
Cloud-of-Things meets Mobility-as-a-Service

Published: 01 May 2018

Abstract

Mobility-as-a-Service (MaaS) applies the everything-as-a-service paradigm of Cloud Computing to transportation: a MaaS provider offers its users the dynamic composition of solutions of different travel agencies through a single, consistent interface. Traditionally, transits and data on mobility belong to a scattered plethora of operators. Thus, we argue that the economic model of MaaS is that of federations of providers, each trading its resources to coordinate multi-modal solutions for mobility. Such flexibility comes with many security and privacy concerns, of which insider threat is one of the most prominent. In this paper, we revise and extend previous work in which we classified the potential threats of individual operators and markets of federated MaaS providers, proposing appropriate countermeasures to mitigate the problems. In addition, we consider the emerging case of Cloud-of-Things (CoT) for mobility, i.e., networks of ubiquitous, pervasive devices that provide real-time data on objects and people. The automation and pervasiveness of CoT create an additional attack surface for insiders. In an effort to limit this phenomenon, we present an overlay networking architecture, based on gossip protocols, that lets users share information on mobility with each other. A peculiarity of the architecture is that it both constrains the quality and quantity of data obtainable by insiders and optimizes the routing of requests to involve only users that are able to answer them.

Published In

Computers and Security, Volume 74, Issue C
May 2018
398 pages

Publisher

Elsevier Advanced Technology Publications

United Kingdom

Author Tags

  1. Cloud-of-Things
  2. Federated platforms
  3. Insider threat
  4. Internet-of-Things
  5. Mobility-as-a-Service

Qualifiers

  • Research-article

Cited By

  • (2024) Privacy-Preserving Federated Deep Reinforcement Learning for Mobility-as-a-Service, IEEE Transactions on Intelligent Transportation Systems, 25:2 (1882-1896), doi:10.1109/TITS.2023.3317358. Online publication date: 1-Feb-2024
  • (2024) Multi-Agent Reinforcement Learning-Based Passenger Spoofing Attack on Mobility-as-a-Service, IEEE Transactions on Dependable and Secure Computing, 21:6 (5565-5581), doi:10.1109/TDSC.2024.3379283. Online publication date: 1-Nov-2024
  • (2023) Enhanced-Longest Common Subsequence based novel steganography approach for cloud storage, Multimedia Tools and Applications, 82:5 (7779-7801), doi:10.1007/s11042-022-13615-3. Online publication date: 1-Feb-2023
  • (2019) An OMA lightweight M2M-compliant MEC framework to track multi-modal commuters for MaaS applications, Proceedings of the 23rd IEEE/ACM International Symposium on Distributed Simulation and Real Time Applications (215-222), doi:10.5555/3395101.3395140. Online publication date: 7-Oct-2019
