Skip to main content
SpringerLink
Log in

Formal modeling and verification of security controls for multimedia systems in the cloud

  • Published:
Multimedia Tools and Applications Aims and scope Submit manuscript

Abstract

Organizations deploy the Security Information and Event Management (SIEM) systems for centralized management of security alerts for securing their multimedia content. The SIEM system not only preserves events data, generated by devices and applications, in the form of logs but also performs real-time analysis of the event data. The SIEM works as the Security Operation Centre (SOC) in an organization, therefore, errors in the SIEM may compromise the security of the organization. In addition to focusing on the architecture, features, and the performance of the SIEM, it is imperative to carry out a formal analysis to verify that the system is impeccable. The ensuing research focuses mainly on the formal verification of the OSTORM a SIEM system. We have used High-Level Petri Nets (HLPN) and Z language to model and analyze the system. Moreover, Satisfiability Modulo Theories Library (SMT-Lib) and Z3 solver are used in this research to prove the correctness of the overall working of the OSTORM system. We demonstrate the correctness of the underlying system based on four security properties, namely: a) event data confidentiality, b) authentication, c) event data integrity, and d) alarm integrity. The results reveal that the OSTORM system functions correctly.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Similar content being viewed by others

References

  1. Alam Q, Tabbasum S, Malik S, Alam M, Tanveer T, Akhunzada A, Khan S, Vasilakos A, Buyya R (2016) Formal verification of the xDAuth protocol

  2. Alienvault OSSIM http://www.alienvault.com. Accessed 13 Mar 2015

  3. Allen R, Garlan D (1997) A formal basis for architectural connection. ACM Trans Softw Eng Methodol 6(3):213–249

    Article  Google Scholar 

  4. Alruwaili FF, Gulliver TA (2014) SOCaaS: security operations center as a Service for Cloud Computing Environments. International Journal of Cloud Computing and Services Science (IJ-CLOSER) 3(2):87–96

    Google Scholar 

  5. Baier C, Katoen J-P (2008) Principles of model checking, vol 26202649. MIT press, Cambridge

    MATH  Google Scholar 

  6. Barrett CW, Sebastiani R, Seshia SA, Tinelli C (2009) Satisfiability modulo theories. Handbook of satisfiability 185:825–885

    Google Scholar 

  7. Barrett C, Stump A, Tinelli C (2010) The SMT-LIB standard: version 2.0. Available at www.SMT-LIB.org

  8. Barrett C, Stump A, Tinelli C (2010) The satisfiability modulo theories library (smt-lib) 15:18–52. www.SMT-LIB.org

  9. Biere A, Cimatti A, Clarke EM, Strichman O, Zhu Y (2003) Bounded model checking. Adv Comput 58:117–148

    Article  Google Scholar 

  10. Bjorner N (2017) Z3. https://github.com/z3prover/z3/. Accessed 10 Apr 2015

  11. Blanchet B (2001) Abstracting cryptographic protocols by prolog rules. In: Static Analysis. Springer, pp 433–436

  12. Bussa T, Kavanagh KM, Rochford O (2016) Gartner, magic quadrant for security information and event management

  13. Chaput SR, Ringwood K (2010) Cloud compliance: a framework for using cloud computing in a regulated world. In: Cloud Computing. Springer, pp 241–255

  14. Cyber Security Lab (Cybersec.com.pk)

  15. De Moura L, Bjørner N (2008) Z3: an efficient SMT solver. In: Tools and Algorithms for the Construction and Analysis of Systems. Springer, pp 337–340

  16. Dimitrios K (2014) Security information and event management systems: benefits and inefficiencies. U. Piraeus

  17. Dutertre B, De Moura L (2006) The yices SMT solver http://yices.csl.sri.com/papers/tool-paper.pdf.

  18. Forouzan BA (2007) Cryptography & network security. McGraw-Hill, Inc.

  19. Gai K, Qiu M, Tao L, Zhu Y (2015) Intrusion detection techniques for mobile cloud computing in heterogeneous 5G. Security Commun Netw:1–10

