<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE article  PUBLIC "-//NLM//DTD Journal Publishing DTD v3.0 20080202//EN" "http://dtd.nlm.nih.gov/publishing/3.0/journalpublishing3.dtd"><article xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" dtd-version="3.0" xml:lang="en" article-type="research article"><front><journal-meta><journal-id journal-id-type="publisher-id">JIS</journal-id><journal-title-group><journal-title>Journal of Information Security</journal-title></journal-title-group><issn pub-type="epub">2153-1234</issn><publisher><publisher-name>Scientific Research Publishing</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.4236/jis.2014.52007</article-id><article-id pub-id-type="publisher-id">JIS-45019</article-id><article-categories><subj-group subj-group-type="heading"><subject>Articles</subject></subj-group><subj-group subj-group-type="Discipline-v2"><subject>Computer Science&amp;Communications</subject></subj-group></article-categories><title-group><article-title>
 
 
  Illegal Access Detection in the Cloud Computing Environment
 
</article-title></title-group><contrib-group><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>asim</surname><given-names>Alguliev</given-names></name><xref ref-type="aff" rid="aff1"><sup>1</sup></xref><xref ref-type="corresp" rid="cor1"><sup>*</sup></xref></contrib><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>Fargana</surname><given-names>Abdullaeva</given-names></name><xref ref-type="aff" rid="aff1"><sup>1</sup></xref><xref ref-type="corresp" rid="cor1"><sup>*</sup></xref></contrib></contrib-group><aff id="aff1"><addr-line>Institute of Information Technology ANAS, Baku, Azerbaijan</addr-line></aff><author-notes><corresp id="cor1">* E-mail:<email>director@iit.ab.az(AA)</email>;<email>farqana@iit.ab.az(FA)</email>;</corresp></author-notes><pub-date pub-type="epub"><day>20</day><month>02</month><year>2014</year></pub-date><volume>05</volume><issue>02</issue><fpage>65</fpage><lpage>71</lpage><history><date date-type="received"><day>15</day>	<month>December</month>	<year>2013</year></date><date date-type="rev-recd"><day>10</day>	<month>January</month>	<year>2014</year>	</date><date date-type="accepted"><day>18</day>	<month>January</month>	<year>2014</year></date></history><permissions><copyright-statement>&#169; Copyright  2014 by authors and Scientific Research Publishing Inc. </copyright-statement><copyright-year>2014</copyright-year><license><license-p>This work is licensed under the Creative Commons Attribution International License (CC BY). http://creativecommons.org/licenses/by/4.0/</license-p></license></permissions><abstract><p>
 
 
   
   In this paper detection method for the illegal access to the cloud infrastructure is proposed. Detection process is based on the collaborative filtering algorithm constructed on the cloud model. Here, first of all, the normal behavior of the user is formed in the shape of a cloud model, then these models are compared with each other by using the cosine similarity method and by applying the collaborative filtering method the deviations from the normal behavior are evaluated. If the deviation value is above than the threshold, the user who gained access to the system is evaluated as illegal, otherwise he is evaluated as a real user. 
