An Algorithmic Approach to Improving Cloud Security:

The MIST and Malachi Algorithms

Justin LeJeune
CSIT Department at
SLU
320 East 8th Avenue
Covington, LA 70433
985-373-7917

Cara Tunstall
CSIT Department at
SLU
320 Wilkinson Street
Mandeville, LA 70448
985-710-0839

Justin.LeJeune@selu.edu

Cara.Tunstall@selu.edu

Kuo-pao Yang
CSIT Department at
SLU
SLU Box 10847
Hammond, LA 70402
985-549-5088
KYang@selu.edu

Ihssan Alkadi
CSIT Department at
SLU
SLU Box 10847
Hammond, LA 70402
985-549-2037
Ihssan.Alkadi@selu.edu

BIOGRAPHIES........................................................6

Abstract---Cloud Computing is ever increasing in popularity in

the computer science field. Because of this increased usage, the
importance of data integrity and strong security has become
paramount. This paper expounds upon security measures and
methodologies for strengthening the cloud, including two new
security algorithms. According to the Cloud Security Alliance
paper, The Notorious Nine: Cloud Computing Top Threats
2013, the nine biggest threats to cloud computing are data
breaches, data loss, account or service traffic hijacking, insecure
interfaces and Application Programming Interfaces (APIs),
denial of service, malicious insiders, abuse of cloud services,
insufficient due diligence, and finally shared technology
vulnerabilities [1]. All nine of these issues would be lessened by
properly implementing stricter security on cloud systems. A
combination of security measures in concurrence is the basis of
the security improvements asserted forthwith. The security
algorithms introduced in this paper, the MIST and Malachi are
two new ways to protect users data through account security.

1. INTRODUCTION

In the current computing world, where threats like the Sony

Pictures Entertainment hack, the Sarah Palin email hack of
2008 and the recent Ashley Madison scandal are a constant
reality, the importance of hardened security measures has
become a dire concern. In order for a system to be protected
from attacks, it is first necessary to identify the vulnerabilities.
The algorithms covered in this paper focus mainly on
eliminating the weak passwords and account recovery
vulnerability that are common in todays computing systems.
Average users sometimes do not realize the importance of
strong passwords, and other inconvenient security measures,
and thus leave their accounts vulnerable to attacks in
exchange for convenience. This means it is up to the system
architects and developers to implement security measures
that protect these users adequately, while giving the users the
ease and convenience level they expect. This way the user is
still protected without being overly inconvenienced by a
security system. The juxtaposition of a users convenience
versus their level of protection is a huge factor in determining
the best security algorithm to use in a system. The MIST
security algorithm is an innovative solution that meets these
needs. The MIST combines a simple, user friendly interfacebased approach to account recovery, while also incorporating
highly user-specific questions. When the MIST algorithm is
integrated in a system, account recovery becomes far more
secure.

TABLE OF CONTENTS

1. INTRODUCTION.................................................1
2. BENEFITS OF CLOUD COMPUTING...................1
3. RISKS OF CLOUD COMPUTING.........................2
4. COMPARISON WITH OTHER SECURITY
SYSTEMS...3
5. SOCIAL ENGINEERING......................................2
6. THE MIST SECURITY ALGORITHM...................3
7. MALACHI..........................................................4
8. STATISTICAL ANALYSIS AND TESTING OF THE
MIST......................................................................4

2. BENEFITS OF CLOUD COMPUTING

9. CONCLUSION.....................................................5

Businesses that transition to cloud computing experience

many benefits. Cloud Computing is a flexible way to allocate
information technology resources such as storage, software,

REFERENCES.........................................................6
978-1-4673-7676-1/16/$31.00 2016 IEEE

advanced enough for the commercial user to be able to

practically implement these solutions. These methods also
require additional hardware, such as the physical fingerprint
or retinal scanner, which need to be made to work with a
system. This also opens the door to other kinds of attacks. For
instance, an attacker might not be able to replicate a user's
fingerprint but might be able to get in between the scanner
and the system, allowing him to send a false positive to the
system and bypass the scanner completely. Considering the
recent Apple iCloud hacking incident, it may not be a good
idea to store a users unique data on the web until such
technologies become mainstream and unbreakable.

infrastructures and bandwidth, out of a pool, enabling the

business to consume power according to their needs [2].
Using a cloud based system provides a business the
processing power to work efficiently through their peak data
intensive processes, and save money by paying for only as
much power as they need for less intensive processes by
optimizing resources. Cloud users enjoy access to data stored
on the cloud from any location with internet connectivity.
Cloud Computing is revolutionizing the way data is stored
and accessed. With Cloud Computing, a small business can
access enterprise level computing without the high
investment costs of allocating their own servers. Cloud
Computing is cheaper than other computing models; zero
maintenance cost is involved since the Cloud Service
Provider is responsible for the availability of services, and
clients are free from maintenance and management problems
of the resource machines. Due to this feature, Cloud
Computing is also known as Utility Computing, or IT on
Demand [3].

