Web based services are promoting the way user access the cloud. Web Based Applications has become essential in everyday life. People use the Cloud [1] to work, to exchange information, to make purchases, etc. This growth of the Cloud use has unfortunately been accompanied by a growth of malicious activity in the Cloud. More and more vulnerabilities are discovered, and nearly every day, new security advisories are published.

Potential attackers are very numerous, even if they represent only a very small proportion among the hundreds of millions of Cloud users and clients. The problem is thus particularly tricky: on one hand, the development of the Cloud allows complex and sophisticated services to be offered to its clients.

These services offer to the attacker many new weaknesses and vulnerabilities to exploit. The complexity of current computer systems has been causing an immense number of vulnerabilities. The number of cyber-attacks has been growing making computer security as a whole an important research challenge.

Intrusion tolerance (IT)[2,4] has been proposed as a new paradigm for computer system security. The idea applies the fault tolerance paradigm and virtual mechanism in the domain of system security. Malicious faults can never be entirely prevented [5,6]. Though there are a lot of mechanism for avoiding all kinds of faults, hackers can cause new malicious vulnerabilities, hence systems like what they proposed are necessary to withstand the attacks and also produce reliable outcome.

Nearly every day all nations are discovering new threats and attacks against the web services. Inadequate distributed security and loss of information has inflicted unacceptable damage to its national and economic security. Distributed security [3, 7,8] is the best example of facing difficulty in finding new kinds of threats. The need to develop a coherent and strategic response to the distributed cyber threat is very eminent today. We have to make strong authentication of identity, based on robust in person proofing and thorough verification of devices, a mandatory requirement for critical cyber infrastructure [9,10,11].

2. Cloud Computing

Cloud computing [3,4] affords reliance, cost effective service to satisfy all kind of service oriented environment with lightning speed in reliable manner. So there is no doubt that the intruders and attackers try to thwart this valuable service, Since, this area of research is most beneficial to cloud service providers and users [11,12]. The proposed research is focused on this domain to afford seamless service such as Software as a service, Platform as a service, and Infrastructure as a service for next generation of service oriented Architecture providers and clients [13,14,15].

The CFMS consists of four components for providing efficient service. Figure 1 describes the overall architecture of CFMS Process. The diagram shows the Architecture of CFMS, with all the components attached to it. The CFMS is located at the centre with the cloud, through which the client is going to communicate at its left. The controller is located at the bottom which is connected by a virtual network, created only when the need arises to access the hash codes. The three servers are located at the right side of the CFMS, where the file is replicated and stored.

Figure 1. System Block Diagram

3.1 CFMS Algorithms

The following are the algorithms used in the CFMS work flow.

The fist algorithm authenticates the client to access the server. During the file access a three layer authentication is used, two before usage and one during the file is being uploaded or downloaded.

Algorithm 1 : CFMS client Algorithm
In Web Browser Select Private Browsing
Type http://cfms.com:8080 in address bar
Enter the UID & PWD for Validation after validation server sends an PIN to Users Mobile.
Enter the PIN before entering the file upload or download page.
After entering the PIN the Session is maintained on server for every upload and download.
It checks the system speed and Internet bandwidth along with file type and size then
Generate an threshold TH
If the process takes > TH then
Session is Terminated
End if
End if

The second algorithm is the server part of the authentication procedure. The server checks the User ID and the Password and if it matches, generates a 6 digit PIN, which is sent to users registered mobile number available with the system.

Algorithm 2 : CFMS Server Algorithm
Read the client data from View
Send the data to Business Logic and check it from an Enterprise Logic and Database
If it matches send the PIN to the Users Mobile then
If user entered PIN matches with the Mobile PIN then
Session is created
Else
Invalid User
Authentication Failed
End if
End if

The third on time authentication is taken care by the following algorithm. When the user is connected with the server, the Bandwidth of the users system is calculated and a threshold value is decided also based upon the file requested to download or the file to be uploaded. When the time rate increases beyond the threshold value, immediately the connection is suspected and the user is terminated.