  
 
</p></abstract><kwd-group><kwd>Cloud Computing; Masquerade Attack; Cloud Model; User Similarity; Collaborative Filtering</kwd></kwd-group></article-meta></front><body><sec id="s1"><title>1. Introduction</title><p>The emergence of the cloud computing technologies nowadays has significantly changed the way we use the computer means as well as the way we access and store our personal and business information. The new computing and communications paradigms based on these technologies cause the emergence of the new security problems. To be more precise, in comparison with the traditional technologies the nature of the threats brought by the cloud technologies to the organization infrastructure has changed. Thus, by the huge CSA (The Cloud Security Alliance) which is actively operating in the area of the standardization of the security issues of cloud technologies classifies the main threats brought by this technology as follows [<xref ref-type="bibr" rid="scirp.45019-ref1">1</xref>] :</p><p>• Threat 1. Abuse and Nefarious Use of Cloud Computing;</p><p>• Threat 2. Insecure Interfaces and APIs;</p><p>• Threat 3. Malicious Insiders;</p><p>• Threat 4. Shared Technology Issues;</p><p>• Threat 5. Data Loss or Leakage;</p><p>• Threat 6. Account or Service Hijacking;</p><p>• Threat 7. Unknown Risk Profile.</p><p>Among these threats the 1st and the 3rd threats can be implemented in each layer of the cloud computing SPI (Service Platform Infrastructure) model. In both of these threats in order to use the resources illegally the attacker tries to present himself to the system as a legitimate user by capturing legitimate user’s identity information. These threats are known as masquerade attacks in the literature sources [<xref ref-type="bibr" rid="scirp.45019-ref2">2</xref>] . Moreover, according to the cybercrime watch survey [<xref ref-type="bibr" rid="scirp.45019-ref3">3</xref>] conducted by the organization CERT in 2010, the first place among the top 5 electronic crimes belongs to viruses, worms and other malicious codes, the second part takes the unauthorized access.</p><p>The Twitter incident committed by the French hacker can be introduced as an example of this type of attacks. Several Twitter corporate and personal documents were leaked to the technological website called “The TechCrunch” [<xref ref-type="bibr" rid="scirp.45019-ref4">4</xref>] [<xref ref-type="bibr" rid="scirp.45019-ref5">5</xref>] and customers’ accounts including the account of the US President Barack Obama were illegally accessed [<xref ref-type="bibr" rid="scirp.45019-ref6">6</xref>] [<xref ref-type="bibr" rid="scirp.45019-ref7">7</xref>] . The attacker used a Twitter administrator’s password in order to gain access to Twitter’s corporate documents hosted on Google’s infrastructure as Google Docs. The damage was significant both for Twitter and for its customers.</p><p>There are number of research works devoted to the discovery of masquerade attacks. In one of these studies [<xref ref-type="bibr" rid="scirp.45019-ref8">8</xref>] in order to discover the masqueraders a new approach has been presented. This approach implements the comparison between the two users’ command sequence. This method is based on the similarity measured between the 10 most recent commands and a user’s profile. But this approach is not suitable for cloud infrastructure because cloud systems are heterogeneous systems [<xref ref-type="bibr" rid="scirp.45019-ref9">9</xref>] [<xref ref-type="bibr" rid="scirp.45019-ref10">10</xref>] . Here the virtual machines which form cloud systems are executes under the different operating systems (Windows, Linux, UNIX, Network). It is also likely that different commands are used for the same operation. For this reason, it is impossible to evaluate similar users by their command sequence.</p><p>In the other approach a sequence alignment method, which is broadly used in bioinformatics, is applied to discover the illegal accesses [<xref ref-type="bibr" rid="scirp.45019-ref11">11</xref>] [<xref ref-type="bibr" rid="scirp.45019-ref12">12</xref>] . As it can be seen most of the studies are focused on the detection of unusual or variable command sequence applied by the users.</p><p>Generally, the legitimate users of the computer system are familiar with the files on that system and are aware of their location. Any search for the specific files is likely to be targeted and limited here. A masquerader, however, who gets access to the victim’s system illegitimately is unlikely to be familiar with the structure and the contents of the file system. For this, his search is likely to be widespread and untargeted as well as the type and sequence of commands applied by the users in the system are being different. Taking this into account, the user’s profile reflecting his search behavior is created at [<xref ref-type="bibr" rid="scirp.45019-ref13">13</xref>] [<xref ref-type="bibr" rid="scirp.45019-ref14">14</xref>] and the one-class modeling technique is developed in order to detect the illegal intrusion.