In addition to fingerprint, retinal scanning and facial

recognition systems, physical security methods can also be
effective in computer security. It is not uncommon for a
server terminal to be locked inside of a cage, which can only
fit a single person at a time. Similarly things like security
cameras and guards make breaking into a terminal much
more difficult. The problem with all these however is that
while very secure, they are usually never practical or
applicable.

3. RISKS OF CLOUD COMPUTING

Traditional security questions and answers make the user

type in the answer to a standard question that the user
answered during setup. There are two main problems with
this. The first is that today actual private information is
almost non-existent. Through social engineering and
standard information gathering you can find almost anything
about a person. Sarah Palins email system was breached
back in 2008 because of this. One of her password recovery
questions was What highschool did you attend?,
information that was easily accessible from her Wikipedia
page. Even more obscure questions like What was your first
pets name? and Who was your first crush? can be
breached using very basic social engineering methods, which
will be further explained in the following section. Most
people are very open about themselves, especially online, and
usually will give up valuable information without even
realizing it. There is little to no privacy in the modern world,
so security information based on information like this can be
easily bypassed.

Three important areas of research in Cloud Computing

include security, performance and availability [4]. Security is
by far the riskiest area of cloud computing. Cloud users
experience a loss of security control over the cloud-hosted
assets [5]. It is the duty of the Cloud Service Provider to
maintain the cloud infrastructure. This includes providing
adequate security measures to protect cloud users private
data. Virtualization software, the prime technology used in
Cloud Computing, and Cloud Computing itself contain many
security weaknesses that affect data integrity and
confidentiality. Some examples of these security issues are
VMware escape, hopping, mobility and diversity monitoring
[6]. A good security algorithm presents a strategy to counter
the vulnerabilities in a cloud system [7]. One of the most
important aspects of improving security in the cloud is a
strong security algorithm.

4. COMPARISON WITH OTHER SECURITY

SYSTEMS

The second problem with this system is that the answer is

checked with the help of regular expression engines. Meaning
the answer provided by a user should be identical to what was
set during initial setup. By nature, human beings tend to
forget the exact answer and it is often same as typing a
password. Most of the time, a user needs multiple attempts to
answer the question correctly. Since the MIST and Malachi
are enhanced security question and answer algorithms, they
do not rely on this system. This eliminates the hurdle of
typing the same exact answer while still granting access to an
account. The MIST has been developed and implemented for
use in protected cloud systems. It works around existing
technology.

Fingerprint, retinal scanning and facial recognition systems

are some of the most advanced security systems in the world.
Because they use the unique differences and features of each
user to authenticate them it becomes almost impossible for an
attacker to duplicate a users unique physical features. Since
no two people's fingerprints are the same, not even identical
twins (who share exactly the same genes), fingerprints are
one of the best biometric authenticators to use as a password
for protected systems. Unfortunately, the installation of
fingerprint scanners are not always applicable to Internet
applications. The same issues apply to retinal scanning and
facial recognition systems. Technology simply is not
978-1-4673-7676-1/16/$31.00 2016 IEEE

personality and tastes of the user, questions such as 'What is

your dream car brand?'. The main challenge with this is
creating questions that are specific enough that a user will
always remember it and make the same choice, but not be so
obvious that an attacker that knows the user would be able to
figure out that user's answers.

