Procedia Engineering 15 (2011) 3200 – 3204

1877-7058 © 2011 Published by Elsevier Ltd.doi:10.1016/j.proeng.2011.08.601

Available online at www.sciencedirect.comAvailable online at www.sciencedirect.com

Procedia Engineering 00 (2011) 000–000

ProcediaEngineering

www.elsevier.com/locate/procedia

Advanced in Control Engineeringand Information Science

The New Risk Assessment Model for Information System in Cloud Computing Environment

LIU Peiyua, b, LIU Donga, b *a aSchool of Information Science and Engineering, Shandong Normal University, Jinan Shandong 250014,China;

bShandong Provincial Key Laboratory for Distributed Computer Software Novel Technology, Jinan 250014,China

Abstract

Focusing on the Internet information system faces more security risk problems in Cloud Computing Environment, this paper sums up 8 kinds of threats to security principles, and lists the corresponding factors. Combing with collaborative and virtualization of cloud computing technology and so on, adopting the theory of AHP and introducing the correlation coefficient to analyze the multiple objective decision, the paper proposes a new information security risk assessment model based on AHP in cloud computing environment. Finally getting the security risk assessment strategies of the information system in the cloud computing environment by this model.

© 2011 Published by Elsevier Ltd. Selection and/or peer-review under responsibility of [CEIS 2011]

Keywords: cloud computing, risk assessment, analytic hierarchy process, information system

1. Introduction

Ever since Google CEO Eric Schmidt put forward the concept of cloud computing for the first time in 2006, it has gone through a rapid development and its related technology has gradually become the focus of academic research. By distributing the computing tasks in a resource pool which is composed of a large number of computers it enables users to get access to computing power, storage space and information services according to their demands, thus achieving a utility computing[1]. Cloud computing

a LIU Dong. Tel.: (+86)15165316401. E-mail address: mailsdnu@126.com

3201LIU Peiyu and LIU Dong / Procedia Engineering 15 (2011) 3200 – 32042 LIU Peiyu et al/ Procedia Engineering 00 (2011) 000–000

will form a future of being a giant globalized IT service network[2]with cloud infrastructure as the core and offer different kinds of services such as cloud based software and platform service and cloud application service.

2. Cloud computing environment

To advance cloud computing, series of critical problems should be solved and security is a top priority. Internet information system under cloud computing environment faces numerous challenges: (1) No identical standard. The deployment of existing cloud computing platform is scattered, the major manufacturers have set up their own cloud platform, each with a strong computing power, but interactivity among systems is not accessible because there is no uniform standard. (2) Security risks in the cloud[3]. Potential security risks emerge simultaneously as users choose cloud computing service such as leak of privacy, invasion of information assets, security and auditability of data, credibility of the cloud services platform and errors of large-scale distributed system. (3) Security risks whose origins are traditional Internet. (4) The relevant policies and regulations are not sound.

3. Information recurity risk assessment studies

Information security risk assessment is an assessment aimed to assess the threats. Impacts and vulnerability of information processing facilities and the likelihood of the three in accordance with the external and internal relative technology standards. Information security risk assessment is an integral part of information management[4]. Risk analysis methods are generally divided into qualitative analysis, quantitative analysis and synthesis analysis. A simple method for qualitative or quantitative analysis will lead to the inaccuracy and one-sidedness of the evaluation results. In the assessment of a complex information system, qualitative analysis and quantitative analysis should not be simply separated, on the contrary, the two methods should be integrated to form the method of integrated method[5]. In this paper, we take the integrated analysis method. An integrated method is the combination of qualitative analysis and quantitative analysis, use the expert experience and objective facts to perform a comprehensive risk assessment toward the information system.

4. The risk assessment model in cloud computing environment be based on AHP

4.1. AHP Model

In this paper we summarize 8 evaluation criterias and list the corresponding influencing factors as shown in Fig 1 .

