Detecting Suspicious File Migration or

Replication in the Cloud

Adam Bowers† , Cong Liao‡ , Douglas Steiert† , Dan Lin† , Anna Squicciarini‡ , Ali Hurson§
† Department of Electrical Engineering and Computer Science

University of Missouri
Email: {acbqbd,djsg38,lindan}@missouri.edu
‡ Information Science and Technology

Pennsylvania State University

Email:{cxl491, asquicciarini}@ist.psu.edu
§ Department of Computer Science

Missouri University of Science and Technology

Email:[email protected]

Abstract—There has been a prolific rise in the popularity of cloud
storage in recent years. While cloud storage offers many advantages
such as flexibility and convenience, users are typically unable to tell
or control the actual locations of their data. This limitation may affect
users’ confidence and trust in the storage provider, or even render
cloud unsuitable for storing data with strict location requirements. To
address this issue, we propose a system called LAST-HDFS which
integrates Location-Aware Storage Technique (LAST) into the open
source Hadoop Distributed File System (HDFS). The LAST-HDFS sys-
tem enforces location-aware file allocations and continuously monitors
file transfers to detect potentially illegal transfers in the cloud. Illegal
transfers here refer to attempts to move sensitive data outside the
(”legal”) boundaries specified by the file owner and its policies. Our
underlying algorithms model file transfers among nodes as a weighted
graph, and maximize the probability of storing data items of similar pri-
vacy preferences in the same region. We equip each cloud node with a
socket monitor that is capable of monitoring the real-time communication
among cloud nodes. Based on the real-time data transfer information
captured by the socket monitors, our system calculates the probability
of a given transfer to be illegal. We have implemented our proposed
framework and carried out an extensive experimental evaluation in a
large-scale real cloud environment to demonstrate the effectiveness and
efficiency of our proposed system.
1 I NTRODUCTION
With the ever-increasing popularity of cloud computing, the
demand for cloud storage has also increased exponentially.
Computing firms are no longer the only consumers of cloud
storage and cloud computing, but rather average businesses,
and even end-users, are taking advantage of the immense
capabilities that cloud services can provide. While enjoying
the flexibility and convenience brought by cloud storage,
cloud users release control over their data, and particularly
are often unable to locate the actual their data; this could be
in-state, in-country, or even out-of-country. Lack of location
control may cause privacy breaches for cloud users (e.g.,
'LJLWDO2EMHFW,GHQWL¿HU7'6&
‹3HUVRQDOXVHLVSHUPLWWHGEXWUHSXEOLFDWLRQUHGLVWULEXWLRQUHTXLUHV,(((SHUPLVVLRQ
6HH KWWSZZZLHHHRUJSXEOLFDWLRQV VWDQGDUGVSXEOLFDWLRQVULJKWVLQGH[KWPO IRU PRUH LQIRUPDWLRQ
hospitals) who store sensitive data (e.g., medical records) that
are governed by laws to remain within certain geographic
boundaries and borders. Another situation were this problem
arises is with governmental entities that require all data to be
stored in the same country that the government operates in;
this challenge has seen difficulties with cloud service providers
(CSPs) quietly moving data out-of-country or being bought out
by foreign companies. For example, Canadian laws demand
that personal identifiable data must be stored in Canada.
However, large cloud infrastructure like the Amazon Cloud has
more than 40 zones distributed all over the world [1], which
makes it very challenging to provide guaranteed adherence to
regulatory compliance. Even Hadoop, which historically has
been managed as a geographically confined distributed file
system, is now deployed in large scale across different regions
(see Facebook Prism [2] or recent patent [3]).
To date, various tools have been proposed to help users
verify the exact location of data stored in the cloud [4]–[6],
with emphasis on post-allocation compliance. However, recent
work has acknowledged the importance of a proactive location
control for data placement consistent with adopters’ location
requirements [4], [7], [8], to allow users to have stronger
control over their data and to guarantee the location where
the data is stored.
In this work, we infiltrate into one of the most widely
adopted cloud data storage systems–Hadoop Distributed File
System (HDFS), and design an enhanced HDFS system, called
LAST-HDFS. The LAST-HDFS extends HDFS’ capabilities
to achieve location-aware file allocations and file transfer
monitoring. Specifically, LAST-HDFS provides the following
new functions: (i) consistently enforces a location-aware data
loading and storage by assigning datanodes according to user
specified privacy policies; (ii) actively tracks and dynamically
corrects possible data migration (due to balancing or data

Name Node
Location-aware
File Allocator
Data Node Data Node
Socket Monitor Socket Monitor
Illegal File Illegal File
Transfer Detector Transfer Detector
Fig. 1: Architecture of the Name Node and Data Nodes
replication needs) within the cluster that might violate data
placement policies; (iii) detects potentially illegal data migra-
tion, by monitoring socket communication between individual
datanodes and correlating it with the constraints imposed by
the policy.
The idea of our approach is that, once data is allocated
per users’ location preferences, our framework monitors real-
time file transfers in the cloud and is capable of detecting
potential illegal transfers. An illegal transfer in our context
denotes moving sensitive data outside the legal boundaries
specified by the file owner (e.g., storing a file in a physical
location other than what the file owner desires). Our approach
builds on the observation that users’ location preferences
are often consistent with privacy laws and regulations. As a
result, files can be gathered into groups in which multiple
users share the similar, if not the same, location preferences.
Accordingly, our system allocates cloud nodes based on the
similarity of users’ location preferences. More specifically, we
model the file transfers among nodes as a weighted graph
and then maximize the probability that files with similar
privacy preferences will be stored in the same region. We then
devise socket monitoring functions to monitor the real-time
communication among cloud nodes. Based on our legal file
transfer graph and the communication that is detected between
the nodes, we are able to calculate the probability of a transfer
being illegal. Figure 1 shows an overview of the proposed
system, whereby the name node in HDFS is equipped with
our proposed location-aware file allocator, and the data nodes
are equipped with the proposed illegal file transfer detector
that analyzes information collected by socket monitors.
We carry out extensive experimental studies in both a real
cloud testbed and a large-scale simulated cloud environment to
demonstrate the efficiency and effectiveness of our proposed
system. Experimental results confirm correctness of location
enforcement in file uploading and load balancing process with
little computational overhead, as well as the capability to
verify data placement under potential attack and multi-user
scenarios through socket analysis.
The rest of the paper is organized as follows. Section 2
presents the use case of our proposed system. Section 3
briefly review the background about the Hadoop system. Then,
Section 4 gives an overview of the proposed LAST-HDFS
system followed by detailed implementation algorithms in
Section 5. Section 6 reports the experimental results. After
that, Section 7 reviews related work in secure cloud storage.
2
Finally, Section 8 concludes the paper and outlines future
research directions.
2 U SE C ASE
In order to better motivate our work and clarify our goal,
we discuss the impact our proposed approach in realistic
distributed cloud settings. Take for instance, the sample use
of data legally required to stay in country of origin. In this
case false positives in particular are unacceptable due to
contractual and service level agreement (SLA) bindings. A
compelling case for this above case would be an example of
government systems. With the recent Executive Orders [9] to
further increase the security aspects of our cyberspace, there
is a push to move government data to the cloud infrastructure.
The reasoning behind this is due to limited physical infras-
tructure and the common other advantages such as flexibility,
convenience, and scalability. However, since the data being
stored on the cloud is governmental data, there are instances in
which not everyone should be able to access the data, such as
that from Department of Defense (DoD), whereas Department
of Energy (DoE) data is usually public. These two different
data types, public and private, need to be stored differently.
The private data can be set up on private cloud servers that can
be assured to reside within the United States, while the public
data may be stored in the public commercial cloud such as
Amazon S3 and be analyzed using big-data analytic tools such
as Hadoop in Amazon EC2. Yet, for such pubic governmental
data, there still needs to be assurance that this data does not get
processed or placed on nodes that reside outside the United
States. To overcome this challenge, our proposed approach
can be directly adopted by the public cloud services such as
Amazon EC2 to enhance the location protection when Hadoop
is used for data analysis. As for the storage services like
Amazon S3, our proposed approach can be adopted with some
minor tweaks. We can introduce a name node manager as used
in [4] to perform the proposed location-aware file allocation
tasks and validate transfers that we are probabilistically unsure
of being legal or not. The data storage nodes will still be
equipped with socket monitors to collect suspicious transfer
information. Given that we know the probability of an illegal
data transfer from one region to another, the transfer with high
probability to be illegal will be sent to the name node for
further inspection.
3 BACKGROUND ON H ADOOP D ISTRIBUTED
F ILE S YSTEM (HDFS)
In this section, we provide some background information on
the Hadoop Distributed File System (HDFS), which is the
base of our system. HDFS [10] is an essential component of
the open source Hadoop software. HDFS is a distributed file
system designed to run on commodity hardware and support
distributed data storage and access by applications running on
top of it with high throughput and fault-tolerance. It adopts a
master-slave architecture, which consists of a single namenode
as the master node and multiple datanodes as the slave nodes.
The namenode manages file system meta-data and orchestrates
file accesses. The datanodes serve read/write requests issued

