A multi-agent security framework for cloud data storage

Abstract

In the last years, cloud computing has emerged as a new information technology (IT) model. Which provides an easy way for data processing and storage remotely through a network. Nowadays, cloud storage has become an attractive storage scheme for users to store their data. When users store their files remotely in a cloud storage system, they still worried about the security of their files and the guarantee of the confidentiality and the integrity of them. In this work, we propose a multi-agent framework to provide cloud data storage security. The proposed multi-agent framework enables the security of data in cloud storage by providing both integrity and confidentiality of data. For this purpose, we proposed a client-side encryption method, which is based on the use of both AES and RSA algorithms, it provides the confidentiality and privacy of data besides the performance. Proof of retrievability based on the use of hash function is adopted in our multi-agent framework, to enable data integrity check.

Keywords

Cloud computing cloud data storage multi-agent system encryption integrity confidentiality

1. Introduction

During the last years, information technology has widely developed, aiming to increase the power of the computing resources and to decrease their costs, which led to the situation where big data can be collected, stored and treated.

In that context, cloud computing rapidly appears as IT solution of choice for many companies and individuals. According to the national institute of standards and technology: “cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” [13].

Cloud storage is a model of networked online storage where data is stored on multiple virtual servers [16], it enables the users to store and manage their data remotely in the cloud. Due to cloud computing characteristics, like the multi-tenancy nature, the virtualization and the outsourcing of sensitive data. The users of cloud storage are perplexed about how security can be guaranteed in the cloud storage system. Moreover, they are worried about hosting their sensitive data in the cloud storage systems. The characteristics of cloud computing can create a serious data risk as the same resources are used among the different users [1].

The existing cloud storage systems use a cloud side encryption technique, to provide the confidentiality of the stored data, which means that they are capable to reach the real data of the user. Besides almost of them do not provide a technique and a way to allow the users to check the correctness of their data. There is always a big concern of whether the cloud storage provider can access to our data without our permission and reveal them to unauthorized entities and also if he stores our data correctly in its virtual servers. The data security is the biggest challenge for cloud storage providers. This term means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability [8].

Motivated by these raised facts and in order to provide the security of data in the cloud storage systems, we propose in this research a multi-agent framework of security. The proposed multi-agent framework based on the use of encryption techniques to provide the integrity and the confidentiality of data. A client side encryption method is proposed to protect the data of the user at the cloud servers. It is based on the use of both RSA and AES algorithms, which are used to guarantee the confidentiality and privacy of data. A proof of retrievability based on the use of hash function is adopted, to provide data integrity, and to guarantee that the data are still intact in the cloud storage systems.

The rest of this paper is organised as follows. Section 2 briefly reviews some related works. Section 3 presents the proposed multi-agent framework. In Section 4, we propose an implementation and use case using the jade platform. Section 5 discusses the performance of our proposed multi-agent framework. Finally, a conclusion and future works are given in Section 6.

2. Literature review

In the literature, many works used the multi-agent system to provide the cloud computing security. The use of multi-agent system comes with different techniques and methods, which can be classified into encryption methods, identity and access management (IAM) techniques, intrusion detection systems and trust and monitoring methods.

From an encryption methods perspective, many works have been proposed, because the encryption of data is the core of the confidentiality. Islam and Habiba [11] proposed an agent-based framework for providing security to data storage in cloud. Their proposal contains three different layers, the user layer, the cloud service provider layer and the storage layer. For each layer, ants are used to maintain the security in the cloud system. In their work they based on the use of encryption techniques, fist they classified the security into many levels then they applied a different algorithm for each security level. The classification of security into many levels increase their system performance. Rhazlane et al. [21] proposed an intelligent multi-agent system based solution for data protection in the cloud. Their solution is based on the encryption process before storage, it allows selective data encryption at the column level with a possibility of performing the encryption process on one part of the data using different encryption keys, they used an approach that uses a cryptographic system based on encryption keys stored in the data owner side, who constantly keeps the encrypted data at the server level and performs decryption only on the client side.

From an IAM perspective, several contributions have been proposed, IAM remains one of the greatest challenges. Alguliev and Abdullayeva [19] proposed an identity management based security architecture of cloud computing, they used multi-agent system to create an identity federation process over a federation cloud. In their work, they based on the use of single sign-on technique that allows the users to authenticate at a single identity provider and gain access to all cloud service providers in a federation with identity providers without providing any additional information. Zhou and Qin [5] proposed a security framework for cloud data storage based on multi-agent system, the proposed cloud security framework can be divided into two layers: one is a cloud data storage layer, and the other is the proxy service layer based on multi-agent. To achieve their goal, they set an access control policy of cloud-based data in a confidentiality agent, which is able to define corresponding mathematical formulas for each user’s access structure. The formula formed by the data access control policy is defined as security formula.

From an intrusion detection perspective, several approaches have been proposed. Muthurajkumar et al. [20] proposed an agent-based intelligent approach for the malware detection for infected cloud data storage files. The main objective of their work is to detect malware infected files while transmitting the files from server to client and to provide a secure way to transfer files among users. To achieve their goal, the malwares are first classified based on their families and then they are compared with exact matching algorithm and maximum matching algorithm. By using this technique in their work, the presence of malwares are detected. Achbarou et al. [14] proposed a multi agent approach based intrusion detection system (IDS). The IDS is used for detecting and preventing attacks in the cloud environment. Their solution is structured around three main interacting layers and seven agents interact in their approach, they used two special agents, the intrusion detection agent is an intelligent IDS that can detect two signals, one of which is known intrusion and another intrusion unknown, and the intrusion prevention agent. This agent performs some preventive services like blocking of suspicious traffics.

