Professional Documents
Culture Documents
An Algorithmic Approach To Improving Cloud Security: The MIST and Malachi Algorithms
An Algorithmic Approach To Improving Cloud Security: The MIST and Malachi Algorithms
Cara Tunstall
CSIT Department at
SLU
320 Wilkinson Street
Mandeville, LA 70448
985-710-0839
Justin.LeJeune@selu.edu
Cara.Tunstall@selu.edu
Kuo-pao Yang
CSIT Department at
SLU
SLU Box 10847
Hammond, LA 70402
985-549-5088
KYang@selu.edu
Ihssan Alkadi
CSIT Department at
SLU
SLU Box 10847
Hammond, LA 70402
985-549-2037
Ihssan.Alkadi@selu.edu
BIOGRAPHIES........................................................6
1. INTRODUCTION
TABLE OF CONTENTS
1. INTRODUCTION.................................................1
2. BENEFITS OF CLOUD COMPUTING...................1
3. RISKS OF CLOUD COMPUTING.........................2
4. COMPARISON WITH OTHER SECURITY
SYSTEMS...3
5. SOCIAL ENGINEERING......................................2
6. THE MIST SECURITY ALGORITHM...................3
7. MALACHI..........................................................4
8. STATISTICAL ANALYSIS AND TESTING OF THE
MIST......................................................................4
9. CONCLUSION.....................................................5
REFERENCES.........................................................6
978-1-4673-7676-1/16/$31.00 2016 IEEE
5. SOCIAL ENGINEERING
Although security measures are becoming more and more
effective at protecting sensitive information, people remain
susceptible to manipulation. Social engineering is a common
method of exploiting security vulnerabilities in protected
systems by beguiling users into divulging sensitive
information [8]. The basic concept is a non-technical method
of intrusion hackers use that relies heavily on human
interaction and often involves tricking people into breaking
normal security procedures. This usually involves the
attacker exploiting a non-technical person with access to the
network to be attacked. Examples of social engineering are
pretexting, phishing, and baiting. Pretexting uses an invented
scenario, such as planning on running into the victim in a
social situation, seemingly by chance, to engage a targeted
victim in a manner that increases the chance the victim will
divulge sensitive information. Phishing is a technique of
obtaining private information in a fraudulent fashion.
Typically, the phisher will send an email that appears to come
from a legitimate business, such as a bank or credit card
company, requesting verification of information and warning
of some dire consequence if it is not provided. The email
usually contains a link to a fraudulent web page that appears
legitimate, and has a form requesting everything from a home
address to an ATM card's PIN. Baiting is like a modern
version of the Trojan Horse that uses physical media and
relies on the curiosity or greed of the victim. The attacker
leaves a malware infected CD-ROM or USB flash drive in a
location where it is sure to be found like a bathroom, elevator,
sidewalk, or parking lot, and gives it a legitimate looking and
interesting looking label, and simply waits for a victim to use
the device.
When the user enters the system they are prompted with 50
different possible answers to each question, including their
own, and given 30 seconds per question to select the correct
answer. The answers are, of course, randomized in their
position on the screen so that the system cannot be bruteforced by traditional methods. To address the issue of an
attacker or program being able to identify a pattern by
viewing multiple instances of a page several, static decoy
answers are also introduced. These decoys are randomized
when a user sets their security answers and remain persistent
until the users change their security question answers again.
These decoys will not allow an attacker the gain access to the
system via any kind of pattern recognition software.
In addition to this several authorization tokens are generated
by the system and passed through the pages to ensure that an
attacker is not able to forge results from the security questions
and access the system that way. These authorization tokens
are generated on each of the question pages and verified in
the systems final step, before granting access to a user. In
addition to these tokens each page generates a unique POST
value that must be passed along to each subsequent page in
the proper sequence. This prevents attackers from opening
the pages out of order or falsifying a pages results.
Finally after each question has been answered the user must
then answer a procedurally generated question. This question
prevents bots and automated programs from attempting to get
through the system. It provides the same service as a captcha,
but is more secure since captchas can be broken with relative
ease using an OCR(optical character recognition) program.
The system will also lock a users account after a certain
number of attempts have been made at guessing the security
questions. In this event the user will need to contact the
system administrator and have them unlock it and let them
into the system. All available information on the user
attempting to access the system is also recorded in case it is
needed to locate an attack on the system.
7. MALACHI
Another solution proposed in the paper is a developing
algorithm titled Malachi, which takes an entirely different
approach to account security. Instead of using click-based
interfaces like the MIST, Malachi relies entirely on typed
user input. The algorithm is as follows: when a user creates
an account for a cloud service, the user must (1) create an
alphanumeric username, and a password consisting of at least
one capitalized letter, at least two numbers and at least one
special character, with a minimum length of eight characters.
Next, the user must (2) type in four custom security questions,
and provide corresponding answers. The user will enter each
question and answer twice to verify spelling before being
allowed to proceed. (3) The security questions and answers
will then be hashed and stored in the database with the
corresponding account information. (4) These security
questions and answers will need to be provided at each login
attempt unless the user has selected a checkbox to indicate I
trust this computer on a previous login on the same machine.
This checkbox will alleviate the inconvenience of entering
the four questions and answers constantly on the users home
computer, but when the account is being accessed from a
computer that is not trusted, the questions will once again be
required. The idea behind this algorithm is that in order for
the account to be as invulnerable as possible, the security
4
or
0.000008%
REFERENCES
9. CONCLUSION
BIOGRAPHIES