by clients and perform the actual read/write operations on disk
blocks as instructed by the namenode. In what follows, we
briefly review the data storage and load balancing mechanisms
adopted by the current HDFS since our proposed system will
revise these two functions to achieve location-aware storage.
3.1 Write Mechanism in HDFS
For a data owner (client) to upload a file to HDFS, he needs to
first initiate a write request to the namenode asking to create
a new file in HDFS. Once the namenode approves the request,
the client will begin writing data to the stream where data is
split into packets. Each packet represents a data block of the
file that will be written to the datanodes. A separate thread in
the client will pick up a packet and contact the namenode,
from which a list of candidate datanodes will be returned
to the client. Then, the client will send write packet to the
first datanode in the list where the data block will be stored.
Subsequently, the data block will be replicated to the following
datanodes in the list in a pipeline manner.
3.2 Load Balancing in HDFS
Load balancing is of great importance to the overall perfor-
mance of HDFS clusters, especially when a new datanode is
added to the cluster or the disk space of certain datanodes
is saturated. Hadoop provides a balancer tool that allows a
cloud administrator to balance the disk space usage in a HDFS
cluster. An outline of the load balancing process is described
below:
1) The balancer partitions all the datanodes into two
groups: i) under-utilized node group and (ii) over-
utilized node group, based on their data block usage
reports.
2) The balancer randomly select one datanode from each
group to form a pair of nodes whose load will be
balanced by transferring certain amount of data from
one to the other.
3) The balancer randomly selects a list of data blocks in
the over-utilized datanode and transfer the data to the
under-utilized datanode in the same pair.
4) The balancer iterates the above three steps until all
the datanodes in the cluster reach certain utilization
threshold, i.e., the system achieves balanced load.
4 A N OVERVIEW OF THE P ROPOSED
LAST-HDFS S YSTEM
In this section, we first layout the system design goals and the
threat model. Then, we present an overview of our proposed
LAST-HDFS system.
4.1 Design Goals
We consider a cloud architecture similar to the Amazon Cloud,
which is partitioned in multiple zones and each zone contains a
number of cloud nodes (e.g., 50,000 [11]). Each node supports
a distributed file system such as HDFS (Hadoop Distributed
File System). A file is typically partitioned into chunks of
3
equal size which are then replicated three times when stored
in the cloud. In our work, we will simply refer to the “file
chunks” as “file”.
Our overarching goal is to enable HDFS to support location-
aware data storage so that data owners’ location privacy
policies are strongly enforced when storing their data in the
cloud. Recall that in the existing HDFS, the locations of a user
uploaded file are determined by two factors: i) data replication
for the purpose of fault-tolerance, and ii) load balancing to
optimize cluster space utilization. In other words, users’ file
chunks will be replicated to multiple datanodes when the files
are uploaded for the first time, and it is very likely that the
file blocks on saturated nodes may be transferred to under-
utilized nodes at a later time. Therefore, in order to enforce
users’ location settings during the lifespan of their data in the
cloud, we need to achieve the following design goals:
1) When uploading the files to the cloud, users should be
allowed to specify the location constraints (e.g., regions,
countries) within which their data is allowed to be placed
in the cloud.
2) The location constraints (i.e., location privacy policies)
specified by the users should be consistently enforced
during the data replication process.
3) The location constraints (i.e., location privacy policies)
should also be consistently enforced during the load
balancing process.
4) Any data movement (caused by malicious attacks) that
violates the location constraints should be detected.
4.2 Threat Model
In our system, we consider the following three types of
entities:
• File loader: It uploads files to the cloud on behalf of users.
• Namenode: It is the master node in HDFS which manages
the entire file system and also interacts with users.
• Datanodes: They are the nodes that actually store the user
data.
Accordingly, we make the following assumptions and threat
model. The namenode is the core node in the system and
is assumed fully trusted due to the following reasons. There
is typically one name node per cluster with a couple of its
backups. That means the number of name nodes is far less
than the number of data nodes. The name node controls all
the file directories which are extremely important to the service
provider to ensure the availability of the whole cloud service,
and hence the name node is typically much better protected
and already closely monitored by the service provider. With
that said, the namenode will faithfully handle requests from
users. On the other hand, since the number of data nodes is
huge, it is much more challenging for the service providers to
keep track of the behavior of all the data nodes. The attacks on
data nodes are more silent, frequent, and hard to be noticed.
Thus, we do not assume all the datanodes are fully trusted.
The compromised datanodes could intentionally transfer or
copy users’ data to any other nodes that may reside outside the
legal regions specified by the users. Attackers may do this for
various purposes such as analyzing users’ data for advertising,

selling users’ data to obtain financial gains, stealing one’s
private information, or even using this to hide malicious data.
Our proposed system aims to protect users’ data from this kind
of attacks.
4.3 LAST-HDFS System Components
We now provide an overview of our proposed LAST-HDFS
system. With respect to the goals and threat model that we
described above, the LAST-HDFS adds two new features to
the existing HDFS, which are (i) location-aware file allocation
and (ii) real-time file transfer analysis.
The location-aware file allocation feature is realized through
three new components:
• Location-aware File Loading: This is a file loader that
runs on the namenode (master node) to perform the file
loading operations upon users’ requests. Along with the
file uploading request, the file loader will also accept
the users’ location privacy policies if any. In the loca-
tion privacy policy, the user can clearly specify which
regions/countries are allowed to store their data and the
maximum number of copies of data can be stored.
• Location-aware File Replication: This function is per-
formed by the namenode in order to allocate datanodes
that satisfy the user’s location privacy policy. It replaces
the original file replication function in HDFS. Specifi-
cally, once the user’s request has been submitted to the
namenode by the file loader program, the namenode will
return a list of candidate nodes according to the required
regions and the replication factor specified in the policy
file. The policy will be enforced by the namenode such
that only the qualified datanodes will be selected and
the number of chosen datanodes equals the replication
factor. In case there is no enough space or sufficient
number of qualified datanodes available, the namenode
will only select those that meet the criteria and reduce
the replication factor accordingly, and inform the user
about this.
• Location-aware Load Balancing: This function is also
performed by the namenode to balance the loads on in-
dividual datanodes while enforcing location privacy poli-
cies. This function replaces the original load balancer in
HDFS. As we know, load balancing is essential to ensure
the optimal performance of the cloud storage services.
Our proposed location-aware load balancer inherits this
important property while taking into account the location
privacy concerns. During the load balancing process,
whenever a particular data block is selected to be moved
or copied from one datanode to another, the location-
aware load balancer will check the policy associated with
the data and verify whether the destination datanodes are
permitted by the policy. If not, another datanode will be
selected and verified similarly till the qualifying nodes
are found.
The real-time file transfer analysis is realized with one new
component called Host-based Socket Monitoring. The basic
idea of the host-based socket monitoring is the following.
Since the data transfer between the datanodes relies on socket
4
Fig. 2: An Example of File Storage and Transfer in the Cloud
communication, monitoring socket connections between indi-
vidual datanodes within a HDFS cluster provides useful insight
into how data is moved. The socket monitor is in charge of
monitoring all of the communication that occurs between the
multiple nodes within the cloud infrastructure. Note that the
socket monitor only detects packets transferred between nodes
but not the content of the packets. The challenge here is to
address the following question, “How can the cloud service
provider optimally allocate storage nodes for users so that the
socket monitoring component can easily conclude that there
is a violation during the file transfer?”
Consider the example in Figure 2. Without loss of general-
ity, we adopt the following format to represent users’ location
preferences regarding their data in the cloud.
Definition 1: Given a user u, his/her location privacy pol-
icy Pu is in the form of Pu ((f1 , Υ1 ), (f2 , Υ2 ), ..., (fk , Υk )),
where fi represents user u’s files and Υi is a set of regions
in the cloud that are allowed to store fi .
User u1 has a policy Pu1 ((f 11, {R1 , R2 }), (f 12, {R3 })), user
u2 has a policy Pu2 ((f 21, {R1 , R2 })) and user u3 has a policy
Pu3 ((f 31, {R2 , R3 }), (f 32, {R1 , R3 })). Assume that chunks
of these three users’ files are allocated to the available cloud
nodes A, B and C based on individual privacy preferences as
illustrated in the figure.
Suppose that the socket monitor at node A detects a file
transfer from node A in region R1 to node C in region R3 .
Since both files f 11 and f 21 stored in node A are not allowed
to be stored in region R3 , we can easily conclude that this
file transfer must be illegal even though the socket monitor
does not know which file is transferred. The conclusion in
this instance is based on the knowledge that every file in node
A cannot be transferred to region R3 , so there is no need
to determine which files are being transferred. However, in
another case when the socket monitor at node B detects a file
transfer from itself to node D in region R3 , we would not
be able to know for sure whether this file transfer is legal or
illegal. This is because one of the file items (f 31) at node B
is allowed to be stored in region R3 whereas the other file
f 11 is not allowed to be stored at R3 . If this file transfer is
about f 31, then it is legal. Otherwise, it is an illegal transfer.
From the above example, we can observe that if our proposed
file allocation method enables the cloud server (i.e., the name
node in HDFS) to allocate files associated with similar location
preferences, our system would be more efficient at detecting
illegal file transfers.