</p><p>However it should be noted that, when the attacker is being more deeply familiar with the genuine user’s behavior he can more accurately imitate him in the system. In this case, the above mentioned methods lose their influence and the detection of the illegal accesses by that way does not allow obtaining good results.</p><p>Typically, a user who gains access to the cloud system by masquerading under the genuine user always has a unique interest on the selected target resources. In this case the detection of the illegal accesses by modeling the user’s specific interest may allow obtaining significant results.</p><p>In this paper we created a profile which reflects the interest behavior of each user and this profile is considered as a cloud model. This cloud model reflects not a command sequence used by the user but the statistical characteristics of the operations conducted by the users. According to this method, in order to discover the illegal attack the normal behavior of a user is modeled as a cloud model first; then these models are compared and the deviations from this behavior are evaluated. If the deviation value becomes above the threshold the user who gained access to the system is evaluated as the illegal user.</p></sec><sec id="s2"><title>2. Masquerade Attack Detection System</title><p>Masquerade attacks refer to attacks that use a fake identity in order to gain unauthorized access to the personal computer information through the legitimate access identification.</p><p>The most common information which can be used to detect the masquerade attacks is contained within the actions the masquerader performs. This set of actions is known as a behavioral profile. The masquerade detection techniques are based on the premise that when a masquerader attacks the system he will sufficiently deviate from the user’s behavior. In other words, at first the normal behavior of the user is modeled as a profile there, then this profile is compared with his current behavior and the obtained deviation cases are considering as masquerader attacks.</p><p>In this paper we propose a new approach for detecting a masquerader in the cloud environment. This approach is schematically described in  <xref ref-type="fig" rid="fig1">Figure 1</xref>.</p><p>According to the architecture the masquerade detection is implemented in two phases:</p><p>1) Profile creating phase. The genuine user data collected and on the basis of the colleccted information a behavioral profile is created for each user. This phase consists of two components. The Event logs implements the collection of the information on all events during the session. The Feature Extraction Tool generates the feature vector based on cloud model for the user.</p><p>2) Detection phase. The new user profile generating on the basis of the new user records and compared with the genuine user profile. There similarity value calculation block for each input vector there calculates the cosine similarity value. The similarity value here varies between 0 and 1.</p><p>If similarity value is high, then the input data become very close to the user profile and if it becomes very low, then it is estimated as very different. According to the input data, the detection module classifies all users as genuine or imposter. For this purpose, first of all by using filtering formula it calculates the deviation value and on the basis of the accepted threshold value in the system it makes a decision determining the user as genuine or imposter.</p></sec><sec id="s3"><title>3. User Profile Generation</title><p>In order to recognize the anomalous behavior for the detection system, first it must form a user profile to characterize a normal behavior. In this section we will describe the model underlying our approach to the user profiling and will discuss the implementation details of how profiles are formed from the user’s interest data.</p><sec id="s3_1"><title>3.1. Data Collection</title><p>The detection of the masquerade attacks is carried out on the basis of operations performed by the masqueraders in the system. This set of operations forms a user’s behavior profile.</p><p>Based on these real data, it is possible to construct the interest profile in terms of the cloud model. This interest profile also can be called the feature vector of the user.</p></sec><sec id="s3_2"><title>3.2. Feature Vector Construction</title><p>There every action of the user has a score which can be regarded as a drop of interest cloud, but the score value of all operations is regarded as an interest cloud. The cloud uses expectation<inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\713affe6-4d47-4529-a50a-cc7d0348c129.png" xlink:type="simple"/></inline-formula>, entropy <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\20939052-56e9-429e-84b6-df5ad14cbc5f.png" xlink:type="simple"/></inline-formula> and excess entropy <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\429c6bac-252a-47c4-b253-33a5637440af.png" xlink:type="simple"/></inline-formula> to represent one digital value. Together these three digital characteristics of <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\cce1b5a8-7e65-4a84-ae93-d23c4b68bfc2.png" xlink:type="simple"/></inline-formula>-th user’s interest cloud form the <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\ffd5d43b-b1a0-4f60-bbe1-db53402f9ee7.png" xlink:type="simple"/></inline-formula>-th characteristic cloud vector. While computing the similarity between users <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\5e688c90-f228-4dbb-b8ed-ef428395efea.png" xlink:type="simple"/></inline-formula> and <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\51152367-c864-4427-9f03-6b4cdeb17ba6.png" xlink:type="simple"/></inline-formula> we can judge from similarity between vector <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\2e9ba463-c9f4-42cf-bd6b-9dab05dd4f46.png" xlink:type="simple"/></inline-formula> and<inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\04756c6f-9a3c-4e4d-a82f-0329a8483a5b.png" xlink:type="simple"/></inline-formula>. The key innovation there is getting characteristic vector <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\b2ad8a8c-a17d-4a9a-8ecd-d3f9adb6e18f.png" xlink:type="simple"/></inline-formula> of the user’s interest cloud.</p><p>Assume that matrix <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\b647b24a-f590-4b03-8bec-212609a97ec8.png" xlink:type="simple"/></inline-formula> represents the score data set of operations used by the users. Here, <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\b6743ad7-78fc-464d-bc28-d0226742b356.png" xlink:type="simple"/></inline-formula>implies the users, <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\34ac1222-681b-4924-a9ef-a31eb4057509.png" xlink:type="simple"/></inline-formula>the operations used by the users,<inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\2469fcc2-8e45-4023-9727-46368dd0f848.png" xlink:type="simple"/></inline-formula>—the score value of the <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\fe5f1f74-f976-4e8d-a9eb-d369cfedd275.png" xlink:type="simple"/></inline-formula>-th operation used by the <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\a04ee93a-d2f1-4239-b57a-11a663024da5.png" xlink:type="simple"/></inline-formula>-th user. This assumption can be represented as follows in figure 2:</p><p>In order to get the cloud feature vector <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\4c402258-3763-4004-94f5-0577ef0d4a13.png" xlink:type="simple"/></inline-formula> of the user we need a backward cloud generator.</p><p>Assume that a set of score values used operations denoted as<inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\c03378b4-71f5-40de-88fb-e408c12d0282.png" xlink:type="simple"/></inline-formula>. Then an algorithm to determine the digital value <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\df0a8f47-9e0b-4f56-ac8d-1bb3d310b3e2.png" xlink:type="simple"/></inline-formula> can be constructed as follows:</p><p>Input: a set of score values of operations <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\d4389736-1772-4974-a213-ab6364765a66.png" xlink:type="simple"/></inline-formula></p><p>Output: <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\c1c6ff01-2010-4f90-9836-931713713259.png" xlink:type="simple"/></inline-formula>numerical characteristics 1) The calculation of the average <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\4e8e0958-f259-41c1-82fc-c5b174172831.png" xlink:type="simple"/></inline-formula> score value, according to score value of the number of <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\f32f0b5a-93c2-4900-b394-4dc60b898db8.png" xlink:type="simple"/></inline-formula> operations applied by the user</p><disp-formula id="scirp.45019-formula115857"><label>(1)</label><graphic position="anchor" xlink:href="htmlimages\5-7800186x\30a474d6-c5d0-4ad1-b145-676ceed3237c.png"  xlink:type="simple"/></disp-formula><p>2) Absolute central moment calculation</p><disp-formula id="scirp.45019-formula115858"><label>(2)</label><graphic position="anchor" xlink:href="htmlimages\5-7800186x\6d5d4201-0cc4-4fb9-b377-e19f3791d89c.png"  xlink:type="simple"/></disp-formula><p>3) The calculation of the variance of the event</p><disp-formula id="scirp.45019-formula115859"><label>(3)</label><graphic position="anchor" xlink:href="htmlimages\5-7800186x\5d45c022-58d5-45ed-a630-e7e9f0038d6f.png"  xlink:type="simple"/></disp-formula><p>4) The calculation of the mean operation value</p><disp-formula id="scirp.45019-formula115860"><label>(4)</label><graphic position="anchor" xlink:href="htmlimages\5-7800186x\63481eef-5959-4dd9-909f-32d45d2f60c3.png"  xlink:type="simple"/></disp-formula><p>5) The calculation of the dispersion of operations</p><disp-formula id="scirp.45019-formula115861"><label>(5)</label><graphic position="anchor" xlink:href="htmlimages\5-7800186x\fa065caa-aa7e-42ff-ba1b-deb6b49ec5f8.png"  xlink:type="simple"/></disp-formula><p>6) The calculation of the entropy</p><disp-formula id="scirp.45019-formula115862"><label>(6)</label><graphic position="anchor" xlink:href="htmlimages\5-7800186x\df79c567-51ea-4bf2-ae73-9c391ac656fa.png"  xlink:type="simple"/></disp-formula><p>In this work the characteristic vector <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\57ac0b5c-195d-4a10-829e-64f0986c9ac7.png" xlink:type="simple"/></inline-formula> of the user cloud is determined by the above mentioned algorithm.