Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) October 2011 Cloud-based Assured Information Sharing and Identity Management.

Team Members
Sponsor: Air Force Office of Scientific Research
The University of Texas at Dallas
– Faculty: Dr. Murat Kantarcioglu; Dr. Latifur Khan; Dr. Kevin Hamlen; Dr. Zhiqiang Lin
Sub-contractors
– Prof. Elisa Bertino (Purdue)
– Ms. Anita Miller, Dr. Bob Johnson (North Texas Fusion Center)
Collaborators
– Dr. Steve Barker, Kings College, U of London (EOARD)
– Dr. Barbara Carminati; Dr. Elena Ferrari, U of Insubria (EOARD)
– Prof. Peng Liu, Penn State
– Prof. Ting Yu, NC State

Outline
Objectives
Layered Framework
Data Security Issues for Clouds
Our Research
– FY11
  Cloud-based Assured Information Sharing Demonstration
  RDF-based Policy Engine on the Cloud
  Secure Query Processing in Hybrid Cloud
  CloudMask: Purdue University
  Stream-based Malware Detection on the Cloud
  Hypervisor (e.g., Xen) Integrity Issues and Forensics in the Cloud
  Preliminary Investigation of Identity Management
– FY10
  Secure Querying and Storing Relational Data with HIVE
  Secure Querying and Storing RDF in Hadoop with SPARQL
  XACML Implementation for Hadoop
  Amazon.com Web Services and Security
  Accountability and Access Control (Joint with Purdue)
Acknowledgement: Research Funded by Air Force Office of Scientific Research

Objectives
Cloud computing is a model of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure in the "cloud" that supports them.
Our research on cloud computing is based on Hadoop, MapReduce and Xen.
– Apache Hadoop is a Java software framework that supports data-intensive distributed applications under a free license. It enables applications to work with thousands of nodes and petabytes of data. Hadoop was inspired by Google's MapReduce and Google File System (GFS) papers.
– Xen is a Virtual Machine Monitor (hypervisor) developed at the University of Cambridge, England.
Our goal is to build a secure cloud infrastructure for assured information sharing applications.

Layered Framework
Figure 2. Layered Framework for Assured Cloud. Layers as drawn: User Interface; Hadoop/MapReduce/Storage; HIVE/SPARQL/Query; XEN/Linux/VMM; Secure Virtual Network Monitor. Cross-cutting components: Policies (XACML); Risks/Costs; QoS; Resource Allocation; Cloud Monitors.

Secure Query Processing with Hadoop/MapReduce
We have studied clouds based on Hadoop.
Query rewriting and optimization techniques designed and implemented for two types of data:
– (i) Relational data: secure query processing with HIVE
– (ii) RDF data: secure query processing with SPARQL
Demonstrated with XACML policies.
Joint demonstration with Kings College and University of Insubria
– First demo (2011): each party submits their data and policies; our cloud will manage the data and policies
– Second demo (2012): multiple clouds

Fine-grained Access Control with Hive: System Architecture
– Table/view definition and loading: users can create tables as well as load data into tables. They can also upload XACML policies for the table they are creating, and can create XACML policies for existing tables/views.
– Users can define views only if they have permissions for all tables referenced in the query used to create the view. They can also either specify or create XACML policies for the views they are defining.
– Published at CollaborateCom 2010.
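The slide describes policy enforcement for Hive in two parts: a query over a table is answered only through the columns and rows an XACML policy grants, and a view may be defined only when the user holds permissions on every base table. The example below is added here and is not the project's code; the rule format, the `PDP` class, the policy view rewrite, the `SAMPLE_RULES` policy and the single-table SELECT grammar it accepts are all assumptions made for illustration. It rewrites the user's query so that the table reference becomes a policy-derived subquery (the "view") projecting only permitted columns with the row filter applied, and it denies queries that touch columns outside the rule, in the SELECT list or in the WHERE clause.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Rule:
    """XACML-style rule (assumed format): subjects holding `role` may read `columns`
    of `table`, restricted to rows satisfying `row_filter` (a HiveQL boolean expression)."""
    role: str
    table: str
    columns: FrozenSet[str]
    row_filter: Optional[str] = None


class PDP:
    """Policy Decision Point: one rule per (role, table); no rule means Deny."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = {(r.role, r.table): r for r in rules}

    def rule_for(self, role: str, table: str) -> Optional[Rule]:
        return self.rules.get((role, table))


# Hypothetical sample policy, constructed for this example.
SAMPLE_RULES = [
    Rule("analyst", "transactions", frozenset({"txid", "amount", "region"}), "region = 'TX'"),
    Rule("analyst", "accounts", frozenset({"acct", "owner"})),
]

# Deliberately small grammar: single-table SELECT with an optional WHERE clause.
_SELECT = re.compile(
    r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>\w+)(?:\s+WHERE\s+(?P<where>.+?))?\s*;?\s*$",
    re.IGNORECASE | re.DOTALL,
)
_KEYWORDS = {"AND", "OR", "NOT", "IN", "LIKE", "IS", "NULL", "TRUE", "FALSE", "BETWEEN"}


def referenced_columns(expr: str) -> set:
    """Identifiers used in a predicate, with string literals and keywords removed."""
    expr = re.sub(r"'[^']*'", "", expr)
    return {tok for tok in re.findall(r"[A-Za-z_]\w*", expr) if tok.upper() not in _KEYWORDS}


def rewrite_select(sql: str, role: str, pdp: PDP) -> str:
    """Enforce the role's rule by rewriting the table reference into a policy view:
    only permitted columns are projected and the rule's row filter is applied
    before the user's own WHERE clause runs."""
    m = _SELECT.match(sql)
    if not m:
        raise ValueError("only single-table SELECT ... FROM ... [WHERE ...] is handled here")
    table, where = m["table"], m["where"]
    rule = pdp.rule_for(role, table)
    if rule is None:
        raise PermissionError(f"Deny: no rule lets {role!r} read {table!r}")
    cols = [c.strip() for c in m["cols"].split(",")]
    if cols == ["*"]:  # SELECT * expands to the permitted columns only
        cols = sorted(rule.columns)
    requested = set(cols) | (referenced_columns(where) if where else set())
    denied = requested - rule.columns
    if denied:  # a filter on a hidden column would leak it, so WHERE is checked too
        raise PermissionError(f"Deny: {role!r} may not read {sorted(denied)} of {table!r}")
    view = f"SELECT {', '.join(sorted(rule.columns))} FROM {table}"
    if rule.row_filter:
        view += f" WHERE {rule.row_filter}"
    rewritten = f"SELECT {', '.join(cols)} FROM ({view}) {table}"
    if where:
        rewritten += f" WHERE {where}"
    return rewritten


def can_create_view(role: str, pdp: PDP, base_tables: Iterable[str]) -> bool:
    """A view may be defined only if the role holds permissions on every base table."""
    return all(pdp.rule_for(role, t) is not None for t in base_tables)


if __name__ == "__main__":
    pdp = PDP(SAMPLE_RULES)
    print(rewrite_select("SELECT txid, amount FROM transactions WHERE amount > 100", "analyst", pdp))
    print(can_create_view("analyst", pdp, ["transactions", "accounts"]))
```

The rewrite keeps the user's query text intact and wraps the base table, so the same mechanism works for HiveQL views: the policy view is what a CREATE VIEW statement would be checked against, and `can_create_view` is the gate the slide describes for views over several tables.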

SPARQL Query Optimizer for Secure RDF Data Processing
Figure (architecture): a Web Interface in front of the Server Backend. New data passes through the Data Preprocessor (N-Triples Converter, Prefix Generator, Predicate Based Splitter, Predicate Object Based Splitter) into the MapReduce Framework. A query passes through the Parser, the Query Validator & Rewriter (backed by the XACML PDP and the Query Rewriter By Policy), the Plan Generator and the Plan Executor on the MapReduce Framework, which returns the Query Answer.
Goals: build an efficient storage mechanism using Hadoop for large amounts of data (e.g., a billion triples); build an efficient query mechanism for data stored in Hadoop; integrate with Jena.
Developed a query optimizer and query rewriting techniques for RDF data with XACML policies and implemented on top of Jena.
IEEE Transactions on Knowledge and Data Engineering, 2011

Demonstration: Concept of Operation
Figure: a User Interface Layer on top of two engines, Fine-grained Access Control with Hive (Relational Data) and the SPARQL Query Optimizer for Secure RDF Data Processing (RDF Data), fed by Agency 1, Agency 2, ..., Agency n.

RDF-based Policy Engine on the Cloud
A testbed for evaluating different policy sets over different data representations. Also supports provenance as a directed graph and viewing policy outcomes graphically.
– Determines how access is granted to a resource as well as how a document is shared
– Users specify policies: e.g., Access Control, Redaction, Release policies
– Parses a high-level policy into a low-level representation
– Supports graph operations and visualization; policies are executed as graph operations
– Executes policies as SPARQL queries over large RDF graphs on Hadoop
– Supports policies over traditional data and its provenance
– IFIP Data and Applications Security, 2010; ACM SACMAT 2011
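Both the SPARQL optimizer slide (predicate-based splitting, a validator/rewriter backed by a PDP, a plan generator) and the policy engine slide (access control and redaction policies executed as graph operations over data and its provenance) describe the same machinery, so one added example serves both. It is not the project's code: the in-memory per-predicate buckets stand in for the predicate-split files on HDFS, the `Policy` class, the role names, the `SAMPLE_TRIPLES` graph (including its `prov:` provenance triples) and the `[REDACTED]` marker are all assumptions, and queries are written as basic graph patterns (lists of triple patterns with `?var` terms) rather than parsed SPARQL text. The rewriter denies a pattern over a forbidden predicate and narrows a variable predicate to the allowed set, the executor joins patterns most-selective-first, and redaction is applied as a post-join operation on the result graph.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Triple = Tuple[str, str, str]


class PredicateSplitStore:
    """Triples kept in one bucket per predicate, mirroring the predicate-based
    splitter: a pattern with a bound predicate reads only that bucket."""

    def __init__(self, triples: List[Triple]):
        self.files: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
        for s, p, o in triples:
            self.files[p].append((s, o))

    def size(self, pred: str) -> int:
        return len(self.files.get(pred, []))

    def scan(self, pred: str):
        for s, o in self.files.get(pred, []):
            yield (s, pred, o)


def is_var(term: str) -> bool:
    return term.startswith("?")


@dataclass
class Policy:
    allow: Dict[str, Set[str]] = field(default_factory=dict)   # role -> readable predicates
    redact: Dict[str, Set[str]] = field(default_factory=dict)  # role -> predicates whose objects are masked


def rewrite_by_policy(bgp: List[Triple], role: str, policy: Policy):
    """Query Validator & Rewriter: a bound predicate outside the role's allow set is
    denied; a variable predicate is narrowed to the allowed set (the equivalent of
    adding FILTER(?p IN (...)) to the original pattern)."""
    allowed = policy.allow.get(role, set())
    plan = []
    for s, p, o in bgp:
        if is_var(p):
            plan.append(((s, p, o), set(allowed)))
        elif p in allowed:
            plan.append(((s, p, o), {p}))
        else:
            raise PermissionError(f"role {role!r} may not read predicate {p!r}")
    return plan


def unify(pattern: Triple, triple: Triple, binding: Dict[str, str]):
    """Extend `binding` so that `pattern` matches `triple`, or return None."""
    out = dict(binding)
    for pt, tt in zip(pattern, triple):
        if is_var(pt):
            if out.setdefault(pt, tt) != tt:
                return None
        elif pt != tt:
            return None
    return out


def execute(store: PredicateSplitStore, bgp: List[Triple], role: str, policy: Policy):
    """Plan generator + executor: join patterns most-selective first (fewest candidate
    triples in the buckets they may touch), then apply redaction to the result."""
    plan = rewrite_by_policy(bgp, role, policy)
    plan.sort(key=lambda item: sum(store.size(p) for p in item[1]))
    bindings: List[Dict[str, str]] = [{}]
    for pattern, preds in plan:
        nxt = []
        for b in bindings:
            for pred in preds:
                for t in store.scan(pred):
                    nb = unify(pattern, t, b)
                    if nb is not None:
                        nxt.append(nb)
        bindings = nxt
    masked = policy.redact.get(role, set())
    for b in bindings:  # redaction policy as a post-join graph operation
        for (s, p, o), _ in plan:
            pred = b[p] if is_var(p) else p
            if pred in masked and is_var(o):
                b[o] = "[REDACTED]"
    return bindings


# Constructed sample graph: employee data plus provenance of a shared document.
SAMPLE_TRIPLES: List[Triple] = [
    ("emp:alice", "foaf:name", "Alice"),
    ("emp:alice", "ex:worksFor", "agency:1"),
    ("emp:alice", "ex:salary", "120000"),
    ("emp:bob", "foaf:name", "Bob"),
    ("emp:bob", "ex:worksFor", "agency:2"),
    ("emp:bob", "ex:salary", "95000"),
    ("doc:report-7", "prov:wasAttributedTo", "emp:alice"),
    ("doc:report-7", "prov:wasDerivedFrom", "doc:raw-3"),
    ("doc:raw-3", "prov:wasAttributedTo", "emp:bob"),
]
SAMPLE_STORE = PredicateSplitStore(SAMPLE_TRIPLES)
SAMPLE_POLICY = Policy(
    allow={
        "analyst": {"foaf:name", "ex:worksFor", "prov:wasAttributedTo", "prov:wasDerivedFrom"},
        "auditor": {"foaf:name", "ex:salary", "prov:wasAttributedTo", "prov:wasDerivedFrom"},
    },
    redact={"auditor": {"ex:salary"}},
)

if __name__ == "__main__":
    # Who produced the source a report was derived from? (policy over provenance)
    bgp = [("?d", "prov:wasDerivedFrom", "?src"), ("?src", "prov:wasAttributedTo", "?who"), ("?who", "foaf:name", "?n")]
    print(execute(SAMPLE_STORE, bgp, "analyst", SAMPLE_POLICY))
```

The important property is that enforcement happens before any bucket is read: a query with a variable predicate never scans the `ex:salary` bucket for an analyst, and an auditor who may read salaries still sees only the redacted object, because the redaction policy is evaluated over the result graph rather than trusted to the client.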

Integration with Assured Information Sharing
Figure: a User Interface Layer receives RDF data and policies from Agency 1, Agency 2, ..., Agency n and SPARQL queries; data flows through the RDF Data Preprocessor and the Policy Translation and Transformation Layer into the MapReduce Framework for Query Processing over Hadoop HDFS, which returns the result.

Secure Storage and Query Processing in a Hybrid Cloud: Problem Motivation
The use of hybrid clouds is an emerging trend in cloud computing
– Ability to exploit public resources for high throughput
– Yet better able to control costs and data privacy
Several key challenges
– Data Design: how to store data in a hybrid cloud? The solution must account for the data representation used (unencrypted/encrypted), public cloud monetary costs and query workload characteristics
– Query Processing: how to execute a query over a hybrid cloud? The solution must provide query rewrite rules that ensure the correctness of a generated query plan over the hybrid cloud

Research Results
Data Design: a user submits data, a query workload, and monetary and confidentiality constraints. Solve the data partitioning problem in four phases:
– Partition the data into several public (P pu) and private (P pr) components
– For each partition, P pu and P pr, obtain their associated statistics
– Estimate the execution cost of the given query workload based on the user's choice of confidentiality level as well as the statistics associated with the partition
– Select the best partition as the one that minimizes query workload execution cost without violating the monetary and confidentiality constraints
Query Processing: a user submits a query Q. Solve the query processing problem in four phases:
– Query Rearrangement: use query rewrite rules to transform the original query Q into public (Q pu) and private (Q pr) queries
– Public Cloud Execution: execute Q pu on the public cloud
– Private Cloud Execution: execute Q pr on the private cloud
– Post-Processing: combine the results of the execution of Q pu and Q pr into the final result
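The two four-phase procedures above, as an added example that is not part of the original presentation. The cost model (per-row processing time per placement, a transfer charge when a query spans both clouds, a per-row public hosting price), the two confidentiality levels, the table statistics, the workload and the sample rows are all constructed assumptions; the real system's cost estimator and rewrite rules are not on the page. Data design enumerates every placement of each table into the private cloud or the public cloud in plaintext or encrypted form, discards placements that break the monetary or confidentiality constraint, and keeps the one with the lowest estimated workload cost; query processing then splits a query into Q_pu and Q_pr by that placement, runs each side, and combines the two results.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Table:
    name: str
    rows: int          # cardinality: the partition statistic the cost estimate uses
    sensitive: bool    # confidential data, governed by the user's confidentiality level


# Placement of a table: private cloud, or public cloud in plaintext or encrypted form.
PRIVATE, PUBLIC_PLAIN, PUBLIC_ENC = "private", "public_plain", "public_enc"

# Assumed cost model (illustrative constants, not taken from the presentation).
TIME_PER_ROW = {PRIVATE: 1.0, PUBLIC_PLAIN: 0.2, PUBLIC_ENC: 0.6}  # public = more throughput, encrypted = slower
TRANSFER_PER_ROW = 0.5       # shipping the smaller side's rows across the cloud boundary
PUBLIC_PRICE_PER_ROW = 0.01  # monetary cost of hosting one row in the public cloud

Query = FrozenSet[str]       # the set of tables one workload query joins
Placement = Dict[str, str]


def workload_cost(tables: Dict[str, Table], placement: Placement, workload: List[Query]) -> float:
    """Phase 3: estimated execution cost of the workload under one placement."""
    total = 0.0
    for q in workload:
        sides = {PRIVATE if placement[n] == PRIVATE else "public" for n in q}
        total += sum(tables[n].rows * TIME_PER_ROW[placement[n]] for n in q)
        if len(sides) == 2:  # Q_pu and Q_pr results must be shipped and combined
            total += min(tables[n].rows for n in q) * TRANSFER_PER_ROW
    return total


def monetary_cost(tables: Dict[str, Table], placement: Placement) -> float:
    return sum(tables[n].rows * PUBLIC_PRICE_PER_ROW for n, p in placement.items() if p != PRIVATE)


def confidentiality_ok(tables: Dict[str, Table], placement: Placement, level: str) -> bool:
    """'strict': sensitive tables never leave the private cloud;
    'encrypted': sensitive tables may go public only in encrypted form."""
    for n, p in placement.items():
        if tables[n].sensitive and (p == PUBLIC_PLAIN or (level == "strict" and p != PRIVATE)):
            return False
    return True


def design(tables: Dict[str, Table], workload: List[Query], budget: float, level: str) -> Optional[Tuple[float, Placement]]:
    """Phases 1-4 of data design: enumerate partitions, estimate each one's workload
    cost, keep the cheapest that satisfies the monetary and confidentiality limits."""
    names = sorted(tables)
    best = None
    for choice in itertools.product((PRIVATE, PUBLIC_PLAIN, PUBLIC_ENC), repeat=len(names)):
        placement = dict(zip(names, choice))
        if not confidentiality_ok(tables, placement, level) or monetary_cost(tables, placement) > budget:
            continue
        cost = workload_cost(tables, placement, workload)
        if best is None or cost < best[0]:
            best = (cost, placement)
    return best


def rearrange(query: Query, placement: Placement) -> Tuple[Query, Query]:
    """Query rearrangement: split Q into Q_pu (public tables) and Q_pr (private tables)."""
    q_pu = frozenset(n for n in query if placement[n] != PRIVATE)
    return q_pu, query - q_pu


def hash_join(left: List[dict], right: List[dict], key: str) -> List[dict]:
    index: Dict[object, List[dict]] = {}
    for r in right:
        index.setdefault(r[key], []).append(r)
    return [{**l, **r} for l in left for r in index.get(l[key], [])]


def execute_side(data: Dict[str, List[dict]], names: Query, key: str) -> List[dict]:
    """Execute one side's subquery: join that side's tables on `key` inside one cloud."""
    rows = None
    for n in sorted(names):
        rows = data[n] if rows is None else hash_join(rows, data[n], key)
    return rows


def process_query(query: Query, placement: Placement, data: Dict[str, List[dict]], key: str) -> List[dict]:
    q_pu, q_pr = rearrange(query, placement)
    res_pu = execute_side(data, q_pu, key) if q_pu else None
    res_pr = execute_side(data, q_pr, key) if q_pr else None
    if res_pu is None or res_pr is None:
        return res_pr if res_pu is None else res_pu
    return hash_join(res_pr, res_pu, key)  # post-processing: combine on the private side


# Constructed statistics, workload and rows for the example.
SAMPLE_TABLES = {t.name: t for t in (Table("customers", 1000, True), Table("orders", 5000, False), Table("products", 200, False))}
SAMPLE_WORKLOAD = [frozenset({"orders", "products"}), frozenset({"customers", "orders"})]
SAMPLE_DATA = {
    "customers": [{"cid": 1, "name": "Ann"}, {"cid": 2, "name": "Bob"}],
    "orders": [{"cid": 1, "oid": 10}, {"cid": 1, "oid": 11}, {"cid": 2, "oid": 12}],
}

if __name__ == "__main__":
    cost, placement = design(SAMPLE_TABLES, SAMPLE_WORKLOAD, budget=60, level="strict")
    print(cost, placement)
    print(process_query(frozenset({"customers", "orders"}), placement, SAMPLE_DATA, "cid"))
```

Lowering the budget in the sample from 60 to 40 forces the large `orders` table back into the private cloud, and the enumeration then picks the placement that still sends the small `products` table public; changing the level from `strict` to `encrypted` would let a sensitive table go public in encrypted form at the higher per-row processing cost. Exhaustive enumeration is only viable for a handful of tables, which is why the slide frames partitioning as a problem to be solved rather than brute-forced.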

Hypervisor Integrity and Forensics in the Cloud
Figure: a Hardware Layer beneath a Virtualization Layer (Xen, vSphere) hosting guest operating systems (Linux, Solaris, XP, MacOS) and their applications; cloud integrity and forensics concerns span the hypervisor, the guest OS and the applications.
– Secure control flow of hypervisor code
– Integrity via in-lined reference monitor
– Forensics data extraction in the cloud across multiple VMs
– De-mapping (isolating) each VM's memory from physical memory

Cloud-based Malware Detection (Dr. Mehedy)
Figure (pipeline): a stream of known malware or benign executables is buffered; feature extraction and selection run on the cloud; training and model update maintain an ensemble of classification models. An unknown executable goes through feature extraction and classification, with the Malware class removed and the Benign class kept.

Cloud-based Malware Detection (ACM Transactions on Management Information Systems)
Binary feature extraction involves
– Enumerating binary n-grams from the binaries and selecting the best n-grams based on information gain
– For training data with 3,500 executables, the number of distinct 6-grams can exceed 200 million
– On a single machine this may take hours, depending on available computing resources, which is not acceptable for training from a stream of binaries
– We use the cloud to overcome this bottleneck
A cloud MapReduce framework is used
– To extract and select features from each chunk
– A 10-node cloud cluster is 10 times faster than a single node
– Very effective in a dynamic framework, where malware characteristics change rapidly
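The n-gram extraction and information-gain selection described above, as an added example that is not the project's code. It keeps the MapReduce shape the slide describes (one mapper per chunk of the stream emitting distinct binary 6-grams with their labels, a shuffle grouping by n-gram, a reducer computing information gain per n-gram) in plain Python, so the numbers are exact and checkable. The executables are constructed byte strings: the shared `HEADER`, the `SIGNATURE` present only in the malware samples and the per-sample filler are all assumptions, chosen so that the selection must rank a class-specific pattern above one common to every file.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

N = 6  # n-gram length, matching the 6-grams on the slide


def map_chunk(chunk: List[Tuple[bytes, int]]) -> Iterable[Tuple[bytes, int]]:
    """Mapper over one chunk of labelled executables (label 1 = malware, 0 = benign).
    Emits (ngram, label) once per distinct n-gram of each binary: the feature is
    'n-gram present', not its frequency."""
    for binary, label in chunk:
        seen = {binary[i:i + N] for i in range(len(binary) - N + 1)}
        for g in seen:
            yield g, label


def shuffle(emitted: Iterable[Tuple[bytes, int]]) -> Dict[bytes, Counter]:
    """Group mapper output by n-gram: ngram -> class counts of binaries containing it."""
    grouped: Dict[bytes, Counter] = defaultdict(Counter)
    for g, label in emitted:
        grouped[g][label] += 1
    return grouped


def entropy(counts: Counter) -> float:
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)


def reduce_information_gain(grouped: Dict[bytes, Counter], class_counts: Counter) -> Dict[bytes, float]:
    """Reducer: IG(f) = H(C) - [P(f) H(C|f) + P(not f) H(C|not f)] for each n-gram f."""
    total = sum(class_counts.values())
    h_c = entropy(class_counts)
    ig = {}
    for g, with_f in grouped.items():
        n_with = sum(with_f.values())
        without_f = Counter({c: class_counts[c] - with_f[c] for c in class_counts})
        n_without = total - n_with
        cond = (n_with / total) * entropy(with_f)
        if n_without:
            cond += (n_without / total) * entropy(without_f)
        ig[g] = h_c - cond
    return ig


def select_features(samples: List[Tuple[bytes, int]], k: int, chunks: int = 2):
    """Whole job: split the stream into chunks (one mapper call each), shuffle,
    reduce, and keep the k n-grams with the highest information gain."""
    class_counts = Counter(label for _, label in samples)
    emitted: List[Tuple[bytes, int]] = []
    for i in range(chunks):
        emitted.extend(map_chunk(samples[i::chunks]))
    ig = reduce_information_gain(shuffle(emitted), class_counts)
    ranked = sorted(ig.items(), key=lambda kv: (-kv[1], kv[0]))
    return [g for g, _ in ranked[:k]], ig


def featurize(binary: bytes, selected: List[bytes]) -> Tuple[int, ...]:
    """Binary feature vector for one executable over the selected n-grams."""
    present = {binary[i:i + N] for i in range(len(binary) - N + 1)}
    return tuple(int(g in present) for g in selected)


# Constructed samples: every file starts with HEADER; only malware carries SIGNATURE.
HEADER = b"MZ\x90\x00\x03\x00"            # assumed common prefix (carries no class information)
SIGNATURE = b"\xeb\xfe\x90\x90\xcc\xcc"   # assumed stand-in for a malware-specific byte pattern


def _sample(i: int, malicious: bool) -> bytes:
    filler = bytes((i * 37 + j * 11) % 251 for j in range(24))  # distinct per sample
    return HEADER + filler + (SIGNATURE if malicious else b"")


SAMPLES = [(_sample(i, True), 1) for i in range(4)] + [(_sample(i + 4, False), 0) for i in range(4)]

if __name__ == "__main__":
    selected, ig = select_features(SAMPLES, 3)
    print(selected[0] == SIGNATURE, ig[SIGNATURE], ig[HEADER])
    print(featurize(SAMPLES[0][0], selected), featurize(SAMPLES[4][0], selected))
```

The mapper emits each n-gram once per file, which is what makes the reducer's counts the per-class document frequencies information gain needs; the shared header scores 0 because it is present in every file of both classes, while the signature scores the full class entropy. In a real Hadoop job the shuffle is the framework's sort phase and `class_counts` would be a side input, but the arithmetic in the reducer is unchanged.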

CloudMask: Fine-grained Attribute-based Privacy-preserving Access Control
Key features of the CloudMask system (Elisa Bertino, Purdue University, and Murat Kantarcioglu, UT Dallas):
– Fine-grained access control: different parts of the data can be covered by different access control policies
– Attribute-based access control: access control policies are expressed in terms of the identity attributes of the subjects accessing the data
– Privacy-preserving: the cloud does not learn anything about the contents of the data or the values of the users' identity attributes
Joint paper at CollaborateCom 2011.

Directions
Secure VMM (Virtual Machine Monitor) and VNM (Virtual Network Monitor)
– Exploring the Xen VMM and examining security issues
– Developing automated techniques for VMM introspection
– Will examine VNM issues in January 2012
Integrate Secure Storage Algorithms into Hadoop (FY 2012)
Identity Management (FY 2012)
Technology Transfer through Knowledge and Security Analytics, LLC

October 2011 Identity Management for the Cloud Kevin Hamlen, Peng Liu, Murat Kantarcioglu, Bhavani Thuraisingham, Ting Yu

Identity Management Considerations in a Cloud
A trust model that handles
– (i) various trust relationships, (ii) access control policies based on roles and attributes, (iii) real-time provisioning, (iv) authorization, and (v) auditing and accountability
Several technologies have to be examined to develop the trust model
– Service-oriented technologies; standards such as SAML and XACML; and identity management technologies such as OpenID
Does one size fit all?
– Can we develop a trust model that will be applicable to all types of clouds, such as private clouds, public clouds and hybrid clouds?
The identity architecture has to be integrated into the cloud architecture.