Data in Motion and Data at Rest 2015


	Data in Motion and Data at Rest 2015

Data protection has distinguished between data in motion and data at rest for more than a decade. Research into these areas continues with the proliferation of cloud and mobile technologies. For the Science of Security community, the topic relates to resilience and composability. The articles cited here, separated by motion and rest, were offered in 2015.

Sidorov, V.; Wee Keong Ng, "Transparent Data Encryption for Data-in-Use and Data-at-Rest in a Cloud-Based Database-as-a-Service Solution," in Services (SERVICES), 2015 IEEE World Congress on, pp. 221-228, June 27 2015-July 2 2015. doi: 10.1109/SERVICES.2015.40

Abstract: With high and growing supply of Database-as-a-Service solutions from cloud platform vendors, many enterprises still show moderate to low demand for them. Even though migration to a DaaS solution might result in a significantly reduced bill for IT maintenance, data security and privacy issues are among the reasons of low popularity of these services. Such a migration is also often only justified if it could be done seamlessly, with as few changes to the system as possible. Transparent Data Encryption could help, but solutions for TDE shipped with major database systems are limited to securing only data-at-rest, and appear to be useless if the machine could be physically accessed by the adversary, which is a probable risk when hosting in the cloud. This paper proposes a different approach to TDE, which takes into account cloud-specific risks, extends encryption to cover data-in-use and partly data-in-motion, and is capable of executing large subsets of SQL including heavy relational operations, complex operations over attributes, and transactions.

Keywords: SQL; cloud computing; cryptography; data privacy; database management systems; DaaS solution; IT maintenance; SQL; TDE; attributes; cloud platform vendors; cloud-specific risks; complex operations; data security; data-at-rest; data-in-motion; data-in-use; database-as-a-service solution; privacy issues; relational operations; transactions; transparent data encryption; Data models; Databases; Encryption; Protocols; Transforms; data privacy; data security; query processing; relational databases (ID#: 15-8755)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7196528&isnumber=7196486

Althobaiti, A.; Calyam, P.; Akella, R.; Vallabhaneni, P., "Data Integrity Protection through Security Monitoring for Just-in-Time News Feeds," in Cloud Networking (CloudNet), 2015 IEEE 4th International Conference on, pp. 184-190, 5-7 Oct. 2015. doi: 10.1109/CloudNet.2015.7335303

Abstract: There has recently been a major shift in news related media consumption trends and readers are increasingly relying on just-in-time news feeds versus the traditional newspaper print medium. Cloud-networked infrastructures are being setup by the media companies to aggregate news feeds from affiliates, and to meet the elastic demands of Internet-scale users accessing news feeds. However, cyber attacks could compromise these just-in-time news feed services and hackers could particularly launch data integrity as well as denial-of-service attacks that: (a) tarnish the reputation of media companies and (b) impact the service availability for users. In this paper, we describe data integrity and availability checking techniques to protect just-in-time news feed services against cyber attacks in use cases such as: (a) “Data-in-Motion” - when obtaining just-in-time news feeds (e.g., RSS feeds) from affiliates and (b) “Data-at-Rest” - when compiled news feeds reside within cloud-networked infrastructure for real-time premium subscriber access. Using concepts of distributed trust and anomaly detection and a realistic testbed environment in the DeterLab infrastructure, we show the impact of the different cyber attacks and propose solutions to defend against them.

Keywords: cloud computing; data integrity; data protection; electronic publishing; trusted computing; DeterLab infrastructure; Internet-scale users; RSS feeds; anomaly detection; cloud-networked infrastructures; compiled news feeds; cyber attacks; data integrity protection; data-at-rest; data-in-motion; denial-of-service attacks; distributed trust; elastic demands; just-in-time news feed service protection; news feed aggregation; real-time premium subscriber access; security monitoring; service availability checking techniques; Cloud computing; Companies; Feeds; Media; Monitoring; Servers; Uniform resource locators (ID#: 15-8756)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7335303&isnumber=7335267