5. SOCIAL ENGINEERING
Although security measures are becoming more and more
effective at protecting sensitive information, people remain
susceptible to manipulation. Social engineering is a common
method of exploiting security vulnerabilities in protected
systems by beguiling users into divulging sensitive
information [8]. The basic concept is a non-technical method
of intrusion hackers use that relies heavily on human
interaction and often involves tricking people into breaking
normal security procedures. This usually involves the
attacker exploiting a non-technical person with access to the
network to be attacked. Examples of social engineering are
pretexting, phishing, and baiting. Pretexting uses an invented
scenario, such as planning on running into the victim in a
social situation, seemingly by chance, to engage a targeted
victim in a manner that increases the chance the victim will
divulge sensitive information. Phishing is a technique of
obtaining private information in a fraudulent fashion.
Typically, the phisher will send an email that appears to come
from a legitimate business, such as a bank or credit card
company, requesting verification of information and warning
of some dire consequence if it is not provided. The email
usually contains a link to a fraudulent web page that appears
legitimate, and has a form requesting everything from a home
address to an ATM card's PIN. Baiting is like a modern
version of the Trojan Horse that uses physical media and
relies on the curiosity or greed of the victim. The attacker
leaves a malware infected CD-ROM or USB flash drive in a
location where it is sure to be found like a bathroom, elevator,
sidewalk, or parking lot, and gives it a legitimate looking and
interesting looking label, and simply waits for a victim to use
the device.

When the user enters the system they are prompted with 50
different possible answers to each question, including their
own, and given 30 seconds per question to select the correct
answer. The answers are, of course, randomized in their
position on the screen so that the system cannot be bruteforced by traditional methods. To address the issue of an
attacker or program being able to identify a pattern by
viewing multiple instances of a page several, static decoy
answers are also introduced. These decoys are randomized
when a user sets their security answers and remain persistent
until the users change their security question answers again.
These decoys will not allow an attacker the gain access to the
system via any kind of pattern recognition software.
In addition to this several authorization tokens are generated
by the system and passed through the pages to ensure that an
attacker is not able to forge results from the security questions
and access the system that way. These authorization tokens
are generated on each of the question pages and verified in
the systems final step, before granting access to a user. In
addition to these tokens each page generates a unique POST
value that must be passed along to each subsequent page in
the proper sequence. This prevents attackers from opening
the pages out of order or falsifying a pages results.
Finally after each question has been answered the user must
then answer a procedurally generated question. This question
prevents bots and automated programs from attempting to get
through the system. It provides the same service as a captcha,
but is more secure since captchas can be broken with relative
ease using an OCR(optical character recognition) program.
The system will also lock a users account after a certain
number of attempts have been made at guessing the security
questions. In this event the user will need to contact the
system administrator and have them unlock it and let them
into the system. All available information on the user
attempting to access the system is also recorded in case it is
needed to locate an attack on the system.

These techniques exploit serious vulnerabilities that cannot

be programmatically eliminated, but with the addition of
strong security algorithms such as the MIST and Malachi, in
conjunction with proper training for employees on how to
recognize these ploys, the threat can be neutralized.

6. THE MIST SECURITY ALGORITHM

The MIST is an implementation of the question and answer
system that uses predetermined questions with a number of
possible answers for each question. These questions are
generic enough that most everyone has an answer to them but
with a large enough answer pool that the user can give a nongeneric answer. During the development of the MIST,
multiple approaches were developed and then eliminated
once they were deemed inadequate for this system's needs.
The first iteration was a setup where a user could manually
setup security questions, but that was quickly revised as it ran
into one of the problems that we are trying to avoid. Finally
we decided on having three to five generic set questions that
will produce a wide range of answers depending on the
978-1-4673-7676-1/16/$31.00 2016 IEEE

Figure 1- MIST answer selection screen

As a final security precaution, a limited access token will be
sent via email to the users on file email account. When
verified it will take the user to a password recovery page. In
addition to this it also verifies the user's current IP against
that user's previous IPs on record, only allowing access if that
IP has had access to that user's account before. This
eliminates the threat of an attacker breaking into a user's
email and stealing their authorization token and using it
themselves.
The MIST does not alert the user if each of their choices is
correct or incorrect, instead it just lets them through to the
next question. The system keeps a record of whether each
question is answered correctly and will only allow a password
reset if all questions are answered correctly. Once all
questions have been answered the user is given a message
that states if all the questions were answered properly. It
never tells them if they were or not until all questions have
been answered correctly and does not tell them which were
answered incorrectly. This is done to prevent an attacker from
guessing correct one time and then knowing the answer to
that individual question. They have no way of knowing if the
answer they selected was correct unless all of their answers
are correct. While still being under production and pilot
testing, we believe that these security measures address the
main threats faced by security systems today while still being
easy to use from the users point of view, thus making The
MIST a more secure alternative to traditional computing
Cloud security methods.