Algorithm 3 : CFMS Server Algorithm
If valid session then
If Option is File Upload then
Check the Availability of Server ,Priority of File from CFMT
And Generate the Hash Code using HMAC and store it in a controller
File the CFMT Values
Upload Replica of File to Server
Else
Terminated
End if
Else Terminated
End if
If Option is File Download then
Check the Availability of Server, Priority of File from CFMT
And Generate the Hash Code using HMAC and store it in a controller
Update File the CFMT Values
Download the File from Server
Else
Terminated
End if
Else
Terminated
End if
End if

3.2 Overall Working

The CFMS provides a File management system taking into consideration about the necessary steps for ensuring security. The CFMS consists of four components.

• Clients
• Controller
• Sub-servers
• CFMT

3.2.1 Clients

The clients are the system through which the user is going to utilize the service of the CFMS. The service can be utilized for uploading or downloading of the files. When the user requires uploading the files, the user has to be authenticated to use his account. The authentication takes place in two steps. First the user has to enter the user name and password provided to him during the time of registration. Once this is checked with the CFMS Table and found to be correct, the user has to enter the six digits PIN supplied to him by the system through his mobile. Once this PIN is also authenticated, the users bandwidth is calculated and also the size of the file that has to be uploaded. Based upon these two factors the threshold value is arrived at. This threshold value helps in another step of authentication during the transmission process. The same steps take place during the downloading process too. The clients communicate to the server through the cloud as the Interface.

3.2.2 Controller

The controller is the main component in the Intrusion Detection and Tolerance of the System. The Hash codes generated after a file is uploaded is stored in the CFMS Table in the Controller. The controller is detached from the CFMS without any connection during its operation. The controller is connected to the CFMS through a network only when there has been a request for a file to be downloaded. While the CFMS is connected to the Controller, the CFMS detaches all its connection from the Cloud so as to disable any possibilities of an attack at that time. The controller also generates reports so that the administrator can be able to view the functioning of the system. The Controller is the more important part of the system since it holds all the data that are required for the integrity of the system.

3.2.3 Sub-servers

The sub-server is were the files are stored after being uploaded. In this paper, the researchers have chosen three sub-servers in-order to provide replication possibilities and thus increase the availability of the system. The CFMS maintains load balancing of the servers thus ensuring that all the servers are active and also not overloaded. When a file has a very high hit rate the file is replicated to the other servers too so as to increase the availability. These sub-servers can be communicated only after dissecting the communication link through which the client has access to the CFMS.

3.2.4 SHA-1 HMAC Algorithm

HMAC is a Hash based Message Authentication Code (HMAC), for calculating Message Authentication Code (MAC) using a hash functions along with a secret key. The MAC code is used to verify the data integrity and authenticity of the message. Based upon the hash function used the HMAC is called HMAC-MD5 or HMACSHA1. The strength of the HMAC code is based upon the underlying hash algorithm and the key chosen. The same algorithm has been graphically shown in Figure 2. Figure 2 clearly depicts the working of the algorithm with all the components shown with their functionality.

Figure 2. SHA-1 HMAC Generation [9]

An iterative hash function breaks up a message into blocks of a fixed size and iterates over them with a compression function. For example, MD5 and SHA-1 operate on 512-bit blocks. The size of the output of HMAC is the same as that of the underlying hash function (128 or 160 bits in the case of MD5 or SHA-1, respectively), although it can be truncated if desired. Let:

• H(•) be a cryptographic hash function
• K be a secret key padded to the right with extra zeros to the block size of the hash function
• m be the message to be authenticated
• || denote concatenation
• denote exclusive or (XOR)
• opad be the outer padding (0x5c5c5c…5c5c, one-block-long hexadecimal constant)
• ipad be the inner padding (0x363636…3636, oneblock- long hexadecimal constant)