Zerfos, Petros; Yeo, Hangu; Paulovicks, Brent D.; Sheinin, Vadim, "SDFS: Secure Distributed File System for Data-at-Rest Security for Hadoop-as-a-service," in Big Data (Big Data), 2015 IEEE International Conference on, pp. 1262-1271, Oct. 29 2015-Nov. 1 2015. doi: 10.1109/BigData.2015.7363881

Abstract: Cloud service providers are offering the popular Hadoop analytics platform following an "as-a-service" model, i.e. clusters of machines in their cloud infrastructures pre-configured with Hadoop software. Such offerings lower the cost and complexity of deploying a comparable system on-premises, however security considerations and in particular data confidentiality hamper wider adoption of such services by enterprises that handle data of sensitive nature. In this paper, we describe our efforts in providing security for data-at-rest (i.e. data that is stored) when Hadoop is offered as a cloud service. We analyze the requirements and architecture for such service and further describe a new distributed file system that we developed for Hadoop called SDFS, towards supporting this premise. We analyze parameter tuning for SDFS and through experiments on a real test-bed we evaluate its performance. We further present simulation results that explore the parameter space and can guide tuning.

Keywords: Cloud computing; Encryption; File systems; Redundancy; Servers; Data-at-rest security; Shamir's secret sharing; hadoop-as-a-service; information dispersal; secure distributed file system (ID#: 15-8757)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7363881&isnumber=7363706

Vivek, S.Sree; Ramasamy, Rajkumar, "Forward Secure On-device Encryption Scheme Withstanding Cold Boot Attack," in Cyber Security and Cloud Computing (CSCloud), 2015 IEEE 2nd International Conference on, pp. 488-493, 3-5 Nov. 2015. doi: 10.1109/CSCloud.2015.43

Abstract: Encryption of data residing on the permanent memory of a device, also known as On-Device Encryption (ODE), is a well studied problem with many popular software available these days. We consider the adversary who is capable of taking one RAM snapshot (e.g: Cold Boot Attack) when the device is in locked state. Writing data securely, when the device is in locked state can be handled in the presence of this strong adversary, by employing public key encryption techniques. When it comes to reading of data from a locked device, it is not known until now, whether it is possible. In this paper, we state the impossibility of performing the read operation securely, when the device is in locked state. Moreover, we propose a new forward secure ODE scheme which supports secure writing in locked state and is more efficient when compared to the public key based solution. We have proposed the security model for forward secure ODE and proved the security of our scheme in the proposed security model.

Keywords: Encryption; Hardware; Performance evaluation; Public key; Random access memory; Data at Rest; Forward Secure Symmetric Key Encryption; On-Device Encryption (ODE); Provable Security; Random Oracle (ID#: 15-8758)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7371527&isnumber=7371418

Hein, D.; Winter, J.; Fitzek, A., "Secure Block Device -- Secure, Flexible, and Efficient Data Storage for ARM TrustZone Systems," in Trustcom/BigDataSE/ISPA, 2015 IEEE, vol. 1, pp. 222-229, 20-22 Aug. 2015. doi: 10.1109/Trustcom.2015.378

Abstract: Recent years have seen a flurry of activity in the area of efficient and secure file systems for cloud storage, and also in the area of memory protection for secure processors. Both scenarios use cryptographic methods for data protection. Here, we consider the middle ground: the problem of using cryptographic methods to protect data integrity and confidentiality on a system with two strongly isolated execution environments, specifically an ARM TrustZone system with a Trusted Execution Environment. We introduce the Secure Block Device, a secure, easy to use, flexible, efficient, and widely applicable minimal Trusted Computing Base solution to provide data confidentiality and integrity for Data at Rest. The Secure Block Device is an open source C software library that uses a Merkle-Tree in conjunction with a selectable Authenticated Encryption scheme to provide an easy to integrate solution for applications that require fast and secure random access to data, but not a fully fledged file system. It was designed for Trusted Applications running in a Trusted Execution Environment that already have secure storage for cryptographic keys, but no secure general purpose data store. Beyond that, the Secure Block Device is applicable in all similar scenarios. We evaluate the Secure Block Device by using it as the core component in a secure storage Trusted Application that uses the ARM TrustZone Trusted Execution Environment to provide a confidential and integrity protected block device to the normal world OS.