978-1-4673-7676-1/16/$31.00 2016 IEEE

Figure 2 - Diagram of MIST algorithm

7. MALACHI
Another solution proposed in the paper is a developing
algorithm titled Malachi, which takes an entirely different
approach to account security. Instead of using click-based
interfaces like the MIST, Malachi relies entirely on typed
user input. The algorithm is as follows: when a user creates
an account for a cloud service, the user must (1) create an
alphanumeric username, and a password consisting of at least
one capitalized letter, at least two numbers and at least one
special character, with a minimum length of eight characters.
Next, the user must (2) type in four custom security questions,
and provide corresponding answers. The user will enter each
question and answer twice to verify spelling before being
allowed to proceed. (3) The security questions and answers
will then be hashed and stored in the database with the
corresponding account information. (4) These security
questions and answers will need to be provided at each login
attempt unless the user has selected a checkbox to indicate I
trust this computer on a previous login on the same machine.
This checkbox will alleviate the inconvenience of entering
the four questions and answers constantly on the users home
computer, but when the account is being accessed from a
computer that is not trusted, the questions will once again be
required. The idea behind this algorithm is that in order for
the account to be as invulnerable as possible, the security
4

questions associated with it should be entirely of the users

design. Whereas typically, the security question approach
involves a dropdown list of possible questions, this new
approach depends entirely on the user entering the question
and answer exactly as entered when the account was created.
It is possible through social engineering to find out the
maiden name of someones mother, or the place they became
engaged, but this depends on the intruder already knowing
which security question they should search for the answer to.
This makes a successful breach into these accounts much
more difficult than a typical security question from a
dropdown list. 3 Another fail safe in place in this algorithm
is that (5) there is no confirmation until after submitting the
three questions and answers, each on a different page with a
continue button at the bottom, as to whether the information
provided was right or wrong. (6) After three failed attempts
to log in using the security questions, the account is locked
for 10 minutes. The further development of the Malachi
security algorithm is a future plan of this team.

answers), What is your favorite number between 1 and 100?

(the question had 100 possible answers), and What country
would you like to visit one day? (the question had 103
possible answers). Below are several pie charts
demonstrating the diversity of the answers. For readability
only the most common answers are represented with a label,
because of this any answer with a score of one percent or
lower is not able to be represented.

8. STATISTICAL ANALYSIS AND TESTING OF THE

MIST

Figure 3 - Pie chart of most frequent answers for

question What is your favorite car manufacturer?

The MIST algorithm was subjected to a blind intrusion test

from a researcher with experience in the use of both social
engineering and automated hacking techniques.
The first iteration of testing showed significant weaknesses
in the implementation. The standard question used was
Which street did you grow up on? This question was weak
to the same social engineering approaches used to break
traditional security question and answer schemes. In the first
test, someone from another country had set up the
account. With knowing the country and city of origin for the
user, a screenshot of the possible answers was combined with
knowledge from Google Maps to determine that there were
only two valid answers in the 50 provided answers. The total
number of attempts to break the security layer was two.
The current iteration of the MIST still has some potential
weaknesses. The number of possibilities for answer selection
can be stated rather straightforwardly. With three questions
with fifty independent possible answers, we know by the
multiplication principle that there are 125,000 possible
answer combinations.
Further:

Figure 4 - Pie chart of most frequent answers for

question What is your favorite number between 1100?

1/50 * 1/50 * 1/50 = 1/125,000

or

0.000008%

This seems to be a reasonable strength for a low level security

algorithm. A small survey population of 100 students, from
Southeastern Louisiana University, were given accounts on a
school server that was using an implementation of the MIST
Security Algorithm. They were instructed answer each
question as honestly as possible and their results were
collected and observed. The implementation of the MIST that
the students used asked these three questions: What is your
dream cars brand? (the question had 70 possible
978-1-4673-7676-1/16/$31.00 2016 IEEE

Security will never be an exact science, and it is impossible

to predict the changes in security threats coming in the future.
In the last decade the cloud has transformed the way data is
handled on the internet. With all the research going into cloud
and cloud security now, one can only imagine where the
cloud will be in another ten years. The best way to keep up
with the most recent security threats is to always stay current
security methods, and to always strive to find new ways to
improve cloud security.
Figure 5 - Pie chart of most frequent answers for
question Which country would you like to visit one
day?

