Dynamic Security Risk Assessment in Cloud Computing Using IAG

  • Gopi Puppala
  • Syam Kumar Pasupuleti
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 710)


Cloud computing is one of the most emerging technologies because of its benefits. However, cloud security is one of the major issues that attracting lot of research. In cloud computing environment, cloud users may have privilege to install their own applications, Particularly in Infrastructure as a Service (IaaS) clouds provide privileges to users to install applications on their virtual machines (VMs), so users may install vulnerable applications. In this case, identifying zombie’s exploitation attack is difficult. Many attack graph-based solutions were proposed to detect compromised VMs, but they focus only on static attack scenario. In this paper, we propose a dynamic risk assessment system by incorporating Bayes theorem into attack graph model, namely improved attack graph (IAG) to assess the dynamic risks and decide appropriate countermeasure based on IAG analytical models. The effectiveness and efficiency of the propose system are demonstrated in security and performance analysis, respectively.


Cloud computing DDoS attack Vulnerability Attack graph Risk management Bayesian theorem 


  1. 1.
    Coud Security Alliance, "Top Threats to Cloud Computing v1.0," v1.0.pdf, Mar. 2010.
  2. 2.
    Chun-Jen Chung, Tianyi Xing and Dijiang Huang, "NICE: Network Intrusion Detection and Countermeasure Selection in Virtual Network Systems", IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 10, NO. 4, JULY/AUGUST 2013.Google Scholar
  3. 3.
    P. Mell, K. Scarfone, and S. Romanosky, Common Vulnerability Scoring System (CVSS), html, May 2010.
  4. 4.
    Z. Duan, P. Chen, F. Sanchez, Y. Dong, M. Stephenson, and J. Barker, Detecting Spam Zombies by Monitoring Outgoing Messages, IEEE Trans. Dependable and Secure Computing, vol. 9, no. 2, pp. 198–210, 2012.CrossRefGoogle Scholar
  5. 5.
    G. Gu, J. Zhang, and W. Lee, BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic, Proc. 15th Ann. Network and Distributed Sytem Security Symp. (NDSS 08), Feb. 2008.Google Scholar
  6. 6.
    R. Sadoddin and A. Ghorbani, Alert Correlation Survey: Framework and Techniques, Proc. ACM Intl Conf. Privacy, Security and Trust: Bridge the Gap between PST Technologies and Business Services (PST 06), pp. 37:1–37:10, 2006.Google Scholar
  7. 7.
    O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J.M. Wing, Automated Generation and Analysis of Attack Graphs, Proc. IEEE Symp. Security and Privacy, pp. 273–284, 2002.Google Scholar
  8. 8.
    NuSMV: A New Symbolic Model Checker, Aug. 2012.
  9. 9.
    P. Ammann, D. Wijesekera, and S. Kaushik, Scalable, graphbased network vulnerability analysis, Proc. 9th ACM Conf. Computer and Comm. Security (CCS 02), pp. 217–224, 2002.Google Scholar
  10. 10.
    X. Ou, S. Govindavajhala, and A.W. Appel, MulVAL: A Logic Based Network Security Analyzer, Proc. 14th USENIX Security Symp., pp. 113–128, 2005.Google Scholar
  11. 11.
    The MITRE Corporation. Common weakness scoring system. 2010.
  12. 12.
    National vulnerability database. available at:, May 9, 2008.
  13. 13.
    OpenStack Open Source Cloud Software (2014). [Online]. Available:
  14. 14.
    M. Dacier. Towards quantitative evaluation of computer security. Ph.D. Thesis, Institut National Polytechnique de Toulouse, 1994Google Scholar
  15. 15.
    R. Ortalo, Y. Deswarte, and M. Kaaniche. Experimenting with quantitative evaluation tools for monitoring operational security. IEEE Trans. Software Eng., 25(5):633650, 1999.CrossRefGoogle Scholar
  16. 16.
    D. Balzarotti, M. Monga, and S. Sicari. Assessing the risk of using vulnerable components. In Proceedings of the 1st ACM QoP, 2005.Google Scholar
  17. 17.
    W. Li and R. B. Vaughn. Cluster security research involving the modeling of network exploitations using exploitation graphs. In Proceedings of the Sixth IEEE International Symposium on Cluster Computing and the Grid, CCGRID 06, pages 26, Washington, DC, USA, 2006. IEEE Computer Society.Google Scholar
  18. 18.
    E. Clarke, O. Grumberg, and D. Peled. Model Checking MIT Press, 2000.Google Scholar
  19. 19.
    Nayot Poolsappasit, Rinku Dewri, and Indrajit Ray, Member, Dynamic Security Risk Management Using Bayesian Attack Graphs, IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 1, JANUARY/FEBRUARY 2012. pp. 61–74.Google Scholar

Copyright information

© Springer Nature Singapore Pte Ltd. 2018

Authors and Affiliations

  1. 1.University of HyderabadHyderabadIndia
  2. 2.Institute for Development and Research in Banking Technology (IDRBT)HyderabadIndia

Personalised recommendations