Keywords: cloud computing; data integrity; data protection; private key cryptography; public key cryptography; storage management; trusted computing; ARM TrustZone systems; ARM TrustZone trusted execution environment; Data at Rest integrity; Merkle-Tree; authenticated encryption scheme; cloud storage; confidential block device; cryptographic keys; cryptographic methods; data confidentiality; data integrity protection; integrity protected block device; memory protection; open source C software library; secure block device; secure file systems; secure storage trusted application; secure-flexible-efficient-data storage; trusted computing base solution; Cryptography; Hardware; Kernel; Memory; Program processors; Secure storage; ARM TrustZone; Authenicated Encryption; Merkle-Tree; Secure storage; Trusted Applications (ID#: 15-8759)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7345286&isnumber=7345233

Keywords: cloud computing; data integrity; data protection; electronic publishing; trusted computing; DeterLab infrastructure; Internet-scale users; RSS feeds; anomaly detection; cloud-networked infrastructures; compiled news feeds; cyber attacks ;data integrity protection; data-at-rest; data-in-motion; denial-of-service attacks; distributed trust; elastic demands; just-in-time news feed service protection; news feed aggregation; real-time premium subscriber access; security monitoring; service availability checking techniques; Cloud computing; Companies; Feeds; Media; Monitoring; Servers; Uniform resource locators (ID#: 15-8760)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7335303&isnumber=7335267

Rettig, Laura; Khayati, Mourad; Cudre-Mauroux, Philippe; Piorkowski, Michal, "Online Anomaly Detection over Big Data streams," in Big Data (Big Data), 2015 IEEE International Conference on, pp. 1113-1122, Oct. 29 2015-Nov. 1 2015. doi: 10.1109/BigData.2015.7363865

Abstract: Data quality is a challenging problem in many real world application domains. While a lot of attention has been given to detect anomalies for data at rest, detecting anomalies for streaming applications still largely remains an open problem. For applications involving several data streams, the challenge of detecting anomalies has become harder over time, as data can dynamically evolve in subtle ways following changes in the underlying infrastructure. In this paper, we describe and empirically evaluate an online anomaly detection pipeline that satisfies two key conditions: generality and scalability. Our technique works on numerical data as well as on categorical data and makes no assumption on the underlying data distributions. We implement two metrics, relative entropy and Pearson correlation, to dynamically detect anomalies. The two metrics we use provide an efficient and effective detection of anomalies over high velocity streams of events. In the following, we describe the design and implementation of our approach in a Big Data scenario using state-of-the-art streaming components. Specifically, we build on Kafka queues and Spark Streaming for realizing our approach while satisfying the generality and scalability requirements given above. We show how a combination of the two metrics we put forward can be applied to detect several types of anomalies ??? like infrastructure failures, hardware misconfiguration or user-driven anomalies ??? in large-scale telecommunication networks. We also discuss the merits and limitations of the resulting architecture and empirically evaluate its scalability on a real deployment over live streams capturing events from millions of mobile devices.

Keywords: Big data; Correlation; Data structures; Entropy; Measurement; Sparks; Yttrium (ID#: 15-8761)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7363865&isnumber=7363706

Baughman, A.K.; Bogdany, R.J.; McAvoy, C.; Locke, R.; O'Connell, B.; Upton, C., "Predictive Cloud Computing with Big Data: Professional Golf and Tennis Forecasting [Application Notes]," in Computational Intelligence Magazine, IEEE, vol. 10, no. 3, pp. 62-76, Aug. 2015. doi: 10.1109/MCI.2015.2437551

