
First Author et al.: Title 3

An Approach to Security Protocols and Algorithms to Mitigate Data Risks in the Cloud in a Distributed Environment

Moisés Toapanta 0000-0002-9041-0518, Cynthia Guaigua 0000-0002-6571-4747 and Enrique Mafla 0000-0002-7808-7738

Abstract—The cloud has been under attack for many years because it offers some services, including data storage. Cloud attacks, security protocols and algorithms were analyzed to mitigate data risks in the cloud. The main objective was to propose a protocol to decrease these attacks that affect the cloud. An algorithm was implemented that identifies unknown users for the server, and known users were allowed access to the cloud. The deductive method and exploratory research were used to analyse the information in the reference articles. The results that were adopted are: a general model to protect the cloud from attack, a prototype for security in the cloud, an algorithm in the flowchart to protect the cloud from attack and a probability formula to defend the cloud from attack. Each result was checked to prove the intended objective. It was concluded that the proposal generated is an alternative to keep information safe, reliable and available.

Index Terms— Security algorithms, security protocols, distributed environment, data storage, cloud security

I. INTRODUCTION

THE cloud has become a vital technology, but attacks are becoming more frequent due to the exponential growth of the volume of data in the network and the severity of the damage these attacks can cause to different environments. It is now 20 years since the first DDoS attack, and it is currently considered one of the most serious threats because it overloads systems [1]. These attackers try to exhaust the victim's resources using mainly protocols such as TCP, UDP, ICMP and DNS. If a vulnerable system exists in-house, it communicates with other compromised systems to achieve its objective [3].

Today, in order to reduce risks, we must implement good encryption using algorithms before uploading files to the cloud. This way we can verify the origin of the data and confirm that it has not been modified. For example, encryption with a 256-bit key is safer than with a 128-bit one; the attack risk elements must be identified, classified, quantified and prioritized [4]. Without good security it is difficult to identify the attacker.

What are the security protocols and algorithms to mitigate data risks in a distributed environment?

The goal is to generate a protocol by implementing an algorithm that, in this investigation, will allow us to reduce possible attacks on the cloud. The review of the references found motivates us to analyze and identify which part of the process of storing data in the cloud can be improved. By performing simulations, we can demonstrate the effectiveness of what is proposed.

This work is supported by the Universidad Politécnica Salesiana of Ecuador (UPS), Escuela Politécnica Nacional (EPN) and Secretaría de Educación Superior, Ciencia, Tecnología e Innovación (Senescyt).
Author 1: Moisés Toapanta. He is currently Professor at the Department of Computer Science in the Universidad Politécnica Salesiana of Ecuador (UPS), Investigador Acreditado and Categorizado of the Senescyt, Research Group Coordinator: Computing, Security and Information Technology for a Globalized World (CSITGW), Guayaquil - Ecuador (stoapanta@ups.edu.ec).
Author 2: Cynthia Janeth Guaigua Bucheli, student at the Universidad Politécnica Salesiana of Ecuador (UPS) (cguaigua@est.ups.edu.ec).
Author 3: Enrique Mafla. He is currently a Senior Lecturer at the Faculty of Engineering Systems of the Escuela Politécnica Nacional (EPN), Quito - Ecuador (enrique.mafla@epn.edu.ec).

The revised articles related to mitigating the risks of cloud data are: IoT as a Land of Opportunity for DDoS Hackers [1], A Multi-Level DDoS Mitigation Framework for the Industrial Internet of Things [2], Modern Machine Learning for Cyber-Defense and Distributed Denial-of-Service Attacks [3], Cloud Attack and Risk Assessment Taxonomy [4], Combating DDoS Attacks in the Cloud: Requirements, Trends, and Future Directions [5], Detecting TCP-based DDoS Attacks in Baidu Cloud Computing Data Centers [6], On the Move: Evading Distributed Denial-of-Service Attacks [7], Demystifying DDoS as a Service [8], DDoS Attack Detection Scheme Based on Entropy and PSO-BP Neural Network in SDN [9], Adequate Security Protocols Adopt in a Conceptual Model in Identity Management for the Civil Registry of Ecuador [10], Appropriate Security Protocols to Mitigate the Risks in Electronic Money Management [11], A quantitative security metric model for security controls: Secure virtual machine migration protocol as target of assessment [12], Extended TLS
security and Defensive Algorithm in OpenFlow SDN [13], Improve data security in cloud environment by using LDAP and two way encryption algorithm [14], miTLS: Verifying Protocol Implementations against Real-World Attacks [15], Design and Implementation of a Client Based DNSSEC Validation and Alert System [16], Cloud computing security risks with authorization access for secure Multi-Tenancy based on AAAS Protocol [17], A new authentication protocol for an Authentication-as-a-Service (AaaS) cloud using Pedersen commitment scheme [18], Secure data sharing in multi-clouds [19], DDoS attack mitigation and Resource provisioning in Cloud using Fog Computing [20], Minimizing Financial Cost of DDoS Attack Defense in Clouds with Fine-Grained Resource Management [21], Cloud-centric multi-level authentication as a service for secure public safety device networks [22], Secure algorithm for cloud computing and its applications [23], Improving Privacy and Trust in Federated Identity Using SAML with Hash Based Encryption Algorithm [24], Securing Cloud Computing Environment using a new Trend of Cryptography [25], TTP based vivid protocol design for authentication and security for cloud [26], Design and Implementation of a Lightweight Privacy extension of DNSSEC protocol [27], Securing Data and Reducing the Time Traffic Using AES Encryption with Dual Cloud [28], A Secure Erasure Cloud Storage System Using Advanced Encryption Standard Algorithm and Proxy Re-Encryption [29], A Hybrid Cryptography Algorithm for Cloud Computing Security [30], An Approach of Efficient Security Algorithms for Distribute Architectures [31], Cloud Security and Storage Space Management using DCACrypt [32], Encrypted Data Management with Deduplication in Cloud Computing [33], A practical group key management algorithm for cloud data sharing with dynamic group [34], Secure multi-keyword search supporting dynamic update and ranked retrieval [35], A pragmatic elliptic curve cryptography-based extension for energy-efficient device-to-device communications in smart cities [36], CFSec: Password based secure communication protocol in cloud-fog environment [37], Authentication protocol in CTNs for a CWD-WPT charging system in a cloud environment [38], Certificateless Anonymous User Authentication Protocol for Cloud Computing [39], RSEAP: RFID based secure and efficient authentication protocol for vehicular cloud computing [40], Feasibility of FPGA Accelerated IPsec on Cloud [41], SSH Key Management Challenges and Requirements [42].

In the method we applied our own protocol, comparing it with those we analyzed in the references; we also analyzed the algorithms to see which would be more optimal to implement. The results we generate are: a conceptual model to protect the cloud from attack, a prototype of security in the cloud, an algorithm in the flowchart to protect the cloud from attack and a probability formula to defend the cloud from attack. Each result has its own verification.

It concludes that the results are an alternative to improve cloud data security. In the simulations we can check the mitigation of the data risks in the cloud.

II. MATERIALS AND METHODS

In the first instance, in materials, we work with means and procedures based on the review of the reference articles. Second, in methods, the following was proposed: security protocols, a comparative table with our proposed protocol, a comparative table of algorithms and a methodology to generate results.

A. Materials

In 2015 Arbor Networks reported that DDoS attacks with more than 500 Gbps of bandwidth had been carried out. It also indicated that more than 33% of DDoS attacks were directed at cloud services [5]. The authors point out that the attacks can last from a few seconds to weeks, causing a big impact. When they succeed, it is difficult to identify the source of the attack, which is what leaves the victim unable to defend himself [6] and [7].

The authors point out that the increase in attacks is currently due to commodification: requests are made from several computers using a remote control method to send a large number of packets to the target host with a fake IP as the source IP, which can cause the network capacity to overflow and lead to a denial of service to normal traffic [8] and [9].

The authors describe encryption as a means of demonstrating authenticity, origin of information and confidentiality through an algorithm and the appropriate key [12].

To prevent the release of passwords on the web, the authors propose using the TLS protocol because it provides comprehensive protection and identifies the risk involved in the attack [13]. The author Raipurkar indicates that the system uses an authentication method: if the user does not have a validated IP address, it is detected with a fake-IP detection tool, which proceeds to block this user [14]. The authors propose a new correction at the protocol level to protect against threats such as the forwarding of credentials [15]. The author Kakoi proposes a client-based warning and validation system [16]. DNSSEC validates the request sent by the user; if there is a validation error, the user is informed by an alert message because the received IP is not identical to the registered one.

The AAAS protocol is used for authentication, authorization and secure transport accounting [17] and [18]. Cloud authorization services operate on the second layer, protecting the resources of these services with the authorized client API and storing authorization and membership data in the database. This protocol consists of 4 phases: registration, request, authentication and reports.

The author Razaque et al. use a multi-cloud architecture to reduce the risk of service availability failures, data loss and corruption by decreasing the amount of data stored in each of these clouds. This way the availability problems can be solved, but to increase security the data is encrypted, being more protected and difficult to decipher [19].
The authors propose to use a resource provisioning algorithm and a fog server placed between the user and the cloud to defend it from DDoS attacks; the rules that apply for forwarding packets and better resource management are defined on the basis of the protocol used, packet size, traffic speed and duration of the attack [20]. The authors indicate that each request will consume a certain amount of memory resources, setting a scenario of 500 requests per second [21].

The authors propose authentication as a cloud service that can be configured on a large number of devices. The user sends the request, which is validated by the SHA-1 algorithm and verified using his public key; if the verification is successful a node is sent to the coordinator for identification, and once authenticated he has access to the information in the cloud [22].

The scheme proposed by the authors is a hybrid encryption algorithm with AES having 3 processes: key generation, encryption and decryption. They generate public and private keys; secret keys can be shared between users and only they know these keys. To encrypt the data a secret key is shared that is encrypted with a public key, and to decrypt, different keys are used so that the information cannot be learned [23].

The authors propose an HBE algorithm. User information and credentials are identified and stored in the PAD by providing a PIN to access a number of different services. SML provides a secure login, allowing authentication and security for each identity. The HBE algorithm can encrypt and decrypt using 128-bit keys; with this procedure it is difficult to obtain the identities of each user [24].

The authors incorporate the QAES algorithm. QKD and AES algorithms are used to provide an unconditional level of security; the AES generates the QKD key in the encryption process, which becomes difficult to attack and decrypt. Each session is changed to a different key [25].

They implement the firefly algorithm and the Merkle hash to mitigate the risks of the authentication problem. Parameters such as encryption time, decryption time, network delay, performance, response time, migration time, scalability and fault tolerance will each be evaluated by the algorithm to facilitate authentication of data in the cloud [26]. Then, when the authentication result is obtained, it is in binary format; it is converted to decimal using decimal functions and stored in the array list.

The authors use the AES algorithm in the cloud to encrypt by blocks and decrypt data, processing the key and giving the user the same key for encryption/decryption; the size of the block depends on the file size [28]. If a block is removed, a verification of information reliability cannot be created.

The authors propose the AES and MD5 algorithms [29]: when the file is uploaded it is stored encrypted in the cloud and divided among 4 servers, then the MD5 algorithm stores it in the database after processing the 32-bit hexadecimal key. If the user wants to recover the files after a successful process, he must provide the 16-bit access key; if he wants to decrypt it he uses an access key of the same size.

Timothy and Santra [30] include the combination of symmetric and asymmetric algorithms in the method: the symmetric algorithm Blowfish encrypts the data and sends it with the secret key to the receiver, who can decipher the original data with the same key; the asymmetric algorithm RSA encrypts the secret key so that it does not suffer any. When the decryption process is performed, SHA-2 generates a message digest for the signature. This key has a length between 448 bits and 1024 bits.

Toapanta, Mafla and Orizaga [31] propose a scale to measure the priority classification of the security algorithms of a distributed architecture and their advantages and disadvantages. The prototype of this architecture uses IAAA and CIA, using the proposed encryption algorithms.

They propose 3 different levels that are arranged according to the importance of the data. Using the algorithm and keys they designed, the data is encrypted and decrypted before storing it in the cloud according to its ranking by importance. This way they secure data from attacks and intruders [32].

The authors propose to derive keys from data encrypted with the ABE attribute stored in the cloud and to have secure access. It is applicable when the user wants to control the access, storage and location of the data and its usage status. This scheme allows storage savings because it only stores one copy of the data [33].

The authors in their document exchange data with a system composed of 3 entities: cloud storage server, owner and user. The cloud has authenticated and unauthenticated users; the owner uploads the encrypted data and then shares the stored data with authenticated users [34].

They propose a scheme of 3 entities: user, owner and server in the cloud. The owner generates a search index with the key to enable the search capability on the server, has several documents that he encrypts and sends to the server along with the index. The cloud server can update the index and the set of stored documents. The user must have the owner's key and will then have access to the cloud [35].

This new authentication protocol is an improvement of Wang's scheme [36]. It seeks to avoid storing too much data for authentication, to enable communication between end devices and to improve security against possible attacks, through the 3 phases proposed by the authors: registration, device-authentication-server and device-device authentication. In the first phase the identity is stored and cookie data is returned; in the second phase the device presents its cookie data to access the cloud; and in the third phase, before communicating, the devices must authenticate device-to-device, which is similar to the previous authentication but with the advantage that only these devices know the session key, so that if attackers intercept the data they will not be able to use it for lack of the real session keys.

They propose a new security protocol (CFSec). The aim of the authors is to establish secure communication between user, server and devices. They use routers, switches and various network devices to send or receive data; the cloud server chooses the private key for the user and calculates the public key; users who register must enter a password and biometric information. The authors demonstrate nine attack analyses in which attackers cannot execute any attack, thanks to a robust protocol and the use of hash functions [37].
Fig. 1. Three phases of the authentication protocol [36].

In this article the protocol consists of 4 phases: initialization, registration, purchase of tickets and request for loading. In the first phase random numbers are generated and processed by a hash function; the cloud chooses the private key and calculates the public key. In the second phase, registration, it chooses a random number, uses the public and private key and sends them to be stored in the cloud. In the third phase of this system the tickets are bought over a secure channel, and the fourth phase performs the authentication so that the data reaches the server. With authentication this protocol is resistant to different cloud attacks, using random numbers, hash functions and keys [38].

According to the ID-based authentication scheme, the authors propose new certificates for authentication and cloud access. The scheme has two steps: registration and mutual authentication. In the first step the ID provider selects the public key and the secret key and sends them separately to the user and the server through a secret channel; in the second phase the server denies access to the user if the TS is not valid, otherwise it allows login. Attackers are unable to obtain the secret key; the scheme prevents internal and external attacks [39].

The RSEAP protocol proposed by the authors has 4 phases similar to other protocols: initialization, registration, authentication and password change. The first phase generates the secret key for the user; the second phase stores all identification data in the databases; the third stage sends a request for access; and in the fourth stage a new password can be created and another random number is generated for the start of the session [40]. It is a secure protocol against different attacks on the cloud thanks to the cryptographic techniques applied.

B. Methods

1) Security Protocols

Through the network we can access the various resources of the cloud, where each protocol has its function to improve security: achieving data protection and confidentiality, performing authentication at the start of each session and encrypting at the time the user sends the data to be stored in the cloud. These protocols will also be proposed in the results methodology to mitigate data risk. We work with the following security protocols:

• IPsec: It is composed of several different protocols (AH, ESP, IKE) and algorithms (DES, 3DES, AES) for security, designed to ensure that data packets sent over an IP network remain invisible and inaccessible to third parties [10]. By performing data encryption, authentication and integrity verification, this protocol can guarantee reliability in data transmission, privacy, encryption and protection at the time of forwarding. When authentication is performed, the digital signature is used to demonstrate that the sender is sending it and not an attacker.

• DNSSEC: It protects the cloud against counterfeit DNS by the use of algorithms and public keys; its responses are digital signatures of authorized data when they enter the system, which are then validated [27]. Also, with this protocol it can be demonstrated that a domain does not exist. It provides data integrity, improving security because it does not allow data modification without the user's permission.

• SSL: Usually data sent between browsers and web servers is sent in plain text, which makes it vulnerable to attack; this secure protocol encrypts data from a computer connected to the network, preventing the alteration of such data. The public key is for encrypting the data and the private key is for decrypting it, and only the owner has access to the private key [11].

• TLS: Performs encryption, authentication and key generation in data transmission. So that the owner can verify whether the data was manipulated, a message authentication code (MAC) is sent, which, through a cryptographic hash, can be interpreted by the senders and recipients who have the key, ensuring that the data comes from a source holding the key and that it has not been intercepted or falsified subsequently [13].

• SSH: It encrypts all sessions with 128 bits, making it difficult for attackers to decipher and read them. When a connection is made, the SSH protocol identifies the remote user. It allows us to copy data and manage RSA keys so as not to type keys when connecting to sessions; these keys are not repeated in another session, they are unique, to avoid sharing these keys and putting the system at risk. The digital certificate, as it is encrypted, cannot be imitated and cannot contact the server [10].
2) Comparative table of algorithms

The different proposals of the authors, revised from the references, propose algorithms to mitigate cloud attacks through authentication, authorization and auditing. In the case of the cloud, it becomes more secure for data transmission.

TABLE I
COMPARISON OF THE ALGORITHMS

References | Proposed method | Threats in the cloud
[14] | Develops a method to increase the security of important data. It uses LDAP authentication to validate the user and block attackers by detecting the IP address. If the data is not confidential it is sent directly to the cloud storage; if it is confidential, the two-way encryption algorithm (SHA-512 and AES) is used, the encryption is done and the data is sent to the storage cloud. | False IP address via a trusted host during identification.
[18] | The cloud authenticates users without the need for digital certificates to establish communication. In the database it stores a record of user responses, whether the access was successful or not. The protocol that performs the authentication consists of 4 phases: registration, request, authentication and reports. | MITM attack; Repeat attack; Hash dependency.
[19] | In this method the authors propose to store the data in shared clouds, solving the problem of availability. For security, the data is encrypted before transmission. | Hijacking; Phishing; SQL injection attack; Data corruption; Privacy issues; Sybil attack.
[23] | It has 3 processes: key generation, encryption and decryption. Public and private keys are generated; the secret key is only known to the users who share it between them and is encrypted by the public key; to decrypt, different keys can be used so that the attacker does not learn the data. | Mathematical attack; Time attack; Brute force attack; SQL injection attack.
[26] | It presents two layers in the cloud configuration: the virtualization layer and management. For good authentication it uses firefly algorithms and the Merkle hash when sharing data. | MITM attack; Hijacking; Brute force attack; DDoS attack; Malware injection attack.
[32] | The data is segmented and classified according to its importance into 3 levels. Data is encrypted separately to avoid interception, using algorithms and encryption/decryption keys before storing it in the clouds. | DDoS attack; Phishing; Hijacking.

Table I shows the methods of the references to protect the cloud and the threats of each that try to affect security and make them vulnerable. From the information in Table I, certain characteristics of the references were adopted to propose results.

3) Comparative table with our proposed protocol

We made Table II to get a better comparison between the revised references and our proposed protocol; it presents the entities on which the authors based themselves to achieve successful access to the cloud and whether each performs its respective authentication to mitigate the attacks.

TABLE II
COMPARISON TABLE OF PROTOCOLS

References | Entities considered | Authentication?
IPsec [41] | End devices, an SDN switch, the router/firewall, server, cloud | No
DNSSEC [27] | Server, device, OpenSSL | Yes
SSL/TLS [13] | Server, switch, end devices, SDN controller | Yes
SSH [42] | Server, OpenSSH, cloud, LDAP | Yes
Authentication protocol [36] | Device, trusted servers | Yes
CFSec protocol [37] | Fog devices, cloud server, switch, cloud | Yes
Protocol [38] | EV, pad, RSU, fog server, cloud | Yes
RSEAP protocol [40] | Database server, cloud, device, wireless networks | Yes
Our proposed protocol | Server, device, cloud, database | Yes

Table II. Description of the protocol entities

4) Methodology to generate results

Conceptual model to protect against attacks: To propose a data protection model, the following information was taken from the references: defences to prevent attacks [7]; phases to detect attacks [6]; attacks affecting the network [13]; encryption algorithms [28], [30] and [23]; cloud security risks [17]; security protocols [14], [16].

Cloud prototype: For the architecture, protocol and algorithm that protect data, the following references were considered: [10], [31], [34], [36], [37], [38] and [40]. With these references, a three-phase prototype was analyzed and built to mitigate cloud attacks.

Algorithm: For the authentication and encryption of the proposed protocol, [19], [26] and [39] were considered; from [14] we adopted the steps of the proposed algorithm. In the algorithm we demonstrate the three phases and verify by means of a formula that our algorithm is stable.

Formula: A formula was determined with which encryption algorithms can mitigate attacks. For each formula, two tables with security levels were implemented to make our protocol optimal. In the probability phase we use 3 simulations to check the hidden attacks that can reach the cloud.
III. RESULTS

This research attempts to reduce the cloud attacks that occur daily to steal data from different users. The following results were obtained:

• Conceptual model to protect the cloud against attacks.
• Prototype of security in the cloud.
• Algorithm in the flowchart to protect the cloud from attacks.
• Probability formula to defend the cloud from attacks.

1) Conceptual Model to protect the cloud against attacks

With this proposed model we can analyze the security information to mitigate the risks in the cloud:

Fig. 2. Conceptual model of our proposed protocol

Fig. 2. This model was designed to reduce cloud attacks and protect the data of the users. We develop a model in which we indicate that we will use the hash algorithm in our protocol together with encryption, decryption and digital signature; the objective we want to control in the storage process is to prevent data loss in the transmission to the cloud; authentication will be performed by the server when the user enters his ID and password in the login, to check that he is not an attacker; the 3 phases of the proposed protocol (registration, authentication between the server and the devices, encrypting information) are meant to achieve successful access and resistance to the external attacks that will be mitigated by the services proposed in the algorithm.

For the calculation of an efficient protocol of the conceptual model presented, we propose the following formula:

$$EA = \frac{1}{w + k} \sum_{i=1}^{n} (e + E) \qquad (1)$$

Here:
EA = efficient authentication.
w = time interval in seconds.
e = amount of records.
k = amount of attacks.
n = amount of servers.
E = amount of devices in the environment.

TABLE III
SAFETY SCORE

Score | Secure level
8-10 | Excellent
5-7 | Optimal
2-4 | Regular
0-1 | Deficient

Table III. Score of our proposed protocol

Example: If we have a time interval of 45 seconds in an attack, a total of 100 attacks have occurred, the total number of users registered in the cloud is 600 and 350 IPs of devices used to access the cloud are known. The number of servers n is one. Applying the formula (1) we have:

$$EA = \frac{1}{45 + 100} \sum_{i=1}^{1} (600 + 350)$$

$$EA = \frac{1}{45 + 100} (600 + 350)$$

$$EA = \frac{950}{145}$$

$$EA = 6.55$$

According to Table III, our protocol for this scenario shows us that it is optimal.

2) Prototype of security in the cloud

It is proposed to have more security: this conceptual model identifies the intruders, authenticates the user to send the data and authorizes in the event of a successful access.

Fig. 3. Prototype of security in the cloud.

Encryption is an important part of data protection; with its help we can thwart the theft of our data by malicious people at the time of transmission.
First Author et al.: Title 3

Each section of the prototype is related to protocols, document if the digital signatures are equal.
encryptions, keys, users, authentication and all these resources End
with the cloud.
In the Fig. 3. we find the three phases of our protocol:
First Phase:
Here we find the users of the distributed environment who
will register with their identification and password to access
the cloud.
Second Phase:
The hash algorithm performs authentication on the server
and to know if the user is registered is checked in the database
where all this information is located, if the user is not
registered, access is denied.
Third Phase:
If the user was authenticated and the document was not
altered, the document is encrypted with the digital signature
and a private key is generated that can only be held by the user
to prevent attacks. All this data is stored in the cloud.
Remote distributed environment:
Finally, the algorithm generates two private and public
keys, the user has the option to deliver the public key to
another user. In the case of this event occurs, the public key
decrypts the document and the hash algorithm compares the
original digital signature with the current one and if they are
equal it shows the content of the document, if they are
different it means that the document was altered.
3)Algorithm in the flowchart to protect the cloud
from attacks
The methodology proposed in algorithm and data flow
results in the steps we must take to mitigate the risks of
information security.
Figure 4 expresses the algorithm in flowchart, the phases
are described below:
Description of the phases:
Phase 1: Registration: if the user is already registered, he
must sign in by entering his ID and password, in the case of a
new user, he must register in order to access the cloud.
Phase 2: Authentication between the servers and device,
with authentication we can see if they try to make an attack.
The server consults in the database, if the user exists has
access to send the data to the cloud, if it does not exist in the
database, it must return to register. If our hash algorithm
detects threats, this user is blocked and must return to login.
Phase 3: Encrypting Information, data before it is stored in
the cloud is encrypted with the digital signature and a private
key is generated, demonstrating that it is secure and has not
been altered during transmission.
Algorithm:
Start
Phase 1: Registration
  If the user does not have an account, register
  Else log in with ID and password
Phase 2: Authentication between the servers and device
  If the hash algorithm detects threats from attackers, block the suspicious user
  Else go directly to cloud storage
Phase 3: Encrypting information
  User data successfully stored in the cloud
  If the user gives another user the public key can decrypt the

Fig. 4. Proposed algorithm expressed in flowchart
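The three phases and the remote check described above, as an added example written for this page (not the authors' code). The paper names no hash or signature algorithm, so this assumes SHA-256 and Ed25519 from the Go standard library and models "encrypting with the digital signature" as signing the document hash and verifying it with the shared public key; the `Cloud` type, its methods and the `Alter` helper are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// storedDoc holds a document and the signature over its SHA-256 hash.
type storedDoc struct{ content, signature []byte }

// Cloud is a hypothetical in-memory model of the protocol's three phases.
type Cloud struct {
	users map[string][32]byte  // phase 1: ID -> SHA-256(password)
	docs  map[string]storedDoc // phase 3: documents kept with their signature
}

func NewCloud() *Cloud {
	return &Cloud{users: map[string][32]byte{}, docs: map[string]storedDoc{}}
}

// Register (phase 1). SHA-256 keeps this stdlib-only; a deployment would use a slow KDF.
func (c *Cloud) Register(id, password string) { c.users[id] = sha256.Sum256([]byte(password)) }

// Authenticate (phase 2): unknown IDs or wrong passwords are denied and must return to login.
func (c *Cloud) Authenticate(id, password string) bool {
	stored, ok := c.users[id]
	return ok && stored == sha256.Sum256([]byte(password))
}

// Store (phase 3): an authenticated user signs the document hash with a fresh private
// key that never leaves this call; only the public key is returned, for the owner to share.
func (c *Cloud) Store(id, password, name string, content []byte) (ed25519.PublicKey, error) {
	if !c.Authenticate(id, password) {
		return nil, errors.New("access denied: user not authenticated")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	digest := sha256.Sum256(content)
	c.docs[name] = storedDoc{content, ed25519.Sign(priv, digest[:])}
	return pub, nil
}

// Retrieve (remote environment): the key holder re-hashes the stored content and checks
// it against the original signature; an altered document is reported instead of shown.
func (c *Cloud) Retrieve(name string, pub ed25519.PublicKey) ([]byte, error) {
	d, ok := c.docs[name]
	if !ok { return nil, errors.New("no such document") }
	if digest := sha256.Sum256(d.content); !ed25519.Verify(pub, digest[:], d.signature) {
		return nil, errors.New("document was altered")
	}
	return d.content, nil
}

// Alter simulates storage modified after upload, so Retrieve's check can be exercised.
func (c *Cloud) Alter(name string, content []byte) { d := c.docs[name]; d.content = content; c.docs[name] = d }
```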

We demonstrate with a formula that our algorithm is stable:

$$x = \frac{1}{2}\left(\frac{1}{e}\sum_{i=1}^{n}\left(k + w\right)\right) \qquad (3)$$

We replace the value of k:

$$k = \frac{E}{m} + AS \qquad (4)$$

Formula (5), where x is the algorithm's quantitative average and w is the time interval in seconds, in [0,20]:

$$x = \frac{1}{2}\left(\frac{1}{e}\sum_{i=1}^{n}\left(\left(\frac{E}{m} + AS\right) + w\right)\right) \qquad (5)$$

Finally, we calculated the percentage; the formula used was:

$$s = x \cdot 100\%$$

Here:
E = number of failed attempts.
m = number of users blocked.
e = number of registered users.
AS = number of requests.
w = time interval in seconds.
n = number of servers.

The number of registered users is 400, the number of failed attempts is 100, the number of users blocked is 50, the number of requests is 500, the time is 15 seconds and n is the number of servers available in our algorithm.

TABLE IV
PERCENTAGE OF SECURITY ALGORITHM

Score     Secure level
76-100    Excellent
51-75     Optimal
25-50     Regular
0-24      Deficient

Table IV. Score of our security algorithm

We will calculate the security percentage of our algorithm using the formula (3):
$$x = \frac{1}{2}\left(\frac{1}{400}\sum_{i=1}^{1}\left(\left(\frac{100}{50} + 500\right) + 15\right)\right)$$

$$x = \frac{1}{2}\left(517 \cdot \frac{1}{400}\right)$$

$$x = 0.64$$

As a last step we calculate the safety percentage:

$$s = x \cdot 100\%$$

$$s = 0.64 \cdot 100\%$$

$$s = 64$$

The security percentage is 64; according to our Table IV, our algorithm is optimal to implement.

4) Probability formula to defend the cloud from attacks

The following formula is proposed to determine the probability of a cloud attack:

$$x = \frac{1}{2}\, w \sum_{i=1}^{n} e_i$$

We replace the value of e_i:

$$e_i = \frac{e}{E} + \frac{m}{k}$$

Finally, we get the probability formula:

$$x = \frac{1}{2}\, w \sum_{i=1}^{n}\left(\frac{e}{E} + \frac{m}{k}\right)$$

Here:
w = time interval in seconds.
e = number of records.
k = number of attacks.
E = number of devices in the environment.
m = number of failed attempts.
n = number of servers.

For the simulation, the representation is given over an interval of 20 seconds; the number of registrations is 300 users, the number of devices registered in the database is 200 and the number of failed attempts is 60.

Fig. 5. Probability of attacks in the first simulation


In Figure 5 we can observe that at second 14 there is a high number of attacks, while the hidden attacks that can happen are minimal.

In the second example we have 150 user records, the interval of 20 seconds is maintained, the number of devices registered in the database is 120 and the number of failed attempts is 80.

Fig. 6. Probability of attacks in the second simulation

In Figure 6 we can observe that at second 8 there is a minimum number of attacks and the hidden attacks that can happen are very few; in this case no hidden attack on the cloud happens.

In the last example we have 600 user records, the interval of 20 seconds is maintained, the number of devices registered in the database is 450 and the number of failed attempts is 220.

Fig. 7. Probability of attack in the third simulation

It was observed that in the interval of twenty seconds the hidden attacks that can reach the cloud after authentication are minimal. When the number of attacks is high within a few seconds, the percentage is higher; in the simulation of figure 2 we can observe that 40 attacks had 5.5% hidden attacks that arrived successfully.

IV. DISCUSSION

• This is an alternative proposal to greatly decrease attacks on the cloud.
• The proposed research relates to the articles of the reviewed references: protocols and algorithms that protect data [10], [31], [34], [36] and [37]; attacks that affect the network [13]; reducing availability problems [19]; authentication and encryption of the proposed algorithms were taken into account [19], [26], [38] and [39]; attacks difficult to detect [6]; defences to prevent attacks [7] and [42].
• The number of threats can be mitigated by applying a hash algorithm, since documents are sent with a digital signature and two keys are generated.
• The devices are recognized by the database because their IPs are stored.
• A user is blocked by incorrect identification in the second phase of the protocol.

V. FUTURE WORK AND CONCLUSION

As future work, a methodology must be implemented to reduce large attacks on the cloud using quantifiable security.
• We conclude that the protocol proposed with the hash algorithm has an optimal level of security for the mitigation of data risks in the cloud; the identifications stored in the database allow us to identify each known user. The encryption of the data with the digital signature allows us to know that they have not been modified during transmission to the cloud.
• In the first result we include a table showing the security level of the algorithm applied to each scenario.
• In the second result, we conclude that each phase helps prevent an unknown user from gaining access through the server that is in charge of authentication.
• In the third result, the algorithm was run to check that our protocol is optimal against attacks, which we can verify with the proposed formula.
• In the last result, the simulations showed us the percentages of attacks that can gain access. Another algorithm can be implemented to further decrease attacks.

VI. ACKNOWLEDGMENT
The authors thank Universidad Politécnica Salesiana del Ecuador, the research group of the Guayaquil Headquarters “Computing, Security and Information Technology for a Globalized World” (CSITGW), created according to resolution 142-06-2017-07-19, and the Secretaría de Educación Superior, Ciencia, Tecnología e Innovación (Senescyt).

VII. REFERENCES
[1] N. Vlajic and D. Zhou, “IoT as a Land of Opportunity for DDoS Hackers,” Computer (Long. Beach. Calif)., vol. 51, no. 7, pp. 26–34, 2018.
[2] Q. Yan, W. Huang, X. Luo, Q. Gong, and F. R. Yu, “A Multi-Level DDoS Mitigation Framework for the Industrial Internet of Things,” IEEE Commun. Mag., vol. 56, no. 2, pp. 30–36, 2018.
[3] R. C. Paffenroth and C. Zhou, “Modern Machine Learning for Cyber-Defense and Distributed Denial-
of-Service Attacks,” IEEE Eng. Manag. Rev., vol. 47, no. 4, pp. 80–85, 2019.
[4] N. V. Juliadotter and K. K. R. Choo, “Cloud attack and risk assessment taxonomy,” IEEE Cloud Comput., vol. 2, no. 1, pp. 14–20, 2015.
[5] G. Somani, M. S. Gaur, D. Sanghi, M. Conti, M. Rajarajan, and R. Buyya, “Combating DDoS attacks in the cloud: Requirements, trends, and future directions,” IEEE Cloud Comput., vol. 4, no. 1, pp. 22–32, 2017.
[6] J. Jiao et al., “Detecting TCP-based DDoS attacks in Baidu cloud computing data centers,” Proc. IEEE Symp. Reliab. Distrib. Syst., vol. 2017-Septe, pp. 256–258, 2017.
[7] D. F. and C. K. A. Stavrou, “On the Move: Evading Distributed Denial-of-Service Attacks,” Comput., vol. 49, no. 3, pp. 104–107, 2016.
[8] A. Zand, G. Modelo-Howard, A. Tongaonkar, S. J. Lee, C. Kruegel, and G. Vigna, “Demystifying DDoS as a service,” IEEE Commun. Mag., vol. 55, no. 7, pp. 14–21, 2017.
[9] L. Zhang and J. Wang, “DDoS Attack Detection Scheme Based on Entropy and PSO-BP Neural Network in SDN,” Jisuanji Yanjiu yu Fazhan/Computer Res. Dev., vol. 56, no. 5, pp. 909–918, 2017.
[10] M. Toapanta, E. Mafla, and A. Orizaga, “Adequate security protocols adopt in a conceptual model in identity management for the Civil Registry of Ecuador,” IOP Conf. Ser. Mater. Sci. Eng., vol. 225, no. 1, 2017.
[11] S. M. T. Toapanta, M. E. C. Zamora, and L. E. M. Gallegos, “Appropriate Security Protocols to Mitigate the Risks in Electronic Money Management,” Smart Innov. Syst. Technol., vol. 165, no. January, pp. 65–74, 2020.
[12] T. Zeb, M. Yousaf, and H. A. T, “A quantitative security metric model for security controls: Secure virtual machine migration protocol as target of assessment,” vol. 15, no. August, pp. 126–140, 2018.
[13] S. Midha and K. Triptahi, “Extended TLS security and defensive algorithm in openflow SDN,” Proc. 9th Int. Conf. Cloud Comput. Data Sci. Eng. Conflu. 2019, pp. 141–146, 2019.
[14] K. V. Raipurkar and A. V. Deorankar, “Improve data security in cloud environment by using LDAP and two way encryption algorithm,” 2016 Symp. Colossal Data Anal. Networking, CDAN 2016, pp. 1–4, 2016.
[15] K. Bhargavan, C. Fournet, and M. Kohlweiss, “miTLS: Verifying protocol implementations against real-world attacks,” IEEE Secur. Priv., vol. 14, no. 6, pp. 18–25, 2016.
[16] K. Kakoi, Y. Jin, N. Yamai, N. Kitagawa, and M. Tomoishi, “Design and Implementation of a Client Based DNSSEC Validation and Alert System,” Proc. - Int. Comput. Softw. Appl. Conf., vol. 2, pp. 8–13, 2016.
[17] S. K. Abd, R. T. Salih, S. A. R. Al-Haddad, F. Hashim, A. B. H. Abdullah, and S. Yussof, “Cloud computing security risks with authorization access for secure Multi-Tenancy based on AAAS protocol,” IEEE Reg. 10 Annu. Int. Conf. Proceedings/TENCON, vol. 2016-Janua, pp. 1–5, 2016.
[18] A. Ibrahim and M. Singhal, “A new authentication protocol for an Authentication-as-a-Service (AaaS) cloud using Pedersen commitment scheme,” 2016 Int. Conf. Ind. Informatics Comput. Syst. CIICS 2016, pp. 1–6, 2016.
[19] A. Razaque et al., “Secure data sharing in multi-clouds,” Int. Conf. Electr. Electron. Optim. Tech. ICEEOT 2016, pp. 1909–1913, 2016.
[20] Deepali and K. Bhushan, “DDoS attack mitigation and resource provisioning in cloud using fog computing,” Proc. 2017 Int. Conf. Smart Technol. Smart Nation, SmartTechCon 2017, pp. 308–313, 2018.
[21] B. Yuan et al., “Minimizing Financial Cost of DDoS Attack Defense in Clouds with Fine-Grained Resource Management,” IEEE Trans. Netw. Sci. Eng., vol. 4697, no. c, pp. 1–14, 2020.
[22] I. Butun, M. Erol-Kantarci, B. Kantarci, and H. Song, “Cloud-centric multi-level authentication as a service for secure public safety device networks,” IEEE Commun. Mag., vol. 54, no. 4, pp. 47–53, 2016.
[23] A. Bhandari, A. Gupta, and D. Das, “Secure algorithm for cloud computing and its applications,” Proc. 2016 6th Int. Conf. - Cloud Syst. Big Data Eng. Conflu. 2016, pp. 188–192, 2016.
[24] J. A. George, S. Veni, and S. Soomroo, “Improving privacy and trust in federated identity using SAML with hash based encryption algorithm,” 4th IEEE Int. Conf. Eng. Technol. Appl. Sci. ICETAS 2017, vol. 2018-Janua, pp. 1–5, 2018.
[25] O. K. J. Mohammad, S. Abbas, E. S. M. El-Horbaty, and A. B. M. Salem, “Securing Cloud Computing Environment using a New Trend of Cryptography,” 2015 Int. Conf. Cloud Comput. ICCC 2015, pp. 1–8, 2015.
[26] R. M. and S. A. K. Bhardwaj, “TTP based vivid protocol design for authentication and security for cloud,” 2016 3rd Int. Conf. Comput. Sustain. Glob. Dev. (INDIACom), New Delhi, pp. 3275–3278, 2016.
[27] T. Saraj and M. Yousaf, “Design and implementation of a lightweight privacy extension of DNSSEC protocol,” Proc. - 2017 13th Int. Conf. Emerg. Technol. ICET2017, vol. 2018-Janua, pp. 1–6, 2018.
[28] P. Sivakumar, M. Nandhakumar, R. Jayaraj, and A. Sakthi Kumaran, “Securing data and reducing the time traffic using AES encryption with dual cloud,” 2019 IEEE Int. Conf. Syst. Comput. Autom. Networking, ICSCAN 2019, pp. 1–5, 2019.
[29] R. Nivedhaa and J. J. Justus, “A Secure Erasure Cloud Storage System Using Advanced Encryption Standard Algorithm and Proxy Re-Encryption,” Proc. 2018 IEEE Int. Conf. Commun. Signal Process. ICCSP 2018, pp. 755–759, 2018.
[30] D. P. Timothy and A. K. Santra, “A hybrid cryptography algorithm for cloud computing security,” 2017 Int. Conf. Microelectron. Devices, Circuits Syst.
ICMDCS 2017, vol. 2017-Janua, pp. 1–5, 2017.
[31] T. T. Moises, M. G. Enrique, and O. T. Antonio, “An approach of efficient security algorithms for distribute architectures,” 2017 Int. Conf. Energy, Commun. Data Anal. Soft Comput. ICECDS 2017, pp. 22–25, 2018.
[32] A. R. Gadekar, M. V. Sarode, and V. M. Thakare, “Cloud Security and Storage Space Management using DCACrypt,” 2018 Int. Conf. Information, Commun. Eng. Technol. ICICET 2018, pp. 1–4, 2018.
[33] Z. Yan, M. Wang, Y. Li, and A. V. Vasilakos, “Encrypted Data Management with Deduplication in Cloud Computing,” IEEE Cloud Comput., vol. 3, no. 2, pp. 28–35, 2016.
[34] W. Song, H. Zou, H. Liu, and J. Chen, “A practical group key management algorithm for cloud data sharing with dynamic group,” China Commun., vol. 13, no. 6, pp. 205–216, 2016.
[35] J. Yan, Y. Zhang, and X. Liu, “Secure multi-keyword search supporting dynamic update and ranked retrieval,” China Commun., vol. 13, no. 10, pp. 209–221, 2016.
[36] T. K. Dang, C. D. M. Pham, and T. L. P. Nguyen, “A pragmatic elliptic curve cryptography-based extension for energy-efficient device-to-device communications in smart cities,” Sustain. Cities Soc., vol. 56, no. February, 2020.
[37] R. Amin, S. Kunal, A. Saha, D. Das, and A. Alamri, “CFSec: Password based secure communication protocol in cloud-fog environment,” J. Parallel Distrib. Comput., vol. 140, pp. 52–62, 2020.
[38] L. F. A. Roman and P. R. L. Gondim, “Authentication protocol in CTNs for a CWD-WPT charging system in a cloud environment,” Ad Hoc Networks, vol. 97, p. 102004, Feb. 2020.
[39] M. Zhang and Y. Zhang, “Certificateless anonymous user authentication protocol for cloud computing,” Proc. - 2015 Int. Conf. Intell. Transp. Big Data Smart City, ICITBS 2015, pp. 200–203, 2016.
[40] V. Kumar, M. Ahmad, D. Mishra, S. Kumari, and M. K. Khan, “RSEAP: RFID based secure and efficient authentication protocol for vehicular cloud computing,” Veh. Commun., vol. 22, 2020.
[41] M. Vajaranta, V. Viitamaki, A. Oinonen, T. D. Hamalainen, A. Kulmala, and J. Markunmaki, “Feasibility of FPGA Accelerated IPsec on Cloud,” Proc. - 21st Euromicro Conf. Digit. Syst. Des. DSD 2018, pp. 569–572, 2018.
[42] T. Ylonen, “SSH key management challenges and requirements,” 2019 10th IFIP Int. Conf. New Technol. Mobil. Secur. NTMS 2019 - Proc. Work., 2019.

First A. Author: Moises Toapanta is a professor of Computer Science at the Salesian Polytechnic University, Guayaquil, Ecuador, and coordinator of the research group “Computing, Security and Information Technology for a Globalized World” (CSITGW). He is an evaluator and accredited researcher of the Senescyt with No. REG-INV. 16-01530. He is a Computer Science Engineer. He obtained his MSc in ICT at the National Polytechnic School. He completed his doctoral stay at the Department of Information Technology and Communications of the Polytechnic University of Cartagena UPCT, Spain. He obtained the degree of PhD in Information Technology at the University of Guadalajara, Mexico. He has published 70 scientific articles in journals and conference proceedings in the databases IEEE Xplore, ACM Digital, ScienceDirect and Springer, among others indexed in Scopus, EI Compendex, Scimago and Web of Science. He has worked in public and private institutions at an operational, tactical and strategic level in Ecuador, Colombia and Peru. His research areas are: strategic alignment of ICT, distributed systems, networks, security and cryptography, cybersecurity, cyberbullying, blockchain technologies and applications.

Second B. Author: Cynthia Guaigua is a student of Computer Science at the Salesian Polytechnic University, Guayaquil, Ecuador.

Third C. Author: Enrique Mafla is a professor in the Informatics and Computer Science Department at Escuela Politecnica Nacional in Quito, Ecuador. He got his MSc and PhD degrees in computer science at Purdue University, West Lafayette. Dr. Mafla has published in IEEE Computer, USENIX Journal on Computing Systems, Computer Networks and ISDN Systems, and proceedings of international IEEE, ACM and Springer conferences. Dr. Mafla has been a visiting professor at the University of Florida and worked for the Food and Agriculture Organization of the United Nations in Rome and Accra. He has been a consultant in FAO projects and in projects funded by the Interamerican Development Bank. His research interests include distributed systems, cryptography, networking, and blockchain technologies and applications.