A Trusted Computing Framework for Cloud Data Security using Role-based Access and Pattern Recognition

Gyanapriya Pradhan (1) and Madhukrishna Priyadarsini (2)
(1) C.V Raman Global University, Bhubaneswar, India, [email protected]
(2) National Institute of Technology, Tiruchirapalli, India, [email protected]

Abstract—Due to the digitization of data and the dynamic requirements of the users, cloud computing is one of the most used technologies in the present scenario. Cloud computing provides a platform to store, process, and share data remotely for heterogeneous users and provides services according to the requests generated by those users. However, its rapid growth has led to one of the major challenges in the environment: the security and privacy of the data. To address the security and privacy concerns, in this paper, our major contribution is a trusted computing framework, namely SFBRA (Secure Framework using Behavior and Role Analysis), for cloud data security. The framework utilizes user log monitoring data, pattern recognition algorithms, and role-based access mechanisms to detect malicious and suspicious activities of different users. Our proposed framework provides two levels of security for cloud users. In Level-1, we calculate the trust value of the logged-in users by analyzing the existing log table and the pattern of request access. In Level-2, we calculate the trust of the request (storage, processing, sharing) data packet using behavior analysis of the user and a role-based access mechanism, and finally detect the malicious activities. The efficacy of our proposed framework is demonstrated through experimentation, where we compare our framework with existing research works. The results show 95% accuracy in potential attack detection and prevention, approximately 8 Mbps throughput, and 0.003% packet drop on average.

Index Terms—Cloud computing, Security, Attack Detection, Behavior Analysis, Role-based Access, Pattern Recognition, Trust Calculation.

I. INTRODUCTION

In the last decade, cloud computing has grown exponentially, due to the revolution in data digitization, i.e., resource allocation, data storage and processing, computing power utilization, etc. [10]. Cloud computing provides a highly flexible and scalable platform where users can utilize the services of digitization platforms as a pay-per-use model and through on-demand requests. The distributed nature of the cloud computing platform makes it an easy target for attackers who exploit the vulnerabilities by injecting multiple attacks such as denial of service (DoS), distributed denial of service (DDoS) [11], IP spoofing, tampering, information disclosure, elevation of privilege, etc. Researchers have provided multiple solutions to detect and prevent attack types in the cloud, such as intrusion detection systems (IDS) [12], machine learning and AI-based techniques, behavior-based detection, anomaly detection, signature-based detection, role-based access control (RBAC), homomorphic encryption, etc. In the face of sophisticated attackers, conventional security measures like firewalls and encryption are no longer adequate. Although intrusion detection systems (IDS) [13] are essential for spotting and stopping security breaches, they frequently have trouble spotting new and complicated threats. The identification and prevention of harmful actions is one of the most important security concerns in cloud computing. In addition, end-to-end security is an essential requirement in the cloud platform, where security is provided from the login of the users to the cloud environment, to the storage [14], processing, and sharing of the data, and to the sign-out of the users from the platform. To safeguard sensitive data and guarantee the integrity of the cloud computing environment, it is essential to build strong security perimeters in the constantly changing landscape of cyber threats and the possibility of unauthorized access [15].

The above-mentioned challenges need to be addressed by designing an end-to-end security framework that provides user authentication and authorization, and data security and privacy after logging into the cloud platform. We are motivated by the existing challenges and the requirements to design a security framework that can be implemented in real-life cloud platforms such as Google Docs, Microsoft 365, etc., where login authentication and authorization are necessary. In addition, the designed framework can be used to provide security in cloud storage sharing environments such as Dropbox, Google Drive, OneDrive, iCloud, Egnyte, etc., where the data security and privacy of each logged-in user are important.

In this research, we design a trusted computing framework, a Secure Framework using Behavior and Role Analysis (SFBRA), for end-to-end data security in the cloud environment. Our framework leverages the wealth of user log monitoring data available in cloud systems, combined with advanced techniques such as pattern recognition and role-based access mechanisms, to effectively detect and differentiate malicious and suspicious users, and to provide security to the cloud platform. The combination of behavior and role analysis is an important innovation of our proposed framework. Here, we detect abnormal behavior of malicious users that may lead to unauthorized access or suspicious intentions. Our designed framework's accuracy and effectiveness are increased by the role-based threshold calculation module, which also enables us to customize the detection procedure for individual users by their unique roles and privileges. We collect and analyze
process logs from both legitimate and malicious users to evaluate the effectiveness of our proposed SFBRA framework. The results of our experiments demonstrate that our proposed framework successfully detects malicious activities, and discards the requests or blocks the users. The effectiveness of our framework is shown by comparing it with state-of-the-art security solutions in the cloud environment.

The major contributions of this paper are as follows:
1) We identify multiple security attacks in the cloud platform.
2) We design a trusted computing framework, namely SFBRA (Secure Framework using Behavior and Role Analysis), for end-to-end security in the cloud as an integration of two levels of security (Level-1 and Level-2).
3) In Level-1, we calculate the trust of each cloud user trying to log in to the cloud platform using pattern recognition and previous log values. We set a threshold value for trust. For the users whose calculated trust value is less than the trust threshold, the cloud provider blocks them for a specified time period. In this step, we identify the malicious user and prevent them from logging in to the cloud platform.
4) In Level-2, we calculate the trust and role of each logged-in user according to their request for access and role change. Here, we again set another trust threshold. The packets whose trust value is less than the set trust threshold are discarded. In this step, we identify the malicious data packets and discard them, so that they cannot access further mechanisms in the cloud.
5) The SFBRA is evaluated through extensive experimentation for varying attack patterns. Comparing the results with six existing attack detection strategies demonstrates 95% accuracy in detecting attacks. SFBRA is also accurate in detecting coordinated attacks from multiple attackers in Level-2 while maintaining the performance metrics, e.g., throughput, packet drops, and delay.

The rest of the paper is organized as follows. Section II provides a comprehensive review of related work in cloud security using attack detection, behavior analysis, and pattern recognition. Section III proposes a trusted computing framework, namely SFBRA (Secure Framework using Behavior and Role Analysis), for cloud data security, highlighting the key components and the functionalities. Section IV describes the experimental setup, including data collection and evaluation metrics, and the comparison with existing solutions. Finally, we conclude in Section V with a summary of our contributions and potential future research directions.

II. RELATED WORKS

Numerous researchers have examined various classifiers and strategies in the area of intrusion detection in the cloud environment to improve accuracy and recognize both identified and unidentified threats.

Servin et al. [1] presented a multi-agent reinforcement learning (MARL) system and explored the difficulties of applying reinforcement learning. Decision agents (DA) and heterogeneous sensing agents (SA) made up the Q-learning-based MARL system.

Deep reinforcement learning is proposed as part of a cloud IDS deployment architecture in the related study by Kamalakanta et al. [2]. The IDS consists of a host network, agent network, and administrator network. For increased security, the agent network is segregated using a VPN. System calls made by VMs to the hypervisor are examined by the IDS, which extracts useful log data for intrusion detection. Utilizing system calls gives intrusion detection systems an edge. However, relying on precise and comprehensive log data may create performance, scalability, and resilience issues against different types of assaults in real-world cloud systems.

The research study by Chien et al. [3] suggests a framework for identifying abnormal user behavior in cloud systems by regularly mining patterns and applying anomaly detection methods. It used a lightweight agent to gather data about system operations and convert it into profiles of user behavior. High detection rates, user discrimination, and real-life implementation are all demonstrated by the framework. Future research may concentrate on enhancing accuracy, security testing in abnormal situations, and tackling further security challenges.

In a study, M. Mdini et al. [4] proposed Watchmen Anomaly Detection (WAD), a successful method for real-time anomaly identification in network monitoring systems. To discover anomalies and resolve resource limitations and periodic changes, WAD uses pattern recognition techniques and an unsupervised algorithm. Potential drawbacks include separating false positives and identifying unique abnormalities without prior training data. The future scope includes scaling and adaptation.

To increase data security and regulate access in the cloud, K. Sethi et al. [5] suggested an architecture that combines role-based access control (RBAC) and homomorphic cryptography. The framework overcomes difficulties with computing on encrypted data and makes data sharing based on user authorization. Role initiation, user management, data storage, and trust value evaluation are among the trust management components it has. This architecture has better data protection, regulated access, and multi-granular operating rights. However, there are no thorough analyses or experimental findings in the study. The framework may be improved upon in the future, as may performance testing and scalability issues in large-scale cloud settings.

K. Sethi et al. [6] suggested a parallel homomorphic encryption method for safe cloud data storage. It presents a useful approach that permits parallel calculations on encrypted data to increase efficiency. With an improvement of 80% over sequential techniques, the system shows promise. Future development will focus on real-time applications and enabling floating-point maths. For the RBAC system, S. Chakraborty [7] presented a trust model that takes users' trust into account by giving users different trust degrees. These trust ratings are based on a variety of variables, including user credentials, past conduct, and user recommendations. The responsibilities are matched to trust levels. Extensions, a policy language, and the construction of a permissions management system are all future ambitions. The article by Fujun et al. [8] describes the Trust and Context-Based Access Control (TCAC) paradigm,
which improves the conventional Role-Based Access Control (RBAC) system by combining trust and context information. According to contextual circumstances and trustworthiness, users are given roles in the TCAC model, allowing them to exercise the relevant permissions. To calculate user trust in distributed systems, the study proposes a trust evaluation technique using local and global reputation. However, they do not include in-depth implementation details and empirical validation, leaving space for future studies to assess the effectiveness, scalability, and application of the TCAC model. All of these trust models solely take into account user trust in an RBAC system. The confidence that data owners have in the RBAC system as a whole, which determines the trust of the roles in the RBAC system with whom they desire to engage, is not addressed in any of these research works. For cloud storage solutions to work, data owners must be trusted.

The SP-DPM model [17] stands out as a significant addition to the field of safeguarding data generated by the Internet of Things. By utilizing effective encryption and data partitioning, SP-DPM is excellent at improving security and privacy. Because of its adaptability, it may be applied to a wide range of industries, including cloud computing, healthcare, businesses, and multimedia data. Notably, through extensive experimentation and comparisons with existing models, SP-DPM demonstrates its effectiveness with excellent outcomes for accuracy, precision, recall, and F1-score. The model's strength is its strong methodology, which places a strong emphasis on security. Its possible shortcomings include resource intensiveness and possible implementation problems.

The Differential and TriPhase adaptive learning-based Privacy-Preserving Model (DT-PPM) stands out among the models available for protecting patient privacy when it comes to medical data stored in the cloud. By utilizing MFNN for analysis, k-anonymization, and noise injection through the Laplace mechanism, DT-PPM attains a strong 87.03% accuracy, guaranteeing trustworthy data analysis. Though acknowledged for improving overall security, privacy, and usefulness, its implementation difficulty and a minor decrease in the use of data are points to take into account [18].

The suggested MLPAM (Machine Learning and Probabilistic Analysis based Model) [19] combines machine learning and strong encryption to improve security while pursuing safe and effective data sharing in cloud environments. By providing distinct keys for each data owner, MLPAM guarantees safe sharing and outperforms previous efforts by up to 186%. Its effectiveness is highlighted by notable improvements in Detection Accuracy, Precision, Recall, and Specificity. The favorable aspects of MLPAM position it as a major contribution to furthering safe data management in cloud contexts, even though the conclusion does not specifically list any drawbacks.

When it comes to differential privacy models, the Privacy-Preserving Model based on the Differential approach (PPMD) performs exceptionally well, since it uses many machine learning algorithms for cloud-based classification, partitions data for privacy, and introduces noise. With an accuracy rate of up to 93.75%, PPMD is notable for its effectiveness and security. Nevertheless, there are several drawbacks, such as the model's incapacity to safeguard the classification model and possible scalability issues, in addition to worries about computation time, accuracy in specific situations, and decreased data utility [20].

Fig. 1. Workflow of the Proposed Secure Architectural Framework for Cloud

Our proposed framework offers enhanced efficiency through the integration of static and dynamic analysis techniques. It boasts a high accuracy rate of 92% in detecting potential attacks and malicious behavior, surpassing existing papers in both effectiveness and precision. Table I shows the existing security solutions' methodologies, outcomes, and drawbacks. It also lists our proposed solution, the secure framework using behavior and role analysis (SFBRA), proposed in this paper.

III. PROPOSED SECURE ARCHITECTURAL FRAMEWORK FOR CLOUD

In this section, we present our proposed secure framework for end-to-end security in the cloud environment, named Secure Framework using Behavior and Role Analysis (SFBRA). The SFBRA framework integrates two levels of security, Level-1 and Level-2, to address multiple security attacks in the cloud platform. Figure 1 shows the overall workflow of the proposed framework and the flow of data through different layers.

The operational flow of SFBRA is discussed as follows: the users try to log in to the cloud platform by providing their user
TABLE I
EXISTING RESEARCH WORK FEATURE ANALYSIS

Model: MARL for intrusion detection [1]
Methodology: Agents learn hierarchy, interpreting local states and communicating upward; utilizes distributed RL for cooperative detection of faults, attacks, and abnormal states.
Outcomes: Scales effectively for a large number of agents; enables collaboration among diverse agents for detecting DDoS attacks.
Drawback: Relies on a simple RL strategy with a straightforward Q-update function; limited exploration of more complex RL techniques for enhanced performance.

Model: Deep reinforcement learning-based adaptive cloud IDS architecture [2]
Methodology: Utilizes Deep Reinforcement Learning (DRL) with Q-learning and deep learning for autonomous and adaptive intrusion detection.
Outcomes: Demonstrates higher accuracy in intrusion detection; maintains a balance between high accuracy and low false positive rates (FPR).
Drawback: Computational cost challenges; limited exploration of DRL in the context of cloud network security.

Model: FP Outlier Detection [3]
Methodology: Scanning the memory of running virtual machines and employing a Bayesian inference-based trust mechanism along with a frequent pattern outlier factor.
Outcomes: Framework detects all malicious activities with < 4.6% false positives; profiles identify 86% of suspicious behaviors across users with < 1% false positives.
Drawback: System in early development, indicating potential limitations; long-term datasets needed to address issues like "concept drift" in user behaviors.

Model: Watchmen Anomaly Detection (WAD) [4]
Methodology: WAD processes data in real time, highlighting abrupt changes; creates reference patterns, and detects anomalies by measuring gaps.
Outcomes: Enhances productivity and troubleshooting efficiency; provides instant alerts, reducing manual checks.
Drawback: Faces issues with tolerance band and parameter configuration; requires improvements for automatic parameter computation.

Model: RBAC with Homomorphic Cryptosystem Integration [5]
Methodology: Integration of RBAC and Homomorphic Cryptosystem using trust and role hierarchy; trust value calculated based on user count and feedback for role-based access.
Outcomes: Enhances security by enabling encrypted data computations without decryption; provides fine-grained access control through role-based permissions.
Drawback: Potential increased computational complexity (not explicitly stated); effectiveness depends on accurate trust value calculations, which may vary.

Model: Homomorphic cryptosystem for secure cloud data storage [6]
Methodology: Design of parallel algorithms for encrypted file operations with multi-threading and "cipher-text refresh" at KGS.
Outcomes: Over 80% improvement in execution time for parallel implementations; provides practical, secure data storage without compromising data security.
Drawback: The current system handles only integer representation, not floating-point arithmetic; future work is needed for function-level encryption to enhance security.

Model: TrustBAC [7]
Methodology: Extends RBAC by introducing trust levels based on user factors; users' assigned trust levels determine access privileges.
Outcomes: Integrates RBAC advantages with a multi-level trust model; enhances access control by considering user behavior and recommendations.
Drawback: Possible need for additional credential-based evaluations; acknowledges ongoing work, indicating potential limitations.

Model: TCAC (Trust and Context-Based Access Control) [8]
Methodology: Role assignment based on user trustworthiness and context information; trust evaluation using local and global reputation.
Outcomes: Flexible and scalable for dynamic distributed systems; dynamic role assignment based on user behavior and context.
Drawback: Approaches do not consider geo-social information.

Model: Secure Data Protection Method (SP-DPM) [17]
Methodology: Uses K-anonymization, CP-ABE, and a voting classifier for enhanced IoT data security and privacy; proposes data partitioning, analysis, and experiments, comparing results with state-of-the-art models.
Outcomes: SP-DPM secures IoT data with strong partitioning and encryption; suited for diverse domains (healthcare, enterprises, cloud computing, multimedia).
Drawback: SP-DPM may introduce complexities, particularly with intricate data structures or diverse applications; security measures might demand extra resources, potentially impacting system performance.

Model: Differential and TriPhase adaptive learning-based Privacy-Preserving Model (DT-PPM) [18]
Methodology: Employs k-anonymization for privacy by grouping sensitive data; introduces noise via the Laplace mechanism and utilizes MFNN for effective data analysis.
Outcomes: High accuracy of 87.03% ensures reliable data analysis; enhances overall privacy, security, and utility of medical data sharing and analysis in cloud environments.
Drawback: Implementation complexity may pose challenges; noise injection could lead to a slight reduction in data utility.

Model: Machine Learning and Probabilistic Analysis based Model (MLPAM) [19]
Methodology: Individualized encryption keys for secure data sharing; integration of machine learning and probabilistic analysis for enhanced security infrastructure and effective sharing protocols.
Outcomes: Significant improvement, up to 186%, over existing works; achieved notable enhancements in Detection Accuracy, Precision, Recall, and Specificity compared to prior works.
Drawback: No explicit mention of identified cons or limitations in the provided information; further details on potential drawbacks or challenges are not specified in the given context.

Model: A differential privacy model for sensitive data (PPMD) [20]
Methodology: PPMD ensures privacy through data partitioning, injecting statistical noise into sensitive sections; the model integrates differential privacy and deploys machine learning for cloud-based classification.
Outcomes: PPMD achieves up to 93.75% accuracy, excelling in both accuracy and privacy preservation compared to existing methods; highlights efficiency, security, and optimality, making it superior for cloud-based data sharing.
Drawback: It does not protect the classification model and has scalability challenges; high computation time, low accuracy, and reduced data utility.

Model: SFBRA (This Paper)
Methodology: Level-1: trust calculation using pattern recognition and log values, blocking users below the threshold; Level-2: trust and role calculation based on access requests, discarding packets below the threshold.
Outcomes: Dual-layered security with static and dynamic analysis; high accuracy in attack detection and efficient data processing.
Drawback: Dependency on user log data for behavior analysis; future testing is needed for coordinated attacks.
TABLE II
NOTATIONS USED IN THE PROPOSED SFBRA FRAMEWORK

Notation: Description
S: Sequence of user behavior
B_i: Behavior of each sequence S_i
N: Number of cloud users
B: Behavior set of N cloud users
BM: Behavior matrix
θ1: Trust value for static analysis
θ2: Trust value for dynamic analysis
θ: Overall trust value
AR: Access request
PR: Process request
NVD: National Vulnerability Database
TS: Time stamp
VS: Vulnerability Score
M: Magnitude of each role
W1, W2, W3: Weight parameters

Fig. 2. Log File Creation and Storage in Central Log Server for Cloud Users

Fig. 3. Behavioural Pattern Matching

ID and password. The server first checks the trustworthiness of the user using the behavior analysis methodology and calculates the trust of the user, where it considers the log monitor data of the same user in Level-1. Once the user is deemed trusted, the server allows the user to send its request packet to the cloud for accessing the storage or processing of data. Otherwise, the server suspends the user login for a particular period. Here, we consider only two request packets by the user, i.e., the storage request and the processing request. Once the user sends its request packet, the cloud again calculates the trustworthiness of the sent request packet using another module, trust and role calculation, before processing it. This module takes as input the log monitor data for the same user inside the cloud. In the next step, the role of the user is calculated, and if the role is trusted, then the cloud grants access to the same user; otherwise, the request packet is discarded.

The trustworthiness is calculated in the two levels because malicious users can try to access the cloud using a legitimate user's login ID and password. In the Level-1 security, which is checked inside the cloud server, the framework calculates the trust of users by analyzing their historical behavior and real-time factors such as access requests, process requests, IP address, and vulnerability score. This evaluation helps in identifying suspicious patterns and determining the trustworthiness of users. Level-2 security in the cloud focuses on calculating the trust and role of logged-in users, considering elements such as user identification, password, timestamp, access requests, process requests, IP address, and vulnerability score. By integrating static and dynamic analysis techniques and considering various factors, the SFBRA framework provides a robust approach to evaluating user trust, preventing unauthorized access, and analyzing role behavior, ultimately enhancing the overall security of cloud platforms.

The next subsections describe the Level-1 and Level-2 security frameworks in detail. The details of the parameters used in Level-1 and Level-2 are summarized in Table II.

A. Level-1 Security: Trust Calculation and User Blocking

In Level-1 of our security framework, our focus is on behavior analysis to determine the trustworthiness of each cloud user attempting to log in to the cloud platform. The analysis is carried out in two essential steps: Static Analysis and Dynamic Analysis.

1) Static Analysis: In the Static Analysis phase, we detect and analyze the timestamps of user activities using a log monitor. By examining the user's historical behavior, including login patterns and various activities, we aim to identify any suspicious patterns or anomalies. This step allows us to gain insights into the user's past actions, helping us assess their overall trustworthiness. We can detect whether the user has previously engaged in any suspicious activities or exhibited unusual behavior during login sessions. The static analysis is carried out using two steps as follows.

Step 1: Log File Creation and Storage in Central Log Server for Cloud Users. In the first step, we convert unstructured log data into a well-organized format, because raw log files are not arranged in an orderly fashion and parsing is required before they can be utilized effectively. Here, we choose the XML format for log file structuring. We extract vital details from the raw log data, such as event name, event ID, associated process or thread ID, opcode, and timestamp. Let $XML_i^m$ be the XML format with behaviors defined as $B_i^m = \{S_{i,1}, S_{i,2}, \ldots, S_{i,m}\}$, where $S_{i,t}$ ($1 < t < m$) is one behavior entry and $S$ is the sequence of behavior.

Step 2: Behavioural Pattern Matching. In this step, we do behavior matching and review the findings from the log files to produce a structured file for further operations on the user information. We can identify significant patterns and trends in the log data. We separate particular behavioral aspects and characteristics using behavior extraction techniques, which helps to gain a better knowledge of how the system functions and interacts. The next step is behavior matching, where we contrast the discovered behavioral patterns with established standards/patterns. This process enables us to effectively identify abnormalities, possible risks, or anomalous system activity.

The methodical process of behavior pattern matching, behavior extraction, and behavior matching provides a thorough examination of log data, producing insightful information
and trustworthy results. These findings provide insight into the system's operation and possible weak points, and they considerably improve the overall security and dependability of the system. Our research study seeks to significantly influence the fields of system analysis and cybersecurity through the use of a strict methodology.

The behavior extraction from structured data is done through the following procedures. We embark on further refining the structured data by undertaking sequence ID extraction and subsequent encoding. This crucial stage allows us to construct a comprehensive behavior matrix, which serves as the foundation for behavior extraction. Through a meticulous and systematic approach, we extract relevant sequence IDs from the structured data, enabling us to encode and represent the intricate relationships among various events and activities. By employing advanced encoding techniques, we transform the sequence IDs into a coherent and analyzable behavior matrix. This matrix captures the underlying patterns and interactions within the system, providing valuable insights into the system's behavior and performance. The behavior extraction process in this step plays a pivotal role in our research, as it facilitates a deeper understanding of the system's dynamics and aids in identifying potential anomalies or irregularities that may impact its overall functioning. Figures 2, 3, and 4 show the steps and methods used in the behavior extraction process.

Fig. 4. Process of Behaviour Extraction

Let $B = \{B_1, B_2, \ldots, B_n\}$ be the set that contains the behavior of $N$ cloud users. When the behavior entry $S_{i,t}$ matches the behavior $B_j$ ($j \in (1, N)$), the entry in the behavior matrix will be $S_{i,t} = [e^1_{i,t}, e^2_{i,t}, \ldots, e^N_{i,t}]$, where $e^j_{i,t}$ will be set to 1 and the others are set to 0. Finally, the generated behavior matrix is represented as

$$BM_i = \begin{bmatrix} S_{i,1} \\ S_{i,2} \\ \vdots \\ S_{i,m} \end{bmatrix} = \begin{bmatrix} e^1_{i,1} & \cdots & e^N_{i,1} \\ \vdots & \ddots & \vdots \\ e^1_{i,m} & \cdots & e^N_{i,m} \end{bmatrix}$$

This matrix is the behavior matrix of a cloud user $i$. Let $\theta_1$ be the trust value in static analysis, which is calculated as

$$\theta_1 = \frac{\text{no. of 1 in } BM_i}{\text{total entries in } BM_i} \quad (1)$$

2) Dynamic Analysis: The Dynamic Analysis phase involves pattern detection using specific neural network-based algorithms such as the Feed-Forward Backpropagation Neural Network (FFBPNN). Here, we consider various factors, in-

user's trustworthiness at that moment. During the training of the neural network, it takes the input pattern from the behavior matrix $BM$ defined in the previous step and defines corresponding class labels, which are used to train the neural network. Then, it adjusts the weights ($W_1$, $W_2$, $W_3$) and biases through backpropagation to minimize the difference between its predictions and the actual labels. The output of the FFBPNN typically is the class label in the recognition task. The final testing is done when the input contains a new pattern. Let $\theta_2$ be the trust value in the dynamic analysis process, which is calculated as

$$\theta_2 = \sum_{i=1}^{n} W_1 \cdot AR_i + W_2 \cdot PR_i + W_3 \cdot NVD_i \quad (2)$$

3) Overall Trust Value Calculation: The overall trust value for the user in Level-1 is calculated by combining the trust values of both static analysis and dynamic analysis and is denoted as:

$$\theta = \theta_1 + \theta_2 \quad (3)$$

4) User Validation and Access Control: Here, we compare the calculated overall trust value with a predefined trust value, typically assumed to be 0.5. If the calculated trust value exceeds the predefined threshold, the user is allowed further access to the cloud environment. In this case, the user is considered trustworthy enough to utilize the cloud resources without restrictions.

However, if the calculated trust value is less than the predefined threshold, it indicates potential malicious behavior or insufficient trustworthiness. Consequently, the system will block the user from accessing the cloud platform or discard their login request, effectively preventing unauthorized access and maintaining the security of the cloud environment.

B. Level-2 Security: Trust and Role Calculation

In the Level-2 security of our proposed framework SFBRA, we focus on calculating the trust and role of each logged-in user based on their access requests and role changes. This level provides an additional layer of security to prevent malicious data packets from accessing further mechanisms in the cloud. The details regarding the trust and role calculation are presented in the following subsections.

1) Trust Calculation: The trust calculation in Level-2 incorporates various elements, including user identification (ID), password, timestamp, access request, process request, IP address, and vulnerability score (NVD score). To ensure an accurate assessment of trust, we employ two calculation methods as follows:

1) Vulnerability Calculation: To assess the vulnerability
cluding the user’s access request, process request, IP address, of a packet, we introduce the vulnerability calculation,
and vulnerability score (NVD score). Each of these factors which considers the product of the timestamp and the
contributes to calculating a dynamic trust value for the user. vulnerability score (NVD score). The National Vulnera-
To calculate the dynamic trust value, we assign appropriate bility Database [16] is a repository of information about
weights (W 1, W 2, W 3) to the factors, based on their sig- software vulnerabilities maintained by NIST. It provides
nificance in determining user trust. The Feed-Forward Back- details on vulnerabilities, severity ratings, and references
propagation neural network (FFBPNN) algorithm processes to patches and advisories. It helps organizations and
the relevant data to derive a numerical value representing the individuals stay informed about vulnerabilities and take
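The Level-1 computation described above (behavior matrix, equations (1) to (3) and the step-4 threshold comparison), written out as an added example; this is not code from the paper or the SFBRA implementation. The behavior set, the user log and the fixed weights are constructed inputs, and the FFBPNN that the paper uses to derive the weights is not implemented: equation (2) is evaluated with the weights passed in, exactly as the worked examples in Section D do. The same routines reproduce the numbers of Section D (2/5 = 0.4, 47, 0.33), which is the check used in the test below.

```python
from typing import List, Sequence, Tuple

# Level-1 threshold the paper assumes for user validation (step 4).
TRUST_THRESHOLD = 0.5

# Constructed sample (not from the paper): the set B of known behaviors, which
# become the matrix columns, and one user's structured log reduced to its
# behavior entries S_{i,t}, which become the rows. Real input would be the XML
# produced by the static analysis phase.
KNOWN_BEHAVIORS = ["login", "read-file", "write-file", "delete-file"]
USER_LOG = ["login", "read-file", "read-file", "unknown-op", "write-file"]


def build_behavior_matrix(entries: Sequence[str], behaviors: Sequence[str]) -> List[List[int]]:
    """BM_i: one row per behavior entry S_{i,t}, one column per behavior B_j.
    e^j_{i,t} is 1 when entry t matches B_j and 0 otherwise. An entry that matches
    no known behavior yields an all-zero row, which lowers theta_1."""
    column = {b: j for j, b in enumerate(behaviors)}
    matrix = []
    for entry in entries:
        row = [0] * len(behaviors)
        if entry in column:
            row[column[entry]] = 1
        matrix.append(row)
    return matrix


def static_trust(bm: Sequence[Sequence[int]]) -> float:
    """Equation (1): theta_1 = (number of 1 entries in BM_i) / (total entries in BM_i)."""
    total = sum(len(row) for row in bm)
    if total == 0:
        # No log data: the paper names this as a limitation of the framework.
        # Fail closed with 0 rather than divide by zero.
        return 0.0
    return sum(sum(row) for row in bm) / total


def dynamic_trust(weights: Tuple[float, float, float],
                  factors: Sequence[Tuple[float, float, float]]) -> float:
    """Equation (2): theta_2 = sum_i (W1*AR_i + W2*PR_i + W3*NVD_i).
    `factors` holds one (AR_i, PR_i, NVD_i) triple per observation. The paper
    obtains the weights from an FFBPNN; here they are supplied as fixed inputs."""
    w1, w2, w3 = weights
    return sum(w1 * ar + w2 * pr + w3 * nvd for ar, pr, nvd in factors)


def level1_decision(entries, behaviors, weights, factors, threshold=TRUST_THRESHOLD):
    """Equations (1)-(3) followed by the step-4 comparison. Returns
    (theta_1, theta_2, theta, allowed); allowed is True only if theta exceeds
    the threshold, otherwise the login request is to be discarded."""
    theta1 = static_trust(build_behavior_matrix(entries, behaviors))
    theta2 = dynamic_trust(weights, factors)
    theta = theta1 + theta2
    return theta1, theta2, theta, theta > threshold


if __name__ == "__main__":
    # Weights and factors of Example 1 in Section D applied to the constructed log.
    print(level1_decision(USER_LOG, KNOWN_BEHAVIORS, (2, 3, 4), [(2, 5, 7.0)]))
```

One point the routines make visible: with the weights of Example 1, $\theta_2$ (47) is two orders of magnitude larger than $\theta_1$ (0.4), so the fixed threshold of 0.5 is decided almost entirely by the dynamic term and the scale chosen for $W_1$ to $W_3$; the behavior matrix only matters when the weights are small, as in Example 2.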
necessary actions to secure their systems. Mathematically, this can be expressed as

$$VC(t) = \sum_{i=1}^{n} TS_i(t) \ast VS_i(t) \quad (4)$$

Here, $TS_i$ is the time stamp of the packet $i$ at time $t$ and $VS_i$ is the vulnerability score of the packet $i$ at time $t$. This equation quantifies the vulnerability of a packet based on the combination of its arrival time and the severity of potential security risks indicated by the vulnerability score. Table III shows the vulnerability score of various protocols.

TABLE III
NATIONAL VULNERABILITY DATABASE (NVD) SCORE

NVD Score   Protocol
7.8         TCP
5.0         UDP
9.8         DNS
5.8         ICMP
10.0        ARP
7.5         IGMP
8.6         IPv4
5.0         IPv6

2) Exposure Calculation: To determine the exposure level of a packet, we utilize the exposure calculation method. The exposure calculation shown in equation 5 takes into account the sum of the access request, process request, and the timestamp. The packet request is dropped if the resulting value is less than the predetermined threshold. The exposure calculation can be represented as

$$EC(t) = \frac{\sum_{i=1}^{n} AR_i(t) \ast PR_i(t) \ast TS_i(t)}{\sum_{i=1}^{n} TS_i} \quad (5)$$

Here, $AR_i(t)$ is the access request by packet $i$ at time $t$, $PR_i$ is the process request by packet $i$ at time $t$, and $TS_i$ is the timestamp of packet $i$ at time $t$. By incorporating the timestamp and assessing the proportion of access and process requests, this equation provides an estimation of the exposure level of a packet. It enables the system to deny further processing if the exposure surpasses the defined threshold.

2) Role Calculation (Role Identified Behavior Analysis): The role calculation mechanism focuses on determining the total number of role requests and analyzing the changes in roles over time. In this calculation, we consider three crucial elements: weight, frequency, and magnitude. The role of each logged-in user is calculated as follows:

$$R_i = \frac{\sum_{i=1}^{n} (W_i \ast M_i) \ast \sum_{i=1}^{n} TS_i}{Role} \quad (6)$$

Here, $W_i$ is the weight of each role, $M_i$ is the magnitude of each role, and $TS_i$ is the time stamp for role $i$. The weight represents the weightage assigned to each role, indicating its importance or level of access. This weightage is a constant value associated with each role. Frequency measures the number of role changes for a particular user within a specific period. It tracks the frequency with which a user's role is modified, allowing the system to identify potential anomalies or suspicious activities. Magnitude assesses the impact of role changes by considering factors such as the level of access granted or revoked. It quantifies the significance of each role change in terms of its effect on the overall system security. The timestamp parameter denotes the time at which the role calculation is performed. It enables the system to track and analyze the changes in roles over time, facilitating the identification of patterns or trends in role behavior. The role indicates the current role of the user, providing the baseline value for the role calculation. By integrating these elements, the role calculation formula evaluates the behavior of users concerning role changes and their influence on the system's security. The overall SFBRA framework solution is shown in Algorithm 1. In Algorithm 1, step-5 to step-9 can be performed in $O(n)$ time, and step-15 to step-31 can be performed in $O(n)$ time. So, the time complexity of the proposed algorithm is $O(n)$. The space complexity is $O(n)$, as step-5 and step-6 take $O(n)$ space to generate and store the behavioral matrix $BM_i$.

Algorithm 1 SFBRA Security Solution
1: procedure LEVEL1(AR, PR, NVD)
2:   T = 0, i = 1
3:   XML = GenerateStructuredLogData()
4:   do
5:     Generate BM_i
6:     θ1 = div(no. of 1's in BM_i, total entries in BM_i)
7:     θ2 = sum(AR, PR, NVD)
8:     θ = θ1 + θ2
9:     i = i + 1
10:  while ((T ≠ Tmax) && (i ≠ n))
11: end procedure
12: procedure LEVEL2(TS, VS, AR, PR, W, M, n)
13:   T = 0, i = 1
14:   do
15:     TrustCalculation()
16:     Find(VC)
17:     VC = multiply(TS, VS)
18:     Find(EC)
19:     EC1 = multiply(AR, PR, TS)
20:     EC = divide(EC1, TS)
21:     Trust = add(EC, VC)
22:     if (Trust > Θ) then
23:       Goto RoleCalculation
24:     else
25:       Goto end procedure
26:     end if
27:     RoleCalculation()
28:     R1 = multiply(W, M, TS)
29:     R = divide(R1, Role)
30:     i = i + 1
31:   while ((T ≠ Tmax) && (i ≠ n))
32: end procedure
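The Level-2 path of Algorithm 1 (steps 15 to 29: equations (4), (5) and (6) and the Trust > Θ gate), as an added example that is not the paper's or the SFBRA project's code. The NVD scores are those of Table III; the packet field layout, the value of Θ, the role bound used for the final grant and the worst-case score given to a protocol missing from Table III are assumptions of this example. The paper's prose states the exposure threshold in both directions (dropped when below it in one place, denied when above it in another), so the code follows the algorithm's step 22 and proceeds to the role calculation only when Trust exceeds Θ. The worked numbers of Section D (VC = 2530, EC = 3, R = 1035) are used as the checks.

```python
from typing import Dict, Optional, Sequence, Tuple

# Table III of the paper: NVD score per protocol, used as the vulnerability
# score VS_i of a packet.
NVD_SCORE: Dict[str, float] = {
    "TCP": 7.8, "UDP": 5.0, "DNS": 9.8, "ICMP": 5.8,
    "ARP": 10.0, "IGMP": 7.5, "IPv4": 8.6, "IPv6": 5.0,
}

# Assumed score for a protocol absent from Table III: treat the unknown as the
# worst case instead of silently scoring it 0 (design choice of this example).
UNKNOWN_PROTOCOL_SCORE = 10.0

# One packet observation: (protocol, timestamp TS_i, access request AR_i,
# process request PR_i). This layout is an assumption of the example.
Packet = Tuple[str, float, float, float]


def vulnerability(packets: Sequence[Packet]) -> float:
    """Equation (4): VC(t) = sum_i TS_i(t) * VS_i(t), with VS_i from Table III."""
    return sum(ts * NVD_SCORE.get(proto, UNKNOWN_PROTOCOL_SCORE)
               for proto, ts, _, _ in packets)


def exposure(packets: Sequence[Packet]) -> float:
    """Equation (5): EC(t) = sum_i AR_i*PR_i*TS_i / sum_i TS_i."""
    denom = sum(ts for _, ts, _, _ in packets)
    if denom == 0:
        raise ValueError("exposure undefined: no timestamps to normalise by")
    return sum(ar * pr * ts for _, ts, ar, pr in packets) / denom


def role_value(roles: Sequence[Tuple[float, float, float]], current_role: float) -> float:
    """Equation (6): R_i = sum_i (W_i*M_i) * sum_i TS_i / Role, where each role
    record is (weight W_i, magnitude M_i, timestamp TS_i) and Role is the
    baseline value of the user's current role."""
    if current_role == 0:
        raise ValueError("Role baseline must be non-zero")
    weighted_magnitude = sum(w * m for w, m, _ in roles)
    total_time = sum(ts for _, _, ts in roles)
    return weighted_magnitude * total_time / current_role


def level2_decision(packets: Sequence[Packet],
                    roles: Sequence[Tuple[float, float, float]],
                    current_role: float,
                    trust_threshold: float,
                    role_threshold: float) -> Dict[str, Optional[float]]:
    """Algorithm 1, steps 15-29. Trust = EC + VC (step 21); only when
    Trust > Θ (step 22) is the role calculation reached. The paper grants
    access when 'the role value is more' without stating the bound, so
    role_threshold is an assumed parameter."""
    vc = vulnerability(packets)
    ec = exposure(packets)
    trust = ec + vc
    result: Dict[str, Optional[float]] = {"VC": vc, "EC": ec, "Trust": trust,
                                          "R": None, "granted": False}
    if trust <= trust_threshold:
        return result                      # step 25: leave the procedure, denied
    r = role_value(roles, current_role)    # steps 27-29
    result["R"] = r
    result["granted"] = r > role_threshold
    return result


if __name__ == "__main__":
    # Constructed packets; role record (W=5, M=2, TS=414) and Role=4 are the
    # values of Example 1 in Section D.
    sample = [("TCP", 1.0, 1, 1), ("DNS", 2.0, 2, 1)]
    print(level2_decision(sample, [(5, 2, 414)], 4, trust_threshold=10.0, role_threshold=1.0))
```

Because $VC$ is a product of an absolute timestamp and a score, its magnitude grows with the clock value rather than with any property of the packet (Section D's $253 \ast 10 = 2530$ shows this); whoever sets Θ therefore has to choose it relative to the timestamp units actually in use, or $EC$ contributes nothing to the decision.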
C. Security Analysis of Proposed SFBRA Framework

In this section, we analyze our proposed SFBRA framework's correctness using logic. The security property we want to prove is that the proposed framework ensures the privacy/confidentiality of sensitive data, which is presented as follows:

1) Proposed SFBRA Framework: The framework ensures the confidentiality/privacy of sensitive user data in the cloud environment. The proposed framework relies on a dynamic access control algorithm that considers factors such as user roles, behavior patterns, and the log data of the logged-in user.

2) Security Property: Confidentiality/Privacy - Ensuring that unauthorized users cannot access sensitive user data in the cloud.

3) Assumptions: 1. The proposed security solution algorithm is correctly implemented and cannot be tampered with. 2. User roles and behavior patterns are accurately represented in the system.

4) Formalization: Let $C(u, d)$ represent the confidentiality level assigned to user $u$ for data $d$. Let $R(u)$ represent the role of user $u$. Let $B(u)$ represent the behavior pattern of user $u$. Let $S(d)$ represent the sensitivity classification of data $d$. The access decision can be formalized as follows:

$$\begin{cases} 1; & \text{access authorized} \\ 0; & \text{otherwise} \end{cases}$$

5) Logical Reasoning and Formal Proofs:

a) Role Based Access: Each user $u$ is accessing a particular role at a certain timestamp $TS$, which is calculated as $R(u)$ using equation 6. So, $u_i \Rightarrow (R(u)_i, TS_i)$. If other users try to access the authenticated data $d$, then the timestamp $TS$, magnitude $M$, and weight $W$ are modified and user $u$ is notified of its change in role. For all users $u$ and data $d$, if $R(u)$ is authorized for $d$ $\Rightarrow$ $C(u, d) = 1$.

b) Behavior Pattern: If there is any adversarial attack on the authenticated user data, then the entries in the behavior matrix $BM$ will be changed, and so will the static trust value $\theta_1$. Simultaneously, it affects the weights ($W_1$, $W_2$, $W_3$) of the feed-forward backpropagation neural network (FFBPNN) and the dynamic trust value $\theta_2$. So, the overall trust value $\theta$ will be different for user $u_i$ at a certain timestamp $TS_i$, which is not valid, and the system detects the adversarial attack on the sensitive data.
For all users $u$ and data $d$, if $B(u)$ deviates significantly from the usual pattern, then $C(u, d)$ is adjusted.
Deviation in $B(u)$ $\Rightarrow$ Adjustment in $C(u, d)$

c) Sensitivity Classification: If there is no change in the overall trust value $\theta$ for user $u_i$ at a certain timestamp $TS_i$, then the access decision will be 1, which demonstrates the access authorization mentioned in step-4; otherwise it is classified as 0 and the user request is blocked.
For all users $u$ and data $d$, if $R(u)$ is not authorized for data $d$ and $S(d)$ is 1, then $C(u, d) = 0$.
$R(u)$ is not authorized for data $d$ $\land$ $S(d)$ is 1 $\Rightarrow$ $C(u, d) = 0$.

D. Working of Proposed SFBRA Framework with an Example

Here, we demonstrate our proposed SFBRA framework's operation considering the two-level security. Two example use cases are explained for legitimate and malicious users' overall trust calculation.

Example 1: Legitimate user trust calculation. When a legitimate user logs in to the cloud, at the Level-1 security its behavior is analyzed to check the trustworthiness. Using the static analysis phase, the unstructured log data is converted into organized XML format with event name, event ID, process ID, Opcode, and timestamp information of the user. Let $XML^m_i$ be the XML format with behaviors defined as $B_i = \{S_{i,1}, S_{i,2}, \dots, S_{i,m}\}$, where $S_{i,t}$ ($1 < t < m$) is one behavior entry and $S$ is the sequence of behavior. The behavior matrix is calculated as

$$\theta_1 = \frac{\text{no. of 1s in } BM_i}{\text{total entries in } BM_i} = \frac{2}{5} = 0.4 \quad (7)$$

The dynamic analysis phase involves pattern detection using specific machine-learning algorithms. Here, we consider various factors, including the user's access request, process request, IP address, and vulnerability score (NVD Score). To calculate the dynamic trust value, we assign appropriate weights ($w_1$, $w_2$, $w_3$) to the factors. The weight values are experimental and chosen according to the priority of the factors.

$$\theta_2 = \sum_{i=1}^{n} W_1 \ast AR_i + W_2 \ast PR_i + W_3 \ast NVD_i = 2 \ast 2 + 3 \ast 5 + 4 \ast 7.0 = 47 \quad (8)$$

The overall trust value is calculated as

$$\theta = \theta_1 + \theta_2 = 47 + 0.4 = 47.4 \quad (9)$$

For user validation, here we compare the calculated overall trust value with a predefined trust value of 0.5 (assumed considering various experimental results). If the calculated trust value is more, then the user is allowed for Level-2 security; otherwise the user is blocked.

Once the user has entered the Level-2 security layer, the framework calculates the trust and role of each logged-in user based on their access request and role changes. The vulnerability values are calculated as

$$VC(t) = \sum_{i=1}^{n} TS_i(t) \ast VS_i(t) = 253 \ast 10 = 2530 \quad (10)$$

To determine the exposure level of a packet, we utilize the exposure calculation. If the resulting value exceeds the predetermined threshold, the packet request is dropped.

$$EC(t) = \frac{\sum_{i=1}^{n} AR_i(t) \ast PR_i(t) \ast TS_i(t)}{\sum_{i=1}^{n} TS_i} = \frac{2 \ast 3 \ast 10}{20} = 3 \quad (11)$$
Fig. 5. Identification of similar and dissimilar patterns using the mentioned behavioral pattern matching method in Level-1 security

Fig. 6. Attack packet detection comparison of proposed SFBRA framework with state-of-the-art research proposals

Next, for role calculation, we consider three crucial elements: weight, frequency, and magnitude. The role of each logged-in user is calculated as follows:

$$R_i = \frac{\sum_{i=1}^{n} (W_i \ast M_i) \ast \sum_{i=1}^{n} TS_i}{Role} = \frac{(5 \ast 2) \ast 414}{4} = 1035 \quad (12)$$

The calculated trust is more than the predefined threshold value and the role value is more, so the cloud provides access to the legitimate user.

Example 2: Malicious user trust calculation. When a malicious user logs into the cloud, Level-1 security focuses on behavior analysis to check the trustworthiness. Let $XML^m_i$ be the XML format with behaviors defined as $B_i = \{S_{i,1}, S_{i,2}, \dots, S_{i,m}\}$, where $S_{i,t}$ ($1 < t < m$) is one behavior entry and $S$ is the sequence of behavior. The behavior matrix is calculated as

$$\theta_1 = \frac{\text{no. of 1s in } BM_i}{\text{total entries in } BM_i} = \frac{2}{40} = 0.05 \quad (13)$$

In dynamic analysis, the pattern is detected using specific machine-learning algorithms. The dynamic value is calculated as

$$\theta_2 = \sum_{i=1}^{n} W_1 \ast AR_i + W_2 \ast PR_i + W_3 \ast NVD_i = 0.02 \ast 2 + 0.03 \ast 3 + 0.04 \ast 5.0 = 0.33 \quad (14)$$

The overall trust value is calculated as

$$\theta = \theta_1 + \theta_2 = 0.05 + 0.33 = 0.38 \quad (15)$$

For user validation, here we compare the calculated overall trust value with a predefined trust value of 0.5. The calculated trust value determines that this user is not a legitimate user; the system terminates all the access requests and blocks the user from further execution.

IV. EXPERIMENTAL RESULTS AND EVALUATION

In this section, we present the experimental results and evaluation of our proposed framework, SFBRA (Secure Framework using Behavior and Role Analysis), for cloud data security. The experiments are performed on a machine equipped with an Intel(R) Core(TM) i5-4210U CPU @ 1.70GHz clock speed. The computing machine runs Ubuntu 64-bit and has 8 GB of main memory RAM. The Python 2.7.15 programming language is used. We compare the performance of SFBRA with four state-of-the-art research papers, Chakraborty, S. et al. [7], Feng, F. et al. [8], Ma, W. et al. [9], and A. Servin et al. [1], considering multiple network parameters such as attack detection, throughput, and packet drop. The experiments were conducted using various datasets and metrics to assess the effectiveness and accuracy of our framework. The results are taken from the continuous simulation run over 10 minutes.

A. Attack Detection

We used a synthetic data set of 15000 user logins and ran studies to assess the effectiveness of SFBRA in attack detection. The dataset comprised several attack types, including denial of service (DoS), distributed denial of service (DDoS), IP spoofing, data manipulation, and information leaking. We contrasted SFBRA's performance with the four state-of-the-art research papers Chakraborty, S. et al. [7], Feng, F. et al. [8], Ma, W. et al. [9], and A. Servin et al. [1], each of which used a different strategy for attack detection.

The result analysis of attack detection is shown in Figure 6. In comparison to the other frameworks, SFBRA has a reduced failure rate and bypass rate. A larger percentage of possible threats were successfully identified and stopped, hence boosting the cloud platform's security. In particular, our approach outperformed the other frameworks when it came to identifying possible assaults, achieving an accuracy of 95%.

The integrated strategy used by SFBRA, which combines behavior analysis, role-based access control, and the Feed-Forward Backpropagation neural network (FFBPNN) pattern recognition algorithm, is responsible for its performance in attack detection. A higher degree of security for cloud platforms is provided by SFBRA, which efficiently detects aberrant activity and identifies malicious users by taking into account user log monitoring data and examining user behavior.

B. Throughput

We have done one experiment on a user login database of 15000 users to gauge the performance of our framework. The
system's performance was tested in the trials under numerous circumstances, including diverse protocols and vulnerability levels. The pace at which the system processes data packets is known as throughput, and it reflects the effectiveness and performance of the cloud platform. A throughput accuracy of 92% (approx. 8 Mbps) was attained by SFBRA, according to the testing findings, demonstrating effective data processing and system performance. We contrasted SFBRA's throughput with that of the four state-of-the-art research works we chose, where each used a distinct set of data-processing methods and algorithms. The throughput comparison results of our proposed SFBRA framework with state-of-the-art research proposals are shown in Figure 7.

Fig. 7. Throughput and packet drop comparison of proposed SFBRA framework with state-of-the-art research proposals

Due to its streamlined processing steps, effective role-based access control, and use of pattern recognition algorithms, SFBRA has good throughput performance. SFBRA guarantees seamless and fast data processing, resulting in increased system performance and user experience, by precisely analyzing user requests and behavior.

C. Packet Drop

We have compared the effectiveness of our framework, SFBRA, with the four state-of-the-art research papers Chakraborty, S. et al. [7], Feng, F. et al. [8], Ma, W. et al. [9], and A. Servin et al. [1] for packet drop. The percentage of data packets deleted or rejected by the system during processing is referred to as packet drop. Reduced packet drops mean more dependable and effective data processing, reducing data loss and maintaining smooth communication on the cloud platform. According to the results of our experiments shown in Figure 7, SFBRA has a lower packet loss rate (0.003% on average) than the other frameworks (approximately 10%). This shows that a larger proportion of data packets were correctly handled by our system, guaranteeing dependable communication and reducing data loss.

The strong data processing methods, effective role-based access control, and precise pattern recognition are responsible for SFBRA's performance in minimizing packet loss. To guarantee reliable data transmission, avoid excessive packet dropouts, and enhance system performance, SFBRA manages and prioritizes data packets properly.

In terms of attack detection, throughput, and packet loss, the test findings generally confirm the usefulness and superiority of our suggested framework, SFBRA. The comparisons with the chosen research works reveal SFBRA's performance, showing more accuracy, increased system performance, and improved data security. These findings highlight the usefulness of SFBRA in securing cloud data and preserving the reliability of cloud platforms, confirming its potential for use in real-time applications.

V. CONCLUSION

The proposed Secure Framework using Behavior and Role Analysis (SFBRA) is a thorough and cutting-edge solution to the immediate security issues in cloud computing. SFBRA offers a comprehensive solution for protecting cloud platforms from potential threats by seamlessly integrating static and dynamic analysis methodologies, behavior monitoring, role-based access control, and advanced pattern recognition algorithms. The dual-layered design of SFBRA, which includes Level-1 and Level-2 security measures, demonstrates its flexibility and efficiency in a range of security circumstances. The empirical analyses conducted in this study demonstrate the efficacy of SFBRA over existing approaches, highlighting its accuracy in attack detection, effective data processing throughput, and low packet drop rates. SFBRA ultimately offers itself as a crucial asset in the ongoing growth of cloud security due to its capacity to simultaneously secure data integrity and user privacy while retaining operational efficiency. The proposed SFBRA framework can reinvent the rules of data protection and safe cloud-based operations in the future as the use of cloud platforms continues to influence current data management.

One of the limitations of the proposed framework is that it depends on user log data for behavior analysis. Due to unavoidable circumstances such as log maintenance failure, if the data is not available then it won't be able to calculate the trust value of the user. In the future, we would like to eliminate the limitation mentioned above and test coordinated attacks on our proposed framework to check its efficacy.

REFERENCES

[1] A. Servin and D. Kudenko, "Multi-agent Reinforcement Learning for Intrusion Detection," Proceedings of the 5th, 6th and 7th European Conference on Adaptive and Learning Agents and Multi-agent Systems: Adaptation and Multiagent Learning, 2008.
[2] Kamalakanta et al., "Deep Reinforcement Learning based Intrusion Detection System for Cloud Infrastructure," 12th International Conference on Communication Systems & Networks (COMSNETS), 2020.
[3] Chien-Yi Chiu, Chi-Tien Yeh, and Yuh-Jye Lee, "Frequent Pattern-based User Behavior Anomaly Detection for Cloud System," Conference on Technologies and Applications of Artificial Intelligence, 2013.
[4] M. Mdini, A. Blanc, G. Simon, J. Barotin, and J. Lecoeuvre, "Monitoring the Network Monitoring System: Anomaly Detection using Pattern Recognition," Proceedings of the International Conference on Network and Service Management (CNSM), 2017.
[5] Sethi, K., Chopra, A., Bera, P., and Tripathy, B. K., "Integration of Role Based Access Control with Homomorphic Cryptosystem for Secure and Controlled Access of Data in Cloud," In Proceedings of Security of Information and Networks, 2017.
[6] Sethi, K., Majumdar, A., and Bera, P., "A Novel Implementation of Parallel Homomorphic Encryption for Secure Data Storage in Cloud," International Conference on Cyber Security and Protection of Digital Services, 2017.
[7] Chakraborty, S., and Ray, I., "TrustBAC - Integrating Trust Relationships into the RBAC Model for Access Control in Open Systems," In Proceedings of the ACM Symposium on Access Control Models and Technologies, 2008.
[8] Feng, F., Lin, C., Peng, D., and Li, J., "A Trust and Context-Based Access Control Model for Distributed Systems," 10th IEEE International Conference on High-Performance Computing and Communications, 2019.
[9] Ma, W., Zhou, Q., Hu, M., and Wang, X., "A Deep Learning-Based Trust Assessment Method for Cloud Users," Security and Communication Networks, 2021.
[10] Teni, C., and Nawale, A., "A Comprehensive Review on Cloud Computing Security," Vidhyayana - An International Multidisciplinary Peer-Reviewed E-Journal, 2023.
[11] Tian, Y., and Romero Nogales, A. F., "A Survey on Data Integrity Attacks and DDoS Attacks in Cloud Computing," IEEE 13th Annual Computing and Communication Workshop and Conference (CCWC), 2023.
[12] Butt, U. A., Amin, R., Mehmood, M., Aldabbas, H., Alharbi, M. T., and Albaqami, N., "Cloud Security Threats and Solutions: A Survey," Wireless Personal Communications, 2023.
[13] Attou, H., Guezzaz, A., Benkirane, S., Azrour, M., and Farhaoui, Y., "Cloud-Based Intrusion Detection Approach Using Machine Learning Techniques," Big Data Mining and Analytics, 2023.
[14] Akbar, H., Zubair, M., and Malik, M. S., "The Security Issues and Challenges in Cloud Computing," International Journal for Electronic Crime Investigation, 2023.
[15] Kumar, U. V., and Reddy, E. M., "Preventing Unauthorized Users from Accessing Cloud Data," Available online at: https://ssrn.com/abstract=4448543, 2023.
[16] National Vulnerability Database (NVD). Available on: https://nvd.nist.gov/vuln/search. Accessed on June 2023.
[17] Gupta, R., Gupta, I., Singh, A. K., Saxena, D., and Lee, C. N., "An IoT-centric Data Protection Method for Preserving Security and Privacy in Cloud," IEEE Systems Journal, 2022.
[18] Gupta, R., Saxena, D., Gupta, I., and Singh, A. K., "Differential and Triphase Adaptive Learning-based Privacy-preserving Model for Medical Data in Cloud Environment," IEEE Networking Letters, 4(4), pp. 217-221, 2022.
[19] Gupta, I., Gupta, R., Singh, A. K., and Buyya, R., "MLPAM: A Machine Learning and Probabilistic Analysis Based Model for Preserving Security and Privacy in Cloud Environment," IEEE Systems Journal, 15(3), pp. 4248-4259, 2020.
[20] Singh, A. K., and Gupta, R., "A Privacy-preserving Model Based on Differential Approach for Sensitive Data in Cloud Environment," Multimedia Tools and Applications, 81(23), pp. 33127-33150, 2022.