Date of Award

Fall 12-1-2016

Document Type


Degree Name

Doctor of Science in Information Systems


Business and Information Systems

First Advisor

Yong Wang

Second Advisor

Jun Liu

Third Advisor

Mark Hawkes

Fourth Advisor

Deepak Turaga


Cloud computing has become big business with organizations spending millions of dollars creating and deploying cloud solutions. However, adoption of this multi-tenant and dynamic technology has been slowed by security concerns. In this dissertation, to help increase adoption by reducing security risks, we examine three research questions. First, how can we detect attacks on cloud tenant instances without specific knowledge of tenant applications? Second, how can we assist cloud providers with interpretation of the alert output from security controls in an IaaS cloud environment to improve security? And, third, how can we help protect cloud tenants from insider data theft attacks? To answer these questions, we utilize the design science research methodology to accomplish the objective of creating and demonstrating a new system composed of novel security controls addressing each research question. We posit a system composed of three security control artifacts to assist cloud providers with improving their overall security posture. Our proposed system consists of three components: a Hypervisor-based Cloud Intrusion Detection System (HCIDS), a Streaming Cloud Intrusion Monitoring and Classification System (SCIMCS), and a system for detecting insider attacks within cloud computing environments. First, HCIDS utilizes data from hypervisors running on cloud controller nodes to detect and classify abnormal usage. Instantiation and demonstration of the system reveal a 100 percent detection rate for denial of service attacks from and against virtual machines. Second, SCIMCS addresses the problem of information overload from alerts generated by security controls in dynamic multi-tenant cloud environments. Implementation and evaluation of this approach show an average message reduction rate of 95.9 percent based on our experimentation.
Third, the system for detecting insider data theft examines node system state and anomalies in network bytes transmitted as well as active user counts to detect virtual machine and data store theft. This approach demonstrates a 100 percent detection rate for data theft and unapproved logins on cloud nodes. Each of these components plays a unique role in improving the overall security posture in Infrastructure as a Service (IaaS) Cloud Computing Environments. The combination of each approach makes up an overall system that addresses intrusion detection while preserving privacy, information overload from a plethora of controls deployed in a defense-in-depth strategy, and the concern of insider data theft. Furthermore, each component is designed, instantiated, demonstrated and communicated at respected conferences.