From a trust and monitoring perspective, several works have been proposed, Sianipar et al. [6] proposed the construction of agent-based trust in cloud infrastructure, their system detect unauthorized access by verifying and monitoring the integrity of cloud infrastructure security relevant parts. In this work, they based on the use of trusted boot with TPM (Trusted Platform Module) to perform integrity verification at boot-time, their solution also monitors access to security relevant parts, such as hardware/software configuration, to be able to detect any changes at run-time. Venkateshwaran et al. [7] proposed a security framework for agent-based cloud computing. The proposed framework consists of various modules includes a security agent, serving as front end authenticator and trust analyzer of a cloud. To maintain the trust in agents’ interaction, a trust model is used. When a trusted communication happens, the trust degree of the agent gets increase. Similarly, when a non-trusted communication happens, the trust degree of the agent gets decrease.

As we notice, several techniques for cloud security have been proposed. It becomes necessary to choose the most suitable technique, to provide the security of data in cloud storage and to fulfil all the security properties, such as confidentiality and integrity.

3. A multi-agent framework for cloud data storage security

The data security is the biggest challenge for cloud providers. In this section we present our solution, which is based on the use of encryption techniques to provide the security in cloud storage systems. First; we present the multi-agent framework architecture, after that; we describe the multi-agent framework and we explain how it works, and then; we present the proposed encryption and the integrity check methods respectively, which are used to guarantee the confidentiality and integrity of data in cloud storage systems.

3.1 The multi-agent framework architecture

The structure of the cloud storage system consists of four layers: the storage (physical) layer; it contains the physicals storage, the management (virtual) layer; it is the core of cloud storage, the application interface layer (API); it is used to access the cloud storage system, and the access layer; which is used for the access control [3]. To achieve our goal, and to guarantee the security of data in cloud storage, we used a group of agents, which are distributed among the different storage layers and they collaborate between them to ensure the security of data in the cloud storage. Figure 1 presents the multi-agent framework architecture. The description of agents and the tasks of each one of them are defined as follows:

Figure 1.

The multi-agent framework architecture.

The data owner (DO): The data owner layer represents a cloud user, who wants to store its data in a cloud storage system. In this level, we used four types of agents, which are defined as the following:

•

Interface agent: This agent is responsible of presentation for data and the interaction with the user. Its first job is to authenticate the user with the help of the authenticator agent; it also interacts with the encryption agent and/or the proxy agent during the interaction. It contains the following modules: posting module, an analyzer module, communication module and knowledge base. Figure 2 represents the interface agent.

Figure 2.

The interface agent.

•

Proxy agent: This agent is an intermediary between the agents at data owner layer and the other agents of the system. It is responsible for passing the requests of the user and the reception of the responses, through the mobile agent. Therefore, it interacts with the interface agent. This agent contains the following modules: processing module, communication module and knowledge base. Figure 3 represents the proxy agent.

Figure 3.

The proxy agent.

•

Authenticator agent: This agent is responsible for the authentication of the user; it is requested by the interface agent, to authenticate the user. This agent contains the following modules: processing module, communication module and knowledge base. Figure 4 represents the authenticator agent.

Figure 4.

The authenticator agent.

•

Mobile agent: This agent is the channel of communication between the data owner layer and the cloud provider layer. Its job is to move between the two layers and carry the requests and responses. It is used to provide a safe communication and to reduce the traffic. This agent contains the following modules: processing module, communication module and knowledge base. Figure 5 represents the mobile agent.

Figure 5.

The mobile agent.

•

Encryption agent: This agent is responsible of the encryption operation, it encodes the data, using the user’s secret key before sending them to the cloud provider, and it is also responsible of the generation of the hash code and the digital signature of the user’s file. In the other way, this agent is used to decode the user’s data, to make them readable. It contains the following modules: an encryption module, communication module and knowledge base. Figure 6 represents the encryption agent.

Figure 6.

The encryption agent.

The cloud provider (CP): this layer represents a cloud provider, which provides data storage service to the customers. In this level, we used one agent:

•

Cloud provider agent: this agent works on behalf of the cloud storage provider. It interacts with the mobile agent of the data owner layer, and then he executes the request of the data owner. After that, he returns the result to the mobile agent. This agent contains the following modules: processing module, communication module and knowledge base. Figure 7 represents the cloud provider agent.

Figure 7.

The cloud provider agent.

3.2 The multi-agent framework description

The proposed multi-agent framework allows the user to store its data in cloud storage and it enables the security to them. To reach this goal, the agents collaborate and interact between them.

To store its data in cloud storage, the user authenticates himself through the interface agent, with the help of the authenticator agent. Then, the interface agent posts the interface. Now the user can select any file and ask to store it. The interface agent asks the encryption agent to perform the encryption operation. After that, it asks the proxy agent to send the encrypted file to the cloud storage. The proxy agent requests the mobile agent, which moves to the cloud storage, and carries the encrypted file. In the cloud storage level, the mobile agent asks to the cloud provider agent to store the encrypted file. After the storage operation, it moves again to the data owner layer and informs the proxy agent, which notifies the interface agent that the file is stored correctly. Figure 8 shows the sequence diagram which summarizes the interaction between the agents to store a file, where the steps are as follows:

Figure 8.

