Towards a compliance audit of SLAs for data replication in Cloud storage - PowerPoint PPT Presentation


SLIDE 1

Institut Mines-Télécom

Towards a compliance audit of SLAs for data replication in Cloud storage

  • J. Leneutre
  • B. Djebaili, C. Kiennert, J. Leneutre, L. Chen, "Data Integrity and Availability Verification Game in Untrusted Cloud Storage", Conference on Decision and Game Theory for Security (GameSec), Los Angeles, CA, USA, November 2014, LNCS.

SLIDE 2

Outline

  • Introduction
  • Background
  • Assumptions
  • Contributions
  • Game Models
  • Conclusion

30/06/15

Data Integrity Verification Game in Cloud Storage 2

SLIDE 4

Introduction

■ Cloud features:

  • On-demand services
  • Resource pooling via multi-tenancy
  • Elasticity via dynamic provisioning of resources
  • Device and location independence

➡ Source of security problems

─ Reduced control over software and data
─ Potential interference between security mechanisms and cloud optimization mechanisms

■ Security of data storage:

  • Privacy / Confidentiality
  • Integrity / Availability

─ External threats (hackers) to data integrity or availability
─ The Cloud Provider (CP) itself might behave unfaithfully

➡ Users need strong evidence that their data have not been tampered with or partially deleted

SLIDE 5

Problem Statement

■ Case of an untrusted CP

  • Economically-motivated CP that may be tempted to erase (copies of) data in order to use less storage space

➡ How to check compliance of SLAs with regard to data replication?

■ Efficient schemes for remote data integrity checking exist

  • New cryptographic protocols: proof of data possession (PDP), proof of retrievability (POR), …

➡ However, verification costs computing resources

■ How to optimize their use?

  • Frequency of the verification process?
  • Which data to check in priority?
  • Are there data not worth checking at all?

➡ Optimal verification policies needed

  • Trade-off between security and cost of verification
  • Obtained by a game-theoretic analysis modelling the interactions between the Verifier and the CP
SLIDE 6

Underlying assumptions

■ Data replication rate is specified in SLAs

  • Usually not covered in a cloud storage service provider's SLA

➡ SLAs rather provide guarantees in terms of uptime, allowed number of retries, or how long a read request can take to be serviced

➡ They offer some sort of tiered credits to the users if the guarantees are not satisfied

  • May be negotiated in the case of storage backup or cloud archive services

➡ Possible definition of precise retention policies

■ User is allowed to access the different copies of the same data

  • May be necessary to check the geographical location of data

SLIDE 8

Background: Integrity verification of outsourced data

■ Usual techniques for integrity control

  • Hash functions, error-correcting codes, checksums, …

➡ … not suited for intentional modification of data!

[Figure: User → Cloud storage: D and Hash(D). Audit: Cloud storage → User: Hash(D). Result: no detection of modification. D: Data]

SLIDE 9

Background: Integrity verification of outsourced data

■ Need for a new cryptographic primitive

➡ Integrity checking challenge-response protocol

  • Metadata may also be outsourced
  • Verification may be delegated to a third party auditor (TPA)

SLIDE 10

Background: Integrity verification of outsourced data

■ A naive scheme

  • Requires a large metadata size
  • Consumes too much bandwidth and computation
  • Verifications limited to the number of precomputed hash values
SLIDE 11

Background: Integrity verification of outsourced data

■ A simple protocol based on the DLP [Deswarte & alii, 2004]

  • Metadata: tag computed using a homomorphic function

Notation: "d": data, "T": tag (metadata), "C": challenge, "R": response, "n": RSA modulus, "r": random integer, "DLP": discrete logarithm problem

Verifier (setup): computes the tag T = F(d) = g^d mod n and keeps it as metadata
Storage provider: stores d

Verifier → Storage provider: challenge C = g^r mod n, for a fresh random r
Storage provider → Verifier: response R = C^d mod n
Verifier: accepts iff T^r ≡ R (mod n), since (g^d)^r = (g^r)^d

DLP problem ➡ security (the tag T = g^d mod n does not reveal d)

Deswarte, Y., Quisquater, J.-J., and Saïdane, A. Remote Integrity Checking. In Proceedings of the 6th Working Conference on Integrity and Internal Control in Information Systems (IICIS), 2004.
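
Added example (not code from the slides or from the cited paper) contrasting the hash-based audit of slide 8 with the challenge-response check of slide 11: a provider that deleted the file but cached its digest still passes the hash audit, while it cannot answer a fresh challenge C = g^r mod n without d. The modulus, generator, sample file and the modelling of the cheating provider's answer as a random value are assumptions of the example.

```python
"""Naive hash audit vs. DLP-based challenge-response audit of outsourced data.

Added example. Toy parameters: a real deployment would use a properly generated
RSA modulus of at least 2048 bits, not two Mersenne primes.
"""
import hashlib
import secrets

P = 2**127 - 1          # prime (assumed toy parameter)
Q = 2**61 - 1           # prime (assumed toy parameter)
N = P * Q               # "n": RSA-style modulus
G = 3                   # "g": base used for tags and challenges (assumption)

# Constructed sample file the user outsources.
DATA = b"ledger-2014Q3: 1337 rows; replication factor 3 agreed in SLA"


def data_to_int(d: bytes) -> int:
    """Interpret the whole file as the big integer d used in the exponent."""
    return int.from_bytes(d, "big")


class HonestProvider:
    """Keeps the file and computes every answer from it."""
    def __init__(self, d: bytes):
        self.d = d

    def digest(self) -> bytes:
        return hashlib.sha256(self.d).digest()

    def respond(self, c: int) -> int:
        return pow(c, data_to_int(self.d), N)       # R = C^d mod n


class TamperingProvider(HonestProvider):
    """Keeps a copy in which one byte was silently corrupted."""
    def __init__(self, d: bytes):
        super().__init__(d[:10] + bytes([d[10] ^ 0x01]) + d[11:])


class CheatingProvider:
    """Deletes the file to save storage, but caches its digest beforehand."""
    def __init__(self, d: bytes):
        self.cached_digest = hashlib.sha256(d).digest()

    def digest(self) -> bytes:
        return self.cached_digest                   # replayed, no data needed

    def respond(self, c: int) -> int:
        # Without d (and unable to extract it from T = g^d mod n without
        # solving the DLP) the provider can only guess; modelled as random.
        return secrets.randbelow(N)


def naive_hash_audit(provider, stored_digest: bytes) -> bool:
    """Slide 8: the verifier compares the digest it kept with the one returned."""
    return provider.digest() == stored_digest


def make_tag(d: bytes) -> int:
    """Verifier-side setup: T = g^d mod n is the only metadata kept."""
    return pow(G, data_to_int(d), N)


def dlp_audit(provider, tag: int) -> bool:
    """Slide 11: fresh random r, challenge C = g^r, accept iff T^r == C^d (mod n)."""
    r = secrets.randbelow(N - 2) + 1
    c = pow(G, r, N)
    response = provider.respond(c)
    return pow(tag, r, N) == response


def run_audits() -> dict:
    """Run both audits against honest, tampering and cheating providers."""
    stored_digest = hashlib.sha256(DATA).digest()
    tag = make_tag(DATA)
    providers = {"honest": HonestProvider(DATA),
                 "tamper": TamperingProvider(DATA),
                 "cheat": CheatingProvider(DATA)}
    results = {}
    for name, prov in providers.items():
        results["hash_" + name] = naive_hash_audit(prov, stored_digest)
        results["dlp_" + name] = dlp_audit(prov, tag)
    return results


if __name__ == "__main__":
    for k, v in run_audits().items():
        print(f"{k:12s} {'pass' if v else 'FAIL'}")
```

The hash audit detects the accidental corruption but not the economically motivated deletion, which is exactly the "intentional modification" case the slide flags; the challenge-response audit catches both, at the price of one modular exponentiation over the whole file per challenge on the provider side, which is the cost that motivates the verification-policy question on slide 5.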

SLIDE 12

Background: Integrity verification of outsourced data

■ Two main approaches for data verification schemes

  • Deterministic protocols: check the entire data
  • Probabilistic protocols: randomly check blocks of the data

➡ reduce the computing time of verification

■ Main efficient verification schemes

  • PDP (Provable Data Possession) [Ateniese & alii 2011]

─ Minimize bandwidth

  • POR (Proofs of Retrievability) [Juels, Kaliski 2007]

─ Ability to recover corrupted files by using error-correcting codes

■ Other features

  • Public verification
  • Management of dynamic data
  • Verification of multiple copies of a data item

[Ateniese & alii 2011] Ateniese, G., Burns, R., Curtmola, R., Herring, J., Khan, O., Kissner, L., … & Song, D. (2011). Remote data checking using provable data possession. ACM TISSEC, 14(1), 12.

[Juels, Kaliski 2007] Juels, A., & Kaliski Jr, B. S. (2007, October). PORs: Proofs of retrievability for large files. In Proceedings of the 14th ACM conference on Computer and communications security.
SLIDE 13

Background: Game Theory

■ Game theory aims at modeling situations in which decision makers have to take specific actions that have mutual, possibly conflicting, consequences

■ Glossary:

  • Player: a strategic decision maker (can be a person, a machine, etc.)
  • Action: a move that can be carried out by a player at any given time
  • Utility function: assigns a numerical value to every possible outcome of the game for a given player, taking into account the other players' actions
  • Strategy: a plan of actions taken in the game
  • Nash Equilibrium: strategy profile from which no player has an incentive to deviate unilaterally

SLIDE 14

Background: Game Theory

■ Example: Forwarder's dilemma

  • Goal: device p1 (resp. p2) wants to send a packet to its receiver r1 (resp. r2) using p2 (resp. p1) as a forwarder, in each time slot
  • Actions: Forward (F) or Drop (D) the other device's packet
  • Utility function:

─ c (0 < c << 1): cost representing the energy and computation spent for the forwarding action
─ Reward when one's own packet is forwarded: 1

  • Nash equilibrium: (D,D), since whatever the other device does, dropping saves the cost c
SLIDE 16

Contributions

■ Define a basic model

  • Static game with deterministic verification protocol
  • CP stores only one copy of the data

■ Study different extensions of the model

  • Dynamic game with deterministic verification (Stackelberg game)
  • Static game with probabilistic verification protocol
  • Extension where the CP stores multiple copies of the data
  • Repeated game (multiple consecutive interactions over time)

■ For each model:

  • Prove the existence of an attractive data set on which both attacker and verifier should focus exclusively
  • Find the Nash Equilibrium
  • Analyze the results in terms of expected behaviours and deduce guidelines for optimal TPA data checking

SLIDE 18

Generic game model

■ Non-cooperative game
■ Two rational players

  • Attacker (CP)
  • Verifier (TPA)

■ Two actions per player for each data item:

  • Attacker: Not replicating / Do nothing
  • Verifier: Check data integrity / Do nothing

■ Strategies: distribution of attack/verification resources

  • For each data item Di, the attacker decides not to replicate it with probability pi, and the verifier checks it with probability ti
  • Available resources for the attacker (resp. verifier): P (resp. T)

Lin Chen and Jean Leneutre. A game theoretical framework on intrusion detection in heterogeneous networks. IEEE TIFS, 4(2):165-178, 2009.

SLIDE 19

Generic game model

■ Game parameters

  • Number of data items stored at the CP: N
  • Size of data Di: Si
  • Importance (integrity level) of data Di: Fi
  • Overall TPA probability of detecting fraud when checking data: a

─ a = 1 for deterministic verification protocols
─ a < 1 for probabilistic verification protocols

  • Computing costs for the CP and the TPA: Cs and Ct
  • Hypothesis: players are perfectly rational

─ Each player aims at maximizing his payoff

SLIDE 20

Generic game model

Legend for data Di: verification resource ti, attack resource pi, size Si, sensitivity and value Fi, cost of verification (TPA) Ct, cost of executing the verification (CP) Cs

■ Payoff matrix for one data item Di (CP payoff, TPA payoff):

CP \ TPA                    | Check                          | Not check
Correct/Available data      | (0, –Ct·Si – Cs·Si)            | (0, 0)
Incorrect/unavailable data  | (–Cs·Si – Si, –Ct·Si + Fi)     | (Si, –Fi)

■ Utility functions of the static game for deterministic verification

TPA payoff:
CP payoff:
Resource constraints:

SLIDE 21

Generic game model

■ Data distribution

[Figure: example set of data items with their sizes: Movie S=15, Compressed file S=11, Audio S=7, Compressed file S=5, Photo S=3, Text S=2, Text S=1]

  • Does a rational attacker (CP) attack all data?

➡ Existence of an attractive dataset: actually, a rational attacker will only attack data with large enough sizes Si

Guideline 1: A rational defender only has to verify data in the attractive dataset

SLIDE 22

Generic game model

■ Nash equilibrium: analytical result when all resources are used by both players

(Attractive dataset)

Guideline 2: Verification resources should be allocated to data according to the values of ti*
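
Added example (not the authors' code) that turns the per-item payoff matrix of the generic game into expected payoffs, computes each player's best response under its resource budget, and checks whether a pair of mixed strategies is a Nash equilibrium. It generalizes the deterministic slides with the detection probability a of the probabilistic protocol (a = 1 recovers the deterministic matrix); the payoff matrix it encodes is listed in the docstring, and the item importances, cost values and budgets are assumed sample inputs.

```python
"""Expected payoffs, best responses and NE check for the CP-vs-TPA game.

Added example. Assumed per-item payoff matrix (CP payoff, TPA payoff), with
detection probability a (a = 1 for a deterministic protocol):

                     Check                                        Not check
  honest    (0, -Ct*S - Cs*S)                                     (0, 0)
  deleted   ((1-2a)*S - a*Cs*S, -(1-2a)*F - (1-a)*Cs*S - Ct*S)    (S, -F)
"""
from dataclasses import dataclass


@dataclass
class Item:
    name: str
    size: float        # S_i
    importance: float  # F_i


@dataclass
class Params:
    Ct: float          # TPA verification cost per unit of size
    Cs: float          # CP cost of executing the verification per unit of size
    a: float = 1.0     # detection probability of the verification protocol


def cp_payoff(item, p, t, prm):
    """Expected CP payoff on one item: deletes with prob p, checked with prob t."""
    S = item.size
    checked_and_deleted = (1 - 2 * prm.a) * S - prm.a * prm.Cs * S
    return p * (t * checked_and_deleted + (1 - t) * S)   # honest row pays 0


def tpa_payoff(item, p, t, prm):
    """Expected TPA payoff on one item under the same mixed strategies."""
    S, F = item.size, item.importance
    check_deleted = -(1 - 2 * prm.a) * F - (1 - prm.a) * prm.Cs * S - prm.Ct * S
    check_honest = -prm.Ct * S - prm.Cs * S
    return t * (p * check_deleted + (1 - p) * check_honest) + (1 - t) * p * (-F)


def cp_marginals(items, t, prm):
    """Gain per unit of p_i: S_i * (1 - a*t_i*(2 + Cs)); it scales with the
    size, which is why only large enough items are worth attacking."""
    return [cp_payoff(it, 1.0, ti, prm) for it, ti in zip(items, t)]


def tpa_marginals(items, p, prm):
    """Gain per unit of t_i: 2*a*p_i*F_i - Ct*S_i - Cs*S_i*(1 - a*p_i)."""
    return [tpa_payoff(it, pi, 1.0, prm) - tpa_payoff(it, pi, 0.0, prm)
            for it, pi in zip(items, p)]


def best_response(marginals, budget):
    """Payoff is linear in a player's own probabilities, so under
    sum(x_i) <= budget and 0 <= x_i <= 1 the optimum is greedy: fund the items
    with the largest positive marginal gain first."""
    x = [0.0] * len(marginals)
    left = budget
    for i in sorted(range(len(marginals)), key=lambda i: -marginals[i]):
        if marginals[i] <= 0 or left <= 0:
            break
        x[i] = min(1.0, left)
        left -= x[i]
    return x


def is_nash(items, p, t, P, T, prm, tol=1e-9):
    """(p, t) is an NE iff each is a best response to the other under its
    resource constraint, i.e. no unilateral reallocation improves the payoff."""
    mc, mt = cp_marginals(items, t, prm), tpa_marginals(items, p, prm)
    value = lambda x, m: sum(xi * mi for xi, mi in zip(x, m))
    cp_ok = value(p, mc) >= value(best_response(mc, P), mc) - tol
    tpa_ok = value(t, mt) >= value(best_response(mt, T), mt) - tol
    return cp_ok and tpa_ok


# Constructed sample: the sizes of the "data distribution" slide with assumed
# importance values and costs.
ITEMS = [Item("movie", 15, 2), Item("zip-a", 11, 3), Item("audio", 7, 1),
         Item("zip-b", 5, 3), Item("photo", 3, 2), Item("text-a", 2, 5),
         Item("text-b", 1, 5)]
PRM = Params(Ct=0.2, Cs=0.1)


def attacker_response_to_uniform_checking(T=2.0, P=1.5):
    """Attacker's best response when the TPA spreads T uniformly: it deletes
    the largest items first and leaves the small ones alone."""
    t = [T / len(ITEMS)] * len(ITEMS)
    return dict(zip([it.name for it in ITEMS],
                    best_response(cp_marginals(ITEMS, t, PRM), P)))


def single_item_mixed_equilibrium(item, prm):
    """N = 1 with non-binding budgets: the indifference conditions give
    t* = 1/(a(2+Cs)) and p* = (Ct+Cs)S / (a(2F + Cs S))."""
    t = 1 / (prm.a * (2 + prm.Cs))
    p = (prm.Ct + prm.Cs) * item.size / (prm.a * (2 * item.importance + prm.Cs * item.size))
    return p, t


if __name__ == "__main__":
    print(attacker_response_to_uniform_checking())
    it, prm = Item("x", 1, 1), Params(Ct=0.5, Cs=0.5)
    p, t = single_item_mixed_equilibrium(it, prm)
    print(p, t, is_nash([it], [p], [t], 1.0, 1.0, prm))
```

The single-item equilibrium illustrates Guideline 2: the TPA's checking probability t* is set to make the attacker indifferent, so it is fixed by the cost parameters rather than by the item's value, while the attacker's p* falls as the importance F grows. With several items, the greedy best response against uniform checking shows the attractive dataset forming at the large end of the size distribution.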

SLIDE 23

Generic game model: numerical analysis

[Figure residue, N = 20 data items. Table 1: Payoff at the Nash Equilibrium (NE), Defender (TPA) and Attacker (CP). Table 2: Payoff degradation due to deviation from the NE: TPA random strategy against CP best response; TPA best and maximum gain, average gain, minimal gain. Three values survive without labels: 0.13976, 0.34721, 0.61456.]

SLIDE 24

Game with multiple data copies

■ Multiple copies of the same data on the CP servers

  • Parameters: the same as in the generic game, plus

─ Number of copies of data Di: Ri
─ Reward the CP gets if he acts honestly: ε (ε > 0)

■ Payoff matrix per copy (CP payoff, TPA payoff):

CP \ TPA                    | Check                          | Not check
Correct/Available copy      | (ε, –Ct·Si – Cs·Si)            | (0, 0)
Incorrect/unavailable copy  | (–Cs·Si – Si, –Ct·Si + Fi)     | (Si, –Fi)

■ Strategies

  • Probability that the CP deletes i copies of data Dm (0 ≤ i ≤ Rm): p_i^m
  • Probability that the TPA checks i copies of data Dm (0 ≤ i ≤ Rm): q_i^m

SLIDE 25

Game with multiple data copies

Legend for data Di: verification resource, attack resource, size Si, sensitivity and value, cost of verification (TPA), cost of executing the verification (CP)

■ Utility functions of the game with multiple copies

TPA payoff:
CP payoff:

Notation: the payoff expressions use an indicator function

SLIDE 26

Game with multiple data copies

■ Two game settings

  • A player's strategy for each data item does not depend on the other data items:

─ for each data Dm:

  • A player's strategy for each data item depends on its strategies for the other data items:

─ for N data:

➡ There exists a unique NE in both settings
➡ Characterization of the NE in the corresponding Stackelberg game (TPA is the leader)
➡ Current study: extension to an infinite repeated game

SLIDE 28

Conclusion

■ Remote data integrity verification in the cloud

  • Modeling the interaction between the verifier and the cloud provider as a non-cooperative game
  • Verification of a single copy / multiple copies

➡ Gives some guidelines to define an optimal verification strategy for data replication compliance checking

■ Perspectives

  • Take into account location requirements for data

➡ May be used to define "ALAs (Audit Level Agreements)"

SLIDE 29

Outline

  • Introduction
  • Game Theory
  • Contributions
  • Game Models
  • Conclusion
  • Appendices

SLIDE 30

Background: Game Theory

■ Some types of games

  • Deterministic vs. stochastic games

─ Stochastic game: game involving probabilistic transitions between different states of the system

  • Static vs. dynamic games

─ Static game (one-shot game): all players choose their strategies simultaneously
─ Dynamic game (Stackelberg game, leader & follower game): players choose their actions in more than one stage

  • Complete information vs. incomplete information games

─ Complete information game: players know each other's strategies and payoffs
─ Incomplete information game (Bayesian game): information about the characteristics (strategies, payoffs) of the other players is incomplete

  • Pure strategies vs. mixed strategies

SLIDE 31

Stackelberg game for deterministic verification

■ Players have sequential interactions: the move of one player is conditioned by the move of the other player
■ Game principle:

  • The leader moves first
  • The follower observes the leader's choice, then chooses his strategy

■ Three cases analyzed:

  • Case 1: Leader: CP, Follower: TPA
  • Case 2: Leader: TPA, Follower: CP
  • Case 3: Which strategy will be better for both TPA & CP?

─ Actually, Case 1 corresponds to the best strategy for both

Guideline 3: The TPA should choose the follower strategy in order to maximize his payoff, while leader is the best strategy for the CP

SLIDE 32

Static game for probabilistic verification

Legend for data Di: verification resource, attack resource, size, sensitivity and value, cost of verification (TPA), cost of executing the verification (CP), detection probability a, storage loss

■ Payoff matrix (CP payoff, TPA payoff):

CP \ TPA                    | Check                                                      | Not check
Correct/Available copy      | (0, –Ct·Si – Cs·Si)                                        | (0, 0)
Incorrect/unavailable copy  | ((1–2a)·Si – a·Cs·Si, –(1–2a)·Fi – (1–a)·Cs·Si – Ct·Si)    | (Si, –Fi)

The "Check" cell of the incorrect row is the expectation over detection (probability a, giving the deterministic cell (–Cs·Si – Si, –Ct·Si + Fi)) and non-detection (probability 1–a, where the fraud goes unnoticed: the CP keeps Si while the TPA pays the verification costs Ct·Si + Cs·Si and still loses Fi); a = 1 recovers the deterministic matrix.
SLIDE 33

Numerical Analysis

[Fig 1: Payoff at the Nash Equilibrium (NE); figure not reproduced in the transcript]