Optimus: Framework of Vulnerabilities, Attacks, Defenses and SLA Ontologies
##plugins.themes.academic_pro.article.main##
Abstract
Maintaining security and privacy in the Cloud is a complex task. The task is made even more challenging as the number of vulnerabilities associated with the cloud infrastructure, and applications are increasing very rapidly. Understanding the security service level agreements (SSLAs) and privacy policies offered by the service and infrastructure providers is critical for consumers to assess the risks of the Cloud before they consider migrating their IT operations to the Cloud. To address these concerns related to the assessment of security and privacy risks of Cloud, we have developed a framework that relies on ontologies that obtain different objects, policies and vulnerabilities. Our framework called Optimus, utilizes three related ontologies: the vulnerability knowledge base (OKB) and ontologies for representing security SLAs (SSLA). Our framework can be used to assess the risks associated with a cloud services and system configurations using our vulnerability ontologies. The risk assessment may be useful to both the provider and consumer of the cloud services. Our ontologies for SSLAs can be used to understand the security agreements of a provider, to negotiate desired security levels, and to audit the compliance of a provider with respect to federal regulations (such as HIPAA). In this paper, we describe our Optimus framework and provide some examples of its application.
##plugins.themes.academic_pro.article.details##
How to Cite
Chen-Yu Lee, Patrick Kamongi, Krishna Kavi, & Mahadevan Gomathisankaran. (2015). Optimus: Framework of Vulnerabilities, Attacks, Defenses and SLA Ontologies. International Journal of Next-Generation Computing, 6(1), 42–56. https://doi.org/10.47164/ijngc.v6i1.77
References
- Andrieux, A., Czajkowski, K., Dan, A., Keahey, K., Ludwig, H., Nakata, T., Pruyne, J., Rofrano, J., Tuecke, S., and Xu, M. 2011. Web services agreement speci cation (ws-agreement). Tech. rep., Open Grid Forum (OGF). Nov.
- CSA. 2013. Cloud controls matrix version 3.0. Tech. rep., Cloud Security Alliance.
- CSCC. 2012. Practical guide to cloud service level agreements. Tech. rep., Cloud Standards Customer Council.
- ENISA 2012. Procure secure: A guide to monitoring of security service levels in cloud contracts. Tech. rep., European Union Agency for Network and Information Security.
- Fenz, S. 2010. Ontology-based generation of it-security metrics. In Proceedings of the 2010 ACM Symposium on Applied Computing. 1833{1839.
- Hale, M. and Gamble, R. 2013. Building a compliance vocabulary to embed security controls in cloud slas. In Proceedings of IEEE 9th World Congress on Services. 118{125.
- Henning, R. R. 1999. Security service level agreements: quanti able security for the enterprise? In Proceedings of the 1999 Workshop on New Security Paradigms. Ontario, Canada, 54{60.
- HIPAA. 2013. Hipaa administrative simpli cation. Tech. rep., U.S. Department of Health and Human Services Oce for Civil Rights. Mar.
- HITECH. 2013. Health information technology for economic and clinical health (hitech) act. Tech. rep., U.S. Department of Health and Human Services Oce for Civil Rights. Oct.
- Kamongi, P., Kotikela, S., Kavi, K., Gomathisankaran, M., and Singhal, A. 2013. Vulcan: Vulnerability assessment framework for cloud computing. In Proceedings of IEEE 7th International Conference on Software Security and Reliability. 218{226.
- Keller, A. and Ludwig, H. 2003. The wsla framework: Specifying and monitoring service level agreements forweb services. Journal of Network and Systems Management 11, 1 (Mar.), 57{81.
- Lee, C.-Y., Kavi, K. M., and Gomathisankaran, M. 2014. Ontology-based privacy setting transfer scheme on social networking systems. In Proceedings of the 2014 International Conference on Security and Management. 506{515.
- McGlothlin, J. P., Khan, L., and Thuraisingham, B. 2011. Rdfkb: a semantic web knowledge base. In Proceedings of the Twenty-Second International Joint Conference on Arti cial Intelligence. Vol. 22. 2830{2831.
- Modica, G. D., Petralia, G., and Tomarchio, O. 2012. A business ontology to enable semantic matchmaking in open cloud markets. In Proceedings of the 8th International Conference on Semantics, Knowledge and Grids. Beijing, China, 96{103. of Government Commerce, O. 2010. Introduction to the ITIL Service Lifecycle, 2nd ed. The Stationery Oce, Norwich.
- PCIDSS. 2013. Payment card industry data security standard: Requirements and security assessment procedures. Tech. rep., PCI Security Standards Council. Nov.
- Rong, C., Nguyen, S. T., and Jaatun, M. G. 2013. Beyond lightning: A survey on security challenges in cloud computing. Computers and Electrical Engineering 39, 1, 47{54.
- Takahashi, T., Kannisto, J., Harju, J., Heikkinen, S., Silverajan, B., Helenius, M., and Matsuo, S. 2013. Tailored security: Building nonrepudiable security service-level agreements. IEEE Vehicular Technology Mag- azine 8, 3 (Sept.), 54{62.
- Tsoumas, B. and Gritzalis, D. 2006. Towards an ontology-based security management. In Proceedings of the 20th International Conference on Advanced Information Networking and Applications. Vol. 1. 985{992.
- Wang, A. J. A., Xia, M., Guo, M., Wang, H., and Zhou, L. 2009. Osat tutorial.
- Wang, J. and Guo, M. 2009. Ovm: an ontology for vulnerability management. In Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies. 34.
- Zhou, B. and Pei, J. 2008. Preserving privacy in social networks against neighborhood attacks. In Proceedings of IEEE 24th International Conference on Data Engineering. 506{515.