Fig.1. (a) AHP model; (b) corresponding factors

3202 LIU Peiyu and LIU Dong / Procedia Engineering 15 (2011) 3200 – 3204 LIU Peiyu et al / Procedia Engineering 00 (2011) 000–000 3

There are three layers in this model :. • Level one—Formulating the problem in a hierarchical structure is the first step in AHP. The top level,

or focus of the problem, consists of the overall objective. In this model it corresponds to the overall assessment of cloud computing system platform.

• Level two —It includes 8 attributes consisting of the major factors identified for assessing the Level one.

• Level tree—The lowest level is for the concrete assessment factors in the decision framework. 39 factors were identified corresponding to higher levels and specific local conditions.The analytic hierarchy process (AHP) has been frequently used as an appropriate means of analysis in

dealing with the dilemma. AHP is carried out using the following three principles: decomposition, pairwise comparison, and synthesis of weights[6]AHP has a number of advantages in the assessment of cloud computing system platform .First, it can effectively translate intricate problems into an orderly hierarchy, because of its strong capacity for solving multi-criteria decision problems. Secondly, the AHP approach is able to quantify the decision-maker’s experiential judgments, particularly when the objectives lacked quantifiable data[7].

4.2. Making Pairwise Comparison

To make sure the rules to the weight of the goals by comparing, is called constructing evaluation matrices. Complex problem is decomposed into criteria, sub-criteria and alternatives from which choice is made[8-9]. The fundamental 1 to 9 scale can be used to rank the judgments as shown in Table 2. Following construction of the AHP model tree, it is extremely important that experts fill the judgment matrix forms faithfully[10].

Table2. A fundamental scale of 1 to 9

Number Rating Verbal Judgment of Preferences

1

3

5

7

9

Equally

Moderately

Strongly

Very

Extremely

2, 4, 6, 8 indicate the medium value of above pairwise comparison.

4.3. Calculating Weight Vector

For the given matrix M, we calculate its eigen value equation written as WMW maxλ= , where W is non-zero vector called eigenvector, and maxλ is a scalar called eigenvalue. After standardizing the eigenvector W, we regard the vector element of W as the local weight of each decision factor approximately.

4.4. Checking for consistency

Next, it is necessary to execute a consistency validation for each hierarchy and for the framework as a whole for every judgment matrix form[11]. If the hierarchy hadn’t passed validation, experts were required to adjust their forms until they passed[12].

5. Strategies of assessment

3203LIU Peiyu and LIU Dong / Procedia Engineering 15 (2011) 3200 – 3204

4 LIU Peiyu et al/ Procedia Engineering 00 (2011) 000–000

The paper collects samples through distribution in different area perceptions, and the data mainly from the clouds, the clients provide the feedback information of the assessment effect. Based on the collaborative computing and distributed processing during the process of the information processing, all the perceptions collect the sample information collaboratively, and the collected data then go into the sample collector. The collectors store samples and provide data source. They make full use of the virtualization in the cloud computing technology during the process of storing, and open up virtual space and increase the security. The evaluation module uses the AHP model to assess the system with the help of the data from the collectors. The cloud servers store a lot of expert evaluation set, and divide a security risk level .The judgment matrix is filled by the experts in the cloud computing service platform .Finally calculating the weighted vector ），，，（ n21 ωωω Λ , and getting the final order. The results are obtained by the clouds and input to the knowledge base .The knowledge base is controlled by the cloud computing platform, and it inputs the theoretical results to the clouds. If the result is reasonable , put it into join the knowledge base; If it is not reasonable ,it will inform the perception relied on new collect samples. The knowledge base contains three data sets: weight vector sets, risk hierarchies sets, security strategy sets. The whole process is as shown in Fig. 3.

For grading the risk rating, the paper introduces a correlation coefficient as in Eq.(1)and analysis theirs correlation. The process is as follows: make correlation calculations between the hierarchical analysis model calculated weight vectors (called theory weight vectors) and the corresponding factors in knowledge base which have the same weight vector orders that calculated by the cloud computing system.