</p></sec></sec><sec id="s4"><title>4. Detecting Anomalous Behavior</title><p>For the detection of the anomalous behavior in the cloud infrastructure first of all let us provide comparison of the cloud vectors. Let the vector <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\c28cb0ce-90a5-47c7-8470-8d82b926eecb.png" xlink:type="simple"/></inline-formula> present the cloud of <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\ad28b1c8-fef3-444e-b8cb-1482b41943dc.png" xlink:type="simple"/></inline-formula>-th user, then the similarity between the <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\ccbf096a-2c14-464f-9f3e-c8ae7994dfc6.png" xlink:type="simple"/></inline-formula>-th and the <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\b47805a9-a0a9-47dc-b39b-82a2ff4b98a4.png" xlink:type="simple"/></inline-formula>-th users is labeled as <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\2a210b29-a755-48d2-8d82-8ce06ff98b61.png" xlink:type="simple"/></inline-formula> and is calculated as follows:</p><disp-formula id="scirp.45019-formula115863"><label>(7)</label><graphic position="anchor" xlink:href="htmlimages\5-7800186x\0b1e2f33-2311-4757-8e71-c749beb14c0d.png"  xlink:type="simple"/></disp-formula><p>where<inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\5f78c192-d5b7-493e-961d-0bcf3c174db7.png" xlink:type="simple"/></inline-formula>.</p><p>After the calculation of the similarity measure the detection module in <xref ref-type="fig" rid="fig1">Figure 1</xref> classifies the input vector and identifies the access as normal or anomalous. For the implementation of this process the following method is proposed.</p></sec><sec id="s5"><title>5. Classifying User Behavior</title><p>It should be noted here that even between the input data of the user and his own profile deviation cases can be take place. In order to accept the decision about normal or anomalous accesses it is necessary to calculate the degree of this deviation value. This deviation value can be calculated via following filtration formula:</p><disp-formula id="scirp.45019-formula115864"><label>(8)</label><graphic position="anchor" xlink:href="htmlimages\5-7800186x\cdb07c43-b96a-4d31-8b06-4d08cc6c03dd.png"  xlink:type="simple"/></disp-formula><p>Here<inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\8ca68403-29e9-4a7c-834d-f833c7b240c5.png" xlink:type="simple"/></inline-formula>—is a weight ratio, which represents the similarity value between the <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\8c9db621-4afe-4a43-b707-5fb63adfa1e9.png" xlink:type="simple"/></inline-formula>-th and the <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\86f10043-35a0-4642-9e94-6ae1fed1d2d8.png" xlink:type="simple"/></inline-formula>-th users;<inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\12aa84fc-6322-4c01-b893-4da1cee89229.png" xlink:type="simple"/></inline-formula>—is a score value of the <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\05fe9145-ddc7-4d11-b600-c15b31b72cf9.png" xlink:type="simple"/></inline-formula>-th operation used by the <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\bcc1b1b3-0d91-4391-8ffa-4ee8b712bbca.png" xlink:type="simple"/></inline-formula>-th user.</p><p>The classification of the users here fulfilled on the basis of the threshold value accepted in the system. If <inline-formula><inline-graphic xlink:href="tmlimages\5-7800186x\fdf38138-eedf-4b8f-9454-eb1dcf12177d.png" xlink:type="simple"/></inline-formula> becomes less than the threshold value, then the system evaluates the user as genuine, otherwise he is evaluated as anomalous.</p><p>The operation flow (<xref ref-type="fig" rid="fig3">Figure 3</xref>) that covers the above cases can be constructed as follows:</p></sec><sec id="s6"><title>6. Existing Masquerade Datasets</title><p>There are numbers of datasets which enable to evaluate the performance of the masquerader attack detection techniques.</p><p>SEA dataset. Most papers about the masquerader detection use this dataset [<xref ref-type="bibr" rid="scirp.45019-ref14">14</xref>] with its associated configuration. The SEA consists of the commands collected from the UNIX account audit data. Among all fields of audit data provided by account only the username and the command were taken. The data describe 50 different users each issuing 15,000 commands. The first 5000 commands are considered as genuine. The remaining 10,000 commands of each user are divided into 100 blocks consisting of 100 commands each.</p><p>Greenberg dataset. This dataset [<xref ref-type="bibr" rid="scirp.45019-ref15">15</xref>] contains the data from 168 UNIX users. Users are classified into four groups: novice programmers, experienced programmers, computer scientists and non-programmers. The data are stored in the plain text files that record the following information: the session start and end times, the command line as entered by the user, the current working directory, any alias expansion of the previous command, an indication whether the line entered has a history expansion or not, and any error detected in the command line.