Then HMAC (K,m) is mathematically defined by
HMAC (Km) = H((K  opad) || H((K  ipad) || m)).
The following pseudo code demonstrates how HMAC may be implemented [9].
Function hmac (key, message)
if (length(key) > blocksize) then
key = hash(key) // keys longer than blocksize are shortened
end if
if (length(key) < blocksize) then
key = key || zeroes(blocksize - length(key)) // keys shorter than blocksize are zero-padded
end if
o_key_pad = [0x5c * blocksize] key // Where blocksize is that of the underlying hash function
i_key_pad = [0x36 * blocksize] key // Where is exclusive or (XOR)
return hash(o_key_pad || hash(i_key_pad || message)) // Where || is concatenation
end function

3.2.5 CFMT

The CFMT contains information about the file like File Name, ID along with details like priority of the file hit rate and Intrusion rate. The hit rate is decided based upon the request for the file and Intrusion rate based upon the number of times the file has been hacked. The priority is decided based on these two factors. The priority decides on the files replication and the intrusion rate decides when the administrator has to interfere and provide additional security for a particular file or inform the user about the file being repeatedly attacked. Table1 is an outline of the CFMT table showing its fields.

Table 1. CFMT Table

The following are the sample screen shots of CMFS Process. Figure 3 describes the overall process of CFMS System. The Interface shown is that of the server side where the process of the CFMS system is monitored.

Figure 4 shows the SHA1 hash code interface. The generated hash code for some input is shown as an example. The hash codes shall be saved.

Figure 5 shows the CFMS process with a single attack being identified. The attacked file is provided from another server which can be noticed from the line next to the one specified. The Figures 3 to 5 shows the process executed with Figure 5 especially showing the detection of a node being attacked and the same corrected through the system. Figure 3 shows the working of the server, the message depict what the server is functioning and instructions given by the server. Figure 4 shows a sample hash code that has been generated.

Figure 3. Snapshot of CFMS Server

Figure 4. CFMS Hash Code

Figure 5. CFMS Process

The efficiency of the CFMS process is checked by using different number of servers for the evaluation. The Analysis is made based on calculation of the following terms.

• Hack Rate = (No of times files hacked in a server/No of file access)*100
• Efficiency Rate = 100-Hack Rate
• Service Rate = (No of times server priority is updated / No of time periodical check is run)
• File Access=(No of time a file is correctly fetched/No of attempt)*100

Comparison of the process is done by taking into account the performance of the servers before and after the implementation of CFMS. The factors mentioned are calculated for both the stages and comparison is made. The comparison reveals that the CFMS produces far better results than before its implementation.

Table 2 contain the values evaluated both before and after CFMS implementation. Figure 6 depicts the performance of CFMS on the basis of Efficiency Rate. Figure 7 depicts the performance of CFMS on the basis of Service Rate. Figure 8 depicts the performance of CFMS on the basis of File Access.

The Graph depicts the performance of CFMS on the basis of File Access. The Figures 6,7,8 shows the graphical representations of the performance of our system rated against the normal implementation of a file service.

Table 2. CFMT Performance Table

Figure 6. CFMS Performance Graph –I (Efficiency Rate) The Graph depicts the performance of CFMS on the basis of Efficiency Rate.

Figure 7. CFMS Performance Graph –I (Service Rate) The Graph depicts the performance of CFMS on the basis of Service Rate.

Figure 8. CFMS Performance Graph –I (File Access)

The paper focuses on providing web based file management service, considering the importance of cloud based systems in today's world. In this system they have spliced the authentication module into three tiers, so as to provide the maximum security possible. They have also ensured that the controller can never be hacked, as it is the main component of the CFMS. The Performance analysis of the system compared with normal implementation has pointed out that the performance has considerably improved in all aspects. This system shall provide new outcomes in the area of distributed file service.

Future Enhancements

The paper currently looks into the factor of a file being handled while it is transmitting. They would like to enhance the paper in such a way that the CFMS system will know if the file that is currently being transmitted is being listened to. Simultaneously the username and password authentication can be replaced with a hardware device containing digital certificates for authentication.

Acknowledgment

The researchers would like to thank the management and co faculty members for helping and bearing with them during this period. Also the authors would like to thank all the authors of the papers they have referenced to bring up this work, without which it would have been very difficult to complete this work.

We are the heaviest burden to our parents in many cases yet their passion upon us gave us support to get this work done. The authors dedicate this research to their beloved parents.