）（ nnK12

1ss

32

R

−=ρ (1)

Where the Rss denotes the sum of deviation square of R as in ∑ ∑−= nR

Rss2

2R

）（ ,R is

the sum of the weight vector factors and K is the column number of the grade, in this paper it stands for the number of the factors in the weight vector. n is the number of comparative objects, we set n to2 in the paper. The t is the number of same weight values. In the paper we define ρ >0.7 as strong association,

and the theoretical weight vector is in consistent with the weight vector in knowledge base, so we can grade the security level according to the result and input them to the cloud computing system, providing users with a targeted security policy, and issuing to users the security warnings timely.

6. Conclusions

3204 LIU Peiyu and LIU Dong / Procedia Engineering 15 (2011) 3200 – 3204 LIU Peiyu et al / Procedia Engineering 00 (2011) 000–000 5

The rise of cloud computing is pushing the assessment of information system into a new horizon. Cloud computing platforms can (in theory) scale infinitely, with the addition of more hardware units bringing more resources to the system. Many existing challenges are exacerbated in the Cloud. In this paper, we developed a novel algorithm AHP for assessing the information system in cloud computing environment. Analytical Hierarchy Process (AHP) is applied for optimal decision making. AHP is adopted to achieve weighting factors. In the future work , we may introduce a warning mechanism to information system for sensing the threats from the cloud computing environment.

Acknowledgements

This research was supported by the National Natural Science Foundation of China (No.60873247), High-tech self-innovation project of Shandong Province (No. 2008ZZ28), the Natural Science Foundation of Shandong Province of China (No. ZR2009GZ007) and the S&T plan projects of Shandong Provincial Department of Education (No. J09LG52).

References

[1] Zhang Jian Xun, Gu ZhiMin.Surey of research progress on cloud computing.Application Research of Computers,2010,27(2).

429-433.

[2] FENG DengGuo, ZHANG Min,ZHANG Yan,XU Zhen.Study on Cloud Computing Security.Journal of Software,2011,22(1).

71-83.

[3] Michael Armbrust, Armando Fox,Rean Griffith.Above The Clouds:A Berkeley View of Cloud Computing .2009,2. EECS

Department University of California, Berkeley Technical Report No. UCB /EECS 200928.http: //www.eecs. erkeley.edu /Pubs /Tec-

hRpts /2009/EECS-2009-28.pdf.

[4] Sun Qiang, Han Youtao, Dong Yuxin. Research on a Quantitative Information Security Risk Assessment Model. Journal of

Computer Research and Development,2006,43. 594-598.

[5] FENG Deng-guo, ZHANG Yang, ZHANG Yu-qing.Survey of information security risk assessment. JOURNAL OF CHINA

INSTITUTE OF COMMUNICATIONS,2004,7(25). 10-18.

[6] BysronN, Joseph A. Generating consensus priority interval vectors for group decision making in the AHP.Journal of Multi-

Crtieria Decision Analysis. 2000, 9(4):127-137

[7] Kassar. M, Kervella.B. An overview of vertical handover decision strategies in heterogeneous wireless networks.

Computer Communications 31, 2607-2620 (2008).

[8] Frair L, Matson J O, Matson J E.An undergraduate curriculum evaluation with the Analytic Hierarchy Process.IEEE

Explore,1998(3):992-997.

[9] Xu Z S, Wei C P. A consistency improving method in the Analytic Hierarchy Process.European Journal Operational

Research,1999,116(2):443-449.

[10] Saaty T L, Alexander J M. Thinking with Models[M].New York:Pergamon Press,1981.

[11] WANG LianFen, XU ShuBo. The theory of analytic hierarchy process.Beijing:China Renmin University Press,

1989.11~260 (in Chinese).

[12] LI Zhan, ZHOU Shiguo, WANG Ke..A Method for Constructing Perfectly Consistent Judgement Matrix in AHP.

Zhengzhou Univ.(Nat.Sci.Ed.),2008,3(40).41-46.