Fig. 3: An Example of the LP-tree
5 D ETAILED A LGORITHMS FOR
I MPLEMENTING THE LAST-HDFS S YSTEM
In this section, we present the detailed algorithms that support
the two major functionalities in the proposed LAST-HDFS
system, including (i) location-aware file allocation and (ii)
real-time file transfer analysis.
5.1 Location-aware File Allocation
We will present the algorithms first and then discuss the system
implementation details.
5.1.1 Algorithms
Due to the increasing number of the users who are adopting
the cloud services, large amounts of cloud storage requests
are being received continuously over time by cloud service
providers. When a user has an incoming storage request, our
proposed location-aware file allocation aims at finding the
cloud nodes that store the files with location preferences most
similar to that of the newly uploaded file, so as to help identify
additional illegal file transfers in the future. A straightforward
way to perform this step is to simply compare the location
preference of the new data item with the location preferences
of all the existing data items already stored in the cloud.
However, considering the scale of the cloud, this naive solution
is obviously very time consuming to carry out. Therefore, we
propose an efficient approach, i.e., the Location Preference
(LP) tree, to help speed up this process.
Our proposed LP-tree will index location preferences of
the files stored in each cloud node. The tree is maintained
and updated by the name node whenever there is an update
to the file storage, such as cloud nodes or files being added
or deleted. An example of the LP-tree is shown in Figure 3,
whereby N0 , ..., N5 denote the names of the nodes in the
index, and the # symbol indicates the number of users who
have their information indexed in the same index node. The
leaf nodes of the tree contain the IDs of the cloud nodes which
store files with the similar geographical location preferences.
The internal nodes of the LP-tree record the aggregated
location preferences of their corresponding children nodes, so
as to facilitate the search for the suitable cloud nodes that have
available space for incoming storage requests. The aggregated
location preferences include two kinds of information: (i) the
IDs of the allowed regions; and (ii) the number of data items
associated with each allowed region. For example, as shown
in Figure 3, the first entry in Node N1 is (4R1,5R2), which
5
means 4 files stored in the cloud nodes indexed by N1 have
location preference of region R1 and 5 files prefer region R2 .
The example LP-tree corresponds to the example in Figure 2.
Specifically, cloud node A stores the data items f 11 and f 21
which have their location preferences constrained to R1 and
R2 . Assume that some other cloud nodes F and G store data
items with the same location preferences as node A. Then,
cloud nodes A, F and G are recorded in the same leaf node
N2 in the tree as illustrated in Figure 3, where # = 4 indicates
the files belong to 4 different users. Similarly, node N3 in the
tree shows that both of the cloud nodes B and E store data
items with the same location preferences R2 and R3 and these
files belong to 2 different users.
The construction of the LP-tree is as follows. Starting from
the first new data item uploaded to the cloud, the name node
will look for an empty cloud node within the satisfying regions
(e.g., R1 and R2 for f 22). If an empty cloud node is found,
the new data item will be stored in that cloud node. Since the
LP-tree is empty right now, a root node will be created. One
of the root node’s entries will be used to record this new data
item’s indexing information (e.g., the ID of the cloud node
that stores this item). For the subsequent insertions of data
items to the LP-tree, the first step is to search in the LP-tree
to identify potential cloud nodes which stores the data items
with the same location preferences as the new data item. If
such cloud node is found and has capacity to store the new
item, the aggregation information in its parent node in the LP-
tree will be updated to include the new item. For example, a
new file with location preferences R1 and R2 may be stored
in cloud node F and we only need to update N1 ’s aggregation
information from (4R1, 5R2) to (5R1, 6R2). The update will
also propagate to all the ancestor nodes.
If none of the cloud nodes indexed by the LP-tree has
sufficient storage space, the name node will identify a new
empty cloud node and create a new index entry. The new
index entry will be inserted into the leaf node whose location
preferences are the same as the new data item. If a leaf node
in the LP-tree is full, it will be split into two nodes and the
aggregation information at the parent level will be adjusted.
Such adjustment may propagate all the way up to the root.
In this way, the LP-tree’s height will increase gradually. For
example, if a new file with location preferences R1 and R2
arrives in the cloud, the name node will start checking the root
node of the LP-tree. It will find that the first entry in the root
node contains (R1 , R2 , R3 , R4 ), which includes the new data
item’s location preferences of R1 and R2 . Then, it retrieves

