Towards port-knocking authentication methods for mobile cloud computing



Author’s Accepted Manuscript Towards Port-Knocking Authentication Methods for Mobile Cloud Computing Suleman Khan, Muhammad Shiraz, Laleh Boroumand, Abdullah Gani, Muhammad Khurram Khan www.elsevier.com/locate/jnca

PII: S1084-8045(17)30281-3
DOI: http://dx.doi.org/10.1016/j.jnca.2017.08.018
Reference: YJNCA1964

To appear in: Journal of Network and Computer Applications
Received date: 27 February 2017
Revised date: 1 August 2017
Accepted date: 25 August 2017

Cite this article as: Suleman Khan, Muhammad Shiraz, Laleh Boroumand, Abdullah Gani and Muhammad Khurram Khan, Towards Port-Knocking Authentication Methods for Mobile Cloud Computing, Journal of Network and Computer Applications, http://dx.doi.org/10.1016/j.jnca.2017.08.018

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting galley proof before it is published in its final citable form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

Towards Port-Knocking Authentication Methods for Mobile Cloud Computing

Suleman Khan a*, Muhammad Shiraz b, Laleh Boroumand c, Abdullah Gani c, Muhammad Khurram Khan d

a School of Information Technology, Monash University Malaysia
b Federal Urdu University of Arts, Science & Technology, Islamabad, Pakistan
c Center for Mobile Cloud Computing Research (C4MCCR), University of Malaya, Kuala Lumpur, Malaysia
d King Saud University, KSA
* Corresponding author: Suleman Khan ([email protected])

Abstract

Mobile cloud computing (MCC) is an increasingly popular research topic, partly due to the widespread adoption of mobile devices and cloud services among individual and organizational users. Security and privacy of data-at-rest and data-in-transit are two of several key issues that need to be addressed. Traditional authentication models employ third-party security monitoring, which generally requires complicated and resource-intensive mechanisms to ensure security. Such mechanisms are not well suited to MCC deployment, which therefore requires lightweight authentication methods. This paper reviews existing port-knocking authentication methods by analyzing the mechanism and classifying the methods into a thematic taxonomy. Current port-knocking authentication methods are compared on the basis of static or dynamic knock sequences and on their ability to counter Network Address Translation (NAT) knock and Denial of Service (DoS) knock attacks. Finally, we discuss the issues and challenges in implementing port-knocking for MCC.

Index Terms—Mobile Cloud Computing, Port-Knocking, Authentication, Denial-of-Services

1 INTRODUCTION

Recent advances in mobile computing technologies have resulted in significant increases in storage capacity, processing capacity, etc. Similarly, wireless network technologies are becoming much faster with lower latency (e.g. LTE) and are deployed in an increasing array of applications [1]. In recent years, smart mobile devices (SMDs) have replaced a number of handheld devices as all-in-one computing and communication devices. It is reported that an average of 1,600 new applications is uploaded to the app stores daily [2], and that an average SMD user downloads 37 applications per year [3]. These applications range from web browsing, communication, personal health tracking, mobile banking, and social networking to entertainment [4], [5], [6], [7]. However, despite recent advancements, hardware limitations in terms of storage capacity, processor power, battery life, etc. necessitate off-device storage and computation offloading. Cloud computing offers utility computing [8] with resource flexibility, agility, and scalability [9] for mitigating resource constraints on client devices, including SMDs. MCC employs off-device storage and computational offloading to cloud server nodes to alleviate the resource constraints of SMDs. However, a number of issues are associated with accessing the services and resources of computational clouds on demand, such as a lightweight application execution framework, scalability of services and resources, privacy of data stored in cloud data centers, and security of data communication in mobile cloud computing and similar environments such as the Internet of Things [10, 104, 105]. Security is challenging in mobile cloud computing because of its mobile nature, wireless access medium, heterogeneity of computing and communication environments, and the variety of client devices (and their specifications) [11,12]. Currently, authentication is employed as the primary security measure to guarantee that only the authorized user gains access to their domain of resources [2,13, 106, 107, 108].

Port-knocking [14] is an authentication method wherein a user's validity is evaluated by sending packets to a sequence of closed ports on the server; the order of the ports serves as the password. Applying port-knocking authentication to MCC provides a lightweight authentication mechanism that is compatible with the MCC structure and runs alongside other lightweight applications on SMDs. For example, the knowledge center of Rackspace [15], an open cloud company, reported that testing of port-knocking authentication on their cloud servers is ongoing. Port-knocking deployments need to take into consideration the nature of the cloud services (e.g. public or private cloud). Knock sequences are like passwords that usually remain private. However, unlike a password, knock sequences cannot be easily encrypted.

In this paper, we review existing port-knocking authentication methods published between 2009 and 2015 and present a thematic taxonomy. A total of 93 publications were located by searching Google Scholar and academic databases such as ScienceDirect, IEEE Xplore, and the ACM Digital Library, using keywords such as port-knocking authentication, port knocker, static and dynamic knocking. We then identify several challenges in implementing port-knocking for MCC as well as future research directions. The remainder of this paper is organized as follows. Section 2 describes fundamental concepts of MCC and authentication methods. Section 3 presents a thematic taxonomy for port-knocking and reviews the existing methods based on the taxonomy. Section 4 compares the methods with respect to their capability to eliminate the issues of basic port-knock authentication. Finally, Section 5 concludes this paper.

2 BACKGROUND

Mobile cloud computing is a distributed computing model that extends cloud computing by supporting mobility and delivering services to SMDs [16,17]. Sanaei et al. [18] define MCC as “The design of small, powerful devices enables mobility in wireless networks that support a trend toward computing on the go, known as mobile computing”, integrating several existing descriptions of MCC (see [8,19]). The uniqueness of MCC rests on rich mobile computing technology that leverages the unified elastic resources of varied clouds and network technologies toward unrestricted functionality, storage, and mobility to serve a multitude of mobile devices. Figure 1 illustrates a logical view of the communication between clients and cloud servers. In this figure, the request sent by the client is transferred in the form of a cloudlet over wireless network technology until it is received by a cloud broker [20,21]. The cloud broker is a module that distributes the incoming requests among cloud servers, retrieving information from the storage cloud or processing them in the computational cloud. Finally, the results are returned to the SMDs. Therefore, all processes that require complex operations are outsourced to the cloud end to enable intensive mobile applications on SMDs.

FIGURE 1 GENERAL MODEL OF MOBILE CLOUD COMPUTING

2.1 Mobile Cloud Computing: Challenges

Although MCC has considerable advantages, it has its own challenges, as presented schematically in Figure 2. The challenges are studied under three categories – client, communication, and cloud end.

2.1.1 Client Issues

Cloud users face security challenges arising from the use of mobile applications, namely mobile application security and privacy. The client-side issues are thus studied under two headings: mobile application security and user privacy.

Mobile application security: Although security for mobile applications could be provided easily by installing and running security software to detect threats, security scanning software is energy consuming. Therefore, this part of the operation could be assigned to the cloud, where malware detection as a service (MDaaS) is offered [22]. The CloudAV platform addresses this challenge by running the host agent as a lightweight process on the mobile device that stores file activity in its cache. If a file's identification is not found in the cache for verification, the agent transfers the file to the cloud for further analysis. The efficiency of this method improves during periods of high activity such as browsing and audio playback [23].

Privacy: User privacy might be violated by applications that employ tracking schemes based on Location Based Services (LBS) [24]. These tracking schemes support both indoor and outdoor tracking, performed through the use of sensors and Wi-Fi radio fingerprint methods [25] and of the Global Positioning System (GPS), respectively. To eliminate this issue, both [18] and [26] worked on the Location Trusted Server (LTS), which is placed between the mobile client and the LBS to gather information about users without identifying them.

2.1.2 Communication Issues

The second group of challenges belongs to the communication part and is classified into low bandwidth, availability, and heterogeneity.

Bandwidth: Bandwidth (BW) limitation is considered one of the main problems in communication channels because it affects the performance of the network. Sharing the available BW is a method that has often been proposed to overcome this issue [27]; for sharing, a distribution policy needs to be applied. The distribution policy determines how much BW from which network (e.g. WiMAX, Wi-Fi) and which portion of time is allocated to each user [28].

Availability: The second issue in this group is availability: the system remains accessible and usable even when it faces misbehaviour, so that authorized users are served on demand. Sometimes, traffic congestion, network failure and problems with signal coverage reduce the availability rate of MCC. Therefore, in some cases, mobile nodes that cannot connect to the cloud directly could use a neighbor's connectivity through ad-hoc behavior [29].

Heterogeneity: The heterogeneity of different radio access technologies (RATs; e.g. WiMAX, WLAN, and GPRS) is another issue. Therefore, MCC requires Heterogeneous Access Management (HAM) to control the allocation of radio resources across a wide range of RATs. Many factors affect HAM decisions, such as user location information [31], user preference [32], and service level agreements [33]. In [18], a study on heterogeneity in MCC is presented, which gives a clear view of heterogeneity and its challenges for MCC.

2.1.3 Cloud End Issues

Cloud-end issues are divided into offloading, security challenges (integrity and digital right management), enhancing efficiency, and context-aware applications [34, 35].

Offloading: The offloading mechanism refers to the process of migrating the computation-intensive parts of an application to the cloud while the application runs on a resource-scarce device such as a mobile phone or smartphone. Offloading an application towards cloud resources saves mobile energy in terms of battery lifetime [103]. The main issue with offloading is deciding when offloading should be done and which part of the application should be offloaded [36]. To cover the whole body of knowledge on application offloading, [10] categorizes application offloading frameworks into two groups – local [37,38] and centralized [39,40] resource utilization models – and compares them on the following parameters: scope of offloading; the approach to partitioning [112], which is dynamic [41,42] or static [43]; migration support; migration granularity, i.e. whether offloading happens at the application or at the system level [38][111]; developer support; pattern of migration; and execution monitoring, which can be centralized or decentralized [10].

Security: Although the claimed benefits of mobile cloud computing could convince an enterprise to choose MCC services, the security issues make it doubtful about fully outsourcing its resources and infrastructure. Wald [44] discussed the need to ask critical questions about cloud computing security. It is reported in [45] that users expect the MCC environment to support identification, privacy, integrity and the provision of service.

Integrity: Regardless of whether data modification happens intentionally or unintentionally, it reduces data accuracy. Therefore, cloud providers are responsible for supporting the integrity of the data. Moreover, some approaches check the integrity of data remotely; these were recently classified by [46], in which Remote Data Auditing (RDA) methods are categorized into three groups: Provable Data Possession (PDP)-based methods [47-49], Proof of Retrievability (PoR)-based methods [50], and Proof of Ownership (PoW)-based methods [51].

Digital Management: Digital content is distributed legally in the cloud, so content providers need to protect it from illegal access. They try to achieve this goal by using Mobile Digital Management (MDM) schemes. This type of management scheme should be considered for both mobile devices and data units [53].

Enhancing the Efficiency of Data Access: While users expect to access data efficiently, meeting their demand becomes increasingly challenging. Growth in cloud services leads to a dramatic increase in access requests, which signals to the provider the need for a practical scheme for efficient access [102,109]. This issue could be solved by concentrating on I/O operations and minimizing them [54,55]. Also, indexing and query formulation for massive data help in providing efficient access [56].

Context-aware applications: Context-aware applications are compatible and integrate with Context-aware Information Systems (CIS) [57]. Because of the frequent location and direction changes of mobile devices, this information is required by mobility management to make real-time decisions during the execution of an application [110]. The HandOver (HO) is the supporting process that decides to switch to any available communication link based on the information gathered in the initiation and preparation phases of the HO process [58]. However, dealing with context-aware applications in the MCC infrastructure is a challenging task.

2.2 Authentication of Mobile Cloud Computing

The authentication process is considered an agreement between service providers and enterprises to ensure that only authorized users can gain access to the resources and data. Authentication alone is inadequate for keeping clouds secure, but it is the primary mandatory step [59]. After it, the authorization domain of the user's activities is determined and the credit of the user is calculated in the accounting process. In [60], an authentication scheme is proposed for cloud users that combines implicit authentication [61] and TrustCube [62]. In the proposed scheme, whenever the web server receives a request from a mobile user, it redirects all the details of the request to the Integrated Authentication (IA) service. The IA service sends an inquiry based on the access policy and extracts the information to the IA server. A report is generated on the server, depending on the received inquiry, and transferred back to the IA service, where the final decision about the authentication is made and the result is sent back to the web server. Google provides Single Sign-On (SSO) [18], [63] to related applications in the cloud, wherein users authenticate once and the related information is used for the next attempt to access a related application. Although both of these methods provide an authentication phase, involving third parties in the authentication method is a drawback, since the repeated transfer of the information creates opportunities for a security breach.

3 REVIEW OF PORT-KNOCKING AUTHENTICATION METHODS

Port-knocking is a strategy used to grant remote access without requiring the port to be constantly left open. It works on ports that are controlled by a Firewall (FW) [64]. The FW exists in both software and hardware form and is located between the trusted and untrusted networks to control the flow of traffic, with enforcing the access control policy through its rules as its main goal. Whenever a packet arrives, the FW chooses one of the following actions – "Allow", "Reject" or "Drop" – based on the IP addresses and port numbers of both the source and the destination.

Figure 2 (schematic of MCC issues; only the figure's labels are recoverable here): Client Issues: Mobile App Security, Privacy. Communication Issues: Low Bandwidth, Availability, Heterogeneity. Cloud End Issues: Offloading, Security, Integrity, Data Access, Context-Aware, Digital Right Management.

FIGURE 2 ISSUE OF MOBILE CLOUD COMPUTING

The “Allow” action lets the packets cross the FW, and the user is given access to the requested service. Both the “Reject” and “Drop” actions prevent packets from crossing the FW, in non-silent and silent mode respectively. This means that when the FW rejects a packet it sends an ICMP-HOST-UNREACHABLE message back to the packet generator, so the user (or attacker) learns that a service is running but is not reachable. When the FW drops a packet, no notification is reported back to the user [65]. This drop action, which is employed by the port-knocking methods, is known as the silent authentication model.

Krzywinski [15] proposed a port-knocking authentication method that provides an extra lightweight layer of security for networks. In this method, the authentication process is performed on closed ports: clients (port knockers) send TCP synchronization (SYN) packets, to which no reply is expected, to specific closed ports of the server's FW in succession; this is called the knock process. Meanwhile, the server logs the incoming packets by storing their information in its buffers. The sequence of ports thus serves as a password. In other words, this method uses a secret key for authentication, namely a sequence of ports, which is defined statically or dynamically. Whenever the valid sequence is detected, an appropriate port is opened for the port knocker that generated the sequence and requires the service [14]. The simplest type of port-knocking authentication process is illustrated in Figure 3. In this figure, a personal computer acting as a port knocker starts the knocking process, which is expected to complete after sending four TCP SYN packets to port numbers 2345, 3456, 3478, and 4734 at the destination with IP address 175.139.128.11. In the simple version of port-knocking, a port sequence is defined statically for both the client and the server. A port-knock daemon on the server watches the buffers and checks the sequence once it is complete. If the port order matches the predefined sequence, an action is triggered on the server side based on the user's request, which could be a demand for SSH or HTTP.

Figure 3 Basic Port Knocking Authentication Model

Therefore, the port assigned to the request opens temporarily, and after another knock sequence is received the port closes again. Otherwise, the buffer is flushed and the memory space is deallocated. Hence, in this system the port is kept open on the user's demand for a period of time, and the vulnerability of the system is reduced in comparison with the situation in which ports always remain open to offer services to authorized users. The following factors point out the weaknesses of the simple port-knocking model and highlight the necessity of combining it with other security methods to make it more complex and secure. Table 1 lists these factors and their side effects.

Plain text port sequence: The packets sent to validate the user's identity carry the port number in plain text, which helps attackers find a valid sequence by simple traffic scanning or sniffing. Therefore, the port numbers need to be encrypted in transit.

Network Address Translation (NAT) knock: Network address translation, which maps a public IP to multiple local users, results in a well-known attack called the NAT-knock attack. In this case, when the server determines a valid sequence, a port is opened for the public IP address. Consequently, all users behind that public IP address can access the open port even if they are not permitted to use the services offered through it [66].

Denial of Service (DoS) knock attacks: The DoS knocking attack is considered a great concern in port-knocking. Attackers can send packets to random ports in the knocking range. The server allocates a buffer for monitoring the knock sequence because, in the first step, the validity of the user is not checked. Therefore, the server's buffers can be filled with incorrect requests sent by malicious users. DoS knock attacks degrade port-knocking performance through buffer overload [67,68].

Appropriate port range: The port range is a factor that affects performance if it is not chosen properly. If the selected range is too short, sniffers can find the range easily by capturing the traffic. On the other hand, a wide range increases the possibility of a DoS knocking attack. Balancing the range against attack prevention is an issue that is expected to be solved in an improved version of port-knocking [69].
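The following Python simulation is an added illustration of the buffering and matching just described; it is example code written for this review, not code from the paper or from any port-knock implementation. A static-plain knock daemon keeps the most recent knocks per source IP, compares that buffer with the Figure 3 sequence after every knock, discards knocks older than a timeout, and opens the service port for the source on a match. The knock port range, timeout, open duration and cap on tracked sources are assumed values; the constructed scenarios exercise the NAT-knock and DoS-knock weaknesses described above, together with out-of-order delivery.

```python
from collections import OrderedDict, deque

# Parameters for this example. The knock sequence is the one in the paper's Figure 3;
# the other values are assumptions chosen for the simulation, not taken from the paper.
KNOCK_SEQUENCE = (2345, 3456, 3478, 4734)
KNOCK_PORT_RANGE = range(2000, 5000)   # closed ports the daemon watches (assumed)
PROTECTED_PORT = 22                    # service opened after a valid sequence
KNOCK_TIMEOUT = 5.0                    # seconds allowed for a complete sequence (assumed)
OPEN_DURATION = 30.0                   # seconds the port stays open (assumed)
MAX_TRACKED_SOURCES = 1000             # bound on concurrent per-source buffers (assumed)


class StaticKnockDaemon:
    """Simulated static-plain knock daemon. It keeps the most recent knocks per
    source IP, compares that buffer with KNOCK_SEQUENCE after each knock, discards
    knocks older than KNOCK_TIMEOUT, and opens PROTECTED_PORT for the source IP
    when the buffer matches. Nothing is ever sent back to the knocker (silent model)."""

    def __init__(self, sequence=KNOCK_SEQUENCE):
        self.sequence = tuple(sequence)
        self.buffers = OrderedDict()   # src_ip -> deque of (dst_port, timestamp)
        self.open_until = {}           # src_ip -> time at which PROTECTED_PORT closes again

    def handle_syn(self, src, dst_port, ts):
        """Process one SYN to a closed port at time ts (seconds).
        Returns 'opened', 'buffered' or 'ignored'."""
        if dst_port not in KNOCK_PORT_RANGE:
            return "ignored"                       # outside the knock range: no buffer cost
        buf = self.buffers.get(src)
        if buf is None:
            # Every new source costs a buffer before its validity is known; this is the
            # DoS-knock weakness. Capping the number of buffers bounds that cost.
            if len(self.buffers) >= MAX_TRACKED_SOURCES:
                self.buffers.popitem(last=False)   # evict the oldest partial sequence
            buf = self.buffers[src] = deque(maxlen=len(self.sequence))
        # Flush knocks that are too old, so a stale partial sequence cannot be completed later.
        while buf and ts - buf[0][1] > KNOCK_TIMEOUT:
            buf.popleft()
        buf.append((dst_port, ts))
        if tuple(port for port, _ in buf) == self.sequence:
            del self.buffers[src]                  # buffer flushed once the sequence is used
            # The port is opened for the source IP only. Behind NAT, every host sharing
            # that public address now reaches it: the NAT-knock weakness.
            self.open_until[src] = ts + OPEN_DURATION
            return "opened"
        return "buffered"

    def is_open(self, src, ts):
        """True if PROTECTED_PORT is currently open for src (time-limited access)."""
        return self.open_until.get(src, 0.0) > ts

    def tracked_sources(self):
        return len(self.buffers)


def run_scenarios():
    """Constructed traffic exercising the daemon: a correct knock, an out-of-order knock,
    a knock completed after the timeout, and a flood of knocks from many sources."""
    daemon = StaticKnockDaemon()
    valid = [daemon.handle_syn("10.0.0.5", p, 1.0 + i) for i, p in enumerate(KNOCK_SEQUENCE)]
    reordered = (2345, 3478, 3456, 4734)           # second and third knock swapped in transit
    out_of_order = [daemon.handle_syn("10.0.0.6", p, 1.0 + i) for i, p in enumerate(reordered)]
    late_times = (1.0, 2.0, 3.0, 20.0)              # last knock arrives after KNOCK_TIMEOUT
    late = [daemon.handle_syn("10.0.0.7", p, t) for p, t in zip(KNOCK_SEQUENCE, late_times)]
    for i in range(5000):                           # DoS knock: 5000 sources, one port each
        daemon.handle_syn(f"flood-src-{i}", 2000 + i % 3000, 30.0)
    return {
        "valid_opened": valid[-1] == "opened" and daemon.is_open("10.0.0.5", 5.0),
        "out_of_order_opened": "opened" in out_of_order,
        "late_opened": "opened" in late,
        "tracked_after_flood": daemon.tracked_sources(),
        "closed_after_open_duration": not daemon.is_open("10.0.0.5", 4.0 + OPEN_DURATION + 1.0),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The flood scenario shows why the cap matters: without it the daemon would hold 5,000 buffers for sources that never complete a sequence, which is exactly the buffer overload the DoS-knock weakness describes. The NAT-knock weakness is visible in `is_open`, which is keyed on the source IP alone.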

TABLE 1 WEAKNESS OF A BASIC PORT-KNOCKING ON SECURITY & PERFORMANCE OF THE NETWORK

Weakness of simple port-knocking model | Effect on the network
Plain text port sequence | Increases the probability of sniffing and scanning the traffic by attackers. (Security problem)
Network Address Translation (NAT) knock | Decreases the security due to opening the services for all mapped IP users. (Security problem)
Denial of Service (DoS) knock attacks | Buffer overloading due to the malicious user's requests. (Performance problem)
Selecting the appropriate range of ports | Selecting a short range leads to capturing the traffic. Selecting a wide range causes the DoS knocking attack. (Security problem)
Out of order packet delivery | Causes misbehaviour of user validation. (Performance, Security problem)
Lack of association between authentication and connection | Hijacks the connection by blocking further transmission from a user. (Security problem)
The host behind the firewall | Authorized users' malfunction due to not having adequate permission. (Performance problem)

Out of order packet delivery: The sequence of ports is used to evaluate the validity of authorized users. In high-traffic Internet backbone routers, the probability that packets are delivered in sequence is not high [70].

Lack of association between authentication and connection: The gap between the start of the connection and the opening of the port (port-knocking) gives an attacker the opportunity to hijack the connection by blocking further transmission from the user [70].

The host behind the Firewall (FW): In some cases, users without administrator privileges cannot gain access to the closed ports of hosts located behind the firewall. Therefore, this leads to a malfunction in the knocking process.

Advanced port-knocking methods are employed to address the above issues of simple port-knocking methods [62].

3.1 Compatibility of Port-Knocking for Mobile Cloud Computing

This section presents a theoretical discussion on integrating port-knocking authentication with MCC. Figure 4 shows the MCC model in which the client's request is transferred to the Cloud Gateway (CGW), which is located between the client and the cloud end (cloud servers). The CGW has a firewall and an intrusion detection system as well as servers. Also, for each VM hosted on each server, a virtual firewall is expected to be configured to monitor the traffic based on its rules [100], [101]. Therefore, MCC has the potential to be secured by port-knocking authentication. Using this authentication method eliminates the involvement of the third parties used in previous methods. Further, port-knocking authentication is flexible enough to combine with other security concepts according to the level of security required by the applications.

Figure 4 Port Knocking in Mobile Cloud Computing Environment

In addition, there is no concern about the complexity of the aggregate security model, owing to the security-as-a-service offered by the MCC servers. This kind of service is suitable for SMDs, whose CPU and battery have limited capacity to handle complicated operations promptly. Furthermore, this kind of authentication integrates with a heterogeneous environment in which various types of SMD connect to the servers, because the port knocker software is simple to install and configure. Therefore, both the client and the server side are compatible with the port-knocking authentication model. In MCC, when a smart device starts the authentication process as a port knocker, the CGW receives the mobile user's request. In each packet, a static passphrase defined in both the port knocker and the CGW is used to verify the validity of the packets, in addition to the sequence of ports knocked. If the port-knocking process completes successfully, the service broker module in the CGW decides which server is capable of answering the user's request and the second phase of authentication is triggered; otherwise the request is dropped and the buffer flushed. In the second phase, another port-knock process is triggered in which the CGW is the port knocker and the cloud server monitors the knock sequence. Three dynamic knocks are transferred to the cloud server's firewall to pass this stage, and the passphrase is selected randomly from a passphrase pool. Finally, a VPN connection is established to provide a safe connection. The connection remains valid for a predefined period, after which the session is closed. If the client wants to keep using the connection, a SYN packet is transferred before termination.

The proposed model has the following advantages:
- The method is platform and application independent, which means that any SMD with the correct client software can take advantage of its protection.
- It helps to eliminate DoS-knocking and NAT-knocking through the use of a passphrase and a VPN connection.
- It distributes the authentication process between cloud servers, each of which has its own firewall and intrusion detection system.
- It prevents security breaches by eliminating the third party.

Notwithstanding the advantages of port-knocking, the port range issue has not been investigated yet. This issue is therefore challenging for MCC, which gives resource-constrained SMDs access to a wide range of services and resources in cloud data centers. Allocating a short range to the port-knocking process makes it vulnerable by increasing the chance that sniffers capture and decrypt the packets and find the port sequences. Moreover, selecting a long range requires more buffers to monitor it and imposes a load on the server side.

3.2 Taxonomy of Port-Knocking Authentication Methods

Figure 5 depicts the proposed thematic taxonomy of port-knocking authentication methods, which are categorized by static or dynamic knock sequences. Static knock sequence methods use ports predefined in the initialization step; afterwards, the port knocker uses the same sequence for every connection to the server [71]. Dynamic methods use random generator modules on both the client and the server to authenticate. The packets and the key of the random generating algorithm are transferred to the destination ports [72], [14]. The random generator module on the server side regenerates the sequence from the received key and compares it with the buffered sequence. Hence, dynamic methods promise a high level of security, along with higher complexity [14]. The static and dynamic knock sequence methods are further categorized by the type of knock sequence used (plain or cipher). Advanced port-knocking methods, which use encrypted knock sequences instead of the plain ones used in the primary port-knocking methods, are classified into the static-cipher or dynamic-cipher groups [71,73,74]. At this level of classification, methods in the dynamic-cipher group are highly secure compared with plain knock sequence methods. The final level classifies the methods by their ability to withstand the NAT and DoS attacks mentioned among the challenges of the basic port-knocking method. Methods that cover both of these attacks and also belong to the cipher-dynamic branch count as the most powerful port-knocking methods, because the encryption they use renders the network immune to NAT and DoS attacks [70].

FIGURE 5 TAXONOMY OF PORT KNOCKING AUTHENTICATION METHODS

Section 3.2.1 below gives scenario-based examples of the port-knocking process on the client and server sides, to aid understanding of the port-knocking schemes described in the remaining sections.

FIGURE 6 PORT KNOCKING PROCESS ON THE CLIENT SIDE

3.2.1 Port Knocking Process Examples

This section describes the port-knocking process through scenario-based examples for both the client and server sides. Figure 6 illustrates the steps of the port-knocking process on the client side, while Figure 7 illustrates the steps on the server side.

Port knocking process at the client side: A user who wants to use SSH on port 22 must first be authenticated by port knocking. The port knocking configuration file sets a knock sequence of three ports. In the static knock case, TCP packets must be sent in order to port numbers 2345, 2567 and 3743 to verify the user as an authorized one. In the dynamic knock case, the port numbers are generated randomly in the range 2000 to 4000, and the port knocker sends its TCP packets to the generated ports in the server's knock module. Figure 6 shows the flowchart of the port knocking authentication process on the client side. The flowchart covers both the static and the dynamic port knocking method; therefore, the first step checks whether the knocking process is performed statically or dynamically. In the static method, the fixed port numbers are fetched from the configuration file. If the static knocking uses a cipher knock sequence, the port numbers are encrypted with an encryption key, and the three knock packets are transferred to the server together with the encryption key. Otherwise, the plain knock sequence is transferred to the server, and the client waits to be verified by the server. If the knocking process is dynamic, the random generator module generates three random port numbers. If a cipher knocking method is used, the random numbers are encrypted as well. Then the authentication packet, the random generator key and the encryption key are transferred to the server, and the user waits for confirmation of the result.

Port knocking process at the server side: Figure 7 shows the flowchart of the port knocking authentication process on the server side. A knock module in the server monitors the ports allocated to the knocking process and buffers the incoming traffic. When the port knocker has completed the knocking, the module compares the knock sequence with the predefined sequence in the case of static knocking; in the case of dynamic knocking, it regenerates the sequence from the random generator key and compares it with the received one. A positive comparison indicates a valid user; therefore, the server sends an acknowledgment packet to the authenticated client and opens port 22 for the SSH service. The following sections review the advanced port-knocking methods according to the proposed taxonomy. Advanced port-knocking methods combine the basic port knock with other security methods, or attach additional features to basic port knocking to make it more secure.
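The client and server steps just described, as an added worked example that is not code from the paper: a Python model of the server-side knock module that buffers knocks per source IP and compares them with the expected sequence, in static mode using the paper's ports 2345, 2567 and 3743, and in dynamic mode regenerating the sequence from the random generator key carried in the client's authentication packet. Knock packets are abstracted to (source IP, destination port) pairs; the use of a seeded PRNG to regenerate the dynamic sequence and the names KnockDaemon, knock and allows are assumptions of this example.

```python
from collections import defaultdict
import random

SSH_PORT = 22
STATIC_SEQUENCE = (2345, 2567, 3743)   # the paper's static example sequence
DYNAMIC_RANGE = (2000, 4000)           # the paper's dynamic port range
KNOCK_LENGTH = 3


def dynamic_sequence(generator_key, length=KNOCK_LENGTH):
    """Regenerate the dynamic knock sequence from the random generator key.
    Assumption (not specified in the paper): both sides seed the same
    deterministic PRNG with the key carried in the authentication packet."""
    rng = random.Random(generator_key)
    return tuple(rng.randint(DYNAMIC_RANGE[0], DYNAMIC_RANGE[1])
                 for _ in range(length))


class KnockDaemon:
    """Server-side knock module: buffers knocks per source IP and opens the
    SSH port for a source whose knocks match the expected sequence."""

    def __init__(self, mode="static"):
        assert mode in ("static", "dynamic")
        self.mode = mode
        self.buffer = defaultdict(list)   # src_ip -> ports knocked so far
        self.generator_keys = {}          # src_ip -> generator key (dynamic mode)
        self.open_ports = set()           # (src_ip, port) pairs the firewall allows

    def authentication_packet(self, src_ip, generator_key):
        """Dynamic mode: the client's authentication packet carries the
        random generator key the server uses to regenerate the sequence."""
        self.generator_keys[src_ip] = generator_key

    def expected_sequence(self, src_ip):
        if self.mode == "static":
            return STATIC_SEQUENCE
        key = self.generator_keys.get(src_ip)
        return None if key is None else dynamic_sequence(key)

    def knock(self, src_ip, dst_port):
        """Record one knock packet (abstracted to source IP and destination
        port). Returns True only on the knock that completes a valid
        sequence; a wrong knock discards the buffered attempt."""
        expected = self.expected_sequence(src_ip)
        if expected is None:
            return False                  # no generator key for this source
        buf = self.buffer[src_ip]
        buf.append(dst_port)
        if tuple(buf) != expected[:len(buf)]:
            del self.buffer[src_ip]       # wrong port or wrong order: start over
            return False
        if len(buf) < len(expected):
            return False                  # keep waiting, no acknowledgment yet
        del self.buffer[src_ip]
        self.open_ports.add((src_ip, SSH_PORT))
        return True

    def allows(self, src_ip, port):
        """What the firewall rule checks for a later SSH connection."""
        return (src_ip, port) in self.open_ports
```

The allows check stands for the firewall rule the server installs for port 22 after a successful knock. A knock to the wrong port silently discards the buffered attempt, and in dynamic mode a source that has not sent an authentication packet has no expected sequence at all, so its knocks are never matched.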

3.2.2 Static Knock Sequence Methods

The static knock sequence methods are divided into two main categories, the static plain port knock sequence and the static cipher port knock sequence, as shown in the proposed taxonomy in Figure 5. The static plain port knock sequence method is the basic port-knocking authentication: packets are sent sequentially to predefined closed ports, and the knock module on the server side buffers them without sending any acknowledgment. The module then compares the sequence of packets with the predefined closed ports; if they match, the authentication has succeeded. The port sequence is not encrypted and the same predefined sequence is used for every connection attempt; hence this is known as the static plain port knock method. In the static cipher port knock sequence method, by contrast, cryptographic hashes are used inside the port knock sequence. This helps prevent the knock from being recovered by sniffing the packets in transit from the source to the destination system, and it makes it harder for attack traffic to reuse captured port knock sequences in a replay. Many methods use static cipher port knocking, which keeps the knock packets safe from being spoofed. In the rest of this section, we evaluate the static cipher port knock sequence methods in detail.

Static-Cipher Knock Methods: Silent knock [73] combines TCP steganography [75] with a fast cryptographic Message Authentication Code (MAC) [76]. It offers lightweight authentication that imposes minimal computational overhead on the system. A MAC is a short piece of information that provides both authentication and integrity of a message. It is generated by a block cipher, which operates on n-bit blocks of data and uses a symmetric secret key [77].

Silent knock consists of two programs, knockd and knockproxy. knockd is deployed on the server side between the TCP/IP stack and the client. When a client sends a SYN packet, knockd verifies it based on the source IP address, retrieving the stego text with a steganographic algorithm and a counter that belongs to that IP address. If the verification succeeds, the packet passes knockd and reaches the TCP/IP stack; otherwise, it is dropped. The second program, knockproxy, runs on the client side and reads a configuration file to find out which server offers silent knock for which service. It also obtains the shared secret key and the counter from this file. knockproxy then computes the MAC, encodes this information into the packet and sends it to knockd. Silent knock is a lightweight method that protects the network against a replay attack by a global active adversary by using an incremental counter for each access attempt. The experimental results in [18] show that the average response time increases when knockd is used compared with using SSH alone. Administrators therefore need to decide whether the delay that silent knock imposes on the network is affordable.
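To make the counter-based replay protection of silent knock concrete, here is an added Python example; it is not the silent knock implementation from [73], which hides the MAC steganographically in TCP header fields. knockproxy computes a truncated HMAC over its IP address and attempt counter, and knockd accepts a given tag only once, advancing the per-client counter so that a captured SYN cannot be replayed. The 4-byte tag length, the SHA-256 HMAC, the tolerance window for knocks lost in transit and the class names are assumptions of this example.

```python
import hmac
import hashlib

TAG_LEN = 4    # bytes of MAC assumed to fit the covert header fields (assumption)
WINDOW = 5     # lost knocks tolerated before client and server desync (assumption)


def knock_tag(secret, client_ip, counter):
    """MAC over the client's IP address and its attempt counter; the real
    silent knock hides this value steganographically in the SYN [73]."""
    msg = f"{client_ip}|{counter}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:TAG_LEN]


class KnockProxy:
    """Client side: keeps the shared secret and counter from its config file."""

    def __init__(self, secret, client_ip, counter=0):
        self.secret, self.client_ip, self.counter = secret, client_ip, counter

    def next_tag(self):
        tag = knock_tag(self.secret, self.client_ip, self.counter)
        self.counter += 1               # a counter value is never reused
        return tag


class Knockd:
    """Server side: per-IP secret and counter; a SYN reaches the TCP/IP
    stack only if its tag verifies for a counter not yet consumed."""

    def __init__(self, clients):
        self.secrets = dict(clients)    # client_ip -> shared secret
        self.counters = {ip: 0 for ip in self.secrets}

    def accept_syn(self, client_ip, tag):
        secret = self.secrets.get(client_ip)
        if secret is None:
            return False                # unknown source: drop silently
        base = self.counters[client_ip]
        for counter in range(base, base + WINDOW):
            expected = knock_tag(secret, client_ip, counter)
            if hmac.compare_digest(expected, tag):
                self.counters[client_ip] = counter + 1   # consumed: a replay now fails
                return True
        return False
```

The lookahead window lets the server resynchronise when a knock is lost, but it never moves backwards, which is what defeats the replay: once a counter value has been consumed, the same tag verifies against nothing.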

FIGURE 7 PORT KNOCKING PROCESS ON THE SERVER SIDE

The extension of the port-knocking client-server architecture with the Network Time Protocol (NTP) [74] extends one-time knocking through two enhancements. First, NTP synchronization [78] keeps the knocker entity and the knock daemon entity synchronized with each other using clocks with minimal inconsistency. Second, it enhances the previous method with a one-way hash function so that both sides share a secret sequence of knocks. A one-way hash function takes an input of arbitrary length and generates a message digest, or hash, of fixed length. The benefit of a one-way hash function is that it is easy to compute but hard to invert. In this method, both entities hold a pre-shared key that is used as hash function input together with the client IP address and a timestamp. The hash output is the knock sequence, in which each 16 bits belong to one port (the first 16 bits give the first port, the second 16 bits the second port, and so on). After the knock hash sequence has been generated, the knock packets are transferred to the server, which has the timestamp, the IP address and the shared key. The server then computes the hash itself and compares it with the buffered knock sequence. A match triggers the action defined for successful authentication.

Secure Port-knock-Tunneling (SPKT) [79] authenticates users in two phases: the first is a modified port knocking that overcomes the DoS knock attack, while the second is a tunneling-based connection that protects the network from the NAT knock attack. Each packet carries a pass-phrase; therefore, in addition to the sequence of ports, the pass-phrase is checked. If the pass-phrase matches the predefined one and the sequence is valid, the second phase starts and a VPN connection is triggered. Hence, a unique username and password are required for each user and there is no concern about the NAT knock attack. If the pass-phrase were the same for all packets belonging to the knocking process, it could be recovered through packet capture. Otherwise, the server needs to keep a different pass-phrase for each packet, which, for a long sequence, imposes a load on the server. Therefore, besides countering the DoS-knocking and NAT-knocking attacks, SPKT raises the protection level of the authentication process by combining tunneling with port knocking authentication. Moreover, SPKT achieves reliability by requiring four knocks within a specified time span; otherwise, the process has to be restarted.

The simple port-knocking method against TCP replay attacks and port scanning employs authentication based on port knocking. In this method, the steps for connecting to the server are reduced compared with basic port-knocking authentication, and the firewall verification is eliminated [80]. The method works in three basic steps: (a) establishing a connection, (b) authentication, and (c) accessing the server. In the first step, the user attempts to make a connection with the server. In the second step, an authentication scheme on the server identifies an authorized user, and the services are then started for the user, who is informed of this. In the third step, the user accesses the services on the server through the pre-defined ports [80]. In effect, when the client sends the packets that determine the port sequence, the server verifies them; if the sequence is correct, the SSH service is started and the client connects to the server on a predefined SSH port, otherwise the packets are dropped. This method is suitable for administrative tasks that must be performed remotely without suffering from firewall restrictions. The method is simple and performs efficiently by using UDP packets, which do not require a handshake to establish the connection with the server, whereas a handshake is required for TCP packets to set up the initial session with the server. Moreover, SSH is configured to start and stop the service on each port knock. This helps mitigate replay attacks, since an attacker who replays captured traffic has no knowledge of which services are running or stopped. Configuring SSH on different ports can also help to detect port scanning attacks, which adds another level of protection for the services.

TABLE 2 STATIC CIPHER PORT-KNOCKING METHOD DESCRIPTION

Static Cipher Port Knocking Method | Description
[73] | Introduces a formal security model to provide undetectable authentication for port knocking
[74] | Proposes a client-server architecture with Network Time Protocol synchronization
[79] | Provides a secure port knock tunneling mechanism to mitigate NAT and DoS knocking attacks
[80] | Simple port knocking method using UDP packets and SSH configuration for starting and stopping different services
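The NTP-synchronised method of [74] described above, as an added example that is not the authors' code: the knocker and the knock daemon both hash the pre-shared key, the client IP address and the current timestamp slot, and split the digest into 16-bit port numbers; the server recomputes the sequence for the current slot and its neighbours so that a small clock difference does not reject a valid knock. SHA-256, the 30-second slot, the one-slot skew tolerance and the three-port length are assumptions of this example.

```python
import hashlib
import struct

KNOCK_LENGTH = 3        # ports per knock sequence (assumption)
TIME_WINDOW = 30        # seconds per timestamp slot (assumption)
SKEW_WINDOWS = 1        # neighbouring slots the server also accepts (assumption)


def time_slot(timestamp, window=TIME_WINDOW):
    """Quantise an NTP-synchronised clock into the slot used as hash input."""
    return int(timestamp) // window


def knock_sequence(shared_key, client_ip, slot, length=KNOCK_LENGTH):
    """Hash the pre-shared key, client IP and timestamp slot; every 16 bits
    of the digest become one port of the sequence, as in [74]."""
    material = shared_key + client_ip.encode() + struct.pack(">Q", slot)
    digest = hashlib.sha256(material).digest()
    return [int.from_bytes(digest[2 * i:2 * i + 2], "big") for i in range(length)]


def client_knocks(shared_key, client_ip, now):
    """Knocker side: derive the one-time sequence for the current slot."""
    return knock_sequence(shared_key, client_ip, time_slot(now))


def server_verify(shared_key, client_ip, received, now):
    """Knock daemon side: recompute the sequence for the current slot and
    its neighbours (clock skew tolerance) and compare with the buffered knocks."""
    current = time_slot(now)
    for slot in range(current - SKEW_WINDOWS, current + SKEW_WINDOWS + 1):
        if knock_sequence(shared_key, client_ip, slot) == list(received):
            return True
    return False
```

A sequence derived this way is only valid for the slot it was computed in, so a captured sequence is useless once the slot and its tolerance have passed. The raw 16-bit values can fall below 1024 or on ports the firewall already uses; a deployment maps them into the range allocated to the knocking process, which is the range selection problem the conclusion raises.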

3.2.3 Dynamic Knock Sequence Methods

The dynamic knock sequence methods are divided into two main categories, the dynamic plain knock sequence and the dynamic cipher knock sequence. The dynamic plain knock sequence method depends on the specific application and the level of security it requires. The dynamic cipher knock method is used more widely; it creates a different knock for each session, so that a replay of a knock by an attacker is noticed by the target resource. The dynamic cipher knock sequence generates dynamic knocks for the different sessions whenever required, and it supports the maximum level of security in the authentication phase. In the rest of this section, we evaluate the different dynamic cipher knock sequence methods in detail.

Dynamic-Cipher Knock Methods: In [71], a remote server management method is proposed that uses dynamic port knocking and forwarding. The administrator sends a sequence of port numbers to the server as the knock; after the port validation, a port is opened to access the specific service, and another port knocking process is triggered to close the opened port. Because this scheme focuses on administrative tasks it needs high security, and the knock sequence is therefore defined dynamically. In addition, the method allows the server to serve on different ports, because the probability of an attack on a service offered at a fixed port increases after multiple accesses. Three main packets (P1, P2 and P3) are used for these goals. P1 contains the encrypted port number and an initial sequence number, which is generated randomly by the client port-knock program. This message is encrypted with a password hash, which serves as a unique password for each user; the server holds a copy of the password. After receiving P1, the server sends SYN packets to the destination ports defined in P1. P2 is another packet sent by the client for checking the knock sequence, and the server replies with P3, which carries the user's password hash and the port number assigned to the required service for this user. The client can then access the required service on the assigned port. Any other request to use that port without going through the knocking process is dropped. The length of the knock sequence is three in this method to limit out-of-order delivery; however, there is no guarantee in a high-delay network that the packets reach the destination in order.

The European Fusion Development Agreement (EFDA) community has many distributed fusion laboratories that need to communicate with each other while relying on an access control solution that also supports security [81]. Therefore, in [84] a security infrastructure for this community, called the EFDA Federation, is proposed. The paper concentrates on two phases: the first integrates RSA SecurID with the EFDA Federation, and the second is about the port-knocking access control technique. RSA stands for Rivest, Shamir and Adleman, and is a public key encryption technology [82,83]. The port-knocking process traverses the following steps. First, the client sends a port-knocking request to the Public Administration Performance Index (PAPI) STAgent [84]. The STAgent then delivers the request to the Power of Attorney (PoA). If the client is authorized, the PoA issues the service token. Finally, the port-knocking package, which contains the sequence and the service token, is transferred to the client, which makes a connection based on this package. As a result, the EFDA Federation provides easy user management, authentication integration, security policies and access control for different resources.

The advanced port-knocking authentication scheme with Quadratic Residue Ciphers (QRC) using AES [85] randomizes the source IP address and port number during the port-knocking process with the help of QRC [86,87]. The port knocker sends an SMS requesting a One Time Password (OTP) to the SMS server. The OTP is generated from a time factor, so there is no chance of a duplicate OTP for the same user ID, and this protects against DoS attacks. The SMS server replies to the knocker with a message that contains a timestamp used to authenticate the OTP. The second field of the SMS is a 256-bit one-time key, which is used by the Advanced Encryption Standard (AES) [88,89] to encrypt the knock sequence. The last field is a random number R generated by a Pseudo Random Number Generator (PRNG) [90,91], which is used as the key in the QRC. This SMS is also forwarded to the server, which performs the authentication in the next step. In this method, the client IP address is changed dynamically to mitigate the risk of attack. The OTP and the last 8 bits of the IP address (the last octet) are fed into the AES encryption to generate the knock sequence. Each time, these bits are XORed with R to generate a new IP address, and this process continues until the knocking sequence is complete. On the other side, the server has R, the OTP and the other values used in the encryption; it generates the knock sequence and compares it with the received one. If they match, the authentication phase is successful.

In the method proposed in [70], an OTP is used to generate tokens with which the server authenticates the user before implementing dynamic rules in the firewall. This one-time knocking framework uses the Single-Page Application (SPA) and IPsec [70] method and consists of an SMS server that hosts a Random Number Generator (RNG). The method uses CDMA or GSM as an out-of-band channel to perform two-factor authentication against brute-force password attacks and online and offline dictionary attacks. In the initial step of the one-time knocking framework, the user sends an SMS to the server, and the server identifies the user by the phone number, which was previously registered on the server. This phase helps prevent DoS attacks. The server then generates an OTP and sends it back to the client through the same Out of Band (OOB) channel the client used. This message contains a timestamp, a random port and the OTP. The random port and the OTP are passed to the SPA client as input to a Key Derivation Function (KDF) [92]. Four keys, k1 to k4, are produced by this function; they are used, in that order, for data encryption, MAC calculation for SPA, and (the last two) for the IPsec VPN connection [93-95]. The one-time knocking framework therefore provides a strong association between SPA or port knocking and the post-authentication connectivity between server and client, to stop adversaries from attacking the session through a man-in-the-middle attack.

Network security using hybrid port-knocking [96] employs three concepts, port knocking, steganography and mutual authentication, and for that reason it is called hybrid port knocking. The following six main steps make up a complete hybrid knock. Traffic monitoring and traffic capturing are the first two steps, which are common to all port-knocking processes. In the traffic monitoring step, the port knocking server is installed in the network behind the firewall to monitor the incoming traffic towards the gateway, such as a firewall. In the traffic capturing step, the port knocking server captures only the traffic whose payload is an image, for further processing. The third step is image processing, which identifies the knocker. Each packet carries an image as payload that contains information hidden through steganography, so in this step this image is accepted for processing. With this step, the DoS knock attack cannot occur. The fourth and fifth steps are client authentication and server authentication, in which the port-knock server attaches a random encrypted number to the payload and sends it back to the client; the client is then identified with this public key. Therefore, the probability of a NAT knock attack is decreased. The sixth and last step is responsible for closing the port: whenever a user sends a request to close the port after accessing the required service or server, or it is decided to close the port for security reasons, the port opened by the successful knock process is closed.

TABLE 3 DYNAMIC CIPHER PORT-KNOCKING METHOD DESCRIPTION

Dynamic Cipher Port Knocking Method | Description
[71] | Remote server management with dynamic port knocking, which requires high security because of its focus on administrative tasks
[84] | Federation infrastructure for port knocking in which the client makes a connection based on the Public Administration Performance Index
[85] | Secure port knocking authentication scheme using AES, which cannot be detected or disturbed by spoofed packets
[70] | Uses a one-time password to generate authorized tokens to authenticate the client before implementing rules in the firewall
[96] | Hybrid port knocking, combining port knocking, mutual authentication and steganography to mitigate attacks
[97] | Service knocking communication that does not use open ports for the applications, which hides the services from attack

Three dynamic-cipher knock methods overcome the DoS knock attack: dynamic knocking and port forwarding, SecurID integration in EFDA, and the advanced port knocking authentication scheme. Hybrid port knocking and one-time knocking, however, solve both the DoS and the NAT knock attack [73,96,68]. Another method, proposed in [97] for port knocking, differs significantly from the others in that it monitors open ports instead of closed ports. The open ports serve a public service and capture the knock sequence. The method monitors and recognizes the structure of the packets that are transferred for knocking; after a valid sequence has been identified, a particular port allocated to the specific service is opened. Because it monitors open ports, it overcomes the "host behind the firewall" issue. Three useful fields exist in the packets: sequence length, sequence order and sequence reset. The first gives how many packets must arrive to form a complete knock sequence, while the second gives the position of the packet within the knock sequence. Therefore, even if the packets reach the destination out of order in an unreliable network, the knocking process still completes successfully with these fields. The last field is used to flush the buffer when dependent packets arrive late: if the sequence is not completed in time, the sequence is reset. This method needs at least one public service with an open port. The packets play a significant role in the proposed solution because their size has an impact on the network traffic.
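The sequence length, sequence order and sequence reset fields of [97], as an added example that is not the service-knocking code itself: a listener that reassembles a knock out of packets arriving in any order, flushes a partial sequence that has taken too long to complete, and honours an explicit reset packet. The KnockPacket layout, the 10-second timeout and the decision to carry the knock value in the payload are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass
class KnockPacket:
    """Constructed knock packet carrying the three fields described in [97].
    Assumption: the knock value travels in the payload, since the packets
    arrive on an already open public service port."""
    src_ip: str
    seq_len: int      # how many packets form the complete knock
    seq_order: int    # this packet's position in the sequence, 0-based
    port: int         # knock value carried in the payload
    reset: bool = False


class ServiceKnockListener:
    """Reassembles a knock sequence out of packets that may arrive out of
    order, and resets a partial sequence that takes too long to complete."""

    def __init__(self, expected, timeout=10.0):
        self.expected = tuple(expected)
        self.timeout = timeout
        self.partial = {}   # src_ip -> (first_arrival, {seq_order: port})

    def receive(self, pkt, now):
        """Returns None while the sequence is incomplete, True when a
        complete sequence matches, False when it is malformed or wrong."""
        if pkt.reset:
            self.partial.pop(pkt.src_ip, None)      # explicit flush by the sender
            return None
        if pkt.seq_len != len(self.expected) or not 0 <= pkt.seq_order < pkt.seq_len:
            self.partial.pop(pkt.src_ip, None)      # field values cannot be right
            return False
        first, slots = self.partial.get(pkt.src_ip, (now, {}))
        if now - first > self.timeout:
            first, slots = now, {}                  # late arrival: start a fresh sequence
        slots[pkt.seq_order] = pkt.port
        self.partial[pkt.src_ip] = (first, slots)
        if len(slots) < pkt.seq_len:
            return None                             # wait for the remaining packets
        del self.partial[pkt.src_ip]
        return tuple(slots[i] for i in range(pkt.seq_len)) == self.expected
```

Because each packet names its own position, the listener compares the assembled sequence rather than the arrival order, which is what lets the knock survive reordering on a high-delay path; the timeout bounds how long a half-finished sequence occupies the buffer, which is the buffer-management cost the paper attributes to long sequences.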

4 COMPARISON OF PORT-KNOCKING AUTHENTICATION METHODS

This section compares the current port knocking authentication methods. The comparison parameters are the platform (supported OS), protocols, third party dependency, plain text ports, NAT attack, DoS attack and out of order packet delivery. Table 4 shows the comparison results. The methods are implemented on the Linux or Windows platform and use the TCP or UDP protocol for sending the synchronization packets. Some of the methods do not mention which platform or protocols they use; the value "NA" in the table therefore means that no information is available. The next four columns show the issues of basic port knocking authentication. The value "yes" means that the specified issue is addressed by the corresponding port knocking method, and "no" means that the method does not address it. The plain text port issue exposes the knock to eavesdropping attacks, in which the content of the packet is captured by anonymous users [98]. Methods that prevent NAT attacks are suitable for networks that use network address translation to map a private IP address to a public one [66]. Methods that cover the DoS knock attack help keep the server available [67]. The out of order packet delivery issue is solved by adding a sequence number field to the packet, which helps the authentication process in high-delay networks. All of the proposed techniques address the plain text port issue by using encrypted ports. The NAT knock attack is mitigated by using a shared key or a VPN connection, while the DoS knock attack is reduced by using a pass-phrase or an SMS server as a third party to authenticate the user who starts the port-knocking authentication. Therefore, the aforementioned port-knocking authentication method [67] assigns sequence numbers to the packets and thus mitigates out of order delivery of packets. However, most port-knocking authentication methods focus on the range and length of the knock sequence. Third party dependency is a serious drawback of authentication methods for MCC. One issue that arises from using a third party in MCC is availability: when a third party is used for authentication, two types of server must be available, the main server and the authentication server. The second concern is the man-in-the-middle attack, which leads to security breaches and results from the packet exchange between the third party and the cloud servers [99]. The third party dependency attribute shows whether a port knocking method depends on another party for the port knocking authentication. The three methods that use an SMS server or the PoA are not eligible for cloud computing because they do not address the dependency problem, while the other advanced port-knocking methods are not affected by third party dependency. Therefore, the port knocking methods that involve a third party dependency are marked "yes", whereas the methods that avoid the third party dependency are marked "no".

TABLE 4 COMPARISON OF PORT-KNOCKING AUTHENTICATION

The columns Plain text ports, NAT attack, DoS attack and Out of order packet delivery are the issues of basic port knocking authentication.

Title | Platform (Supported OS) | Protocols | Plain text ports | NAT attack | DoS attack | Out of order packet delivery | Third Party Dependency
Remote Server Management using Dynamic Port-knocking and Forwarding | Linux & Win32 | UDP & TCP | Yes | No | Yes | No | No
Silent knock: Practical, provably undetectable authentication | Linux | TCP | Yes | Yes | Yes | No | No
Network security using hybrid port-knocking | Linux | TCP | Yes | Yes | Yes | No | No
One-time knocking framework using SPA and IPSec | NA | NA | Yes | Yes | Yes | No | Yes (uses SMS server)
Securing remote services integrating SecurID Strong Authentication technology in EFDA-Federation Infrastructure | Linux | NA | Yes | No | Yes | No | Yes (uses PoA)
Extension of a port-knocking client-server architecture with NTP synchronization | Windows | TCP | Yes | Yes | No | No | No
Advanced port-knocking authentication scheme with QRC using AES | NA | NA | Yes | No | Yes | No | Yes (uses SMS server)
Service-knocking communication | NA | TCP | Yes | No | No | Yes | No
SPKT: Secure port-knock-tunneling, an enhanced port security authentication mechanism | NA | UDP | Yes | Yes | Yes | No | No
Simple Port-knocking Method Against TCP Replay Attack and Port Scanning | NA | NA | Yes | No | Yes | No | No

5 CONCLUSION

This paper proposed a thematic taxonomy for basic and advanced port knocking authentication. In the taxonomy, current port knocking methods are classified into static and dynamic knock sequences. The port knocking authentication methods were compared on the basis of significant parameters that describe the commonalities and differences among the current methods. Furthermore, we discussed the integrity and suitability of port knocking authentication for MCC. We concluded that port knocking provides a lightweight application layer solution for addressing the security issues in MCC, and therefore a suitable security layer to ensure authentic communication between SMDs and MCC. Furthermore, the independence of port knocking methods from the application and operating platform advocates their use for securing communication in MCC. Although port knocking is an appropriate method for authentic communication in MCC, selecting the appropriate range of ports to allocate to the authentication process is challenging. A short range allocated to the port knocking process is vulnerable to man-in-the-middle attacks, while a long range involves the overhead of buffer management on the server node. Therefore, the virtualization ability of MCC can be employed to fill this gap. As future work, we intend to use the virtualization concept to implement virtual port knocking authentication methods that reduce the buffering load imposed on the cloud gateway. Moreover, a dynamic length is expected to be applied in each authentication attempt, which makes port knocking authentication more flexible and secure for each server in the MCC. Furthermore, we plan to use software-defined networking technology to overcome the problems faced by MCC in port-knocking authentication.

ACKNOWLEDGMENT

This work is partially funded by the Malaysian Ministry of Higher Education under the University of Malaya High Impact Research Grant UM.C/625/1/HIR/MOE/FCSIT/03.

REFERENCES

1. Bahl, P., et al., Advancing the state of mobile cloud computing. In Proceedings of the third ACM workshop on Mobile cloud computing and services, 2012, ACM: Low Wood Bay, Lake District, UK. pp. 21-28.
2. Cohen, E. and S.A. Cohen, Authentication: Hot and cool. Annals of Tourism Research, 2012. 39(3): pp. 1295-1314.
3. Available from: http://www.abiresearch.com/press/smartphone-users-worldwide-will-download-37-apps-o, accessed 2012.
4. Zhang, B., et al., Mobile phone based social relationship identification for target vaccination in mobile healthcare. In Proceedings of the Third International Workshop on Sensing Applications on Mobile Phones, 2012, ACM: Toronto, Ontario, Canada. pp. 1-5.
5. Al Mutawa, N., I. Baggili, and A. Marrington, Forensic analysis of social networking applications on mobile devices. Digital Investigation, 2012. 9: pp. S24-S33.
6. Gu, J.-C., S.-C. Lee, and Y.-H. Suh, Determinants of behavioral intention to mobile banking. Expert Systems with Applications, 2009. 36(9): pp. 11605-11616.
7. Nakatsu, R. and M. Rauterberg, Entertainment computing: Inaugural Editorial. Entertainment Computing, 2009. 1(1): pp. 1-7.
8. Buyya, R., et al., Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility. Future Generation Computer Systems, 2009. 25(6): pp. 599-616.
9. Armbrust, M., et al., A view of cloud computing. Commun. ACM, 2010. 53(4): pp. 50-58.
10. Shiraz, M., A. Gani, R.H. Khokhar, and R. Buyya, A Review on Distributed Application Processing Frameworks in Smart Mobile Devices for Mobile Cloud Computing. IEEE Communications Surveys & Tutorials, 2013. 15(3): pp. 1294-1313.
11. Khan, A.N., et al., Towards secure mobile cloud computing: A survey. Future Generation Computer Systems, 2013. 29(5): pp. 1278-1299.
12. Ryan, M.D., Cloud computing security: The scientific challenge, and a survey of solutions. Journal of Systems and Software, 2013. 86(9): pp. 2263-2268.
13. Altinkemer, K. and T. Wang, Cost and benefit analysis of authentication systems. Decision Support Systems, 2011. 51(3): pp. 394-404.
14. Krzywinski, Port Knocking: Network Authentication Across Closed Ports. SysAdmin Magazine, 2003. p. 6.
15. Support, R., Port Knocking. 2013; Available from: http://www.rackspace.com/knowledge_center/article/portknocking, accessed January 11, 2013.
16. Weiguang, S. and S. Xiaolong, Review of Mobile cloud computing. In Communication Software and Networks (ICCSN), 2011 IEEE 3rd International Conference on, 2011.
17. Han, Q. and A. Gani, Research on mobile cloud computing: Review, trend and perspectives. In Digital Information and Communication Technology and its Applications (DICTAP), 2012 Second International Conference on, 2012.
18. Sanaei, Z., S. Abolfazli, A. Gani, and R. Buyya, Heterogeneity in Mobile Cloud Computing: Taxonomy and Open Challenges. IEEE Communications Surveys & Tutorials, 2014. 16(1): pp. 369-392.
19. Satyanarayanan, M., Mobile computing: the next decade. In Proceedings of the 1st ACM Workshop on Mobile Cloud Computing & Services: Social Networks and Beyond, 2010, ACM: San Francisco, California. pp. 1-6.
20. Calheiros, R.N., et al., CloudSim: a toolkit for modeling and simulation of cloud computing environments and evaluation of resource provisioning algorithms. Softw. Pract. Exper., 2011. 41(1): pp. 23-50.
21. Wickremasinghe, B., R.N. Calheiros, and R. Buyya, CloudAnalyst: A CloudSim-Based Visual Modeller for Analysing Cloud Computing Environments and Applications. In Advanced Information Networking and Applications (AINA), 2010.
22. Patel, A., et al., An intrusion detection and prevention system in cloud computing: A systematic review. Journal of Network and Computer Applications, 2013. 36(1): pp. 25-41.
23. Portokalidis, G., et al., Paranoid Android: versatile protection for smartphones. In Proceedings of the 26th Annual Computer Security Applications Conference, 2010, ACM: Austin, Texas. pp. 347-356.
24. Park, K., H. Shin, and H. Cha, Smartphone-based pedestrian tracking in indoor corridor environments. Personal and Ubiquitous Computing, 2013. 17(2): pp. 359-370.
25. Bahl, P. and V.N. Padmanabhan, RADAR: An in-building RF-based user location and tracking system. In Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies, Proceedings, IEEE, 2000.
26. Bettini, C., S. Mascetti, and X.S. Wang, Privacy Protection through Anonymity in Location-based Services. In Handbook of Database Security, M. Gertz and S. Jajodia, Editors. 2008, Springer US. pp. 509-530.
27. Xin, J. and K. Yu-Kwong, Cloud Assisted P2P Media Streaming for Bandwidth Constrained Mobile Subscribers. In 16th International Conference on Parallel and Distributed Systems (ICPADS), 2010.
28. Jung, E., et al., User-profile-driven collaborative bandwidth sharing on mobile phones. In Proceedings of the 1st ACM Workshop on Mobile Cloud Computing Services: Social Networks and Beyond, 2010, ACM: San Francisco, California. pp. 1-9.
29. Huerta-Canepa, G. and D. Lee, A virtual cloud computing provider for mobile devices. In Proceedings of the 1st ACM Workshop on Mobile Cloud Computing & Services: Social Networks and Beyond, 2010, ACM: San Francisco, California. pp. 1-5.
30. Gambs, B., O. Heen, and C. Potin, A comparative privacy analysis of geosocial networks. In Proceedings of the 4th ACM SIGSPATIAL International Workshop on Security and Privacy in GIS and LBS, 2011, ACM: Chicago, Illinois. pp. 33-40.
31. Pawar, P., et al., Towards location based QoS-aware network selection mechanism for the nomadic mobile services. In Proceedings of the 6th IEEE Conference on Consumer Communications and Networking Conference, 2009, IEEE Press: Las Vegas, NV, USA. pp. 641-645.
32. Ormond, O., P. Perry, and J. Murphy, Network selection decision in wireless heterogeneous networks. In Personal, Indoor and Mobile Radio Communications (PIMRC), 2005.
33. Xu, Y., J. Bigham, and L. Cuthbert, Resource management for service providers in heterogeneous wireless networks. In Wireless Communications and Networking Conference, 2005.
34. Rong, C., S.T. Nguyen, and M.G. Jaatun, Beyond lightning: A survey on security challenges in cloud computing. Computers & Electrical Engineering, 2013. 39(1): pp. 47-54.
35. Zhang, Q., L. Cheng, and R. Boutaba, Cloud computing: state-of-the-art and research challenges. Journal of Internet Services and Applications, 2010. 1(1): pp. 7-18.
36. Kumar, K. and L. Yung-Hsiang, Cloud Computing for Mobile Users: Can Offloading Computation Save Energy? Computer, 2010. 43(4): pp. 51-56.
37. Messer, A., et al., Towards a distributed platform for resource-constrained devices. In Distributed Computing Systems, 2002.
38. Qingfeng, L., et al., An Optimized Solution for Mobile Environment Using Mobile Cloud Computing. In Wireless Communications, Networking and Mobile Computing, 2009.
39. Cuervo, E., et al., MAUI: making smartphones last longer with code offload. In International Conference on Mobile Systems, Applications, and Services, 2010. pp. 49-62.
40. Liu, J., K. Kumar, and Y.-H. Lu, Tradeoff between energy savings and privacy protection in computation offloading. In Proceedings of the 16th ACM/IEEE international symposium on Low power electronics and design, 2010, ACM: Austin, Texas, USA. pp. 213-218.
41. Chun, B.-G., et al., CloneCloud: elastic execution between mobile device and cloud. In Proceedings of the sixth conference on Computer systems, 2011, ACM: Salzburg, Austria. pp. 301-314.
42. Giurgiu, I., et al., Calling the cloud: enabling mobile phones as interfaces to cloud applications. In Proceedings of the ACM/IFIP/USENIX 10th international conference on Middleware, 2009, Springer-Verlag: Urbana, IL, USA. pp. 83-102.
43. Dou, A., et al., Misco: a MapReduce framework for mobile systems. In Proceedings of the 3rd International Conference on PErvasive Technologies Related to Assistive Environments, 2010, ACM: Samos, Greece. pp. 1-8.
44. Wald, H., Cloud Computing: Silver Lining or Storm Ahead? In IAnewsletter: The Newsletter for Information Assurance Technology Professionals, 2010.
45. Michael, B. and G. Dinolt, Cloud Computing: Silver Lining or Storm Ahead? In IAnewsletter: The Newsletter for Information Assurance Technology Professionals, 2010.
46. Sookhak, M., H. Talebian, E. Ahmed, A. Gani, and M.K. Khan, A review on remote data auditing in single cloud server: Taxonomy and open issues. J. Netw. Comput. Appl., 2014. 43: pp. 121-141.
47. Esiner, E., A. Kachkeev, A. Küpçü, and Ö. Özkasap, Flexlist: optimized skip list for secure cloud storage. 2013; Available from: http://www.techrepublic.com/resource-library/whitepapers/flexlist-optimized-skip-list-for-secure-cloud-storage/, accessed 11 July, 2017.
48. Erway, C., A. Küpçü, C. Papamanthou, and R. Tamassia, Dynamic provable data possession. Proc. 16th ACM Conf. Comput.
Commun. Secur. - CCS ’09, pp. 213, 2009. L. Chen, “Using algebraic signatures to check data possession in cloud storage,” Futur. Gener. Comput. Syst., vol. 29, no. 7, pp. 1709–1715, Sep. 2013. J. Yuan and L. Rock, “Proofs of Retrievability with Public Verifiability and Constant Communication Cost in Cloud Categories and Subject Descriptors.”m In ACM proceeding of cloud computing, Hangzhou, China, 2013. J. Yuan and S. Yu, “Secure and constant cost public cloud storage auditing with deduplication,” IEEE Conf. Commun. Netw. Secur., pp. 145–153, Oct. 2013.

52. 53. 54.

55. 56. 57. 58. 59. 60. 61. 62. 63. 64. 65. 66. 67. 68. 69. 70. 71. 72. 73. 74. 75. 76. 77. 78. 79. 80.

M. Sookhaka, A. Akhunzadaa, A. Gani, and M. Khan, “Towards Dynamic Remote Data Auditing in Computational Clouds,” The Scientific World Journal, Volume 2014 (2014), Article ID 269357, 12 pages. Peng, Z., et al. Phosphor: A Cloud Based DRM Scheme with Sim Card. In Web Conference (APWEB), 2010 12th International Asia-Pacific. 2010. Young Jin, N. Cost-Aware Virtual USB Drive: Providing Cost-Effective Block I/O Management Commercial Cloud Storage for Mobile Devices. In Computational Science and Engineering (CSE), IEEE 13th International Conference on 2010, Hong Kong, China. Rosenblum, M. and J.K. Ousterhout, The design and implementation of a log-structured file system. ACM Trans. Comput. Syst., 1992. 10(1): pp. 26-52. Shen, J., S. Yan, and X.-S. Hua, The e-recall environment for cloud based mobile rich media data management, ACM multimedia workshop on Mobile cloud media computing 2010, ACM: Firenze, Italy. pp. 31-34. Du, W. and L. Wang, Context-aware application programming for mobile devices, In Proceedings of the 2008 conference2008, ACM: Montreal, Quebec, Canada. pp. 215-227. Neves, P., et al., Context-aware media independent information server for optimized seamless handover procedures. Computer Networks, 2011. 55(7): pp. 1498-1519. Meyer, R., Secure authentication on the Internet. SANS Information Security Reading Room, 2007. Chow, R., et al., Authentication in the clouds: A framework and its application to mobile users, In Proceedings of the 2010 ACM workshop on Cloud computing security workshop2010, ACM: Chicago, Illinois, USA. pp. 1-6. Jakobsson, M., et al., Implicit authentication for mobile devices, In Proceedings of the 4th USENIX conference on Hot topics in security2009, USENIX Association: Montreal, Canada. pp. 9-9. Song, Z., et al., TrustCube: An Infrastructure that Builds Trust in Client, in Future of Trust in Computing, D. Gawrock, et al., Editors. 2009, Vieweg Teubner. pp. 68-79. De Clercq, J. and G. 
Grillenmeier, 9 - Single Sign-On, in Microsoft Windows Security Fundamentals2007, Digital Press: Burlington. pp. 533-579. Nurika, O., et al. Review of various firewall deployment models. In Computer & Information Science (ICCIS), 2012 International Conference on,2012, Kuala Lumper, Malaysia White, L.J. and H.K.N. Leung. A firewall concept for both control-flow and data-flow in regression integration testing. In Software Maintenance, 1992. Tobkin, C. and D. Kligerman, Chapter 5 - Applying Network Address Translation, in Check Point NG / AI2004, Syngress: Burlington. pp. 259-283. Prowell, S., R. Kraus, and M. Borkin, Chapter 1 - Denial of Service, in Seven Deadliest Network Attacks 2010, Syngress: Boston. pp. 1-21. Worth, D., COK: Cryptographic one-time knocking. Talk slides, Black Hat USA, 2004: pp. 19-25. Doyle, M., Implementing a Port Knocking System in C, In J. William Fulbright College of Arts and Sciences 2004, Arkansas. Jiun-Hau, L., et al. One-Time Knocking framework using SPA and IPsec. In Education Technology and Computer (ICETC), 2010. D., I. Port Knocking: Beyond the Basics. Repository SANS Institute, 2005. Park, S.K. and K.W. Miller, Random number generators: good ones are hard to find. Commun. ACM, 1988. 31(10): pp. 1192-1201. Vasserman, E., N. Hopper, and J. Tyra, SilentKnock: practical, provably undetectable authentication. International Journal of Information Security, 2009. 8(2): pp. 121-135. Popeea, T., et al. Extension of a port knocking client-server architecture with NTP synchronization. In Roedunet International Conference (RoEduNet), 10th. 2011. Dhobale, D.D., et al. Steganography by hiding data in TCP/IP headers. In Advanced Computer Theory and Engineering (ICACTE), 2010. Rajagopalan, M., et al. Authenticated system calls. In Dependable Systems and Networks, 2005. DSN 2005. Jeanquie, S., An analysis of port knocking and single packet authorization, 2006, Royal Holloway College, University of London: London. 
Hou, C., et al., Improvement of NTP synchronization accuracy for switch-oriented power monitoring networks. Dianli Zidonghua Shebei/Electric Power Automation Equipment, 2013. 33(1): pp. 148-152. Mehran, P., E.A. Reza, and B. Laleh. SPKT: Secure Port Knock-Tunneling, an enhanced port security authentication mechanism. In Computers & Informatics (ISCI), 2012. Ali, F.H.M., R. Yunos, and M.A.M. Alias. Simple port knocking method: Against TCP replay attack and port scanning. In Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), 2012.

81. 82. 83. 84. 85. 86. 87. 88. 89. 90. 91. 92. 93. 94. 95.

96. 97. 98. 99. 100. 101. 102. 103. 104. 105. 106. 107. 108.

Castro, R., et al., Securing MDSplus in a multi-organisation environment. Fusion Engineering and Design, 2010. 85(3–4): pp. 614-617. Chang, C.-C. and S.-J. Hwang, A simple approach for generating RSA keys. Information Processing Letters, 1997. 63(1): pp. 19-21. Sedlak, H. and U. Golze, An RSA cryptography processor. Microprocessing and Microprogramming, 1986. 18(1–5): pp. 583-590. Castro, R., et al., PAPI based federation as a test-bed for a common security infrastructure in EFDA sites. Fusion Engineering and Design, 2008. 83(2–3): pp. 486-490. Srivastava, V., et al. Advanced port knocking authentication scheme with QRC using AES. In Emerging Trends in Networks and Computer Communications (ETNCC), 2011. Zhu, H., et al. A new chaos-based image encryption scheme using quadratic residue. In Systems and Informatics (ICSAI), International Conference on 2012, Yantai, China Thomas W. Cusick, Cunsheng Ding, and R. Ari, Chapter 2 Stream ciphers, in North-Holland Mathematical Library, Editors. 2004, Elsevier. pp. 11-43. Kulikowski, K.J., M.G. Karpovsky, and A. Taubin, Robust codes and robust, fault-tolerant architectures of the Advanced Encryption Standard. Journal of Systems Architecture, 2007. 53(2–3): pp. 139-149. Phan, R.C.W., Impossible differential cryptanalysis of 7-round Advanced Encryption Standard (AES). Information Processing Letters, 2004. 91(1): pp. 33-38. Sánchez, S., R. Criado, and C. Vega, A generator of pseudo-random numbers sequences with a very long period. Mathematical and Computer Modelling, 2005. 42(7–8): pp. 809-816. Karimi, H., S. Morteza Hosseini, and M. Vafaei Jahan, On the combination of self-organized systems to generate pseudo-random numbers. Information Sciences, 2013. 221(0): pp. 371-388. Smits, R., et al., BridgeSPA: improving Tor bridges with single packet authorization, In Proceedings of the 10th annual ACM workshop on Privacy in the electronic society2011, ACM: Chicago, Illinois, USA. pp. 93-102. H. 
Anne, et al., Chapter 6 - Deciding on a VPN, in Firewall Policies and VPN Configurations, Editors. 2006, Syngress: Burlington. pp. 267-304. Xenakis, C. and L. Merakos, IPsec-based end-to-end VPN deployment over UMTS. Computer Communications, 2004. 27(17): pp. 1693-1708. Khan, Z.A., et al. Performance Evaluation of Widely Used Portknoking Algorithms. In High Performance Computing and Communication & IEEE 9th International Conference on Embedded Software and Systems (HPCCICESS), 2012. Al-Bahadili H., H.A., Network security using hybrid port knocking. International Journal Of Computer Science and Network Security (IJCSNS), 2010. Alessandri, S., M. Fontanini, and N. Macia, Service-knocking communication, 2012, Seguridad Informática, WSegI. Peng, Z., et al. P-Coding: Secure Network Coding against Eavesdropping Attacks. In INFOCOM, 2010 Proceedings IEEE. 2010. Levi Albert, C.M.U., the problem of trusted third party in authentication and digital signature protocols, Turkey Scientific and Technological Research Council Fagui, L., et al. The Design and Application of Xen-based Host System Firewall and its Extension. In Electronic Computer Technology, 2009. khan, S., et al. A Comprehensive Review on Adaptability of Network Forensics Frameworks for Mobile Cloud Computing.,The Scientific World Journal, 2014. pp 1-27. Khan, S., et al. Forensic challenges in mobile cloud computing. In International Conference on Computer, Communications, and Control Technology (I4CT), 2014. pp.343,347. Shiraz, M., et al. Energy Efficient Computational Offloading Framework for Mobile Cloud Computing., 2015. pp 118 Choo, K. K. R., et al. Balancing Privacy with Legitimate Surveillance and Lawful Data Access., 2015. Cloud Computing, IEEE, 2(4), 8-13. Yang, Yanjiang, et al. On Lightweight Security Enforcement in Cyber-Physical Systems. Lightweight Cryptography for Security and Privacy. Springer International Publishing, 2015. 97-112. Tep, Kin Suntana, et al. 
A Taxonomy of Cloud Attack Consequences and Mitigation Strategies: The Role of Access Control and Privileged Access Management. Trustcom/BigDataSE/ISPA, 2015 IEEE. Vol. 1. IEEE, 2015. Yang, Yanjiang, et al. Extended Proxy-Assisted Approach: Achieving Revocable Fine-Grained Encryption of Cloud Data. Computer Security--ESORICS 2015. Springer International Publishing, 2015. 146-166. Yang, Yanjiang, et al. Cloud based data sharing with fine-grained proxy re-encryption. Pervasive and Mobile

109. 110. 111. 112.

Computing (2015). Khan, Suleman, et al. Network forensics: Review, taxonomy, and open challenges. Journal of Network and Computer Applications (2016). Gani, Abdullah, et al. A review on interworking and mobility techniques for seamless connectivity in mobile cloud computing. Journal of Network and Computer Applications 43 (2014): 84-102. Shiraz, Muhammad, et al. A study on the critical analysis of computational offloading frameworks for mobile cloud computing. Journal of Network and Computer Applications 47 (2015): 47-60. Liu, Jieyao, et al. Application partitioning algorithms in mobile cloud computing: Taxonomy, review and future directions. Journal of Network and Computer Applications 48 (2015): 99-117.

Suleman Khan received his Ph.D. (Distinction) from the University of Malaya, Malaysia, in 2017. Before that he completed several Master's degrees, including M.Sc.-CS, M.B.A., and M.S.-CS degrees from the University of Peshawar, IMSciences Peshawar, and Comsats Abbottabad in 2006, 2008, and 2011, respectively. Currently, Dr. Khan is a lecturer at Monash University Malaysia. He has authored over 35 peer-reviewed research articles in journals and international conferences. His research interests include software-defined networks, network forensics, the Internet of Things, vehicular communications, and cloud computing security.

Muhammad Shiraz is an Assistant Professor in the Department of Computer Science, Federal Urdu University of Arts, Sciences and Technology, Islamabad, Pakistan. He completed a Master's in Computer Science at Allama Iqbal Open University, Islamabad, Pakistan, in 2007. Currently he is pursuing his Ph.D. candidature under the Commonwealth Scholarship Program at the Faculty of Computer Science and Information Technology, University of Malaya, Malaysia. He is an active researcher in the Mobile Cloud Computing Research Group at FCSIT. His areas of interest include distributed application design for ubiquitous networks, distributed systems, lightweight applications, smart client applications and optimization strategies, and mobile cloud computing. He is a reviewer for the Journal of Network and Computer Applications.

Laleh Boroumand received her M.S. degree in Computer Science from the University of Malaya, Malaysia, in 2015. She is now working toward the Ph.D. degree at the same university. Her main research interests are network security, authentication mechanisms, optimization, and cloud computing.

Abdullah Gani received the Teaching Certificate from Kinta Teaching College, Ipoh, the Diploma degree in computer science from ITM, the B.Phil. degree and the M.Sc. degree in information management from the University of Hull, U.K., and the Ph.D. degree in computer science from the University of Sheffield, U.K. He is a Professor with the Department of Computer System and Technology, Faculty of Computer Science and Information Technology, University of Malaya, Malaysia. He has vast teaching experience, having worked in a number of educational institutions locally and abroad, including Malay Women Teaching College, Melaka; the Ministry of Education; Rotherham College of Technology and Art, Rotherham, U.K.; and the University of Sheffield. His interest in research began in 1983 when he was chosen to attend the three-month Scientific Research Course in RECSAM by the Ministry of Education, Malaysia. Since then, he has had over 150 academic papers published in proceedings and international journals with a top 10% ranking. He is widely cited in the Web of Science and Scopus databases. He actively supervises numerous students at all levels of study. His research interests include self-organized systems, machine learning, reinforcement learning, and wireless-related networks. He is currently working on mobile cloud computing with the High Impact Research Grant of USD 800 000 (RM2.5) from 2011 to 2016. He is also the Principal Investigator of “Al-Quran and Hadith Authentication Systems” with a grant of RM650,000, and has received several grants totalling over RM350,000. He is currently the Director of the Centre for Mobile Cloud Computing Research, which focuses on high impact research. The Centre has published over 60 papers in tier 1 and tier 2 ISI-indexed journals in the last five years. Internationally, he serves as a Visiting Professor with King Saud University, Saudi Arabia, and Adjunct Professor with the COMSATS Institute of Information Technology, Islamabad, Pakistan. He is a Visiting Professor with the University Malaysia Sabah, Kota Kinabalu, Sabah, Malaysia, from 2015 to 2017. He serves as the Chairman of the Industry Advisory Panel for the Research Degree Program with UNITEN, Malaysia, from 2015 to 2017. He is a reviewer for several high quality journals, and the Editor-in-Chief of the Malaysian Journal of Computer Science, an ISI-indexed journal. He was elected as a fellow of the Academy of Sciences Malaysia in the Engineering and Computer Science discipline.

Muhammad Khurram Khan is currently working as a Full Professor at the Center of Excellence in Information Assurance (CoEIA), King Saud University, Kingdom of Saudi Arabia. He is one of the founding members of CoEIA and served as the Manager R&D from March 2009 to March 2012. He developed and successfully managed the research program of CoEIA, which transformed the center into one of the best centers of research excellence in Saudi Arabia as well as in the region. He is the Editor-in-Chief of the well-esteemed ISI-indexed international journal Telecommunication Systems (Springer-Verlag), established in 1993, with an impact factor of 1.163 (JCR 2013). Furthermore, he is a full-time Editor/Associate Editor of several ISI-indexed international journals and magazines, including IEEE Communications Magazine, Journal of Network & Computer Applications (Elsevier), IEEE Access, Security & Communication Networks (Wiley), IEEE Consumer Electronics Magazine, PLOS ONE (USA), IET Wireless Sensor Systems, Electronic Commerce Research (Springer), Journal of Information Hiding and Multimedia Signal Processing, International Journal of Biometrics (Inderscience), Journal of Physical & Information Sciences, and Journal of Independent Studies and Research-Computing. He has also been the Guest Editor of several international ISI-indexed journals of Springer-Verlag and Elsevier Science. Moreover, he is one of the organizing chairs of more than 5 dozen international conferences and a member of the technical committees of more than 10 dozen international conferences. In addition, he is an active reviewer for many international journals. Prof. Khurram is an Adjunct Professor at Fujian University of Technology, China, and an Honorary Professor at IIIRC, Shenzhen Graduate School, Harbin Institute of Technology, China. He received an outstanding leadership award at the IEEE International Conference on Networks and Systems Security 2009, Australia. He has been included in the Marquis Who’s Who in the World 2010 edition. He has also received a certificate of appreciation for outstanding contributions in “Biometrics & Information Security Research” at the AIT International Conference, June 2010, in Japan. He was awarded a Gold Medal for the Best Invention & Innovation Award at the 10th Malaysian Technology Expo 2011, Malaysia. Moreover, his invention recently received a Bronze Medal at the 41st International Exhibition of Inventions in Geneva, Switzerland, April 2013. In addition, he received the best paper award from the Journal of Network & Computer Applications (Elsevier) in December 2015. Prof. Khurram is the recipient of the King Saud University Award for Scientific Excellence (Research Productivity) in May 2015, and of the King Saud University Award for Scientific Excellence (Inventions, Innovations, and Technology Licensing) in May 2016. He has published over 260 research papers in journals and conferences of international repute. In addition, he is an inventor of 10 US/PCT patents. He has edited 7 books/proceedings published by Springer-Verlag and IEEE. He has secured several national and international research grants in the domain of information security. His research areas of interest are cybersecurity, digital authentication, biometrics, multimedia security, and technological innovation management. He has recently played a leading role in developing the BS Cybersecurity Degree Program and the Higher Diploma in Cybersecurity at King Saud University. He is a fellow of the IET (UK), a fellow of the BCS (UK), a fellow of the FTRA (Korea), a senior member of the IEEE (USA), a member of the IEEE Technical Committee on Security & Privacy, and a member of the IEEE Cybersecurity community.