Forensics Journal - Stevenson University 2015 | Page 29
to be trustworthy service providers. Some malicious cloud providers
may not offer trustworthy services, and as a result, have access to the
sensitive information the consumers are storing on the cloud server.
dependent on their databases. If a current database possesses up-to-date signatures and hacker techniques, then a signature-based system
is extremely efficient in detecting network intrusions (Brox, 2002).
Despite its efficiency in detecting network intrusions, the signature-based system does have shortcomings. The first disadvantage is that
attackers continually learn new techniques to access networks. If
the signature is not stored in the IDS database, the IDS will not be able to
detect the attack and alert the network administrator (Brox, 2002).
The second disadvantage is the lag time it takes to identify the attacks.
If the threat does not match any of the current signatures in the
database, the attack may go undetected for an increased amount of
time before it is identified (Brox, 2002).
THE IMPORTANCE OF SECURITY IN THE CLOUD
Cloud-based networks are becoming a critical component of
the nation’s economy. For cloud providers, security is an integral
component of their business plan: adequate fraud detection and
prevention measures reassure the customer base. Customers will
not want to store data or financial information where a potential
theft threat exists. Many users and businesses generate large amounts
of data on a daily basis. According to ScienceDaily.com, “90% of
all the data in the world has been generated over the last two years”
(SINTEF, 2013). More data equates to a higher risk of a data fraud
attack and a greater need for data security (Makryllos, 2014). The
cloud provider and user may fall victim to the costly consequences
of data fraud if proper security controls are not established.
Anomaly-based systems identify changes in a network. Network
administrators are able to adjust the security threshold so the IDS
does not generate an excessive amount of benign alerts. Anomaly-based systems require more hardware and skilled personnel
but ultimately provide more effective protection against hacker
intrusions (Brox, 2002). Because the anomaly-based system uses
the combination of hardware and skilled personnel, there is an
added element of defense to identify new and emerging types of
attacks (Brox, 2002). A common disadvantage with the system is
that it is more reliant on company personnel and is labor-intensive,
but the system’s effectiveness offers a valuable defense from
unauthorized intruders.
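
The two IDS types described on this page, shown side by side as an added example (not part of the original article). The signature patterns, the baseline request rates, the events and the standard-deviation threshold are all constructed assumptions chosen for illustration.

```python
from statistics import mean, stdev

# Stand-in for an IDS signature database (constructed patterns, not a real rule set).
SIGNATURES = {"sig-001": "/etc/passwd", "sig-002": "<script>"}

# Requests per minute from one client during normal operation (constructed baseline).
BASELINE = [42, 38, 45, 40, 44, 39, 41, 43, 37, 46]

# Constructed events: (minute, requests per minute, sample request line).
EVENTS = [
    (1, 41, "GET /index.html"),
    (2, 52, "GET /reports/q3.pdf"),         # busy but benign
    (3, 40, "GET /../../etc/passwd"),       # matches a stored signature
    (4, 310, "POST /api/export?all=true"),  # no stored signature, abnormal volume
]


def signature_alerts(events, signatures=SIGNATURES):
    """Map minute -> signature id for requests containing a stored pattern."""
    hits = {}
    for minute, _rate, request in events:
        for sig_id, pattern in signatures.items():
            if pattern in request:
                hits[minute] = sig_id
                break
    return hits


def anomaly_alerts(events, baseline=BASELINE, threshold=3.0):
    """Minutes whose rate lies more than `threshold` standard deviations from the baseline mean."""
    mu, sigma = mean(baseline), stdev(baseline)
    return [minute for minute, rate, _req in events if abs(rate - mu) / sigma > threshold]


if __name__ == "__main__":
    print("signature hits:", signature_alerts(EVENTS))
    for t in (3.0, 4.0):
        print(f"anomaly alerts at threshold {t}:", anomaly_alerts(EVENTS, threshold=t))
```

Minute 4 carries no stored pattern, so only the anomaly check reports it; raising the threshold from 3.0 to 4.0 drops the benign alert for minute 2.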
Security measures need to be stronger as cloud computing makes
its transition from a new technology to an everyday technology
(Makryllos, 2014). As technology advances, so do the tools and
techniques used for fraud (Makryllos, 2014). Strong fraud prevention
practices and detection techniques are necessary to maintain data
security and adapt to sophisticated data fraud attacks.
FRAUD DETECTION IN THE CLOUD
IDS are considered to be reactive security systems which require a
network intrusion before the intrusion is detected. As the technology
advances, the world of computer forensics has introduced a more
active intrusion detection system, the Network Forensic Analysis Toolkit
(NFAT) (Volonino, Anzaldua, & Godwin, 2007). NFAT systems are
used to “record network traffic related to an intrusion and provide the
tools to perform forensic analysis of the event” (Volonino, Anzaldua,
& Godwin, 2007). NFATs differ from IDS because NFATs are able
to recreate and record how the network intrusion occurred. This
feature is particularly beneficial for network administrators, such as
cloud providers. System administrators benefit from these tools by
recreating the incident to learn how the incident occurred and what
security measures could prevent the incident from occurring again in
the future (Volonino, Anzaldua, & Godwin, 2007).
The Internet and cloud-based networks are vulnerable infrastructures.
Advancements in technology allow criminals to target victims and
access an abundance of information and resources across the globe.
Because the Internet connects people on a global level, it is important
to maintain proper security measures in order to protect sensitive
information. An important factor in maintaining Internet security
is the ability to detect network threats and intrusions in a timely
manner. The market provides various tools and detection systems to
ensure that network intrusions are identified on a timely basis and
network security is maintained.
Intrusion detection systems (IDS) are used to detect unauthorized
users on a network by recognizing anomalies, out-of-the-ordinary
activity, or registering activity that differs from an established baseline
(Volonino, Anzaldua, & Godwin, 2007). A successful IDS is able
to recognize unauthorized use, misuse, and abuse occurring on a
computer network (Mukherjee, Heberlein, & Levitt, 1994). Intrusion
detection systems can be categorized into two types: signature-based
and anomaly-based.
Network Forensic Analysis Toolkits allow system administrators to
detect and monitor a network security breach in real-time. Because
the NFAT detects and monitors in real-time, this reduces the lag time
between a network attack and a detection alert. System administrators
may benefit from this by quickly identifying cyber intrusions
(Volonino, Anzaldua, & Godwin, 2007). NFAT systems allow
network administrators to protect the network from the attack while
it is occurring. With real-time detection systems, the administrators
have the ability to identify that an attack is occurring and attempt to
counter the attack before damage transpires (Volonino, Anzaldua, &
Signature-based systems, similar to antivirus software, attempt to
identify known threats by triggering the IDS when a particular threat
has the same signature as one of the threats in its database (Volonin