</p><p>Purdue University dataset. Purdue or just PU dataset [<xref ref-type="bibr" rid="scirp.45019-ref16">16</xref>] consists of the UNIX command histories of 4 users of the Purdue Millennium Lab, collected in four months. A few works use this dataset and this may be due to its low number of users.</p><p>RUU dataset. This dataset was collected by Columbia IDS group [<xref ref-type="bibr" rid="scirp.45019-ref17">17</xref>] and consists of Windows commands. The dataset was collected from 34 normal volunteer users and 14 masquerade users. They model how normal users typically search a file system and use these models to detect the unusual searches that may be considered as masquerades. The dataset includes the records of the search conducted by the masquerader who should perform a specific task to find any data useful for his financial gain on a previously unknown file system within 15 minutes.</p><p>This datasets suffer partially or fully from the several deficiencies which prevent their adoption for the cloud environments. In this perspective, their most significant weakness is the lack of real masquerade data. No command sequence was issued by the attackers, only the RUU dataset includes the real masquerades but they are predefined limited scenario. The main shortcomings of these datasets are:</p><p>• The cloud systems are heterogeneous and the user audits may be distributed among VMs running distinct (e.g., Windows, Linux, and network) operating systems.</p><p>• The absence of the command arguments and other useful details such as when the user commands were issued, the duration of each user’s session and the type of operations implemented by the users in the system.</p><p>• They are not suitable for training or testing any cloud detection systems because of their small size.</p><p>• Any efficient Cloud dataset should coverage for attacks in all cloud service models (SaaS, PaaS, and IaaS).</p><p>At present, there is no standard dataset allowing to test the masquerade attacks detection techniques in the cloud infrastructure. This relates to a necessity of special tools for the access of the cloud infrastructure, a necessity of special permissions, with distributions of audit data across different environments (e.g., Windows, Linux, and network), with necessity of a huge size of the audit data for cloud systems (more than 20 GB). At feature it would be significant to provide investigations in this area to create such datasets.</p></sec><sec id="s7"><title>7. Conclusion</title><p>In this paper, for the detection of the masquarade attacks in the cloud infrastructure collaborative filtering algorithm based on the cloud model is proposed. One of the advantages of this model is the identification of the similarity between the users on the basis of the cloud model. While using the similarity measurement method based on the cloud model, it does not require a strict comparison between the score value of operations used by different users. Here we provide the calculation of the statistic features of the score values of all operations used by the user at the access point, then we provide a comparison of statistics features of the input data and based on these we determine the similarity between the input data.</p></sec><sec id="s8"><title>8. Future Work</title><p>Future work will focused on providing experiments to prove the effectiveness of implementation of collaborative filtering algorithm constructed on the cloud model onto illegal access detection problem in the cloud computing environment.</p></sec></body><back><ref-list><title>References</title><ref id="scirp.45019-ref1"><label>1</label><mixed-citation publication-type="other" xlink:type="simple">Cloud Security Alliance (2010) Top Threats to Cloud Computing.  
https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf</mixed-citation></ref><ref id="scirp.45019-ref2"><label>2</label><mixed-citation publication-type="other" xlink:type="simple">Salem, M.B. and Stolfo, S.J. (2011) Data Collection and Analysis for Masquerade Attack Detection: Challenges and Lessons Learned. Columbia University Computer Science Technical Reports, Columbia University, 8 p.</mixed-citation></ref><ref id="scirp.45019-ref3"><label>3</label><mixed-citation publication-type="other" xlink:type="simple">(2010) 2010 Cybersecurity Watch Survey: Cybercrime Increasing Faster than Some Company Defenses. CERT, 17 p.</mixed-citation></ref><ref id="scirp.45019-ref4"><label>4</label><mixed-citation publication-type="other" xlink:type="simple">Arrington, M. (2009) In Our Inbox: Hundreds of Confidential Twitter Documents.  
http://techcrunch.com/2009/07/14/in-our-inbox-hundreds-of-confidential-twitter-documents/</mixed-citation></ref><ref id="scirp.45019-ref5"><label>5</label><mixed-citation publication-type="other" xlink:type="simple">Takahashi, D. (2010) French Hacker Who Leaked Twitter Documents to TechCrunch Is Busted.  
http://venturebeat.com/2010/03/24/french-hacker-who-leaked-twitter-documents-to-techcrunch-is-busted/</mixed-citation></ref><ref id="scirp.45019-ref6"><label>6</label><mixed-citation publication-type="other" xlink:type="simple">Danchev, D. (2009) ZDNET: French Hacker Gains Access to Twitter’s Admin Panel.  