  20. GmbH A (2015) RSYSLOG: the rocket-fast system for log processing http://www.rsyslog.com/

  21. Gordon AD, Jeffrey A, Haack C (2002) Cryptyc: cryptographic protocol type checker. Software available at http://cryptyc.cs.depaul.edu

  22. Hanna Y, Rajan H, Zhang W (2008) Slede: a domain-specific verification framework for sensor network security protocol implementations. In: Proceedings of the first ACM conference on Wireless network security. ACM, pp 109–118

  23. Hernan S, Lambert S, Ostwald T, Shostack A (2006) Threat modeling-uncover security design flaws using the stride approach. MSDN Magazine-Louisville:68–75

  24. Ihsan A, Saghar K, Fatima T (2015) Analysis of LEACH protocol (s) using formal verification. In: Applied sciences and Technology (IBCAST), 2015 12th International Bhurban conference on. IEEE, pp 254-262

  25. Jensen K (1983) High-level petri nets. Springer

  26. Jung M, Han K, Cho J (2015) Advanced verification on WBAN and cloud computing for u-health environment. Multimed Tools Appl 74(16):6151–6168

    Article  Google Scholar 

  27. Kim K, Fox GC (2011) Modeling, simulation, and practice of floor control for synchronous and ubiquitous collaboration. Multimed Tools Appl 53(1):213–236

    Article  Google Scholar 

  28. Kim JS, Garlan D (2006) Analyzing architectural styles with alloy. In: Proceedings of the ISSTA 2006 workshop on role of software architecture for testing and analysis. ACM, pp 70-80

  29. Malik SUR, Khan SU, Srinivasan SK (2013) Modeling and analysis of state-of-the-art VM-based cloud management platforms. IEEE Trans Cloud Comput 1(1):1–1

    Article  Google Scholar 

  30. MASSIF MASSIF http://www.massifproject.eu/docs. Accessed 12 Mar 2015

  31. McIver A, Meinicke L, Morgan C (2009) Security, probability and nearly fair coins in the cryptographers’ café. In: FM 2009: Formal methods. Springer, pp 41–71

  32. Meyer R (2007) Secure authentication on the internet Retrieved online Mar 27, 2012

  33. Mohammad M, Alagar V (2011) A formal approach for the specification and verification of trustworthy component-based systems. J Syst Softw 84(1):77–104

    Article  Google Scholar 

  34. Needham RM, Schroeder MD (1978) Using encryption for authentication in large networks of computers. Commun ACM 21(12):993–999

    Article  MATH  Google Scholar 

  35. Needham RM, Schroeder MD (1987) Authentication revisited. ACM SIGOPS Operating Systems Review 21(1):7–7

    Article  Google Scholar 

  36. Nets-Concepts H-lP (2000) Definitions and graphical notation. Final Draft International Standard ISO/IEC 15909

  37. Potts G (2006) OSSIM user guide the book of OSSIM open source software image map – OSSIM

  38. Saghar K, Henderson W, Kendall D (2009) Formal modelling and analysis of routing protocol security in wireless sensor networks. In: Proceedings of the 10th annual postgraduate symposium on the convergence of telecommunications, networking and broadcasting (PGNET 09). Pp 179-184

  39. Saghar K, Henderson W, Kendall D, Bouridane A (2010) Applying formal modelling to detect DoS attacks in wireless medium. In: communication systems networks and digital signal processing (CSNDSP), 2010 7th International symposium on. IEEE, pp 896-900

  40. Saghar K, Henderson W, Kendall D, Bouridane A (2010) Formal modelling of a robust wireless sensor network routing protocol. In: Adaptive Hardware and Systems (AHS), 2010 NASA/ESA conference on. IEEE, pp 281–288

  41. Si M, Miyazaki K, Otsuka A, Basin D (2010) How to evaluate the security of real-life cryptographic protocols? In: Financial Cryptography and Data Security. Springer, pp 182–194

  42. Storm Apache Storm http://storm.apache.org/documentation/Home.html. Accessed 10 Mar 2015

  43. Swift D (2006) A practical application of SIM/SEM/SIEM automating threat identification. Paper, SANS Infosec Reading Room, The SANS

