A Software Defined Network-Based Security Assessment Framework For CloudIoT
IEEE INTERNET OF THINGS JOURNAL, VOL. 5, NO. 3, JUNE 2018
Abstract—The integration of cloud and Internet of Things (IoT), named CloudIoT, has been considered an enabler for many different applications. However, suspicion about security is one main concern: some organizations hesitate to adopt such technologies, while others simply ignore the security issue when integrating CloudIoT into their business. Therefore, given the numerous choices of cloud-resource providers and IoT devices, how to evaluate their security level becomes an important issue both to promote the adoption of CloudIoT and to reduce business security risks. To solve this problem, considering the importance of the business data in CloudIoT, we develop an end-to-end security assessment framework based on software defined network (SDN) to evaluate the security level of a given CloudIoT offering. Specifically, in order to simplify the network controls and focus on the analysis of the data flow through CloudIoT, we develop a three-layer framework by integrating SDN and CloudIoT, which consists of 23 different indicators describing its security features. Then, interviews with industry and academia are carried out to understand the importance of these features for the overall security. Furthermore, given the relevant evidence from two CloudIoT offerings, Google Brillo and Microsoft Azure IoT Suite, our framework can effectively evaluate the security level, which can help consumers with their CloudIoT selection.

Index Terms—Cloud and Internet of Things (CloudIoT), cloud computing, data-security-oriented, Internet of Things (IoT), security assessment, software defined network (SDN).

Manuscript received August 14, 2017; revised December 4, 2017; accepted January 22, 2018. Date of publication February 5, 2018; date of current version June 8, 2018. This work was supported by the National Science Foundation of China under Grant 61272106 and Grant 61572349. (Corresponding author: Xiaohong Li.)
Z. Han and X. Li are with the Tianjin Key Laboratory of Advanced Networking, School of Computer Science and Technology, Tianjin University, Tianjin 300350, China (e-mail: zhuobinghan@tju.edu.cn; xiaohongli@tju.edu.cn).
K. Huang is with the Sloan School of Management, Massachusetts Institute of Technology, Cambridge, MA 02142 USA (e-mail: keman@mit.edu).
Z. Feng is with the School of Computer Software, Tianjin University, Tianjin 300350, China (e-mail: zyfeng@tju.edu.cn).
Digital Object Identifier 10.1109/JIOT.2018.2801944
1 [Online]. Available: http://www.securityweek.com/ukraine-power-grid-attacks-part-2-year-campaign
2 [Online]. Available: https://developers.google.com/brillo/
3 [Online]. Available: https://www.microsoft.com/en-us/cloud-platform/internet-of-things-azure-iot-suite

I. INTRODUCTION
THE INTERNET of Things (IoT) has recently emerged as a novel networking paradigm to connect a large amount of smart objects for data sharing and exchanging, so that we can measure, communicate, and interact with the real physical world [1]. On the other hand, cloud computing has been accepted as a cost-effective approach for providing high performance computing and virtually unlimited storage resources [2], [3]. Therefore, the integration of these two complementary technologies, the sensor capability from IoT and the computing capability from the cloud, has been accepted as a novel IT paradigm, named CloudIoT [4]–[6], for many different applications, including smart grid [7], smart cities [8], healthcare [9], [10], video surveillance [11], environmental monitoring [12], etc. Actually, CloudIoT is playing an important role in current IT systems, especially for critical infrastructure. Considering that information security has become increasingly important for the current IT environment [13] while many cyber attacks have been observed in recent years, for example, the Ukraine Power Grid Attacks in December 2015 resulting in a loss of electricity for a few hours for around 1.4 million people,1 the security of CloudIoT is no doubt an urgent issue for both industry and academia.

On the other hand, with the prosperity of cloud and IoT in recent years, some CloudIoT solutions, such as Google Brillo2 and Microsoft Azure IoT Suite,3 have been developed for consumers. Due to the complexity of CloudIoT solutions, how to evaluate their security level is a nontrivial task for consumers. Some organizations will hesitate to adopt such technology due to suspicion about the security and incomprehension of the risk, which may harm the development of the related business as well as affect the acceptance of CloudIoT. Conversely, some organizations may simply integrate CloudIoT into their business without considering the security issue, resulting in high risk for them. Therefore, a methodology to assist the security assessment of CloudIoT solutions is necessary for consumers.

Recently, some research on security assessment has turned to focus on the security of cloud-based applications [14], [15] or the IoT environment [16]–[18]. Since these have evolved independently, most of the existing approaches evaluate security separately and expose some weak points in openness and standardization [19]. Actually, since CloudIoT brings data from the real world through the IoT system, uses cloud services to deal with these data, and then enables triggering actions in the real world, focusing only on the cloud or on IoT is not comprehensive for assessing secure data transmission, i.e., network security should be taken into consideration. Due to the fact that legacy network architecture based on closed networks
2327-4662 c 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: INDIAN INST OF INFO TECH AND MANAGEMENT. Downloaded on November 20,2023 at 05:56:40 UTC from IEEE Xplore. Restrictions apply.
HAN et al.: SDN-BASED SECURITY ASSESSMENT FRAMEWORK FOR CLOUDIoT 1425
has a restriction on expanding to various services and interworking with other devices or services, an independent scheme to integrate the entire network is needed [19].

As software defined network (SDN) provides flexibility to manage the network by separating the control plane from the data plane, the integration of SDN and CloudIoT enables more agile and scalable networks based on demand and a simplified and strainless network control. In an SDN, data plane devices are used as packet forwarding devices, leaving the network control management to a logically centralized system called the controller [20]. The controller connects to the switch through a secured OpenFlow [21] channel and manages this switch via the OpenFlow protocol [22]. Several research works have been published on SDN-based architecture [23]–[26].

Therefore, to solve these existing issues, this paper aims to offer an end-to-end security assessment approach for CloudIoT solution selection. Since CloudIoT collects data from the real world and then uses these data to enable further applications, based on the analysis of the data flow, we develop an SDN-based three-layer framework consisting of 23 different indicators to evaluate the data-security-oriented security of the CloudIoT solution. Then, in order to assign the weight for these indicators, an online interview with researchers and practitioners is carried out, and three different methodologies, including AdaRank [27], analytic hierarchical process (AHP) [28], and weighted-mean, are used to integrate the survey and generate a crowd-wisdom weight for the different indicators. Finally, given the documentation of two CloudIoT solutions, Google Brillo based on Google Cloud and Microsoft Azure IoT Suite based on Azure Cloud, we succeed in identifying the security-related evidence and mapping it into the framework, so that we obtain an overall security level to facilitate the selection for consumers. Hence, the main contribution of this paper is the first end-to-end data-security-oriented security assessment approach to assist CloudIoT selection, consisting of the following.
1) An SDN-based three-layer indicator framework for security level assessment.
2) The methodology to integrate indicator weight learning and the mapping of solutions' security-related evidence to offer real-world CloudIoT solution security assessment.

The rest of this paper is organized as follows. Section II surveys the current efforts on security assessment. Section III presents our indicator framework. Section IV reports the interview weight learning process and results. Section V shows the security assessment for the two real-world solutions and discusses our findings. Section VI concludes this paper and proposes some future work.

II. RELATED WORK
Generally, state-of-the-art CloudIoT security publications can be classified into the following categories. Many works in the literature have surveyed cloud and IoT security separately. A broad number of publications review cloud-security issues and challenges, as well as the auditing and assessment approaches, while some studies focus on the security concerns of IoT. In addition, and more related to this paper, there is research on cloud-based IoT and on SDN-based IoT which aims to reveal the challenges and open issues in terms of security.

A. Cloud Security
Various studies have investigated the methodologies of cloud-security auditing and assessment. Pilevari et al. [29] presented a model to assess the satisfaction of users of a given cloud service with two main stages: the first stage is a conceptual model consisting of several attributes, including security, efficiency and performance, adaptability, and cost; the second one is a fuzzy inference system architecture which consists of five main rules and 11 inputs (the attributes). Taha et al. [30] proposed an AHP-based framework to quantitatively compare, benchmark, and rank the security level provided by different cloud service providers based on their security level agreements, depending on cloud user security requirements. Li and Bardi [31] adopted multifuzzy comprehensive evaluation and the AHP method to assess the potential risk of a cloud environment, including asset, vulnerability, threat, and control measures. The result accurately reflects the overall safety condition of the cloud platform.

There are also some works that focus on reviewing the open issues and challenges of cloud security. Abuhussein et al. [14] studied security evaluation of cloud services by identifying and categorizing 17 attributes of cloud security and privacy. By comparing three cloud service providers: 1) Amazon EC2; 2) Microsoft Azure; and 3) Google AppEngine based on their attributes, consumers can get a better view of their security features. Subashini and Kavitha [32] reviewed the security issues based on the service delivery models of cloud computing. They present 14 security issues in SaaS and also make a general survey on PaaS and infrastructure as a service (IaaS).

B. IoT Security
Most IoT security research reviews the security issues within different frameworks. Zhang et al. [18] proposed a four-level security index system, including perceptual layer security, transport layer security, application layer security, and cloud computing security. A fuzzy-AHP method is adopted to evaluate the selected indicators and to find the key indicators of IoT security development. Farooq et al. [33] presented a four-layer architecture of IoT and set the main security goal to keep data confidentiality. Then they discussed 18 open security challenges which should be addressed at each layer. Finally, a security architecture of IoT with 11 security issues is proposed. Qiang et al. [34] described five types of IoT security requirements: 1) RFID tag information security; 2) wireless communications and information security; 3) network transmission of information security; 4) privacy protection; and 5) information processing security. Sathishkumar and Patel [35] also listed several security concerns and privacy concerns of IoT. Three categories of security concerns are proposed: 1) front-end sensors and equipment; 2) network; and 3) back-end of IT systems. Sicari et al. [16]
4) Data Transfer Protocol (I12) [14]: Traditionally, a data transfer protocol is a standardized format for transmitting data between two devices. Cryptographic protocols, such as FTPS (SSL), SFTP (SSH), and HTTPS, protect the data when it travels over the network. In SDN, the data transfer protocol is usually OpenFlow.
5) Transport Encryption (I13) [32]: Transport encryption techniques encrypt all communications from the beginning of the information transfer between devices. Certain encryption algorithms should be put on constrained devices to provide communications security during transport.

C. Cloud-Based Application Layer Indicators
At the cloud-based application layer, data is stored and analyzed on the cloud due to its high reliability, scalability, and autonomy to provide ubiquitous access. However, the virtual environment of the cloud may bring security threats to user data. Thus, virtual machine security, virtual network security, and data security should be taken into consideration. Since virtual machine security and virtual network security are key problems in cloud computing, especially at the IaaS layer, they must be considered in cloud-based IoT systems. Data security focuses on the data acquired from sensor-equipped devices and finally stored and analyzed on the cloud platform. Around these three criteria, ten indicators are examined in order to analyze issues related to cloud-based application layer security (see Fig. 2).
1) Virtual-Machine (VM) Image Repository Security (I14) [48]: The VM image may be attacked by malicious viruses or even stolen. Moreover, VM templates may contain information of previous users, which could be accessed by subsequent users. Since attackers may place a new image or produce poisoned images, scanning and filtering mechanisms are suggested to cloud providers.
2) VM Boundaries (I15) [49]: The VMs coexist on the same server, so that they share resources with limited CPU and memory. As there is no physical isolation among VM resources, an artificial boundary for the virtual machine is the responsibility of the cloud providers.
3) DNS Server Security (I16) [50]: When a DNS server resolves a DNS name request to an IP address, the response ought to exactly match the query. However, if the resolving server caches a malicious response, security problems may ensue. Thus, DNS firewalls and the latest DNS software patches are suggested to ensure DNS server security.
4) Virtual-Switch Security (I17) [51]: Virtual switches enable the specification of a logical network among a set of VMs. There are many types of virtual-switch security mechanisms, such as isolation and content inspection between VMs.
5) Malicious Network Attacks (I18) [32]: Malicious network attacks may happen when user data are transmitted via the virtual network with illegal access. Routine vulnerability scanners are suggested to mitigate malicious attacks.
6) Locality (I19) [14], [32]: Data locality focuses on the storage location of the cloud data, the circumstances under which data are ever transferred from the cloud location, and the location of management and control structures.
7) Integrity (I20) [32], [33], [35]: Data integrity is the maintenance of the accuracy and consistency of data over its entire life-cycle. Service providers should provide some tracking methods to protect user information from unauthorized tampering during data transmission.
8) Isolation (I21) [14]: Data isolation determines how transaction integrity is visible to other users and systems. In order to guarantee that user transactions are independently executed, mechanisms supporting data isolation, such as the two-phase locking protocol, should be provided by service providers.
9) Confidentiality (I22) [33], [35], [37]: Data confidentiality focuses on the ability to protect user privacy and sensitive data, which means only authorized users can get access to the data. There are several mechanisms to ensure data confidentiality, such as virtual private networks or physical media encryption.
10) Post-Termination Data Management (I23) [14]: Some cloud service providers may not erase the customer's data immediately when their contract expires. Post-termination data management is a way of maintaining the client data and ensuring the security of the data before the client retrieves it, or for a period of time.

IV. INDEX WEIGHT LEARNING
Straightforwardly, we can employ the presented indicators to evaluate the security level of the CloudIoT. However, different indicators in different layers make different contributions to the overall security. Therefore, to get the weight for the different indicators, in this section an online interview with researchers and practitioners is carried out to assign the weight for these indicators based on their experience. Then three different methodologies, including AdaRank [27], AHP [28], and weighted-mean, are used to integrate the survey and generate a crowd-wisdom weight.

A. Online Interview
A 13-item short-form4 was constructed to survey the relative importance of the proposed CloudIoT security evaluation indicators. The survey was designed to obtain the experts' knowledge on CloudIoT security assessment and an indicator importance ranking list; it includes 12 multi-item scales that assess all eight criteria and 23 indicators. As CloudIoT security is a specific, knowledge- and experience-intensive domain, we should not use a general crowdsourcing platform, such as Amazon Mechanical Turk,5 to hire people for the interview. Instead, based on the online communities focusing on the related domains, we succeeded in inviting 46 persons with

4 [Online]. Available: https://sojump.com/jq/10302676.aspx
5 [Online]. Available: https://www.mturk.com/mturk/welcome
TABLE I: AdaRank Notations and Explanations
TABLE II: 0-2 Scale of Relative Importance
TABLE IV: Comparing the Results by Three Different Ranking Methods With All the Participants' Data
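The weight aggregation of this section and the scoring, ranking and gap analysis applied in the case study of Section V, as an added example with constructed survey and expert data (this is not the authors' code; the 1-5 survey scale and the numeric values given to the "low"/"medium"/"high" relevance marks are assumptions, since the page states only the labels):

```python
"""Weight learning and security-level scoring for a CloudIoT offering in the
style of the paper's framework. Added example with constructed data; this is
not the authors' code."""
from statistics import mean
import math

# Constructed importance ratings from four survey participants on an assumed
# 1-5 scale, for a subset of the paper's indicators (ids as on the page:
# I6 authentication, I9 network socket, I12 data transfer protocol,
# I13 transport encryption, I16 DNS server security, I22 data confidentiality).
SURVEY_RATINGS = {
    "I6": [3, 4, 2, 3], "I9": [2, 1, 1, 2], "I12": [5, 4, 5, 4],
    "I13": [5, 5, 5, 5], "I16": [4, 3, 4, 3], "I22": [2, 3, 3, 2],
}

# Assumed numeric mapping of the experts' "low"/"medium"/"high" relevance marks
# to a covered degree; the page gives the labels but not the numbers.
DEGREE = {"low": 1 / 3, "medium": 2 / 3, "high": 1.0}

# Constructed marks from five experts for two hypothetical offerings.
EVIDENCE_MARKS = {
    "offering_a": {"I6": ["medium"] * 5, "I9": ["medium"] * 5,
                   "I12": ["high", "high", "high", "medium", "medium"],
                   "I13": ["high"] * 5, "I16": ["high"] * 5, "I22": ["low"] * 5},
    "offering_b": {"I6": ["medium"] * 5, "I9": ["medium"] * 5, "I12": ["high"] * 5,
                   "I13": ["medium"] * 5, "I16": ["low"] * 5, "I22": ["high"] * 5},
}


def normalize(weights):
    """Scale a weight vector so that it sums to 1."""
    total = sum(weights.values())
    return {k: v / total for k, v in weights.items()}


def weighted_mean_weights(ratings):
    """Weighted-mean method: average each indicator's ratings over the
    participants, then normalize across indicators."""
    return normalize({ind: mean(r) for ind, r in ratings.items()})


def combine_weight_sets(*weight_sets):
    """Average the (normalized) weight vectors of several methods, as the
    paper does with its AdaRank, AHP and weighted-mean results."""
    normed = [normalize(w) for w in weight_sets]
    return {ind: mean(w[ind] for w in normed) for ind in normed[0]}


def indicator_scores(weights, marks):
    """Per-indicator contribution: weight times the experts' mean degree."""
    return {i: weights[i] * mean(DEGREE[m] for m in marks[i]) for i in weights}


def overall_score(weights, marks):
    """Overall security score: sum of the weighted covered degrees."""
    return sum(indicator_scores(weights, marks).values())


def rank(values):
    """Rank keys 1..n by descending value (ties broken by key order)."""
    ordered = sorted(values, key=lambda k: (-values[k], k))
    return {ind: pos for pos, ind in enumerate(ordered, start=1)}


def pearson(xs, ys):
    """Pearson correlation coefficient; on tie-free rank vectors it equals
    the Spearman rank correlation."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy)


def ranking_correlation(weights, marks):
    """Correlation between the offering's indicator ranking and the importance
    ranking, the test the case study applies to each offering."""
    importance, solution = rank(weights), rank(indicator_scores(weights, marks))
    inds = sorted(weights)
    return pearson([importance[i] for i in inds], [solution[i] for i in inds])


def weaknesses(weights, marks, min_gap=2):
    """Indicators whose position in the offering's ranking lags their
    importance rank by at least min_gap places, i.e. the 'significant gap'
    the case study uses to point out an offering's weak spots."""
    importance, solution = rank(weights), rank(indicator_scores(weights, marks))
    return sorted(i for i in weights if solution[i] - importance[i] >= min_gap)
```

With these constructed inputs offering_a scores about 0.81 with a ranking correlation near 0.94 and no significant gap, while offering_b scores 0.725, correlates at about 0.71 and shows I16 (DNS server security) as its weak spot.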
TABLE VI: Comparing Different Groups of Participants With LTR (AdaRank)

rating. Furthermore, for "data isolation," which is important for privacy, the professor group and the industry group give a much higher rating than the student group. Conversely, the student group gives "authentication" and "network socket" a much higher rating than the professor and industry groups.

Therefore, based on the experiments, we can see that a group's background affects the ranking of the indicators. We will further discuss these observations in Section VI. Since the rankings of the weights for the different indicators from the three approaches are consistent, we will use the average of these three approaches for the further solution security level assessment.

V. CLOUDIOT SOLUTION SECURITY LEVEL ASSESSMENT: CASE STUDY
Up to now we have obtained the different weights for the different indicators, representing their importance for the overall security. Therefore, given a CloudIoT solution, we can map its security-related mechanisms into the framework to figure out whether they offer the necessary security guarantee. Since we offer a definition for each indicator, we can use the related key words to search over the solution's description documents to find the related security mechanisms. Then, for each found mechanism, we can further evaluate its relevance to the indicator. To assess this relevance, similarly, we invite five security experts chosen from the survey participants, show them the related evidence, and ask them to mark the relevance as "low," "medium," or "high," which represents the degree to which the solution solves the security concern. Finally, we get the ranking based on the input from these experts and then calculate the overall security score by multiplying the indicators' weights by the covered degree.

To prove the effectiveness of this framework, in this section we demonstrate how our framework can offer end-to-end CloudIoT solution security assessment, using the following two real-world CloudIoT offerings as the cases.
1) Google Brillo is an OS for low-powered IoT devices with three elements: a) Android-based embedded OS; b) core platform services; and c) a developer kit. Google Brillo is about the smart home, and comes hand-in-hand with Google's new communications protocol called Google Wave Federation Protocol.6 Google's Brillo OS will run on devices with 64 or 32 MB of RAM and will launch under the Android brand. The data storage and processing center for this IoT service can be the Google cloud, including the Google Compute Engine and the Google App Engine.
2) Azure IoT Suite is a set of cloud-based services built on the flexible and scalable Microsoft Azure Cloud Platform, which is about the business. The Azure IoT Suite is designed to integrate with existing processes, devices, and systems to enable users to analyze and mine disparate data with worldwide availability of the Microsoft Cloud Platform, which includes Azure's Linux virtual machine and Azure's new "cloud services."

These two CloudIoT offerings both provide official, publicly available security documentation, so that we can find the related evidence explaining how these providers address the concern related to each indicator. Some examples of the evidence are listed in Table VII and the whole list is in the link.7 Finally, we can generate the ranking of these indicators for each solution, which is shown in Table VIII. It can be seen as follows.
1) The indicators at the SDN layer rank at the top, which is consistent with the learning results presented in Section IV. The average score shows that the eight indicators in the perception layer (A1) and the "network socket (A2-C4-I9)" occupy the bottom nine positions. Google Brillo contains four bottom indicators and Azure IoT Suite has five. However, for Google Brillo, it can be seen that authentication (A1-C3-I6) has a relatively top position. This indicates that neither of these two solutions pays much attention to the perception layer, while Google Brillo may have a better security level there than Azure IoT Suite.
2) Comparing the two solutions in the cloud-based application layer, it is obvious that Azure CloudIoT has better security-related performance: four indicators in "data security," all except "data locality," gain the top positions, while these indicators have a high importance. However, at the same level, all the indicators for Google Brillo are lower than the top 8. This indicates that for the security level in the data security criterion in the cloud-based application layer, Azure CloudIoT performs better than Google Brillo. Actually, Azure CloudIoT has a higher overall score than Google Brillo. The Pearson correlation test shows that the ranking of the indicators for Azure has a significant positive correlation with the indicator importance ranking, r = 0.574, p = 0.004. However, the correlation between Google Brillo and the indicator importance ranking does not pass the test. Hence, we can conclude that overall, Azure IoT Suite has a better security level than Google

6 [Online]. Available: www.waveprotocol.org/
7 [Online]. Available: https://www.overleaf.com/6848614vxbfhcbddfyb
TABLE VII: Priority Weights and Evidence Analysis for Case Studies
TABLE VIII: Assessment Based on Google Brillo and Azure IoT Suite

Brillo. This is consistent with our previous work on assessing cloud security [55].
3) Comparing the two solutions with the indicator importance ranking, Azure IoT has a relative weakness in "port security," "virtual switch security," and "DNS server security," as there is a significant gap between its ranking and the indicator importance ranking. On the other hand, for Google Brillo, the weakness lies in "data isolation" and "data confidentiality." The good news is that Google Brillo performs better in authentication at the perception layer. Hence, it can have relatively better performance than Azure IoT in defending against cyberattacks on IoT devices.
Therefore, the results from the two cases show that our framework can help the consumer compare the security level of the offered solutions with an overall security score. It can also identify weaknesses, so that the providers have a guide to improve their solution's security.

A. Discussion
Since our approach aims at providing an overall evaluation result for a given CloudIoT offering in terms of security, we can also help the customer who seeks to use offerings with specific security requirements. In such cases, some indicators from our indication framework are obviously important, while others are obviously irrelevant. The weights learned in Section III are no longer suitable, but customized weights can be generated in the same way as in our approach. A set of survey questions about the specialized use case can be formulated, weights can be assigned to the question responses according to the security needs, and various analysis approaches can again be adopted to formulate a crowd-reviewed ranking of the responses.

Due to the complexity of the CloudIoT platform, there are numerous indicators that affect the security assessment of CloudIoT offerings besides our indication framework, for example, the number and severity of major security incidents, as well as the number and scale of CloudIoT deployments. These indicators also provide measures of the readiness of the CloudIoT offering for deployment, as well as the popularity of the offering. However, our approach is data-security-oriented: we design the framework based on the basic thought of ensuring data security during the whole process of data flow and simplifying the network control, decision making, and action implementation process.

Additionally, based on our experiment, it can be seen that overall, the security of the perception layer is considered a low priority, while the two solutions also offer few mechanisms to guarantee this layer's security. However, on October 21, 2016, massive parts of the Internet in the USA were shut down by a huge DDoS attack. One of the sources of the attack traffic was the Mirai botnet, which consists of millions of infected IoT and smart home devices.8 This October-21 DDoS attack rang the bell for the whole society, including academia and industry, to pay attention to the security of the perception layer. The good news is that our experiment shows that the professor group gives a relatively higher rating to this layer. The Google Brillo solution pays specific attention to authentication for defending against cyberattacks on IoT devices. However, there is still a long way to go for the security of CloudIoT.

B. Threats to Validity
There are internal and external threats that may potentially affect the validity of our experiments.
1) Threats to Internal Validity: These relate to errors in our experimental dataset and methodology implementation. We avoid such errors by having implementation and experiment results double checked by co-authors. We have also manually checked the statistics in our interview and the scores given by

8 [Online]. Available: http://www.zonealarm.com/blog/2016/10/how-internet-shut-down-ddos-attack-dyn/
security experts, to ensure that they are matched with the right value and that values are assigned to the right indicators.
2) Threats to External Validity: These relate to the generalizability of our results. In this paper, we assume that a business consumer can get access to cybersecurity experts who can use the proposed assessment framework to evaluate candidate CloudIoT offerings. We have a small number of applicants in the interview and the number of security experts is limited, which may lead to bias. Besides, the reliance on specifications of the CloudIoT offering recovered from the security technical documentation leads to the possibility that vague or incomplete documentation may affect the security assessment. These allow us to perform manual analysis to understand the capability and limitations of our approach. We will reduce this threat by expanding the scope of the interview and introducing semantic analysis into the framework to automatically identify the evidence from the solution description documents, to facilitate the assessment process in the future.

VI. CONCLUSION
The integration of cloud computing and IoT motivates the emergence of CloudIoT. Since security has become an important issue for its adoption, how to evaluate the security level of the offered solution is valuable and necessary for consumers. In this paper, based on the analysis of the data flow over the CloudIoT, we propose an SDN-based three-layer indication framework consisting of 23 indicators. To evaluate the importance of these indicators, we construct the online survey research to invite experts from researchers and practitioners to rate the indicators, and then three different methodologies to generate the aggregate rating are used to

[4] A. Botta, W. De Donato, V. Persico, and A. Pescapé, "Integration of cloud computing and Internet of Things: A survey," Future Gener. Comput. Syst., vol. 56, pp. 684–700, Mar. 2016.
[5] M. Díaz, C. Martín, and B. Rubio, "State-of-the-art, challenges, and open issues in the integration of Internet of Things and cloud computing," J. Netw. Comput. Appl., vol. 67, pp. 99–117, May 2016.
[6] J. Zhou et al., "CloudThings: A common architecture for integrating the Internet of Things with cloud computing," in Proc. IEEE 17th Int. Conf. Comput. Supported Cooperat. Work Design (CSCWD), 2013, pp. 651–657.
[7] M. Yun and B. Yuxin, "Research on the architecture and key technology of Internet of Things (IoT) applied on smart grid," in Proc. Int. Conf. Adv. Energy Eng. (ICAEE), 2010, pp. 69–72.
[8] I. P. Zarko, A. Antonic, and K. Pripužic, "Publish/subscribe middleware for energy-efficient mobile crowdsensing," in Proc. ACM Conf. Pervasive Ubiquitous Comput. Adjunct Publ. (UbiComp Adjunct), 2013, pp. 1099–1110.
[9] A. Forkan, I. Khalil, and Z. Tari, "CoCaMAAL: A cloud-oriented context-aware middleware in ambient assisted living," Future Gener. Comput. Syst., vol. 35, pp. 114–127, Jun. 2014, doi: 10.1016/j.future.2013.07.009.
[10] G. Fortino, D. Parisi, V. Pirrone, and G. Di Fatta, "BodyCloud: A SaaS approach for community body sensor networks," Future Gener. Comput. Syst., vol. 35, pp. 62–79, Jun. 2014, doi: 10.1016/j.future.2013.12.015.
[11] A. Prati, R. Vezzani, M. Fornaciari, and R. Cucchiara, "Intelligent video surveillance as a service," in Intelligent Multimedia Surveillance. Heidelberg, Germany: Springer, Nov. 2013, pp. 1–16.
[12] M. T. Lazarescu, "Design of a WSN platform for long-term environmental monitoring for IoT applications," IEEE J. Emerg. Sel. Topics Circuits Syst., vol. 3, no. 1, pp. 45–54, Mar. 2013.
[13] R. Anderson and T. Moore, "The economics of information security," Science, vol. 314, no. 5799, pp. 610–613, 2006.
[14] A. Abuhussein, H. Bedi, and S. Shiva, "Evaluating security and privacy in cloud computing services: A Stakeholder's perspective," in Proc. Internet Technol. Secured Trans., 2012, pp. 388–395.
[15] M. Sookhak et al., "Remote data auditing in cloud computing environments: A survey, taxonomy, and open issues," ACM Comput. Surveys, vol. 47, no. 4, pp. 1–34, 2015.
[16] S. Sicari, A. Rizzardi, L. A. Grieco, and A. Coen-Porisini, "Security, privacy and trust in Internet of Things: The road ahead," Comput. Netw., vol. 76, pp. 146–164, Jan. 2015, doi: 10.1016/j.comnet.2014.11.008.
[17] H. Yu, J. He, T. Zhang, P. Xiao, and Y. Zhang, "Enabling end-to-
gain the weights. Given the weights for different indicators, end secure communication between wireless sensor networks and the
Internet,” World Wide Web, vol. 16, no. 4, pp. 515–540, 2013.
taking the two real-world CloudIoT solutions as an example, [18] B. Zhang, Z. Zou, and M. Liu, “Evaluation on security system of Internet
we identify the evidences for the related security mechanisms of Things based on fuzzy-AHP method,” in Proc. E-Bus. E-Govt.
so that we can figure out how the solutions offer the security (ICEE), 2011, pp. 2230–2234, doi: 10.1109/ICEBEG.2011.5881939.
[19] S. Kim and W. Na, “Safe data transmission architecture based on
guarantee for customers. Therefore, we can offer the consumer cloud for Internet of Things,” Wireless Pers. Commun., vol. 86, no. 1,
the end-to-end approach to compare the security level of dif- pp. 287–300, 2016.
ferent solutions as well as to identify the weakness for the [20] K. S. Sahoo, B. Sahoo, and A. Panda, “A secured SDN framework for
IoT,” in Proc. IEEE Int. Conf. Man Mach. Interfacing (MAMI), 2015,
solution providers. pp. 1–4.
In the future, we will expand the scope of the interview [21] N. McKeown et al., “OpenFlow: Enabling innovation in campus
and the cases not only to understand the current security sta- networks,” ACM SIGCOMM Comput. Commun. Rev., vol. 38, no. 2,
pp. 69–74, 2008.
tus of the CloudIoT ecosystem but also to make the indicator [22] O. Flauzac, C. González, A. Hachani, and F. Nolot, “SDN based archi-
framework more comprehensive. Also, we are intending to tecture for IoT and improvement of the security,” in Proc. IEEE 29th
introduce the semantic analysis into the framework to auto- Int. Conf. Adv. Inf. Netw. Appl. Workshops (WAINA), 2015, pp. 688–693.
[23] B.-L. Cai, R.-Q. Zhang, X.-B. Zhou, L.-P. Zhao, and K.-Q. Li,
matically identify the evidence from the solution description “Experience availability: Tail-latency oriented availability in software-
documents to facilitate the assessment process. defined cloud computing,” J. Comput. Sci. Technol., vol. 32, no. 2,
pp. 250–257, 2017.
[24] K. Sood, S. Yu, and Y. Xiang, “Software-defined wireless networking
R EFERENCES opportunities and challenges for Internet-of-Things: A review,” IEEE
Internet Things J., vol. 3, no. 4, pp. 453–463, Aug. 2016.
[1] J. Gubbi, R. Buyya, S. Marusic, and M. Palaniswami, “Internet of [25] C. Vandana, “Security improvement in IoT based on software defined
Things (IoT): A vision, architectural elements, and future directions,” networking (SDN),” Int. J. Sci. Eng. Technol. Res., vol. 5, no. 1,
Future Gener. Comput. Syst., vol. 29, no. 7, pp. 1645–1660, 2013, pp. 291–295, 2016.
doi: 10.1016/j.future.2013.01.010. [26] F. Olivier, G. Carlos, and N. Florent, “New security architecture for IoT
[2] M. Armbrust et al., “Above the clouds: A Berkeley view of cloud com- network,” Procedia Comput. Sci., vol. 52, pp. 1028–1033, 2015.
puting,” EECS Dept., Univ. California at Berkeley, Berkeley, CA, USA, [27] J. Xu and H. Li, “AdaRank: A boosting algorithm for information
Rep. UCB/EECS-2009-28, pp. 7–13, 2009. retrieval,” in Proc. 30th Annu. Int. ACM SIGIR Conf. Res. Develop.
[3] R. Buyya, C. S. Yeo, S. Venugopal, J. Broberg, and I. Brandic, “Cloud Inf. Retrieval, 2007, pp. 391–398.
computing and emerging IT platforms: Vision, hype, and reality for [28] Q. Zhang and M. Zhong, “Using multi-level fuzzy comprehensive evalu-
delivering computing as the 5th utility,” Future Gener. Comput. Syst., ation to assess reservoir induced seismic risk,” J. Comput., vol. 6, no. 8,
vol. 25, no. 6, pp. 599–616, Jun. 2009. pp. 1670–1676, 2011.
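The conclusion above describes the scoring idea in one sentence: expert ratings are aggregated into indicator weights, and an offering's score is the weighted evidence found in its documentation. The following added example (not the paper's code) shows that pipeline end to end for two constructed offerings. It assumes one simple aggregation, the normalised mean of expert ratings; the paper's three aggregation methodologies and its 23 real indicators are not reproduced here. The layer and indicator names, the expert ratings and the evidence flags are all constructed placeholders.

```python
"""Weighted indicator scoring for comparing candidate CloudIoT offerings.

Added illustration, not the paper's implementation. Indicator names,
expert ratings and evidence flags are constructed placeholders; the
aggregation used (normalised mean of ratings) is an assumption.
"""
from collections import defaultdict
from statistics import mean

# Constructed three-layer indicator catalogue: (layer, indicator).
INDICATORS = [
    ("device", "device_authentication"),
    ("device", "firmware_integrity"),
    ("network", "transport_encryption"),
    ("network", "sdn_flow_isolation"),
    ("cloud", "data_at_rest_encryption"),
    ("cloud", "access_control"),
]

# Constructed expert ratings on a 1-5 importance scale, one list per indicator.
EXPERT_RATINGS = {
    "device_authentication": [5, 4, 5],
    "firmware_integrity": [4, 3, 4],
    "transport_encryption": [5, 5, 5],
    "sdn_flow_isolation": [3, 4, 3],
    "data_at_rest_encryption": [4, 5, 4],
    "access_control": [5, 4, 4],
}

# Constructed evidence flags: True where the offering's documentation
# shows the security mechanism behind the indicator is present.
EVIDENCE_A = {
    "device_authentication": True, "firmware_integrity": False,
    "transport_encryption": True, "sdn_flow_isolation": True,
    "data_at_rest_encryption": True, "access_control": True,
}
EVIDENCE_B = {
    "device_authentication": True, "firmware_integrity": True,
    "transport_encryption": True, "sdn_flow_isolation": False,
    "data_at_rest_encryption": False, "access_control": True,
}


def mean_weights(ratings):
    """Aggregate ratings by averaging each indicator's scores, then
    normalise so that all indicator weights sum to 1.0 (assumed method)."""
    averages = {name: mean(scores) for name, scores in ratings.items()}
    total = sum(averages.values())
    return {name: avg / total for name, avg in averages.items()}


def score_offering(weights, evidence):
    """Weighted coverage: the sum of the weights of indicators for which
    the offering provides evidence. Ranges from 0.0 to 1.0."""
    return sum(w for name, w in weights.items() if evidence.get(name, False))


def layer_breakdown(weights, evidence):
    """Per-layer coverage, so a consumer sees *where* an offering is weak."""
    covered, total = defaultdict(float), defaultdict(float)
    for layer, name in INDICATORS:
        total[layer] += weights[name]
        if evidence.get(name, False):
            covered[layer] += weights[name]
    return {layer: covered[layer] / total[layer] for layer in total}


def weakest_indicators(weights, evidence):
    """Uncovered indicators, most important first: the gap list a provider
    would be asked to address."""
    missing = [name for name in weights if not evidence.get(name, False)]
    return sorted(missing, key=lambda name: -weights[name])


def rank_offerings(weights, offerings):
    """Rank named offerings by weighted coverage, highest first."""
    scored = [(name, score_offering(weights, ev)) for name, ev in offerings.items()]
    return sorted(scored, key=lambda pair: -pair[1])


if __name__ == "__main__":
    w = mean_weights(EXPERT_RATINGS)
    for name, ev in (("A", EVIDENCE_A), ("B", EVIDENCE_B)):
        print(name, round(score_offering(w, ev), 3), layer_breakdown(w, ev),
              weakest_indicators(w, ev))
    print(rank_offerings(w, {"A": EVIDENCE_A, "B": EVIDENCE_B}))
```

The per-layer breakdown and the ordered gap list are the two outputs a consumer actually acts on: the overall score ranks candidates, while the gap list tells a provider which missing mechanism costs the most weight.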
Authorized licensed use limited to: INDIAN INST OF INFO TECH AND MANAGEMENT. Downloaded on November 20,2023 at 05:56:40 UTC from IEEE Xplore. Restrictions apply.
Zhuobing Han (GS'15) received the B.S. degree in computer science from Sichuan University, Chengdu, China, in 2011 and the M.S. degree from Tianjin University, Tianjin, China, in 2013, where she is currently pursuing the Ph.D. degree at the School of Computer Science and Technology. Her current research interests include software security assessment, software evolution analysis, and mining software repositories.

Xiaohong Li (M'17) received the Ph.D. degree from Tianjin University, Tianjin, China. She is a Full Tenured Professor with the School of Computer Science and Technology, Tianjin University. Her current research interests include knowledge engineering, trusted computing, and security software engineering.

Keman Huang (GS'13–M'17) received the B.S. degree from the Department of Automation, School of Economics and Management, Tsinghua University, Beijing, China, in 2009, and the Ph.D. degree from the Department of Automation, Tsinghua University, in 2014. He is currently with the Sloan School of Management, Massachusetts Institute of Technology, Cambridge, MA, USA. His current research interests include service ecosystem, service recommendation, mobile service, and semantic Web. Dr. Huang was a recipient of the Best Student Paper Award from the IEEE ICWS 2014 and the ICSS 2013.

Zhiyong Feng (M'13) received the Ph.D. degree from Tianjin University, Tianjin, China. He is currently a Full Professor with the School of Computer Software, Tianjin University. He has authored 1 book, over 130 papers, and holds 39 patents. His current research interests include knowledge engineering, service computing, and security software engineering. Dr. Feng is a member of the IEEE Computer Society and ACM.