A Novel Scheme for Malicious Nodes Detection in Cloud Markets Based on Fuzzy Logic Technique

Cloud security vulnerabilities have recently become more prevalent around the world, posing a threat to cloud service providers’ (CSPs) ability to respond to client demands. In the cloud market, requests are announced by the client nodes to their CSP. A malicious node can alter a client’s request, resulting in a subsequent collapse of the cloud market, decreased reliability, and data leakage. To identify malicious nodes in the cloud market, a novel fuzzy multiple criteria decision making scheme is suggested. Authentication test, trust level, traffic size, and node activity levels are all taken into consideration simultaneously as the major criteria for identifying malicious nodes. For each node, the CSP uses the fuzzy integral to generate a composite value based on these criteria. The malicious node is then removed from the cloud market using this composite value. The simulation results demonstrated the potential of the proposed method to prevent nodes in the cloud market from running malware or software that can be used to degrade quality of service by exhausting resources in the cloud market.


Introduction
Cloud-based IT services have seen a substantial increase in the twenty-first century [1,2]. Due to the sensitivity of clients' information in cloud markets, these markets always have high-security requirements. While external attacks typically are limited in the cloud market, internal attacks are often much more difficult to prevent and detect. For internal attacks, the attackers have legitimate access to clients' information on a regular basis, and may know how that information is used. Attackers may sell secret information to other clients in the cloud market.
In the cloud market, many services are provided to clients by remote servers through the wireless network [24]. Clients get rich computing resources using cloud technology [24]. New security techniques, such as firewalls, virus detection systems, and In [6], authors proposed new secure and privacy-preserving distributed deep learning (SPDDL) for fog-cloud computing. SPDDL delivers a superior security, efficiency, and functionality tradeoff. Furthermore, SPDDL can ensure the unforgeability of users' identities in the face of external threats.
In [7], the authors introduced a new structure for detecting and preventing denial of service (DoS) attacks and other malicious activity at the network layer by integrating a network intrusion detection system (NIDS) into the cloud architecture. Intrusion detection is accomplished by monitoring network traffic while maintaining service quality and performance. In an intrusion detection system (IDS), machine learning algorithms use raw data for intrusion detection. However, accessing clients' data may create potential security and privacy risks. To solve this problem, the authors of [8] proposed new deep neural network algorithms for data encryption. The proposed solution enables the IDS to access clients' data without revealing users' sensitive data. The authors of [9] introduced the SOTA model (Service-Oriented Traceback Architecture) to mitigate two cloud technology threats: HTTP Denial of Service and XML Denial of Service. In this model, a back propagation neural network is employed to track down and detect the source of these attacks.
A new IDS was proposed in [10] for identifying attacks in a virtualized cloud under a changing environment. The proposed IDS monitors and quantifies the effect of resource adjustments using data collected from the cloud environment. By analyzing objective and subjective trust sources, Bayesian inference was employed in [11] to enable the CSP to create credible trust relationships with guest Virtual Machines (VMs). Furthermore, a trust-based maximin game was designed between DoS attackers trying to minimize the cloud system's detection and a hypervisor trying to maximize this minimization under a limited budget of resources.
In [12], the authors studied an attack scenario where malicious tenants use cloud resources to launch a DoS attack targeting a data center in the cloud market. A new approach was proposed for intrusion detection. The approach takes into account the status of the virtual machine, including CPU usage and network usage. Furthermore, information entropy is applied to monitor the status of virtual machines for detecting attacks in the cloud environment. In [13], the authors proposed a new Collaborative Network Intrusion Detection System (C-NIDS). C-NIDS monitors network traffic for intrusion detection and uses a Support Vector Machine (SVM) to detect network anomalies. The authors of [14] proposed a new trust model based on virtual machines, in which fuzzy theory was used to calculate the trust value of cloud service providers. In order to protect sensitive information of IoT devices, a new detection system was proposed in [25]. Deep learning was adopted in this system for securing sensitive data of IoT devices. The authors of [26] proposed a new technique for ensuring that a new node that requests to join the cloud does not constitute a threat to the cloud environment. The proposed scheme checks if a node is running malware or software that could be used to launch an attack before allowing it to join the cloud. The authors of [27] discussed the risks to the cloud environment, as well as proposed detection solutions for malware in the cloud. Furthermore, they suggested a new multi-detection method for preventing malware from spreading in cloud environments.
A fuzzy evaluation engine is proposed in [15] to compute a trust value for each resource in the cloud market. The proposed evaluation model considered four service measurement indexes: availability, success rate, turnaround efficiency and feedback about a resource.
A new technique based on a genetic algorithm (GA) was proposed in [16] to deal with data integrity and privacy concerns in the cloud market. Keys for encryption and decryption are generated using GA. These keys are integrated with a cryptographic algorithm to ensure privacy and integrity of data. The authors of [17] proposed a new intelligent system with a genetic algorithm to cope with cloud security. A list of users (trusted or untrusted, depending on behavior) is created using the services provided by the cloud. GA was used in [18] for protecting users' data in the cloud market. A homomorphic encryption algorithm was used to support the operations in the encrypted domain. GA was customized in [19] for improving data encryption. The generated key is based on altering the population size, number of generations, and mutation rate.
Existing intrusion detection schemes in the cloud market are commonly limited in their ability to identify a wide range of threats. For instance, most of the aforementioned methods can only identify a small set of attacks. In this work, we develop a general intrusion detection framework to detect a variety of attacks in the cloud market.

System model
We model the cloud market as a network that has M clients divided into K clusters based on their geographical locations as in [20]. The details of the clustering process, as well as its constraints, are outside the scope of this article. In addition to managing the market, the CSP controls network traffic. Clients use networked client devices including desktop computers, laptops, and cellphones to access the CSP's resources. To communicate with the CSP, requests are sent via web browser.
To ensure the security of market transactions, we deploy both public-key infrastructure and symmetric-key encryption. To allow clients to participate in the cloud market, the CSP employs public-key cryptography. For all trusted clients to encrypt and decode messages, the CSP broadcasts the symmetric key.
Let $M = \{m_1, m_2, \ldots, m_n\}$ be the set of clients on which the security test of the clients is performed. Let $P = \{P(m_1), P(m_2), \ldots, P(m_n)\}$ be the set of profiles for clients, where $P(m_i)$ corresponds to the profile of the $i$-th client. A client's profile is a collection of attributes that include node ID, event time and location, and time since the last event in the market. The CSP uses the proposed security scheme in the cloud market to detect malicious nodes and remove them from the market by informing trustworthy nodes to discard any messages from malicious nodes.

Intrusion detection using fuzzy logic
The independence assumption is not realistic in the intrusion detection problem in the cloud market due to some inherent dependence among the attributes of an intrusion. For this problem, it is possible to utilize fuzzy logic in non-linear circumstances without assuming that one attribute of intrusion is independent of another. The hierarchical fuzzy integral [21,22] is proposed to detect intrusion in this work.

Fuzzy measure
A fuzzy measure $G_y$ is defined on $P(X)$ of a finite set $X$ satisfying the following properties [21][22][23]: and a sequence $\{H_n\}$ is monotone where $\lim G_y(H_n) = G_y(\lim H_n)$.
In [23], the λ-fuzzy measure is presented with the following properties:

Definition 1: Let $G_y$ be a fuzzy measure on $X$ and $F$ be a measurable function where $G_y(X) \to [0, 1]$. The Sugeno fuzzy integral [23] can be written as follows:

In this problem formulation, $F$ denotes the performance of a given attribute for the alternatives, while $G_y$ denotes the attribute's weighting grade. The total evaluation for each alternative is given by a fuzzy integral of $F$ with regard to $G_y$ [21][22][23].
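The block below is an added example, not the authors' code: it computes the standard Sugeno integral over a λ-fuzzy measure for the four criteria named in the abstract and applies the 0.5 trust cut-off the scheme uses. The density values, the per-criterion scores (higher meaning more trustworthy), the tie handling at exactly 0.5, and all function names are assumptions made for the illustration.

```python
from math import prod

# Constructed densities g_i (paper derives weights with AHP; these are illustrative).
DENSITIES = {"authentication": 0.35, "trust": 0.30, "traffic": 0.15, "activity": 0.10}


def solve_lambda(densities, iters=200):
    """Non-zero root lam > -1 of prod(1 + lam*g_i) = 1 + lam."""
    total = sum(densities)
    if abs(total - 1.0) < 1e-9:
        return 0.0                      # measure is already additive
    f = lambda lam: prod(1.0 + lam * g for g in densities) - (1.0 + lam)
    if total > 1.0:                     # root lies in (-1, 0)
        lo, hi = -1.0 + 1e-9, -1e-9
    else:                               # root lies in (0, inf): grow the bracket
        lo, hi = 1e-9, 1.0
        while f(hi) < 0.0:
            hi *= 2.0
    f_lo = f(lo)
    for _ in range(iters):              # plain bisection on the sign change
        mid = (lo + hi) / 2.0
        if (f(mid) > 0.0) == (f_lo > 0.0):
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def measure_of(names, densities, lam):
    """g(A), built up with g(A u {x}) = g(A) + g_x + lam * g(A) * g_x."""
    g_a = 0.0
    for name in names:
        g_a = g_a + densities[name] + lam * g_a * densities[name]
    return g_a


def sugeno_integral(scores, densities):
    """max over i of min(f_(i), g(A_(i))), with scores sorted in descending order."""
    lam = solve_lambda(list(densities.values()))
    ranked = sorted(scores, key=scores.get, reverse=True)
    return max(min(scores[name], measure_of(ranked[: i + 1], densities, lam))
               for i, name in enumerate(ranked))


def classify(scores, densities=DENSITIES, threshold=0.5):
    """Composite value and decision; exactly 0.5 is treated as 'remove' (assumption)."""
    value = sugeno_integral(scores, densities)
    return value, ("keep" if value > threshold else "remove")


# Constructed per-criterion evaluations in [0, 1]; higher means more trustworthy.
HONEST = {"authentication": 0.9, "trust": 0.8, "traffic": 0.7, "activity": 0.6}
INSIDER = {"authentication": 0.9, "trust": 0.3, "traffic": 0.1, "activity": 0.2}

if __name__ == "__main__":
    for label, node in (("honest", HONEST), ("insider", INSIDER)):
        print(label, classify(node))
```

With these densities, a node that scores high on authentication but below 0.35 on every other criterion gets a composite of 0.35, so passing the certificate check alone does not keep it in the market.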

Intrusion detection using fuzzy integral
In order to achieve high accuracy for detecting intrusion, we take the authentication level for each node, trust level, traffic size, and node activity level as the main criteria.
Authentication test. The main concern of the proposed scheme is to ensure that a new client that requests to join the market does not represent a risk to the cloud environment. The scheme works at two levels: the CSP's level and the client's level. To be accepted into the cloud market, the new node must pass through the suggested two layers of authentication. The certificate for each client is validated through the CSP. The CSP issues a certificate for each client in the market. Each certificate includes: logic identifier, MAC address, and a pair of its public/private keys. Since each node's certificate is issued by the CSP, each client in the market contacts the CSP to validate the certificates of other nodes. Each client may get all node information from the CSP for authentication purposes, with the exception of the node's private key, which is not shared with any other node in the market. To avoid attacks being launched in the market, the CSP should scan new nodes for hacking tools and viruses before allowing them to join the cloud market.
The new node has to send its CSP's certificate to the CSP, which only accepts nodes from a predefined list of CSPs in the market. If the certificate was issued by a known CSP, the CSP issues the node a new certificate. The client then sends the new certificate along with a message containing the node ID and MAC address, which is encrypted with the public key. The following is the definition of authentication's evaluation value:

Trust level based on multiple criteria decision making. When it comes to calculating the trust level for each node, there are a lot of parameters to consider. These parameters include: response time, throughput, availability, and success rate. The CSP keeps track of the values of these attributes in the performance logs. These values are updated after each event in the market, ensuring that the most recent parameter values are always current. For each node, the overall length of time it takes to react to a service request is known as response time. The response time for the $i$-th node is computed as follows:

where $T_{\max}$ and $T_{\min}$ are the maximum and minimum response time in the neighborhood, respectively; and $T_r$ is the response time of a regular node. The higher the $T_i$ value, the more likely the node is to be an intruder.
Throughput for the node is the percentage of messages successfully transmitted via a communication medium. Throughput for the $i$-th node is calculated as follows: (5)

where $H_{\max}$ and $H_{\min}$ are the maximum and minimum throughput in the neighborhood, respectively; and $H_r$ is the throughput of a regular node. The lower the $H_i$ value, the more likely the node is to be an intruder.
The length of time a system works at full functionality during the time it is required to do so is referred to as availability. In this situation, the CSP would strive to resolve the issue so that the node could continue to function. Frequent node failure, on the other hand, indicates that this node is acting maliciously. Therefore, the evaluation value of availability can be computed as follows:

where $V_0$ denotes the total failure times of the $i$-th node; $V_{\max}$ and $V_{\min}$ are the maximum and minimum restart number received from neighbors, respectively.

The percentage of requests that are fulfilled successfully is known as the success rate. Therefore, the evaluation value of success rate can be evaluated as follows:

$$S_i = 1 - \frac{S_0 - S_{\min}}{S_{\max} - S_{\min}} \qquad (7)$$

where $S_0$ denotes the total number of requests successfully completed by the $i$-th node; $S_{\max}$ and $S_{\min}$ are the maximum and minimum number of requests that executed successfully from neighbors, respectively.

iJIM - Vol. 16, No. 03, 2022
Traffic size. When an intruder node in the cloud market pumps more traffic into the network than it can handle, subsequent nodes face high contention rates, rendering cloud resources unavailable to clients. However, when one of the later nodes fails to relay a packet after several tries, the link is declared broken, and the routing scheme starts looking for a new path. In the cloud market, no packets can be forwarded until a new route is discovered. As a result, the number of packets lost increases, and the throughput declines dramatically.
The more unnecessary traffic is pumped into the network, the longer the waiting time in the network and the more the quality of service degrades. In our work, $D_K(d_i)$ denotes the distance between the $i$-th node's data rate and its $K$-th nearest neighbor's data rate. All rates are ranked based on their $D_K(d_i)$ distances, which leads to the following definition of outliers:

where $O$ denotes the set of greatest distances.

Node activity level. We distinguish three types of clients in the cloud market based on their behavior: normal, passive, and hyperactive. Some nodes exchange data with their neighbors more frequently than others, and they interact with others more frequently. The client is interested in increasing his/her benefits. Therefore, the more effort a client makes, the greater the benefit for that client. A client makes his/her decision so as to increase the benefit. The decision depends on the market conditions.
The activity of a node is determined by the number of events in which it participates. Relaying packets and generating new messages are examples of these events. Node activity can be computed as follows:

where $a_t$ denotes the event at time $t$, and $T$ is the time horizon. The evaluation value of node activity level can be evaluated as follows: (10)

where $L_i$ denotes the node activity level of the $i$-th node; $L_{\max}$ and $L_{\min}$ are the maximum and minimum number of activities in which neighbors participate, respectively.
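For the traffic-size criterion above, the following added example (not the authors' code) ranks nodes by the distance $D_K$ from their data rate to the $K$-th nearest peer rate and reports the largest distances as the outlier set $O$. The sample rates, the `top_n` cut-off and the function names are assumptions; the data is constructed so that two nodes sending at similar abnormal rates are missed with K = 1 and caught with K = 2.

```python
# Constructed per-node data rates in packets/s; n5 and n6 send at similar
# abnormal rates, n1..n4 are ordinary clients.
RATES = {"n1": 100, "n2": 130, "n3": 70, "n4": 160, "n5": 900, "n6": 905}


def kth_neighbor_distance(rates, k):
    """D_K(d_i): gap between node i's rate and its K-th nearest peer rate."""
    if not 1 <= k <= len(rates) - 1:
        raise ValueError("k must be between 1 and the number of peers")
    distances = {}
    for node, rate in rates.items():
        gaps = sorted(abs(rate - other)
                      for peer, other in rates.items() if peer != node)
        distances[node] = gaps[k - 1]
    return distances


def traffic_outliers(rates, k, top_n):
    """Rank nodes by D_K and return the top_n largest distances (the set O)."""
    distances = kth_neighbor_distance(rates, k)
    ranked = sorted(distances, key=distances.get, reverse=True)
    return ranked[:top_n]


if __name__ == "__main__":
    # With K=1 each abnormal node has a close neighbor (the other one), so
    # both look ordinary; K=2 looks past that pair and exposes them.
    print("K=1:", traffic_outliers(RATES, k=1, top_n=2))
    print("K=2:", traffic_outliers(RATES, k=2, top_n=2))
```

The detection only works when K is larger than the number of nodes that share a similar abnormal rate, which is a tuning point the ranking alone does not reveal.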

Intrusion detection scheme based on multiple criteria decision making
The trust value of a node is determined using a variety of criteria, including authentication level for each node, trust level, traffic amount, and node activity level. The CSP measures and maintains the values of these attributes. The evaluation matrix $E_i$ for the $i$-th node is given below:

where $e_{ij}$ represents the value of the $i$-th event in the market for the $j$-th attribute. The Analytical Hierarchy Process (AHP) is used to assign the weight for attributes. The pair-wise matrix for each attribute is constructed to compute the weight. This matrix is used to find the comparative priority of each attribute over the other. The following algorithm is used to calculate the weights and node trust:

The market's trust value for each client will be in the range of [0, 1]. If the trust value is less than 0.5, the node is removed from the market, and the CSP sends a warning message to all nodes telling them to avoid messages from this node. If the value of trust is more than 0.5, the CSP will enable the node to participate in the cloud market.

Performance evaluation
We test the suggested security scheme to identify the attacker nodes that degrade network performance in the cloud market. Table 1 illustrates the network that was simulated, along with the values that were utilized for the needed parameters. By monitoring node activity and analyzing node data, the results are evaluated to highlight the importance and implications of using our scheme to protect data across the cloud market. In the simulations, the following major performance measures are of interest: (1) Throughput, which is the average rate at which a message is delivered successfully via a communication connection. (2) Resources utilization, which is the average amount of time the resources in the cloud market are used. (3) Delay

Figure 1 shows a comparison of throughput for the network in the cloud with the help of our security scheme (secure cloud, SC) and the cloud without a security mechanism (NSC). It is clear from the figure that the throughput shifts to a higher level when SC is applied and the arrival rate for requests increases. Some malicious nodes keep dropping packets, which significantly decreases the number of packets received successfully. Furthermore, these malicious nodes block packets from being forwarded. In terms of throughput, our scheme surpasses NSC since it filters out these nodes.
For varying values of request arrival rates in the cloud market, Figure 2 depicts the packet drop ratio analysis between the NSC and the suggested SC. Even with high levels of arrival rates, the packet drop ratio for SC gradually reduces as compared to NSC. Since our scheme excludes all malicious nodes, the packet dropping ratio has decreased significantly. Unfortunately, some cloud market nodes refuse to relay packets and discard part of them. In Figure 3, we examine resource utilization for both schemes at various task load levels (i.e., arrival rate). The figure clearly shows that when the load increases, the utilization of resources falls. As the number of attacker nodes increases, resource utilization falls dramatically. Some attackers use cloud resources far more frequently than the ordinary client. Furthermore, attackers may continue to transmit malicious traffic until the cloud's resources, such as network resources, processors, and servers, are depleted.
Because our approach keeps these attackers out of the cloud market, it makes better utilization of resources than the NSC scheme. We measure the delay at different levels of network load to see how attackers affect the quality of service for clients. The latency increases as the value of λ (i.e., network load) increases, as shown in Figure 4. By flooding the cloud market with malicious traffic, some attackers attempt to render all resources in the cloud market inaccessible to clients. As seen in Figure 4, our scheme eliminates these nodes, resulting in a significant reduction in service delay in the cloud market.

Conclusion
The security challenge is an important research topic that will have an impact on the operational efficiency of the cloud computing industry. This research looked into security concerns when designing an intrusion detection system for the cloud market. Unfortunately, the cloud market is vulnerable to a variety of threats. We are concentrating on identifying malicious nodes and eliminating them from the cloud market by developing a new fuzzy-based security scheme. The key contribution of this work is that the proposed approach treated the security challenge in the cloud market as a multisource information fusion problem, with the criteria depicted as evidence by taking into account both the subjective and objective weights of these criteria.
The fuzzy integral was used to combine the most important criteria that can influence intrusion detection in the cloud market into a single one. Furthermore, the new strategy offers data fusion at the CSP, which can effectively eliminate redundant data and minimize traffic in the cloud market. The simulation results showed that the suggested security scheme greatly increases throughput while also improving service quality. We intend to deploy the proposed scheme in the real world and analyze it against a variety of attack types in the future.