The interaction of agents to store a file.

•

Step 01: the user provides its username and password to the interface agent.

•

Step 02: the interface agent asks the authenticator agent to verify the user’s identity.

•

Step 03: the authenticator agent checks the user’s identity, and returns the result.

•

Step 04: if the identity is correct, the access is allowed, else, it is rejected.

•

Step 05: the user asks the interface agent to send a file to the cloud storage.

•

Step 06: the interface agent asks the encryption agent to perform the encryption.

•

Step 07: the encryption agent encodes the file and informs the interface agent.

•

Step 08: the interface agent asks the proxy agent to send the file to the cloud storage.

•

Step 09: the proxy agent requests the mobile agent to carry the user’s file to the cloud.

•

Step 10: the mobile agent moves to the cloud and asks the cloud provider agent.

•

Step 11: the cloud provider agent stores the file and notifies the mobile agent.

•

Step 12: the mobile agent backs to the data owner and informs the proxy agent.

•

Step 13: the proxy agent notifies the interface agent that the file is stored successfully.

•

Step 14: the interface agent informs the user that its file is now in the cloud storage.

To turn over the data, the user can demand to retrieve a required file through the interface agent with the help of the proxy agent, which requests the mobile agent to move to the cloud storage and retrieve the required file with the help of the cloud provider agent. The cloud provider agent returns the required file to the mobile agent. Which moves again to the data owner side and gives the required file to the proxy agent. The interface agent asks the encryption agent to decode the retrieved file. Then it posts it to the user. Figure 9 shows the sequence diagram which summarizes the interaction between the agents to retrieve a file, where the steps are as follows:

Figure 9.

The interaction of agents to retrieve a file.

•

Step 01: the user provides its username and password to the interface agent.

•

Step 02: the interface agent asks the authenticator agent to verify the user’s identity.

•

Step 03: the authenticator agent checks the user’s identity, and returns the result.

•

Step 04: if the identity is correct, the access is allowed, else, it is rejected.

•

Step 05: the user asks the interface agent to retrieve a file from the cloud storage.

•

Step 06: the interface agent asks the proxy agent to retrieve the file from the cloud.

•

Step 07: the proxy agent orders the mobile agent to move and retrieve the file.

•

Step 08: the mobile agent moves to the cloud side and asks the cloud provider agent.

•

Step 09: the cloud provider agent returns the file to the mobile agent.

•

Step 10: the mobile agent backs to the data owner and informs the proxy agent.

•

Step 11: the proxy agent passes the file to the interface agent.

•

Step 12: the interface agent asks the encryption agent to decrypt the file.

•

Step 13: the encryption agent decrypts the file and informs the interface agent.

•

Step 14: the interface agent posts the file to the user.

The user can also check if its data still intact in the cloud storage side. Therefore, he can select any file and ask to check its correctness through the interface agent with the help of the proxy agent, which asks the mobile agent to move to the cloud storage and retrieve the hash code of the required file. The mobile agent moves to the cloud storage side and retrieves the required hash code with the help of the cloud provider agent. Now the mobile agent moves again to the data owner side and gives the retrieved hash code to the proxy agent, which informs the interface agent. The interface agent asks the encryption agent to verify the integrity of the required file and informs the user with the result of the check. Figure 10 shows the sequence diagram which summarizes the interaction between the agents to check a file, where the steps are as follows:

Figure 10.

The interaction of agents to check a file.

•

Step 01: the user provides its username and password to the interface agent.

•

Step 02: the interface agent asks the authenticator agent to verify the user’s identity.

•

Step 03: the authenticator agent checks the user’s identity, and returns the result.

•

Step 04: if the identity is correct, the access is allowed, else, it is rejected.

•

Step 05: the user selects a file and asks the interface agent to check its integrity.

•

Step 06: the interface agent asks the proxy agent to check the file’s integrity.

•

Step 07: the proxy agent requests the mobile agent to retrieve the required hash code.

•

Step 08: the mobile agent moves to the cloud storage side and asks the cloud provider agent.

•

Step 09: the cloud provider agent returns the generated hash to the mobile agent.

•

Step 10: the mobile agent backs and returns the hash code to the proxy agent.

•

Step 11: the proxy agent passes the generated hash code to the interface agent.

•

Step 12: the interface agent asks the encryption agent to perform the verification.

•

Step 13: the encryption agent verifies the file and informs the interface agent.

•

Step 14: the interface agent informs the user by the result of the check.

Figure 11.

The communication: data owner to cloud provider.