Algorithm 1 Data Allocation
1: procedure A SSIGN DATA(data, node, minMatch)  find
node to add data to
2: if node = null then return false
else if node.children=null and
3:
4: node.estimateConfidenceLevel(data)>minMatch then
5: node.addData(data) return true
6: end if
7: bestMatch = null
8: bestScore = 0
9: for child in node.children do
10: score = child.estimateConfidenceLevel(data)
11: if score>bestScore then
12: bestMatch = child
13: bestScore = score
14: end if
15: end for
16: return AssignData(data,bestMatch,minMatch)
17: end procedure
the child node N1 of that first entry. By inspecting all the
entries in N1 , it finds that the first entry of N1 contains the
new data item’s preferred locations, and hence check all the
cloud nodes indexed by N2 which are cloud nodes A, F and
G. If A, F and G do not have sufficient space for the new data
item, the name node will find an empty cloud node (say H).
An index entry for H will be created and inserted to Node N2 .
Suppose that N2 is full, N2 will be split into two index nodes:
one contains entries for A and F, and the other contains entries
for G and H. A parent index entry for the newly created node
will be inserted into Node N1 . Similar tree adjustment will
occur in all the ancestor nodes of this new node.
In the case when none of the cloud nodes indexed by the
LP-tree has the same location preferences as the new data item,
we propose a metric called confidence level to help identify
the most suitable node for the new data item so that such
storage could maximize the chance of detecting non-compliant
file transfers. As shown in Algorithm 1, the algorithm still
starts the search from the root node of the LP-tree. Instead
of only looking for exact matches of the location preferences,
the algorithm also checks the nodes which partially match the
new data item’s location preferences. These tree nodes will be
examined in a descending order of the number of matching
location preferences. Once the best answer is found (e.g., the
exact match), we do not need to check the remaining tree
nodes. When the algorithm reaches the leaf node of the LP-
tree, we will compute the confidence level of the candidate
cloud node by assuming that the new data item would be stored
there (but not actually store it yet). The higher the confidence
level is, the higher the probability that a communication
incurred between two nodes could be an allowed file transfer.
We will choose the cloud node with the highest confidence
level to actually store the new file. The confidence level is
computed as follows:
6
 Si→j
Si→j +Sij , Si→j ≤ Sij
Ci→j = Sij (1)
Si→j +Sij ,
otherwise
N r
j=1 Ci→j
DCi = (2)
Nr
Equation 1 computes the confidence level of detecting an
illegal transfer from region i to j. Without loss of generality,
we assume each file chunk is of the same size. Then, Si→j
denotes the number of file chunks (including the new data
item) in the cloud node to be considered, that are allowed to
be transferred from region i to region j based on the data
owners’ privacy preferences. On contrast, Sij denotes the
number of file chunks that are not allowed to transfer to region
j. The intuition behind the calculation is that the more files
that are allowed (or not allowed) to be transferred to the same
place, the easier to determine whether the file transfer is illegal.
Specifically, if all files at region i are allowed to be transferred
to region j, it would be easier to conclude that any file transfer
detected between these two regions later on should be legal,
and hence the confidence level Ci→j of making the conclusion
is as high as 1. On the other hand, if none of the files at
region i are allowed to be stored at region j, it would also
be easy to conclude that any file transfer between these two
nodes are illegal, and hence the confidence level Ci→j is also
1. The case where uncertainty is the highest is when half of
the files at region i are allowed to be transferred to region
j whereas the other half are not. In this case, the confidence
level is lowered to 50%, which is similar to a random guess.
After computing the confidence level for the candidate region i
regarding all other regions, we aggregate the confidence level
to obtain the final detection confidence (DCi ) in Equation
2, whereby Nr denotes the total number of regions specified
in the files of the node being considered. Choosing the node
with the highest DCi value maximizes the chance to make the
correct judgement on a file transfer.
Table 1 shows a simple example of the confidence level
calculation assuming there are total 10 data items in the cloud
node i. As reported, the confidence level is 1 in the case when
0 or all files are allowed to be transferred to region j. Similarly,
when there is only one file which is allowed or disallowed to
be transferred to region j, the confidence level is the same at
0.9. When half of the files are allowed (or disallowed) to be
transferred to region j, the confidence level of detecting the
illegal transfer decrease to the lowest 0.5 which is basically a
random guess.
To gain a better understanding of the algorithm, let us look
at the following example. Assume that a new data item is
requested to be contained to only regions R1 or R6 , and
should ideally not be transferred to any other regions. Based
on the LP-tree in Figure 3, there is not any node with exact
match of the location preferences of the new data item. Rather,
there are several candidate nodes that fulfill part of this new
file’s location preferences, which are cloud nodes A, F, G and
K. Nodes A, F, G contain 5 files with location preference of
R1 partially matching the new file’s location preferences, and
their detection confidence after adding the new file would be

TABLE 1: Examples of Confidence Score Calculation
Si→j Ci→j
0 1
1 0.9
2 0.8
3 0.7
4 0.6
5 0.5
6 0.6
7 0.7
8 0.8
9 0.9
10 1 This step aims to store the user data at the specified
73%. Node K contains only 2 files with location preferences
partially matching the new file, and its detection confidence
after considering the new file would be 67%. By comparing
the detection confidence of them, we can find that nodes A,
F, G are better candidates.
With the aid of the LP-tree, we only need to check log(n)
nodes in the LP-tree to locate candidate cloud nodes to store
a newly uploaded file, where n is the total number of cloud
storage nodes. The
 space complexity in the worse case for the
LP-tree is log( xr ), where r is the number of regions and x is
the
 r  number of regions allowed. The reason for this is there are
x possible policies that need to be represented by the tree.
It is worth noting that the actual policies can be stored in the
hard drive. Only the top few levels (typically 2 or 3 levels) of
the LP-tree (a few MB) need to be stored in the main memory
for quick retrieval.
5.1.2 System Implementation
To realize the proposed location-aware file allocation, we need
to extend three components in the existing HDFS as elaborated
in the following.
Location-Aware File Loader
The file loader is a Java application program that takes data
location policy files as input and prepare for the data repli-
cation on the specified nodes. Instead of using FileSystem
APIs that are normally designated for user programs, we
leverage public APIs provided by DFSClient class to improve
efficiency. Specifically, one of the public methods, named
create, has a particular input parameter FavoredNodes,
which virtually allow users to specify their preferred nodes for
storing the data. Hence, this particular method is by default
used by our file loader when handling user requests.
The data location policy file is designed as a simple text file
containing multiple file entries. Each entry has the following
format:
src path, dest path, replica, region ID
where src path is the file location in local host, and dest
path is the file location in HDFS. replica denotes the
replication factor, which allows users to store multiple copies
of data for the purpose of fault-tolerance. Lastly, region ID
denotes the locations where data should be stored, represented
by user friendly texts such as “EAST US” or “WEST US”.
These representations are predefined and associated with a
7
list of IP addresses of datanodes respectively. The mapping
between regions and datanodes are hard-coded in the file
loader as described in Section 6.1.
Users have the choice of submitting their data either with or
without a data location policy file. If a policy file is provided,
the locations in the file will be extracted and serve as the input
value of the parameter FavoredNodes in the corresponding
API call. Otherwise, the location is considered as null when
the create method is invoked.
Location-Aware Replicator
locations. When the create method is invoked by file loader,
a request is sent to the namenode asking for a list of datanodes
to store the data as we describe with the write mechanism in
HDFS in Section 3.1. The datanodes are selected according to
the class BlockPlacementPolicy. In Hadoop’s default im-
plementation of BlockPlacementPolicy, candidate datan-
odes are firstly drawn from the list of FavoredNodes specified
by the user. However, there is no guarantee that a candidate
datanode will be actually selected unless it meets a series of
criteria, e.g., enough space and low network latency. In case
of disqualified candidate datanodes in the FavoredNodes list,
additional datanodes will be selected from those nodes who
do not belong to the preferred list, in order to make sure that
the number of returned datanodes equals the replication factor.
As a result, it is possible that some copies of user data will
be stored in the locations against the date location policy.
To enforce the location policy in the process of
data replication, we extend the default implementation of
BlockPlacementPolicy and override the original procedure
of selecting candidate datanodes. In our design, if there exists
the case where at least one candidate datanode from the
FavoredNodes list is disqualified, we reduce the replication
factor to the number of datanodes that are eventually selected
by the namenode, instead of selecting other possible datanodes
outside the scope of the FavoredNodes list. As for changing
the replication factor, we leverage the Hadoop shell command
hdfs setrep. Specifically, we add a command option -w so
that the change will only be made after the replication process
has ended. In this way, we can ensure that the data location
policy can be consistently enforced in the replication process.
For such files whose replication factor cannot be met at this
initial uploading, our system will invoke the location-aware
replication process again whenever there is resource released
in order to produce desired number of copies eventually.
Location-Aware Load Balancer
During the data processing in Hadoop, load balancing may
occur once in a while to maximize the system performance.
If we rely on the default Hadoop load balancer, user data
may be moved to the nodes that do not satisfy location
data policies since the default Hadoop load balancer does
not consider location privacy issues. In order to consistently
enforce location policy during the load balancing, we enhanced
the Hadoop load balancer by adding an additional procedure to
check whether the outgoing location of the selected data block
on the over-utilized node conforms to the policy specified
in the data location configuration file. In particular, we add

Select a
Block ID
Find the
corresponding
 
Find the
 


 
  1
Check if the outgoing
 
 


 
 