Abstract: Major Golf and Grand Slam Tennis tournaments such as Australian Open, The Masters, Roland Garros, United States Golf Association (USGA), Wimbledon, and United States Tennis Association (USTA) United States (US) Open provide real-time and historical sporting information to immerse a global fan base in the action. Each tournament provides realtime content, including streaming video, game statistics, scores, images, schedule of play, and text. Due to the game popularities, some of the web servers are heavily visited and some are not, therefore, we need a method to autonomously provision servers to provide a smooth user experience. Predictive Cloud Computing (PCC) has been developed to provide a smart allocation/deallocation of servers by combining ensembles of forecasts and predictive modeling to determine the future origin demand for web site content. PCC distributes processing through analytical pipelines that correlate streaming data, such as scores, media schedules, and player brackets with a future-simulated tournament state to measure predicted demand spikes for content. Social data streamed from Twitter provides social sentiment and popularity features used within predictive modeling. Data at rest, such as machine logs and web content, provide additional features for forecasting. While the duration of each tournament varies, the number of origin website requests range from 29,000 to 110,000 hits per minute. The PCC technology was developed and deployed to all Grand Slam tennis events and several major golf tournaments that took place in 2013 and to the present, which has decreased wasted computing consumption by over 50%. We propose a novel forecasting ensemble that includes residual, vector, historical, partial, adjusted, cubic and quadratic forecasters. In addition, we present several predictive models based on Multiple Regression as inputs into several of these forecasters. We conclude by empirically demonstrating that the predictive cloud technology is able- to forecast the computing load on origin web servers for professional golf and tennis tournaments.

Keywords: Big Data; Internet; cloud computing; file servers; regression analysis; social networking (online);sport; Big Data; Grand Slam Tennis tournaments; PCC technology; Twitter; Web servers; Web site content; forecasting ensemble; major golf; multiple regression; predictive cloud computing; predictive modeling; professional golf; smart allocation-deallocation; social data; streaming data; tennis forecasting; Cloud computing; Entertainment; Forecasting; Games; Predictive models; Real-time systems; Servers (ID#: 15-8762)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7160840&isnumber=7160805

Jiangping Li; Hongbin Ma; Chenguang Yang; Mengyin Fu, "Discrete-Time Adaptive Control of Robot Manipulator with Payload Uncertainties," in Cyber Technology in Automation, Control, and Intelligent Systems (CYBER), 2015 IEEE International Conference on, pp.1971-1976, 8-12 June 2015

doi: 10.1109/CYBER.2015.7288249

Abstract: In this paper, a new discrete-time adaptive control scheme for controlling robot manipulators is proposed. The objective is to control position of a robot manipulator end effector in the presence of uncertainties caused by unknown fixed or time-varying payload. For simplicity, the unknown payload is considered as the only unknown factor and the data in use is sampled from the true continuous-time plant with constant fixed sampling interval. We estimate the payload according to the available history information and design a discrete-time adaptive controller based on the estimation of the external payload. The adaptive estimator adopted in the adaptive controller only uses one step history and is capable of fast adaptation. The simulation results demonstrated that the new controller can yield a satisfactory tracking performance in the presence of payload uncertainties.

Keywords: adaptive control; continuous time systems; control system synthesis; discrete time systems; end effectors; position control; uncertain systems; adaptive estimator; constant fixed sampling interval; continuous-time plant; discrete-time adaptive controller design; external payload estimation; payload uncertainties; position control; robot manipulator end effector; step history; time-varying payload; tracking performance; unknown fixed payload; End effectors; Estimation; Mathematical model; Payloads; Uncertainty; Discrete-time Adaptive Control; One-step Guess; Payload Estimation; Payload Uncertainty; Robot Manipulator (ID#: 15-8763)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7288249&isnumber=7287893

“IEEE Standard Cybersecurity Requirements for Substation Automation, Protection, and Control Systems," in IEEE Std C37.240-2014, pp. 1-38, Jan. 30 2015. doi: 10.1109/IEEESTD.2015.7024885

Abstract: Cybersecurity measures require that a balance be achieved between technical feasibility and economic feasibility and that this balance addresses the risks expected to be present at a substation. Further, cybersecurity measures must be designed and implemented in such a manner that access and operation to legitimate activities is not impeded, particularly during times of emergency or restoration activity. This standard presents a balance of the above factors.

Keywords: IEEE standards; power engineering computing; security of data; substation automation; substation protection; IEEE Std C37.240-2014;IEEE standard cybersecurity requirements; emergency; restoration activity; substation automation; substation control systems; substation protection; Access controls; Authentication; Computer crime; Computer security; Encryption; IEEE Standards; Passwords; Remote access; IEEE C37.240;critical infrastructure protection; cybersecurity; electronic access; encryption; password management; remote access;substations (ID#: 15-8764)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7024885&isnumber=7024884