3.3 The proposed encryption method

The encryption of data is one of the confidentiality techniques. It guarantees that only who has the keys can reach the real data. Confidentiality can be achieved through proper encryption technique: symmetric and asymmetric algorithms [15]. Furthermore, there are three levels of secrecy named: the communication channel encryption (CCE), CCE and server side encryption (SSE), and the last one is the highest level, named client-side encryption (CSE) [23]. In our multi-agent framework, we propose a client side encryption method. It is based on the use of both RSA and AES algorithms. RSA algorithm along with digital signature is applied for providing cloud data security [12]. It can be used for public and private key exchange, generated digital signatures, or encryption of small size blocks of data [22]. In our proposed method, we used RSA algorithm to generate the digital signature (RSA-DS) of the user’s file. This digital signature is used to authenticate the user during the interaction with the cloud storage provider. We also used RSA algorithm to exchange messages and to encode/decode small size files (the digital signature and the hash code) exchanged between the data owner and the cloud provider. Figure 11 shows the communication from the data owner to the cloud using the RSA algorithm, and Fig. 12 shows the communication from the cloud to the data owner using the RSA algorithm. AES algorithm is selected by the researchers as a technique for data encryption and decryption [9]. Thus, AES algorithm is used to encode/decode the file of the data owner in its side, to enable the highest level of secrecy. The encryption method contains three steps, which are explained in the following. Table 1 defines the used annotations.

Table 1
Annotations of the proposed encryption method

Annotation	Definition
F/F1	File/encrypted file of the data owner.
Encrypt()/Decrypt()	Algorithms to encode/decode a file or a message.
RandKey()	Function to generate an AES key.
PairKey()	Function to generate an RSA pair key.
Hash()	Function to generate a hash code.
Sign()	Function to sign data with RSA.
Request()	Function to request a file.
Send()	Function to send a file or a message.
Cancel()	Function to annul the current operation.
Verify()	Function to verify a digital signature.
Store()	Function to store a file.
Compare()	Function to compare two hash codes.
CPPub/CPPrivate	RSA public key/private key of cloud provider.
DOPub/DOPrivate	RSA public key/private key of the data owner.
DOAES	AES secret key of the data owner.

Figure 12.

The communication: cloud provider to data owner.

Step 1: key generation and sharing: The data owner uses RSA algorithm to generate a pair key (DOPrivate, DOPub) and uses AES algorithm to generate a secret key (DOAES) for himself. Cloud provider also uses the RSA algorithm to generate a pair key for himself (CPPrivate, CPPub). For the keys sharing, only the public keys of both cloud provider and data owner are exchanged between them.

Step 2: storage: the data owner encrypts its file (F) using its secret key (DOAES): F1 $=$ Encrypt (F, DOAES), then he generates its hash code, hashF1 $=$ Hash (F1) and then he stores it locally: Store (hashF1). After that; he signs the generated hash code with its private key (DOPrivate), signF1 $=$ Sign (hashF1, DOPrivate). The generated signature is encrypted with the public key of the cloud provider (CPPub), shared with the data owner: Encrypt (signF1, CPPub). Now the encrypted file (F1) and the encrypted digital signature are appended into one file, Ffinal $=$ F1 && Encrypt (signF1, CPPub) and the result Ffinal is sent to the cloud provider through the mobile agent: Send (Ffinal). The cloud provider decrypts the received package, using its private key; signF1 $=$ Decrypt (Encrypt (signF1, CPPub), CPPrivate), then he verifies the signature, using the user’s public key (DOPub); Verify (signF1, DOPub). The verification allows the cloud provider to guarantee that the received file is sent by the real data owner and it is not altered during the transfer. Thus, he can store the encrypted file (F1), Store (F1), else the request is cancelled. Figure 13 presents the storage process.

Figure 13.

The storage process.

Step 3: retrieving: To retrieve the data from the cloud storage, the data owner requests the required file (F1) from the cloud provider, accompanied with its encrypted digital signature, Request (F1, Encrypt (signF1, CPPub)). The cloud provider receives the package, and verifies the digital signature; Verify (signF1, DOPub), if the digital signature is correct, the cloud provider responds and sends the file to the data owner: Send (F1), else the request is cancelled. The file transferred to the data owner is encrypted by its secret key (DOAES). Thus, only the data owner can decrypt it. After receiving the encrypted file, he uses its secret key (DOAES) to decrypt it, F $=$ Decrypt (F1, DOAES). Figure 14 presents the retrieving process. Algorithm 1 presents the encryption method steps.

Algorithm 1 Steps of the proposed encryption method

1: Key Generation and Sharing

2: Data Owner: DOPub, DOPrivate

=

PairKey ();

3: DOAES

=

RandKey ();

4: Cloud: CPPub, CPPrivate

=

PairKey ();

5: Cloud (share with) Data Owner: CPPub;

6: Data Owner (share with) Cloud: DOPub;

7: Storage

8: Data Owner: F1

=

Encrypt (F, DOAES);

9: hashF1

=

Hash (F1);

10: Store (hashF1);

11: signF1

=

Sign (hashF1, DOPrivate);

12: Ffinal

=

F1 && Encrypt (signF1, CPPub);

13: Data Owner (give) Cloud: Send (Ffinal);

14: Cloud: signF1

=

Decrypt (Encrypt (signF1, CPPub),CPPrivate);

15: Verify(signF1, DOPub){

16: If (signF1 is correct) Then

17: Store(F1);

18: Else

19: Cancel () }

20: Retrieving

21: Data Owner (demand) Cloud: Request (F1, Encrypt (signF1, CPPub));

22: Cloud: signF1

=

Decrypt (Encrypt (signF1, CPPub), CPPrivate);

23: Verify(signF1, DOPub){

24: If (signF1 is correct) Then

25: Cloud (give) Data Owner: Send (F1);

26: Data Owner: F

=

Decrypt (F1, DOAES);

27: Else

28: Cancel () ; }

Figure 14.