No
True?
Yes
Prepare for
transfer
Fig. 4: Work Flow of isDataBlockLocationValid
the isDataBlockLocationValid function to the current
implementation of Hadoop balancer as illustrated in Figure 4.
The challenge of implementing the above process is to find
the mapping from the data blocks to the filename because
the mapping is not supported by the programmable API in
HDFS. To address this issue, we studied the Hadoop tool fsck
which can provide the current storage status of HDFS, and
identified a useful command that can serve our purpose. The
command is -files, -blocks, -locations such that the
data blocks and corresponding locations of a given file are
known. Specifically, for those files protected by data location
policies, we execute the following command tool:
hdfs fsck <path> -files -blocks -locations
where <path> denotes the absolute path of the file in HDFS.
It will yield a list of data blocks and their whereabouts for the
given file as output. We further process the output to create the
mapping from the data blocks to the filename and store the
mapping in a file. The file will be loaded when we launch
our balancer tool. The above process is encapsulated in a
script shown below and the code for parsing fsck output is
implemented in ParseFsckOutput Java program.
5.2 Real-time File Transfer Analysis
We now proceed to discuss how to perform real-time file
transfer analysis to capture potentially illegal transfers.
5.2.1 Illegal File Transfer Detection Algorithm
The main idea of the illegal file transfer detection is to build
a dynamic Legal File Transfer (LFT) graph along the file
allocation process to capture the possible file transfer routes in
the cloud. Then, by comparing a detected file transfer with the
expected routes in the LFT graph, we estimate the probability
8
1
(f11, f21) A
1
1 R1
(f11, f31) B 1
(f12, f32) C 0.5
1 R2
D 1
1
E
R3
F 0.9
Fig. 5: An Example of the Legal File Transfer Graph
of the detected file transfer being illegal or not. The formal
definition of the LFT graph is given below:
Definition 2: The Legal File Transfer  graph is a weighted
directed bipartite graph LF T = (V R, E), where V de-
notes the set of cloud nodes, R denotes the cloud regions,
and E denotes the edges from the cloud nodes to the cloud
regions. Each edge eij is associated with a weight value
S
wij = Si→ji→j +Sij which indicates the percentage of files
located at the cloud node i allowed to be transferred to cloud
region j.
In the LFT graph, each edge indicates a possible file transfer
route from a cloud node to a cloud region. The weight value
on the edge further helps to determine the probability that a
file transfer could be illegal.
Recall the example in Figure 2. User u1 has a pol-
icy Pu1 ((f 11, {R1 , R2 }), (f 12, {R3 })), user u2 has a
policy Pu2 ((f 21, {R1 , R2 })) and user u3 has a policy
Pu3 ((f 31, {R2 , R3 }), (f 32, {R1 , R3 })). Figure 5 shows an
example of a partial LFT graph built based on this running
example. Each region in the cloud is represented as a node
in the graph such as nodes R1 , R2 and R3 in the figure,
and each cloud node that has been used for storage is also
represented as a node in the graph such as nodes A, B, C,
D, E, and F . If files stored in a cloud node A are allowed
to be transferred from region R1 to R2 , then there is an edge
in the LFT graph from A to R1 and R2 . The weight value
on the edge A → Ri indicates the percentage of the files that
are allowed to be transferred from A to Ri . Since all the files
in node A are allowed to be transferred to R1 and R2 , the
weight values are 1. Similarly, the edge from the node to its
own region always has a weight value of 1 because the files are
definitely allowed to be transferred within its current region.
In the example, node C stores files f 12 and f 32. Since only
f 32 (not f 12) is allowed to be stored in region R1 , the edge
from cloud node C to R1 is weighted 0.5.
The LFT graph can be incrementally updated during the
file allocation process. When a new file has been assigned a
cloud node (say A) for storage, the name node will check if
its location privacy policy introduces a new allowable cloud
region (say R3 ) that has not been recorded in the graph yet. If
so, a new edge from the cloud node A to the cloud region R3
will be added. Otherwise, the name node just needs to update
the weight value on the edge that is related to the new file. In
the case when a file has been removed, a similar process can
 9

be conducted to reflect the change on the LFT graph. Thread Starts

Based on the graph, we can assess the compliance (or lack Yes

of thereof) of a file transfer as follows. When the socket at

Socket Capturer > time_thresh ?
a cloud node (say A) detects a communication from A to B,
the system will search the legal file transfer (LFT) graph. If No
there is no edge between node A and the region that node Socket Parser Wait
B belongs to, we can conclude that this transfer is illegal
No No
with 100% confidence. If there is an edge between these two
new socket ? interrupted?
nodes, we compute the probability of this transfer being illegal
as 1 − wA→B , where wA→B is the weight value on the edge Yes Yes
from node A to B. If the probability is higher than a threshold Push to DB Thread Ends
ξ, our system will report it as a highly suspected transfer. In
the experiments, we set the threshold to be 90% which yields Fig. 6: Work Flow of Socket Monitor
very high detection rate.
5.2.2 Host-based Socket Implementation Socket
Monitor
The proposed real-time file transfer analysis relies on the
Central Datanode
collected communication information among cloud nodes. To DB
collect such information, we equip each cloud node with a Slave
Socket
socket monitor. The socket monitor aims to intercept infor- Monitor

……
mation sent out of the datanode so that by analyzing such Namenode
information, we will know if data has been transferred to
disqualified locations. The socket monitor is implemented as File Loader Datanode

a threaded Java program running on data hosts (i.e., individual Socket

datanodes). It has two major functionalities: capturing socket
connections on the host and storing the captured information
in a centralized database on the master node.
To capture socket connections, we employ netstat
which is a tool in Linux [12]. All datanodes in our system
use Netstat in the operating system. When executing the
command "netstat" on a terminal, a list of existing socket
connections on the host will be generated as output. We parse
the consecutive output by netstat between a very short
period of time to extract detailed information (e.g., source
IP, destination IP, protocol, process name or ID, timestamp)
about a open or closed socket connection. In particular, the
actual command we use is:
netstat -t, -n, -a, --inet, --program
which gives us tcp sockets connections from both listening
and non-listening port with IP & port in numeric format and
process name or ID displayed.
Figure 6 outlines the workflow of our proposed socket mon-
itor. As shown in Figure 6, our socket capturer executes the
predefined netstat command shown above, and the socket
parser processes the corresponding output to extract useful
socket information. The whole work flow is executed every
100 ms in a while loop, and thus we achieve continuous
monitoring of the file transfer.
The socket monitor keeps track of all the socket connections
established on the host, especially those related to Hadoop
daemons (namenode, datanode, etc.). The collected socket
information will be sent and stored in a centralized MySQL
database on the master node. Moreover, location policy files
submitted by the users will also be kept in the database for
post-mortem analysis. The overall system setup is shown in
Figure 7.
Other network analysis commands such as lsof may be
used in a similar way. It is worth noting that although some
Master
Monitor
Slave
datanode message
 
  
socket message
Fig. 7: Hadoop Cluster and Socket Monitoring Flow
commands like lsof are able to detect the names of files
being transferred, the detected files at the OS level are not
solely mapped to single user files in HDFS. Instead, these
detected files could include the contents of multiple users’ files
in HDFS. This is because users’ original files are partitioned
and physically stored in files with entirely different names
and formats managed by the HDFS. Therefore, even though
commands lsof can get information about opened files on a
machine, it does not directly contribute to the differentiation of
which user’s file in HDFS is being transferred via sockets. This
is why we choose netstat which is sufficient to complete
the task and retrieves minimal information for efficiency.
6 E XPERIMENTAL S TUDY
In order to evaluate the efficiency and effectiveness of our
proposed system, we carry out a series of experiments on a
real cloud testbed as well as a large-scale simulated cloud
environment.
The real cloud testbed consists of 16 virtual machines on
VMWare virtual platform with Intel(R) Xeon(R) E5440 2.83
GHz CPU and 8GB memory running Ubuntu 12.04 Linux
OS. One VM acts as the master node and the rest are slave
nodes, i.e., datanodes in HDFS. All the datanodes are assigned
to different regions identified by region ID, e.g., region1,
region2. Each region consists of three datanodes. Region
ID will be used in the location policy file to specify desired