  44. Tariq M, Saghar K (2015) Evaluation of a sensor network node communication using formal verification. In: Applied sciences and Technology (IBCAST), 2015 12th International Bhurban conference on. IEEE, pp 268–271

  45. Tobarra L, Cazorla D, Cuartero F (2007) Formal analysis of sensor network encryption protocol (snep). In: Mobile Adhoc and Sensor Systems, 2007. MASS 2007. IEEE International conference on. IEEE, pp 1–6

  46. Tobarra L, Cazorla D, Cuartero F, Diaz G, Cambronero E (2007) Model checking wireless sensor network security protocols: Tinysec+ leap. In: Wireless Sensor and Actor Networks. Springer, pp 95–106

  47. Triam Triam http://www.triam.com.pk. Accessed Mar 29 2015

  48. Trillium (2006) Trillium Pakistan (Pvt) Ltd. http://www.trillium-pakistan.com/. 2015

  49. Webster M, Dixon C, Fisher M, Salem M, Saunders J, Koay KL, Dautenhahn K, Saez-Pons J (2016) Toward reliable autonomous robotic assistants through formal verification: a case study

  50. Weldemariam K, Kemmerer RA, Villafiorita A (2011) Formal analysis of an electronic voting system: an experience report. J Syst Softw 84(10):1618–1637

    Article  Google Scholar 

  51. William S, Stallings W (2006) Cryptography and network security, 4/E. Pearson Education India

  52. Willrich R, De Saqui-Sannes P, Sénac P, Diaz M (2002) Multimedia authoring with hierarchical timed stream petri nets and java. Multimed Tools Appl 16(1–2):7–27

    Article  MATH  Google Scholar 

  53. Zhang P, Muccini H, Li B (2010) A classification and comparison of model checking software architecture techniques. J Syst Softw 83(5):723–744

    Article  Google Scholar 

  54. Zhang J, Liu Y, Auguston M, Sun J, Dong JS (2012) Using monterey phoenix to formalize and verify system architectures. In: Software Engineering Conference (APSEC), 2012 19th Asia-Pacific. IEEE, pp 644–653

  55. Zhao K, Shen W (2015)Parallel stimulus generation based on model checking for coherence protocol verification

  56. http://onlinelibrary.wiley.com/doi/10.1002/sec.393/full

  57. www.ijicic.org/ijicic-10-10056.pdf

Download references

Acknowledgements

This work has been possible by the funding provided by ICT R&D under the CDACDEA project. The SIEM as a service has been launched through the collaboration of Trillium Information Security Systems and the Cyber Security Lab at COMSATS Institute of Information Technology, Islamabad, Pakistan.

The authors extend their sincere appreciations to the Deanship of Scientific Research at King Saud University for its funding this Prolific Research Group (PRG-1436-16)

Author information

Authors and Affiliations

  1. Cyber Security Lab, Department of Computer Science, COMSATS Institute of Information Technology, Islamabad, Pakistan

    Masoom Alam, Saif-ur-Rehman Malik, Abid Khan, Shamaila Bisma Khan, Adeel Anjum, Nadeem Javed & Adnan Akhunzada

  2. Department of Computer Science & Software Engineering, International Islamic University, Islamabad, Pakistan

    Qaisar Javed

  3. Center of Excellence in Information Assurance (CoEIA), King Saud University, Riyadh, Saudi Arabia

    Muhammad Khurram Khan

Authors
  1. Masoom Alam
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Saif-ur-Rehman Malik
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Qaisar Javed
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Abid Khan
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Shamaila Bisma Khan
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Adeel Anjum
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Nadeem Javed
    View author publications

    You can also search for this author in PubMed Google Scholar

  8. Adnan Akhunzada
    View author publications

    You can also search for this author in PubMed Google Scholar

  9. Muhammad Khurram Khan
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Masoom Alam.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Alam, M., Malik, SuR., Javed, Q. et al. Formal modeling and verification of security controls for multimedia systems in the cloud. Multimed Tools Appl 76, 22845–22870 (2017). https://doi.org/10.1007/s11042-017-4853-0

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11042-017-4853-0

Keywords

Search

Navigation