The retrieving process.

3.4 The proposed data integrity check method

Data integrity is one of the most critical elements in any information system. Generally, data integrity means protecting data from unauthorized deletion, modification, or fabrication [24]. Data Integrity is very important among the other cloud challenges. It gives the guarantee that data is of high quality, correct, unmodified [10]. There are two basic methods to provide such integrity: proof of retrievability and proof of data possession [4].

In our proposed integrity check method, we adopted the use of a proof of retrievability, which is based on the use of hash function, to ensure the integrity of the user’s file in the cloud storage. A hash function takes a data of variable length and produces a data of fixed length. It produces small and static length data, which is unique for each data. Any kind of change to any bits in the data consequences is a huge alteration to the hash code [17]. To allow the integrity check, the data owner computes a hash code of the whole file and stores it locally before outsourcing the file to cloud provider. Whenever the data owner needs to check the integrity of a file; he sends a request to retrieve its hash code from the cloud provider and asks to recompute the hash code of the required file. The cloud provider responds with the required hash code to the data owner, then the last can compare the re-computed hash code with the previously stored value, in order to check the file concreteness. There are two types of integrity check. In public check the user requests another entity to perform the check. In our multi-agent framework, we used a private check; where the data owner is the responsible for the check of the integrity [2]. Thus, for each data owner, there is a local repository, which is used to store the generated hash codes. This repository is used during the integrity check process. Like in Fig. 15, the integrity check method contains four steps, which are explained in the following:

Figure 15.

The integrity check method.

Step 1: pre-processing: the data owner generates a hash code of the encrypted file (F1), hashF1 $=$ Hash (F1), before sending the file to the cloud provider.

Step 2: integrity establishment: In this step, the generated hash code is stored in the local machine of the data owner in a dedicated repository: Store (hashF1).

Step 3: upload: In this step, only the file of the data owner is uploaded to the cloud storage server: Send (F1).

Step 4: verification: In this step, the data owner requests the hash code of the required file, accompanied with its digital signature, Request (Hash (F1), Encrypt (signF1, CPPub)). The cloud provider verifies the digital signature, using the user’s public key, Verify (signF1, DOPub). If it is correct, he responds with the requested hash code to the data owner: hashF2 $=$ Hash (F1) and Send (Encrypt (hashF2, DOPub). The data owner compares the locally stored copy of the hash code in its repository with the received one from the cloud storage provider, Decrypt (Encrypt (hashF2, DOPub), DOPrivate) and Result $=$ Compare (hashF2, hashF1). If they match, then the file is considered as intact, else, it is considered as not intact. Figure 16 presents the integrity check process. Algorithm 2 presents the integrity check method steps.

Figure 16.

The integrity check process.

Algorithm 2 The integrity check method steps

1: Pre-Processing

2: Data Owner: hashF1

=

Hash(F1);

3: Establishment

4: Data Owner: Store (hashF1);

5: Upload

6: Data Owner (give) Cloud: Send (F1);

7: Cloud: Store (F1);

8: Verification

9: Data Owner (demand) Cloud : Request (Hash (F1), Encrypt (signF1, CPPub));

10: Cloud: signF1

=

Decrypt (Encrypt (signF1, CPPub), CPPrivate);

11: Verify(signF1, DOPub) {

12: If(signF1 is correct) Then

13: hashF2

=

Hash (F1);

14: Encrypt (hashF2, DOPub);

15: Cloud (give) Data Owner: Send (Encrypt (hashF2, DOPub));

16: Data Owner: hashF2

=

Decrypt(Encrypt(hashF2,DOPub),DOPrivate);

17: Result

=

Compare (hashF1, hashF2);

18: Else

19: Cancel (); }

Figure 17.

The jade multi-agent framework simulation.

Figure 18.

The interaction of agents during the task: add file to the cloud.

Figure 19.

Add file to cloud storage.

4. Implementation and case study

In this section, we simulated the proposed architecture in our local machine. Because we are interested in the cloud storage system, we did not implement the whole cloud system, but we simulated only the cloud storage using the jade platform, jade is a java platform for multi-agent system. Thus, we used MySQL database to store the data and we have assumed that the cloud provider and the data owner are in the same system domain and sharing the uniform system parameters. Figure 17 shows the implemented jade platform, where, container-1 reflects the data owner and container-2 reflects the cloud provider.

Figure 20.

The interaction of agents during the task: check the file’s correctness.

Figure 21.

The integrity check notification.

Figure 22.

The agents interaction when trying to add a file during attack.

Add file to the cloud: to store a file in the cloud, the data owner selects a file from its local device through the interface agent and demands to store it in cloud storage. Figure 19 shows the GUI for the task: add file to the cloud. The interaction between the agents, to perform this task, is captured using the jade sniffer tool and it is shown in Fig. 18.

Check the file’s correctness: to show the integrity check technique, we have assumed that the cloud provider deleted the required file. Thus, we deleted the file from the database (MySQL), then; we performed the integrity check. The result of the check indicates that the file was altered and the data owner can contact the cloud provider. The interaction between the agents, to perform the check task is shown in Fig. 20. The interface agent posts the result of the data integrity check. Figure 21 shows the notification that the file was altered.