location. The mapping between region ID and datanode IP
address is summarized in Table 2. Each virtual machine is
installed with our proposed Last-HDFS system which is built
upon Hadoop 2.6.0. On each individual slave node, we also
deploy a socket monitor running as an independent daemon
service. In addition, we set up a MySQL database on the
master node to store socket information and location policy
files submitted by the users.
TABLE 2: Mapping Between Region ID, Node ID and IP
Address
Region ID Node ID IP Address
master master-node 218.193.126.201
region1 slave-node-{1∼3} 218.193.126.{202∼204}
region2 slave-node-{4∼6} 218.193.126.{205∼207}
region3 slave-node-{7∼9} 218.193.126.{208∼210}
region4 slave-node-{10∼12} 218.193.126.{211∼213}
region5 slave-node-{13∼15} 218.193.126.{214∼216}
The real cloud testbed is focused on evaluating the efficiency
of our proposed system. In order to test the accuracy of
detecting illegal file transfers in various scenarios that may
exist in the real world, we also build a simulated large-scale
cloud network that resembles Amazon Global Infrastructure
[1]. Specifically, we simulate about 40 regions (called zones
by Amazon). In each region, we randomly generate a set of
cloud nodes and vary the total number of nodes in the whole
cloud from 1,000 to 20,000. Each user file is associated with
a location privacy policy that specifies up to five randomly
generated regions. Then, we simulate legal (or illegal) file
transfers by randomly selecting the file transfer destination
node that satisfies (or does not satisfy) the location policy of
the file.
6.1 Performance of Location-aware File Loader and
Replicator
The first round of experiments is conducted in the real cloud
set-up. We aim to evaluate two aspects of our proposed
location-aware file loader and replicator: (i) whether or not
our system correctly enforces the location privacy policies for
each file; (ii) what is performance overhead introduced by our
location-aware file loading and replicating compared to the
original HDFS.
First, we carry a proof-of-concept experiment to check
whether the policy is enforced at the time a file is uploaded. We
choose two files with size of 1.4 MB and 1.5 MB. Each file has
a different location policy. For simplicity, we set replication
factor to be 1 since it is not a relevant variable for this
experiment. The location policy being tested is shown below.
∼/file1.txt /user/file1.txt 1 region1
∼/file2.txt /user/file2.txt 1 region2
According to this policy, file1 and file2 will be uploaded
to different locations indicated by region1 and region2. To
proof-check correctness, we firstly run our file loader with the
above policy, and then check the final file locations with the
following HDFS shell command afterwards:
hdfs fsck <file> -files -locations -blocks
where <file> denote the file path in HDFS. The output of
the above command is the following::
10
/user/ <dir>
/user/file1.txt 1572864 bytes, 1 block(s): OK
0.BP-1231142416-127.0.1.1-1445285059107:blk_1073741843_1019
len=1572864 rep1=1 [218.193.126.202:50010]
/user/file2.txt 1423803 bytes, 1 block(s): OK
0.BP-1231142416-127.0.1.1-1445285059107:blk_1073741844_1020
len=1423803 rep1=1 [218.193.126.207:50010]
The results explicitly shows that file1 and file2 are
stored in different datanodes indicated by the IP address, and
each datanode belongs to different region in our setting. Hence,
policy is indeed enforced during the process of file uploading.
We then repeated this experiment using various policies and
file types , and all the uploading operations are correct.
Next, we test the performance of Last-HDFS, by comparing
it with the default file uploading method supported by HDFS.
Specifically, files are uploaded in HDFS by the HDFS shell
command:
hdfs dfs -copyFromLocal <localsrc> URI
where <localsrc> is the source path of file in the local
system and URI is the destination path in HDFS.
In this test, we use five different files with size of 2.2 GB,
4.4 GB, 6.6 GB, 8.8 GB, 11GB. In addition, we also vary
the replication factor from 1 to 15 for each file. For each
combination of file size and replication factor, we run the
default command and our file uploader with a policy file on
the master node respectively, and measure the elapsed time of
file uploading process. The result is shown in Figure 8;
35:00
Default (2.2GB)
/$6Tí+DF6 (2.2GB)
30:00 Default (4.4GB)
/$6Tí+DF6 (4.4GB)
Default (6.6GB)
Elapsed Time (mm:ss)
25:00 /$6Tí+DF6 (6.6GB)
Default (8.8GB)
/$6Tí+DF6 (8.8GB)
20:00 Default (11GB)
/$6Tí+DF6 (11GB)
15:00
10:00
05:00
00:00
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Replication Factor
Fig. 8: Performance Comparison Between Two Methods
As we can see from the result, for a given replication
factor, it takes more time to replicate larger files than smaller
ones to multiple datanodes, which is reasonable under the
assumption of similar network conditions between datanodes.
For individual files, the replication period is prolonged as
the replication factor increases. This is due to the replication
mechanism that data will be replicated to multiple datanodes
in a pipeline manner.
6.2 Performance of Location-aware Load Balancing
We also evaluate the location-aware load balancer in the real
cloud test. Recall that we extend the default load balancer to
comply with location constraints during data movement. We
 11

aim to check if the location policy is also enforced by our As we can see from Table 4, there is no significant dif-
proposed balancer, as described in Section 5.1.2. ference among the time taken by our proposed load balancer
In order to control closely the saturation level of individual under various policy ratio, compared to the default one. Hence,
datanodes, we conduct this test in a three-node cluster locally our proposed load balancer does not introduce extra overhead
with one being the master node and two slave nodes. The to its overall performance.
cluster consists of three machines with two Intel(R) Xeon(R)
X5550 2.67 GHz CPUs, 48GB memory and Ubuntu 12.04 LTS 6.3 Accuracy of Illegal File Detection
Linux OS. Each machine is installed with the same softwares
as that in the large testbed described earlier. The two slave In this subsection, we aim to demonstrate how the proposed
nodes represent two regions respectively. location-aware file allocation strategy helps with the illegal
file transfer detection. Since the real cloud testbeds only has
We employ 10 files with identical size of 2.2 GB. We set
limited number of nodes which would not be sufficient to
the ratio of files with locations policy to be 50%, meaning that
cover various scenarios of file transfers that may happen in
half of the data will be subjected to location constraints. We
large-scale real-world cloud like Amazon cloud , we adopt
start the Hadoop cluster with one datanode only denoted by
a simulated cloud environment that resembles the structure
region1, and upload the files without location policy to the
of the Amazon cloud with 40+ regions and thousands of
cluster using the default command. For the remaining files,
nodes. The specific parameters of the simulated cloud will
we run our file loader with the policy stating that they should
be introduced in each corresponding experiments.
be uploaded to region1. Then, we add another datanode to
We compare our system with a baseline approach that
the cluster as region2. As a result, one region is considered
simply assigns each individual file to a random node in one
saturated as compared to the other one. Lastly, we launch our
of the regions specified in the location privacy policy. The
extended balancer and check the location changes of every
detection accuracy is defined as the accuracy rate of detecting
files afterwards using the fsck command, whose output is
the correct types of file transfers including legal and illegal
parsed and summarized in Table 3.
ones. Specifically, after files are allocated to the cloud nodes
by both approaches, we simulated both illegal and legal file
TABLE 3: Block Location Comparison Before and After Load
transfers. Illegal transfers move files to regions that are not
Balancing
allowed in the corresponding location policies, whereas legal
File Total Block Locations (Before) Block Locations (After) file transfers move files to regions that are allowed. Let Nillegal
ID Block [# in region1,# in region 2] [# in region1,# in region 2] and Nlegal denote the number of illegal and legal transfers,
1 35 35 in region1, 0 in region2 same
2 35 35 in region1, 0 in region2 same respectively. Let Ni→i denote the number of illegal transfers
3 35 35 in region1, 0 in region2 same being detected, and Nl→l denote the number of legal transfers
4 35 35 in region1, 0 in region2 same that have been correctly marked as legal transfer. The detection
5 35 35 in region1, 0 in region2 same
6 35 35 in region1, 0 in region2 29 in region1, 6 in region2
accuracy is defined as follows:
7 35 35 in region1, 0 in region2 21 in region1, 14 in region2 Ni→i + Nl→l
8 35 35 in region1, 0 in region2 30 in region1, 5 in region2 Correctness = (3)
9 35 35 in region1, 0 in region2 30 in region1, 5 in region2 Nillegal+Nlegal
10 35 35 in region1, 0 in region2 20 in region1, 15 in region2
It is important to note that in any cases, neither approach
will have a perfect (100%) detection correctness rate. This is
As we can see from Table 3, the first five files stay in because our correctness function considers both false positives
region 1, while the remaining five files were moved to and false negatives, and it is common that some suspicious file
region 2, after the load balancing operation. Therefore, transfers could just be false alarms.
location policies are indeed enforced by the load balancer
during data movement. 6.3.1 Effect of the Number of Files to Be Stored in the
We also assess how enforcing location constraints will affect Cloud
the performance of common load balancing tasks. We conduct In this round of experiments, we vary the total number of
the same test mentioned above but vary the ratio of files with data files from 100K to 1M. Without loss of generality, we
location constraints from 20% to 80%. At each round, we assume each file has the same size. The total number of cloud
measure the elapsed time taken by our extended load balancer regions is set to 40 and the total number of cloud nodes is
to move data across nodes according to the location constraints 1,000. Each cloud node can store up to 1000 files. Each data
applied to the data. We compare it against the overhead of the file specifies up to 5 allowable regions in its location privacy
default balancer by Hadoop in absence of such constraints. policy. We simulated 1000 legal file transfers and 1000 illegal
For each experiment, we run our balancer and default one file transfers. The performance of our approach is compared
five times separately. The overall performance is reported in against the baseline as described previously
Table 4. Figure 9 reports the detection correctness. As we can see,
our LAST-HDFS has much higher detection accuracy than the
TABLE 4: Balancer Performance Under Different Policy Ratio baseline approach. This is because that the baseline approach
Policy Ratio 0% 20% 40% 60% 80% considers each file independently when allocating them and
Avg Time (unit: hour) 1.6514 1.6572 1.6856 1.6856 1.6532 hence files with different privacy preference are very likely to