http://www.zdnet.com/blog/security/french-hacker-gains-access-totwitters-admin-panel/3292</mixed-citation></ref><ref id="scirp.45019-ref7"><label>7</label><mixed-citation publication-type="other" xlink:type="simple">Allen, P. (2010) Obama’s Twitter Password Revealed after French Hacker Arrested for Breaking into U.S. President’s Accoun.  
http://www.dailymail.co.uk/news/article-1260488/Barack-Obamas-Twitter-password-revealed-French-hacker-arrested.html</mixed-citation></ref><ref id="scirp.45019-ref8"><label>8</label><mixed-citation publication-type="other" xlink:type="simple">Lane, T. and Brodley, C.E. (1997) Sequence Matching and Learning in Anomaly Detection for Computer Security. Proceedings of the AAAI Workshop on AI Approaches to Fraud Detection and Risk Management, AAAI Press, 43-49.</mixed-citation></ref><ref id="scirp.45019-ref9"><label>9</label><mixed-citation publication-type="other" xlink:type="simple">Alguliev, R.M. and Abdullayeva, F.C. (2013) Identity Management Based Security Architecture of Cloud Computing on Multi-Agent Systems. Proceedings of the Third International Conference on Innovative Computing Technology, London, 29-31 August, 123-126. http://dx.doi.org/10.1109/INTECH.2013.6653643</mixed-citation></ref><ref id="scirp.45019-ref10"><label>10</label><mixed-citation publication-type="journal" xlink:type="simple"><name name-style="western"><surname>Eliquliyev</surname><given-names> R.M. and Abdullayeva</given-names></name>,<name name-style="western"><surname> F.C. </surname><given-names>  </given-names></name>,<etal>et al</etal>. (<year>2013</year>)<article-title>Bulud texnologiyalarenen tehlükesizlik problemlerinin tedqiqi ve analizi</article-title><source> Informasiya Texnologiyalare Problemleri</source><volume> 1</volume>,<fpage> 3</fpage>-<lpage>14</lpage>.<pub-id pub-id-type="doi"></pub-id></mixed-citation></ref><ref id="scirp.45019-ref11"><label>11</label><mixed-citation publication-type="other" xlink:type="simple">Coull, S.E., Branch, J., Szymanski, B. and Breimer, E. (2003) Intrusion Detection: A Bioinformatics Approach. Proceedings of the 19th Annual Computer Security Applications Conference, Las Vegas, 8-12 December 24-33.</mixed-citation></ref><ref id="scirp.45019-ref12"><label>12</label><mixed-citation publication-type="other" xlink:type="simple">Coull, S.E. and Szymanski, B.K. (2008) Sequence Alignment for Masquerade Detection. Computational Statistics and Data Analysis, 52, 4116-4131. http://dx.doi.org/10.1016/j.csda.2008.01.022</mixed-citation></ref><ref id="scirp.45019-ref13"><label>13</label><mixed-citation publication-type="other" xlink:type="simple">Stolfo, S.J., Salem, M.B. and Keromytis, A.D. (2012) Fog Computing: Mitigating Insider Data Theft Attacks in the Cloud. Proceedings of the IEEE Symposium on Security and Privacy Workshops, San Francisco, 125-128.</mixed-citation></ref><ref id="scirp.45019-ref14"><label>14</label><mixed-citation publication-type="other" xlink:type="simple">http://www.schonlau.net/intrusion.html</mixed-citation></ref><ref id="scirp.45019-ref15"><label>15</label><mixed-citation publication-type="other" xlink:type="simple">Greenberg, S. (1988) Using Unix: Collected Traces of 168 Users. Report, University of Calgary.</mixed-citation></ref><ref id="scirp.45019-ref16"><label>16</label><mixed-citation publication-type="other" xlink:type="simple">Lane, T. and Brodley, C.E. (1997) An Application of Machine Learning to Anomaly Detection. Proceedings of the 20th National Information Systems Security Conference, 14 February, 366-380.</mixed-citation></ref><ref id="scirp.45019-ref17"><label>17</label><mixed-citation publication-type="other" xlink:type="simple">Salem, M.B. and Stolfo, S.J. (2011) Modeling User Search Behavior for Masquerade Detection. Proceedings of the 14th International Conference on Recent Advances in Intrusion Detection, 181-200.</mixed-citation></ref></ref-list></back></article>