Attacks simulation: in this stage, we want to simulate two scenarios, the usurpation of identity; the user account can be hacked, and the attack during transfer. In both of them, the provided digital signature is not correct; the hacker does not have the private key, to generate the signature, and in the attack during transfer, the signature is altered. To simulate them, we provided an incorrect signature to the cloud provider. Figure 22 shows the agents interaction and Fig. 23 shows the result of the test.

Table 2

Response time of both client-server model and mobile agent model

Number of user	Response time in milli	Response time in milli
requests	seconds (client-server)	seconds (mobile agent)
1	101	103
2	111	114
3	152	131
4	177	149
5	191	164
10	217	196
15	225	201
20	314	204
25	474	217
30	701	279
35	811	411
40	961	561
45	1045	721
50	1122	886

Figure 23.

The attack notification.

5. Performance evaluation

We performed two kinds of evaluation. In the first one, we evaluated the use of mobile agent model in our proposed multi-agent framework, compared with the client-server model, where the response time is considered as the evaluation metric. In the second one, we evaluated our proposed encryption method, compared with both AES and RSA algorithms, where the encryption/decryption time is considered as the evaluation metric.

Figure 24.

Mobile agent vs client-server model performance.

5.1 Performance analysis of mobile agent model with client-server model

In this step, we evaluated the use of the mobile agent model in our proposed architecture, and it is compared with the client-server model. Thus, the performance evaluation is performed using both models. So, we implemented our proposed architecture (Fig. 1) using both mobile agent and client-server model. The scenarios of experiments are the request of the cloud storage by the user and the augmentation of the number of those requests each time. The response times for a different number of requests are measured, using each model and it is considered as the evaluation metric [18].

In the begin, it seems like the client-server model and mobile agent model have the same response time, but when we raise the number of the user’s requests, the response time of mobile agent is better than the client-server model. Figure 24 shows the results.

5.2 Performance analysis of the proposed encryption method

Figure 25.

The AES algorithm encryption/decryption time.

Figure 26.

The RSA algorithm encryption/decryption time.

In this step, we evaluated our proposed encryption method. Thus, the evaluation is performed theoretically and it is applied in the proposed encryption method separately of our proposed architecture. For that, we implemented our proposed encryption method and other existing methods, using java language. In this case, the scenarios of experiments are the encryption and decryption of many different size files, using our proposed method of encryption and the existing techniques like the RSA and AES algorithms. The encryption and decryption time is considered as the evaluation metrics.

Table 3

.Encryption/decryption time results

File size	AES algorithm		RSA algorithm		Our technique (AES $+$ RSA)
(kb)	Encryption	Decryption	Encryption	Decryption	Encryption	Decryption
32	12	5	400	853	562	5
64	14	6	430	1686	564	6
128	15	8	497	3312	565	8
256	16	12	603	6577	566	12
512	20	18	903	12940	570	18
1024	28	21	1185	25968	578	21

Figure 27.

Our technique (AES $+$ RSA) encryption/decryption time.

Figure 28.

AES algorithm vs our technique (AES $+$ RSA) encryption time.

We performed experiments on intel (r) core (tm) i5 3230 m cpu 2.6 ghz processor with 4 gb of ram on windows 8.1 operating system. We carried out experiments on 32 kb, 64 kb, 128 kb, 128 kb, 512 kb and 1024 kb size text files. In this paper, we used RSA pair key of 2048 bits. AES key of 128 bits, and we chose to apply the same RSA pair key of the data owner (2048 bits key), for the generation/verification of the digital signature (md5 with RSA). The RSA digital signature is applied on the hash code, which is generated by applying the sha-256 (secure hash algorithm) hash function on the user’s file. The application of sha-256 hash function generates a message digest of 32 bytes. The generation of the RSA digital signature of the user’s file is performed by applying the md5 with RSA digital signature on that hash code, the result is an RSA digital signature of 256 bytes size in each time.

In our client-side encryption method, we applied both AES and RSA algorithms. The use of RSA provides secure transmission, but it makes the encryption and decryption time very long and slow; because the user’s file is usually a big size file. To overcome this problem, we chose to apply the AES algorithm to encrypt and to decrypt the file of the user, in the user side, besides the exchange of its digital signature with the RSA algorithm, to secure the channel between the data owner and the cloud provider. Thus, for the encryption, the user encrypts two type of files, its file using the AES secret key, and the RSA digital signature using its RSA private key, so: Encryption Time $=$ file encryption time (with AES) $+$ digital signature (256 bytes) encryption time (with RSA).

The decryption of the RSA digital signature, which is used for the user’s authentication, is performed in the cloud side, so the user is not concerned by any task, and he decrypts only the received file from the cloud storage, with its AES secret key, so: Decryption Time $=$ file decryption time (with AES).

Figure 29.

AES algorithm vs our technique (AES $+$ RSA) decryption time.

Figure 30.

RSA algorithm vs our technique (AES $+$ RSA) decryption time.

Table 3 shows the encryption and decryption time using AES, RSA and our technique. Figure 25 represents the results of AES algorithm, Fig. 26 represents the results of RSA algorithm, and Fig. 27 represents the results of our technique (AES $+$ RSA).