be placed in the same cloud node. For example, a cloud node
A may store a file f 1 that is allowed to be transferred to node
B, but also another file f 2 that is not allowed to transfer to B.
As a result, when a communication with node B is detected,
it is very hard for the baseline approach to ascertain whether
this communication is transferring file f 1 which is legal, or
file f 2 which is illegal. Our proposed LAST-HDFS system
considers multiple files’ privacy preferences simultaneously
and allocates them in a way (i.e., the use of LFT graph)
that helps effectively detect the illegal transfers. Therefore,
we achieve much higher accuracy.
90
Baseline
LAST-HDFS
85
Correct Prediction %
80
75
70
1 3 5 7
Total Number of Files in the Cloud
Fig. 9: Detection Correctness When Varying the Number of
Files
6.3.2 Effect of the Percentage of Illegal Transfers
In this set of experiments, we aim to study the effect of the
amount of illegal file transfers among the total file transfers
in the cloud. The total number of files is set to 100,000. The
total number of cloud regions is 40 and the total number of
cloud nodes is 1,000. We simulated total 2000 file transfers
and vary the percentage of illegal file transfers over the total
file transfers from 1% to 50%. Figure 10 reports the results.
90
Baseline
LAST-HDFS
80
Correct Prediction %
70
60
50
40
0.01 0.05 0.1 0.2 0.3 0.4
Percentage of Illegal File Transfers
Fig. 10: Impact of Percentage of Illegal File Transfers
As shown, when the percentage of illegal transfers is small
ranging from 1% to 10%, our LAST-HDFS approach achieves
much higher detection rate than the baseline. This is because
the baseline mixed files with different location preferences in a
node, which makes it very challenging to distinguish legal and
illegal transfers without knowing the communication content
between two nodes. The baseline approach reports any transfer
from one region to another region as illegal so long as one
file in the same cloud node does not have the destination
node in its location preference list. Therefore, the baseline
12
approach will detect 100% of illegal transfers. However, for
a legal transfer, the baseline approach is like taking a random
guess and the detection probability would be around 50%. In
the real cloud when there are very few illegal transfers, the
baseline approach will generate too many false positives and
hence will not be suitable for illegal file transfer detection.
Compared to the baseline, LAST-HDFS reports 99.9% illegal
files and has a lower false positive detection rate around 30%
when the illegal files are few. This is attributed to the better
file allocation strategy adopted by LAST-HDFS that enhances
the chance of making the correct judgment. Moreover, by
reporting all suspected file transfers, the baseline also increases
the workload at the name node. The name node has to examine
every suspected transfer one by one. In contrast, our proposed
LAST-HDFS has significantly helped reduce the fine-grained
examination needed at the name node.
6.3.3 Effect of the Total Number of Cloud Nodes
Next, we study the scalability of our approach by increasing
the total number of cloud nodes up to 20,000. We fix the total
10
number of files to 250,000 and the total number of regions to

105
40 as that in the previous experiments. The number of legal
and illegal file transfers is still 1000 each. Figure 11 reports the
detection correctness rate. We can see that our proposed LAST-
HDFS performs consistently better than the baseline approach
by detecting more illegal file transfers due to the same reason
as previously discussed. In addition, observe that the correct
detection rate of both approaches increases with the number
of cloud nodes. This is because the more cloud nodes, the
lower chance files with different policies being placed in the
same node. Thus, it becomes easier to identify illegal transfers
through the socket monitors.
95
Baseline
LAST-HDFS
90
Correct Prediction %
85
80
75
70
0.2 0.6 1 1.4 1.8 2
Cloud Nodes
104
Fig. 11: Detection Correctness When Varying the Number of
0.5 Nodes
6.3.4 Effect of the Number of Cloud Regions
In this round of experiments, we alternate the number of cloud
regions from 10 to 50. The total number of cloud nodes is
1000. The total number of files to be stored in the cloud is
set to 250,000, and each file still specifies up to 5 desired
locations as that in the previous round of experiments. Again,
1000 legal file transfers and 1000 illegal file transfers were
simulated. Figure 12 shows the detection correctness. The
LAST-HDFS again achieves much higher detection rate than
the baseline approach. In addition, we also observe that the
detection accuracy of our approach decreases with the increase
 13

of the cloud regions. The possible reason is that the fewer the data security and privacy [13]. There have been some efforts
cloud regions, the more likely it is that files will have similar on the research problem of data placement control in cloud
location preferences and hence lead to better grouping results storage systems. Peterson et al. [14] defined the notion of
in our approach. “data sovereignty” and proposed a MAC-based proof of data
100
possession (PDP) technique to authenticate the geographic
Baseline locations of data stored in the cloud. Benson et al. [15]
LAST-HDFS
95
addressed the problem of determining the physical locations of
Correct Prediction %

90 data stored in geographically distributed data centers, by using

85
80
75
70
10 20 30
Total Number of Cloud Regions
Fig. 12: Detection Correctness When Varying the Total Num-
ber of Cloud Regions
6.3.5 Effect of the Number of Regions Allowed in Each
Policy
In the last set of tests, we further examine the effect of the
number of regions specified in each location privacy policy.
We increase the number of allowable regions in each policy
from 5 to 25, and keep other parameters the same as the pre-
vious experiment. Figure 13 shows the detection correctness
rate. As in the previous experiments, our LAST-HDFS yields
much higher detection accuracy than the baseline approach.
The baseline approach deteriorates with the increase of the
allowable regions in each policy. Specifically, the detection
correctness of the baseline approach decreases to a random
guess (50%) when each file specifies 25 desired regions (out of
40). The possible reason is that the more regions that each file
is allowed to be stored, the more likely that files with different
location preferences will be stored together by the baseline
approach. As a result, more file transfers become suspicious
since there may always be a file which is allowed to go to the
destination region, but the baseline approach will still report
such a file transfer as a potential illegal one if other files did
not include that destination region in their policies.
80
75
Baseline
LAST-HDFS
Correct Prediction %
passive distance measurement and linear regression predictive
model to estimate in which data center the data is stored. Later,
Gondree and Peterson [16] proposed a general framework,
named constraint-based data geo-location (CBDG), that binds
latency-based geo-location techniques with a probabilistic
40 50 PDP, based on the previous solutions in [14], [15]. In addition,
Watson et al. [17] considered the case of collusion between
malicious service providers and suggested a proof of location
(PoL) scheme that deployed trusted landmarks to verify the the
existence of a file on a host using proof of retrievability (PoR)
protocol. In [18], [19], PoR was also adopted with a time-
based distance-bounding protocol to provide strong geographic
location assurance.
Instead of verifying file locations afterwards, another com-
mon approach is to require users to encrypt their data before
uploading it to the cloud [20]. The rationale behind is that
if the cloud does not have the original plain-text data, users
would have fewer concerns on data location. This approach,
however, imposes a large computational burden on the users
and it renders the data hard to index and analyze on cloud
premises.
The above two types of approaches do not provide any
mechanisms for the cloud providers to directly enforce
location-aware storage, and hence are very difficult for the
cloud providers to implement. Unlike any existing work, our
proposed system addresses location-aware data storage from a
system oriented perspective by embedding location checking
directly in the datanode assignment as well as load balancing
process. It releases the burden at the client side and also
provides the cloud service provider an efficient and effective
way to honor clients’ SLA regarding data location constraints.
8 C ONCLUSION
In this paper, we build, on top of the existing HDFS, a novel
LAST-HDFS system to address the data placement control

