
Event correlation in cloud: a forensic perspective


Abstract

Forensic investigation in cloud computing systems faces various legal, technical and organizational challenges. In this work, we focus on the technical issues of cloud forensics, specifically event correlation, a technique used to expose the relation between two or more cloud events. Event correlation in the cloud is still at a relatively early stage. We divide cloud event correlation into two stages. In the first stage, we consider the events from the perspective of a single artifact and perform correlation (homogeneous correlation). In the second stage, we collect the events from multiple artifacts and then perform correlation (heterogeneous correlation). The proposed approach helps automate the detection of incidents from cloud evidence and also speeds up the investigator's interpretation of events.



Author information

Corresponding author

Correspondence to B. K. S. P. Kumar Raju.


Cite this article

Kumar Raju, B.K.S.P., Geethakumari, G. Event correlation in cloud: a forensic perspective. Computing 98, 1203–1224 (2016). https://doi.org/10.1007/s00607-016-0500-2


  • DOI: https://doi.org/10.1007/s00607-016-0500-2