5.2.1 AES algorithm compared to our technique (AES

+

RSA)

For the encryption, as in Fig. 28, the use of our technique increases the encryption time compared with using AES algorithm, with a simple difference between them, which represents the needed time for the encryption of the digital signature (256 bytes) with RSA algorithm, that is the same in each time and it is performed in only 550 ms.

For the decryption, like in Fig. 29, the use of AES algorithm or our combined technique (AES $+$ RSA) to decrypt the user’s files, takes the same time in both of them.

5.2.2 RSA algorithm compared to our technique (AES $+$ RSA)

For the decryption time, our technique (AES $+$ RSA) is better than the RSA algorithm, like in Fig. 30, the decryption time of our technique even did not figure in the graph.

For the encryption, as shown in Fig. 31, in the begin; the use of RSA algorithm seems better than our technique (AES $+$ RSA) in the encryption time, but when we pass for big size files, RSA algorithm is slower compared with our technique (AES $+$ RSA).

Figure 31.

RSA algorithm vs our technique (AES $+$ RSA) encryption time.

5.2.3 AES vs RSA vs our combined technique (AES

+

RSA)

For the encryption, as shown in Fig. 32, our proposed encryption method takes a medium level between the two other algorithms. Thus we can say that we provided a strong encryption method besides the performance.

Figure 32.

AES algorithm vs RSA algorithm vs our technique (AES $+$ RSA) encryption time.

For the decryption, like in Fig. 33, our proposed technique and the AES algorithm take the same decryption time, and when we compared them with RSA, they did not even figure in the graph.

Figure 33.

AES algorithm vs RSA algorithm vs our technique (AES $+$ RSA) decryption time.

6. Conclusion

In cloud storage systems, there is always a big concern about data security. The main aim of this research paper is the proposition of a multi-agent framework to provide data security in the cloud storage systems. The proposed multi-agent framework is based on the use of the multi-agent systems paradigm as a development methodology, and encryption techniques to maintain the data security. Our proposition enables both integrity and confidentiality of data. In the first phase, contrary to the existing cloud storage techniques, which encode the user’s files in its side, we proposed a client-side encryption method, and unlike the others related works, we used both symmetric and asymmetric algorithms. RSA algorithm is used to verify the user’s authenticity using its digital signature, and to secure the communication, all messages and small size files exchanged between the data owner and the cloud provider are protected with RSA algorithm. While AES algorithm is used to encode and decode the files of the user on its side. The combination of both AES and RSA algorithms in our encryption method provides a stronger way to ensure the confidentiality of data, and it increases the performance of the encryption method. In the second phase, because almost of existing cloud storage providers do not allow data integrity check in their systems, we proposed an integrity check method, which provides a proof of retrievability based on hash function. The hash function generates a hash code for each file of the user. The generated hash code is stored in the data owner side in a dedicated repository, and it is used for integrity check purpose. The comparison of the generated hash code by the cloud provider and the stored one locally enables data integrity check. The main contributions of the paper are:

The proposition of a multi-agent architecture for cloud storage security.

The proposition of a client-side encryption method to provide the confidentiality of data.

The combination of both symmetric and asymmetric algorithms to provide a high security level besides the performance.

The proposition of an integrity check method to enable the data integrity.

The perspectives of this study are:

•

The use of mobile agents to supervise the virtual machines of the user in the cloud storage side and to guarantee their security.

•

The adaptation of our proposed multi-agent framework to allow data sharing, by introducing agents for keys management and sharing between the authorized users.

Footnotes

Authors’ Bios

Oussama Arki is a Ph.D. student at the Faculty of New Technologies of Information and Communication, University Constantine II-Abdelhamid Mehri, Algeria. He received his master’s degree in Information Systems and Web Technologies (2016) from University Constantine II-Abdelhamid Mehri. His research interests include Multi Agent Systems, Cloud Computing and Information Security.

Abdelhafid Zitouni is a professor of computer science in University Constantine II-Abdelhamid Mehri, Algeria. He received his PhD in computer science in 2008 from the University Mentouri of Constantine, Algeria. Dr. Abdelhafid Zitouni has published many articles in International Journals and Conferences. He supervises many Master and PhD students and peer-reviewed conference and journal papers. His research interests include Software Engineering, Cloud Computing, Multi Agent System, Software Design, and Software Reuse.

Ahmed Taki Eddine Dib is a Ph.D. in computer science at the Faculty of New Technologies of Information and Communication, University Constantine II-Abdelhamid Mehri, Algeria. He received his Master’s degree in Software Engineering (2013) from University Constantine 2. His research interests include Multi Agent Systems, Cloud Computing and Formal Methods.

References

Prakash

and Dasgupta

, Cloud Computing Security Analysis: Challenges and Possible Solutions, in: International Conference on Electrical, Electronics, and Optimization Techniques (ICEEOT), Chennai, India, 3–5 March 2016, pp. 54–57.

Desai

C.V.

and Jethava

G.B.

, Survey on data integrity checking techniques in cloud data storage, International Journal of Advanced Research in Computer Science and Software Engineering (IJARCSSE) 4(12) (2014), 292–295.

Zhe

Qinghong

Naizheng

and Yuhan

, Study on Data Security Policy Based On Cloud Storage, in: IEEE 3rd International Conference on Big Data Security on Cloud, Beijing, China, 26–28 May 2017, pp. 145–149.

