balancing in a long-term process in contrast to the immediate load balancing approaches in the current literature. LB-BC makes a limited constraint about all physical hosts aiming to achieve a task deployment approach with global search capability in terms of the performance function of computing resource. The Bayes theorem is combined with the clustering process to obtain the optimal clustering set of physical hosts finally. Simulation results show that compared with the existing works, the proposed approach has reduced the failure number of task deployment events obviously, improved the throughput, and optimized the external services performance of cloud data centers.
Secure Authorized Deduplication backup storage with reducing fragmentation via exploiting backup history and cache knowledge.
As duplicate chunks are eliminated between multiple backups, the chunks of a backup unfortunately become physically scattered in different containers, which is known as fragmentation in backup systems. We observe that the fragmentation comes in two categories of containers: sparse containers and out-of-order containers, which have different negative impacts and require dedicated solutions. During a restore, a majority of chunks in a sparse container are never accessed, and the chunks in an out-of-order container are accessed intermittently. Both of them hurt the restore performance. Increasing the restore cache size alleviates the negative impacts of out-of-order containers, but it is ineffective for sparse containers because they directly amplify read operations. Additionally, the merging operation is required to reclaim sparse containers in the garbage collection after users delete backups. In order to reduce the fragmentation, we propose History-Aware Rewriting algorithm (HAR) and Cache-Aware Filter (CAF). HAR exploits historical information in backup systems to accurately identify and reduce sparse containers, and CAF exploits restore cache knowledge to identify the out-of-order containers that hurt restore performance. To reduce the metadata overhead of the garbage collection, we further propose a Container-Marker Algorithm (CMA) to identify valid containers instead of valid chunks. Although data deduplication brings a lot of benefits, security and privacy concerns arise as users’ sensitive data are susceptible to both insider and outsider attacks. In this project, convergent encryption has been proposed to enforce data confidentiality while making deduplication feasible. It encrypts/decrypts a data copy with a convergent key, which is obtained by computing the cryptographic hash value of the content of the data copy. After key generation and data encryption, users retain the keys and send the ciphertext to the backup storage.
Since the encryption operation is deterministic and is derived from the data content, identical data copies will generate the same convergent key and hence the same ciphertext. To prevent unauthorized access, a secure proof of ownership protocol is also needed to provide the proof that the user indeed owns the same file when a duplicate is found. After the proof, subsequent users with the same file will be provided a pointer from the server without needing to upload the same file. A user can download the encrypted file with the pointer from the server, which can only be decrypted by the corresponding data owners with their convergent keys. Thus, convergent encryption allows the backup storage to perform deduplication on the ciphertexts and the proof of ownership prevents unauthorized users from accessing the file.