REFERENCES

These questions are meant to achieve the most diverse range

of answers possible. And while it can be argued based on this
data that these three questions do that, we believe some
adjustments can get these percentages even lower. Through
question selection or answer refinement, the answer
distribution should be ideal in order to maintain the 0.000008%
chance of selecting the correct answer. Eventually, the
development of additional questions could aid in the users
answer retention. Each question should be evaluated based
on the following criteria: 1) the even distribution of the
answers and 2) the vulnerability of the question to social
engineering from the social media and other public
information.
Another weakness in past implementation was that the
displayed answers were less than the number of possible
answers. As a user attempts to reset the password for an
account, the MIST algorithm selected 49 random possible
answers in addition to the given answer. A browser plugin
was developed to highlight answers that were repeatedly
randomly selected for display with each additional reset
attempt. With each attempt, the number of possible correct
answers was statistically reduced by half. This problem was
corrected by implementing the decoy system described above
in the section detailing the MIST.

[2] R. Chalse, A. Selokar, A. Katara, 2013 5th Annual

Conference
on
Computational
Intelligence
and
Communication Networks, A New Technique of Data
Integrity for Analysis of the Cloud Computing Security
2013.
[3] F. B. Shaikh, S. Haider, 6th International Conference on
Internet Technology and Secured Transactions, 11-14
December 2011, Abu Dhabi, United Arab Emirates,
Security Threats in Cloud Computing, December 2011.
[4] Z. Xin, L. Song-qing, L. Nai-wen, 2012 International
Symposium on Information Technology in Medicine and
Education, Research on Cloud Computing Data Security
Model Based on Multi-Dimension, 2012.
[5] M. Almorsy, J. Grundy, A. S. Ibrahim, 2011 IEEE 4th
International
Conference
on
Cloud
Computing,
Collaboration-Based
Cloud
Computing
Security
Management Framework, 2011.
[6] M. N. Omar, M. Salleh, M. Bakhtiari, 2014 International
Symposium on Biometrics and Security Technologies
(ISBAST),
Biometric
Encryption
to
Enhance
Confidentiality in Cloud Computing, 2014.

9. CONCLUSION

[7] D. Devkota, P. Ghimire, J. Burris, I. Alkadi, IEEE,

Comparison of Security Algorithms in Cloud Computing,
2015.

Cloud Computing is the future of the information technology

industry. Because so much vulnerable private data is being
stored on the cloud, research into data integrity and security
on the cloud has become one of the fastest growing
disciplines in Computer Science. The security approaches
covered in this paper are all strong individually, but the best
way to ensure optimum security is to use these methods in
concurrence. The MIST algorithm introduces an innovative
method for account recovery. The Malachi algorithm offers
a new approach to protecting accounts in regular logins. The
goal in implementing these security algorithms into a cloud
infrastructure is protecting the private data stored there even
more effectively.
978-1-4673-7676-1/16/$31.00 2016 IEEE

[1] Cloud Security Alliance, Top Threats Working Group,

The Notorious Nine: Cloud Computing Top Threats 2013,
February 2013.

[8] F. Mouton, M. M. Malan, L. Leenen, H. S. Venter,

Social Engineering Attack Framework , Information
Security for South Africa (ISSA), 2014

BIOGRAPHIES

Kuo-pao Yang is on the faculty at Southeastern Louisiana

University. He works in the Computer Science and
Industrial Technology department. He received his B.S.
degree in Computer Science at Tamkang University, Taipei,
Taiwan, R.O.C., June 1991. In December 1994, he earned
his M.S. degree in Computer Science from Illinois Institute
of Technology. He earned his Ph.D. degree in Computer
Science at Illinois Institute of Technology, June 2003. His
research interests include Computer Architecture,
Programming Languages, and Expert Systems. Tel.: +1
985.549.5088; E-mail: kyang@selu.edu

Justin LeJeune is pursuing a Bachelor of Science in

Information Technology at Southeastern Louisiana
University. He is currently employed as an Application
Developer for IBM in Baton Rouge, Louisiana.
Justin is interested in mainly computer security and Big Data
system development.

Cara Tunstall is currently pursuing a Bachelor of Science in

Information Technology at Southeastern Louisiana
University in Hammond Louisiana, with an anticipated
graduation date of December of 2016. Tunstall is currently
employed as a System Administrator at Laitram L.L.C. in
Harahan Louisiana.

Ihssan Alkadi is on the faculty at Southeastern Louisiana

University. He works in the Computer Science Department.
He received his BS Degree in Computer Science at SLU, May
1985. In May 1992 he earned his MS in Systems Science from
Louisiana State University (LSU). He earned his doctoral
degree in Computer Science from LSU in May 1999. His
research interests include testing in object oriented systems,
systems validation, and systems verification.

978-1-4673-7676-1/16/$31.00 2016 IEEE