Yahya

Chang

Walters

R.J.

and Wills

G.B.

, Security Challenges in Cloud Storage, in: IEEE 6th International Conference on Cloud Computing Technology and Science, Singapore, Singapore, 15–18 December 2014, pp. 1051–1056.

Zhou

and Qin

, Security framework for cloud data storage based on multi-agent system, Computer Modelling & New Technologies 18(12) (2014), 548–553.

Sianipar

Saleh

and Meinel

, Construction of Agent-Based Trust in Cloud Infrastructure, in: IEEE/ACM 7th International Conference on Utility and Cloud Computing, London, UK, 8–11 December 2014, pp. 941–946.

Venkateshwaran

Malviya

Dikshit

and Venkatesan

, Security Framework for Agent-Based Cloud Computing, International Journal of Artificial Intelligence and Interactive Multimedia 3(3) (2015), 35–42.

Akter

Rahman

S.M.M.

and Hasan

Md.

, Information Security in Cloud Computing, International Journal of Information Technology Convergence and Services (IJITCS) 3(4) (2013), 13–22.

Ismail

and Yusuf

, Ensuring Data Storage Security in Cloud Computing with Advanced Encryption Standard (AES) and Authentication Scheme (AS), International Journal of Information System and Engineering (IJISE) 4(1) (2016), 18–39.

10.

Giri

M.S.

Gaur

and Tomar

, A survey on data integrity techniques in cloud computing, International Journal of Computer Applications 122(2) (2015), 27–32.

11.

Islam

Md.R.

and Habiba

, Agent Based Framework for providing Security to data storage in Cloud, in: 15th International Conference on Computer and Information Technology (ICCIT), Chittagong, Bangladesh, 22–24 December 2012, pp. 446–451.

12.

Hussein

N.H.

Khalid

and Khanfar

, A survey of cryptography cloud storage techniques, International Journal of Computer Science and Mobile Computing (IJCSMC) 5(2) (2016), 186–191.

13.

NIST Cloud Computing Standards Roadmap Working Group, NIST cloud Computing Standards Roadmap, NIST Special Publication 500-291 V2, 2013, pp. 1–102.

14.

Achbarou

, El Kiram

M.A.

, and Elbouanani

, Cloud security: A multi agent approach based intrusion detection system, Indian Journal of Science and Technology 10(18) (2017), 1–6.

15.

Yadav

and Sujata, Security issues in cloud computing solution of DDOS and introducing two-tier CAPTCHA, International Journal on Cloud Computing: Services and Architecture (IJCCSA) 3(3) (2013), 25–40.

16.

Balbudhe

P.O.

and Balbudhe

P.O.

, Cloud storage reference model for cloud computing, International Journal of IT, Engineering and Applied Sciences Research (IJIEASR) 2(3) (2013), 81–85.

17.

Parisha Khanna

Sharma

and Rizvi

, Hash function based data partitioning in cloud computing for secured cloud storage, Int Journal of Engineering Research and Application (IJERA) 7(7) (2017), 1–6.

18.

Punithavathi

, Mobile agent based secured authenticated reliable and fault tolerant mobile banking system, Ph.D. Dissertation, Anna University, 2011, pp. 1–134.

19.

Alguliev

R.M.

and Abdullayeva

F.C.

, Identity management based security architecture of cloud computing on multi-agent systems, in: Third International Conference on Innovative Computing Technology (INTECH 2013), London, UK, 29–31 August 2013, pp. 123–126.

20.

Muthurajkumar

Vijayalakshmi

Ganapathy

and Kannan

, Agent based intelligent approach for the malware detection for infected cloud data storage files, in: Seventh International Conference on Advanced Computing (ICoAC), Chennai, India, 15–17 December 2015, pp. 1–5.

21.

Rhazlane

Badir

Harbi

and Kabachi

, Intelligent Multi Agent System based Solution for Data Protection in the Cloud, in: IEEE/ACS 13th International Conference of Computer Systems and Applications(AICCSA), Agadir, Morocco, 29 November–2 December 2016, pp. 1–7.

22.

Tikore

S.V.

Pradeep

K.D.

and Prakash

B.D.

, Ensuring the Data Integrity and Confidentiality in Cloud Storage Using Hash Function and TPA, International Journal on Recent and Innovation Trends in Computing and Communication 3(5) (2015), 2736–2740.

23.

Moia

V.H.G.

and Henriques

M.A.A.

, Security requirements for data storage services on public clouds, in: XXXIII Brazilian Symposium on Telecommunications, Juiz de Fora-Minas Gerais, Brazil, 1–4 September 2015, pp. 1–5.

24.

Sun

Zhang

Xiong

and Zhu

, Data security and privacy in cloud computing, International Journal of Distributed Sensor Networks 10(7) (2014), 1–9.

A multi-agent security framework for cloud data storage

Abstract

Keywords

1. Introduction

2. Literature review

3. A multi-agent framework for cloud data storage security

3.1 The multi-agent framework architecture

Table 1 Annotations of the proposed encryption method

5.2 Performance analysis of the proposed encryption method

5.2.2 RSA algorithm compared to our technique (AES + RSA)

Footnotes

Authors’ Bios

References

Table 1
Annotations of the proposed encryption method

5.2.2 RSA algorithm compared to our technique (AES $+$ RSA)