70
problem in the cloud. LAST-HDFS supports policy-driven file
65
loading that enables location-aware storage in cloud sites.
60 More importantly, it also ensures that the location policy is
55 enforced regardless of data replication and load balancing
50
processes that may affect policy compliance. Specifically,
an efficient LP-tree and Legal File Transfer graph were de-
45
5 10 15 20 25
signed to help optimally allocate files with similar location
Allowable Regions in Each Policy
preferences to the most suitable cloud nodes which in turn
Fig. 13: Detection Correctness When Varying the Number of enhance the chance of detecting illegal file transfers. We
Regions in Each Policy have conducted extensive experimental studies in both a real
cloud testbed and a large-scale simulated cloud environment.
Our experimental results have shown the effectiveness and
7 R ELATED W ORK efficiency of the proposed LAST-HDFS system.
Data location in the cloud environment has been recognized In the future, we plan to take into account more complicated
as an important factor in providing users with assurance of policies to capture other privacy requirements other than the
 14

location. We will adopt more sophisticated policy analysis
algorithm [21] and compute the integrated policy as the repre-
sentative policy [22] at each node to help speed up the policy
comparison and selection of nodes for the newly uploaded
files. Moreover, we also plan to leverage Intel SGX technology
to secure socket monitors from being compromised.
[20] A. Michalas and K. Y. Yigzaw, “Locless: Do you really care where your
cloud files are?” ACM/IEEE, 2016.
[21] D. Lin, P. Rao, R. Ferrini, E. Bertino, and J. Lobo, “A similarity
measure for comparing XACML policies,” IEEE Trans. Knowl. Data
Eng., vol. 25, no. 9, pp. 1946–1959, 2013.
[22] P. Rao, D. Lin, E. Bertino, N. Li, and J. Lobo, “Fine-grained integration
of access control policies,” Computers & Security, vol. 30, no. 2-3, pp.
91–107, 2011.

Adam Bowers received a B.S. in Computer Sci-

ACKNOWLEDGEMENT ence from the Missiour University of Science and
Technology in 2016. He is currently a PhD Com-
This work is partially supported by National Science Founda- puter Science student at Missouri University of
tion under the project DGE-1433659. Science and Technology. His current research
focus is cloud security and privacy.

R EFERENCES
[1] Amazon, “Aws global infrastructure,” in https://aws.amazon.com/about-
aws/global-infrastructure/, 2017. Cong Liao received a BE degree in Mechani-
[2] C. Metz, “Facebook tackles (really) big data with project prism,” in cal Design, Manufacturing and Automation from
https://www.wired.com/2012/08/facebook-prism/, 2012. University of Electronic Science and Technology
[3] K. V. SHVACHKO, Y. Aahlad, J. Sundar, and of China, and a MS degree in Robotics from Uni-
P. Jeliazkov, “Geographically-distributed file sys- versity of Pennsylvania. He is currently working
tem using coordinated namespace replication,” in towards a PhD degree in the College of Infor-
https://www.google.com/patents/WO2015153045A1?cl=zh, 2014. mation Sciences and Technology at the Penn-
[4] C. Liao, A. Squicciarini, and L. Dan, “Last-hdfs: Location-aware storage sylvania State University. His current research
technique for hadoop distributed file system,” in IEEE International interests include cloud security and adversarial
Conference on Cloud Computing (CLOUD), 2016. machine learning.
[5] N. Paladi and A. Michalas, ““one of our hosts in another country”: Chal-
lenges of data geolocation in cloud storage,” in International Conference Douglas Steiert is a graduate student enrolled
on Wireless Communications, Vehicular Technology, Information Theory in a Computer Science PhD program at Mis-
and Aerospace & Electronic Systems (VITAE), 2014, pp. 1–6. souri University of Science and Technology. He
[6] Z. N. Peterson, M. Gondree, and R. Beverly, “A position paper on received his B.S. in Computer Science from
data sovereignty: The importance of geolocating data in the cloud.” in Missouri University of Science and Technology
HotCloud, 2011. in 2015. His main research focus has been on
[7] A. Squicciarini, D. Lin, S. Sundareswaran, and J. Li, “Policy driven node privacy within smartphone and social media ar-
selection in mapreduce,” in 10th International Conference on Security eas.
and Privacy in Communication Networks (SecureComm), 2014.
[8] J. Li, A. Squicciarini, D. Lin, S. Liang, and C. Jia, “Secloc: Securing
location-sensitive storage in the cloud,” in ACM symposium on access Dan Lin is an associate professor and Director
control models and technologies (SACMAT), 2015. of Cybersecurity Lab at Missouri University of
[9] E. Order, “Presidential executive order on strengthening the Science and Technology. She received the PhD
cybersecurity of federal networks and critical infrastructure,” in degree in Computer Science from the National
https://www.whitehouse.gov/the-press-office/2017/05/11/presidential- University of Singapore in 2007, and was a post
executive-order-strengthening-cybersecurity-federal, 2017. doctoral research associate at Purdue University
[10] “Hdfs architecture,” http://hadoop.apache.org/docs/stable/ for two years. Her main research interests cover
hadoop-project-dist/hadoop-hdfs/HdfsDesign.html. many areas in the fields of database systems
[11] R. Miller, “Inside amazon cloud computing infrastructure,” and information security.
in http://datacenterfrontier.com/inside-amazon-cloud-computing-
infrastructure/, 2015.
[12] T. Bujlow, K. Balachandran, S. L. Hald, M. T. Riaz, and J. M. Pedersen, Anna Squicciarini is an associate professor at
“Volunteer-based system for research on the internet traffic,” Telfor College of Information Sciences and Technology
Journal, vol. 4, no. 1, pp. 2–7, 2012. at Pennsylvania State University. She received
[13] M. Geist, “Location matters up in the cloud,” http://www.thestar.com/ the PhD degree in Computer Science from Uni-
business/2010/12/04/geist location matters up in the cloud.html. versity of Milan, Italy in 2006. Her research
[14] Z. N. Peterson, M. Gondree, and R. Beverly, “A position paper on is currently funded by the National Science
data sovereignty: the importance of geolocating data in the cloud,” in Foundation, Hewlett-Packard, and a Google Re-
Proceedings of the 8th USENIX conference on Networked systems design search Award.
and implementation, 2011.
[15] K. Benson, R. Dowsley, and H. Shacham, “Do you know where your
cloud files are?” in Proceedings of the 3rd ACM workshop on Cloud
computing security workshop. ACM, 2011, pp. 73–82. Ali Hurson received B.S. degree in Physics from
[16] M. Gondree and Z. N. Peterson, “Geolocation of data in the cloud,” the University of Tehran in 1970, M.S. degree in
in Proceedings of the third ACM conference on Data and application Computer Science from the University of Iowa
security and privacy. ACM, 2013, pp. 25–36. in 1978, and Ph.D. from the University of Central
[17] G. J. Watson, R. Safavi-Naini, M. Alimomeni, M. E. Locasto, and Florida in 1980. He was a Professor of Computer
S. Narayan, “Lost: location based storage,” in Proceedings of the 2012 Science at the Pennsylvania State University un-
ACM Workshop on Cloud computing security workshop. ACM, 2012, til 2008, when he joined the Missouri University
pp. 59–70. of Science and Technology. He has published
[18] A. Albeshri, C. Boyd, and J. G. Nieto, “Geoproof: proofs of geographic over 300 technical papers in areas including
location for cloud computing environment,” in Distributed Computing multi-databases, global information sharing and
Systems Workshops (ICDCSW), 2012 32nd International Conference on. processing, computer architecture and cache
IEEE, 2012, pp. 506–514. memory, and mobile and pervasive computing. He serves as an ACM
[19] A. Albeshri, C. Boyd, and J. G. Nieto, “Enhanced geoproof: improved distinguished speaker, area editor of the CSI Journal of Computer
geographic assurance for data in the cloud,” International Journal of Science and Engineering, and Co-Editor-in-Chief of Advances in Com-
Information Security, vol. 13, no. 2, pp. 191–198, 2014. puters.