Slide-block: End-to-end amplified security to improve DevOps resilience through pattern-based authentication

Abstract

DevOps represents the fusion of cultural philosophies, tools, and practices that rapidly enhance an organization's capacity to deploy services and applications. Cloud-based tools, a subset of DevOps services, facilitate collaboration between development and operations teams within an organization. However, persistent challenges such as inadequate security management, substantial leakage of sensitive data, and system/service unavailability pose significant threats to sustainability. We propose an end-to-end enhanced security framework to fortify DevOps resilience by implementing authentication and vulnerability management through the Slide-Block methodology. Our approach comprises four sequential processes: pattern-based authentication, tri-level access control, privacy-focused data storage, and vulnerability management and correction. Initially, we establish candidate legitimacy through pattern-based authentication using the Magnificent Chacha-Poly 1305 algorithm. Subsequently, we devise effective access policies using the Enhanced Deep Deterministic Policy Gradient (EDDPG) algorithm, employing tri-level access control based on trust value, attributes, and roles for optimal user and developer selection via the African Vulture Optimization Algorithm (AVOA). Moreover, we encrypt data in transit and at rest using Mcha-Poly 1305, considering sensitivity, and store it in a blockchain to enhance data privacy. Our approach incorporates a sliding window blockchain for secure data transmission and storage. Finally, we identify and address attack and application-based issues using the Tweak Naive Bayes (Tweak-NB) algorithm and Intruder Vulnerability Scanner (IVS). Our Slide-Block framework demonstrates superior performance in detection rate, authentication time, packet loss, security strengthening, communication overhead, and latency compared to existing models.

1. Introduction

In an Information Technology (IT) environment, “DevOps” is one of the software development cultures that is meant for integrating the software and development teams to boost up development activities with higher convey rates [[1], [2], [3]]. By utilizing DevOps-based software development we can achieve continuous deployment, continuous monitoring, continuous development, security, flexibility, and expandability [4]. To be more specific, DevOps helps to deliver the developed software either on the customer side or server side in a continuous pace in short and fast delivery cycles [5]. Cloud computing is another paradigm that provides on-demand services and infrastructure [6,7].

The combined adoption of cloud computing and DevOps enhances production speed and resilience [[8], [9], [10]]. Specifically, incorporating cloud computing in software development empowers developers to manage their tools and offers additional components for continuous application automation, building, testing, and monitoring [11,12]. Despite these benefits, careful consideration and research are necessary to address potential drawbacks and design improved models. Security emerges as a primary concern, as the lack of empirical research in DevOps has led the research community to hesitate in integrating security practices [13].

Only limited works in recent years to provide a recommendation of security practices but it doesn't provide end-to-end security practices as research articles [14]. Authentication and access control are basic security operation that restricts unauthorized access [15]. However, the existing works on authentication and access control provide limits with poor metrics as they only consider limited metrics to authenticate and access the users, developers, and operators [16,17]. The existing works lack security during continuous monitoring, leading to several cyber security attacks [18]. Machine learning and data engineering are emerging technologies that enable intelligence [19,20]. Thus, the proposed work addressed the challenges and research gaps that are faced in the former works further in this work, the betterment solution is to accommodate for secure and practical application in a cloud environment with DevOps.

1.1. Research aim & objectives

The main aim of this research is to enhance the security for the betterment of the resilience of DevOps by integrating cloud computing, machine learning and data engineering. In addition, the research also identifies the problems of improper security management, inefficacy authorization, enormous sensitive data leakage and system and service unavailability. Moreover, the main objective of this research is to enhance security for the betterment of the resilience of DevOps by integrating cloud computing through effective vulnerability management based on continuous monitoring.

• •We have integrated an effective authentication mechanism to enhance secret management, allowing only legitimate candidates access to the applications. We have developed significant access control policies to improve authorization and implement trust-level-based access control.
• •To enhance data privacy and prevent sensitive data leakage, we have implemented two categories of data encryption. Continuous monitoring and rectification, aided by a security monitoring agent, have been employed to address application-based issues and amplify system and service availability.
• •In order to strengthen security, we have adapted attack detection and enhanced blockchain to improve Quality of Service (QoS)

1.2. Research Motivations

To enhance the security of cloud-based applications with integrated DevOps, most of the existing works perform continuous monitoring for attack detection. However, the current works are limited by improper security management, inefficacy authorization, enormous sensitive data leakage and system and service unavailability.

• I.Improper Security Management: In most of the existing works, insufficient metrics and ineffective authentication mechanisms were utilized, which led to improper security management. In addition to that, in several earlier works, only the application users were authenticated; however, the lack of authenticating the developers and resource owners leads to improper security management.
• II.Inefficacy authorization: In most of the existing works, the access control policies are only provided for application users, and several previous works don't fabricate effective or secure access policies where this inefficacy authorization leads to high-security breaches. Furthermore, the access control policies are stored without any security measures where attackers can easily tamper and modify the policies that affect the security level of cloud-based applications with integrated DevOps.
• III.Enormous Sensitive Data Leakage: In most of the previous works, the data privacy and sensitive data were not secured effectively, and the communication between the cloud and users was performed without any privacy concerns that led to high data leakage. Moreover, the rest of the data, which is sensitive data like organization policies, access control policies, passwords, and other sensitive data, were stored in the cloud without encryption or any other security measure where the attackers can effortlessly access the data.
• IV.System and Service Unavailability: In several existing works, the application users' sides are continuously monitored where the inconsideration of application settings, bugs, data errors, etc.., leads to high system and service unavailability. Besides, the bugs and data errors are continuously monitored manually, and immediate remediation is not taken where this ineffective continuous monitoring leads to high system and service unavailability.

1.3. Research contributions

Improving the resilience of DevOps thereby enhancing security is the primary target of our research. To achieve that, we have proposed several requisite contributions that are explained below as follows.

• •All candidates undergo pattern-based authentication to secure the application and network, with password encryption using the MCha-Poly 1305 encryption algorithm. This algorithm operates efficiently, allowing only legitimate candidates access to the service, and their credentials are stored securely in the blockchain.
• •We generate tri-level access control policies using EDDPG, assigning them to candidates based on their attributes, roles, and trust values. AVOA is employed to optimize access control.
• •To ensure communication and transaction certainty, we implement a privacy-focused data storage mechanism that encrypts data using the MCha-Poly 1305 encryption algorithm, minimizing the risk of highly sensitive data leakage.
• •Continuous monitoring amplifies system and service availability, identifying attacks and application-based issues through an intruder vulnerability scanner and the Tweak NB algorithm.

1.4. Paper organization

The rest of the paper is organized as follows: Section II illustrates state-of-the-art research with its gaps. Section III delineates the foremost problem statement which is faced by cloud-based applications. Section IV articulates the proposed Slides-Block framework, encompassing an appropriate diagram, mathematical equations, algorithm, and pseudocode. Section V exemplifies the experimental analysis of simulation setup, comparative analysis, and research summary. Finally, Section VI concludes the proposed Slides-Block framework.

2. Literature survey

In this section, we have briefly described the state-of-arts with its limitations faced in DevOps-cloud-based applications. Furthermore, this section is divided into three sub-sections which are defined below,

2.1. Analysis of attack & malware detection

The paper [21] introduced an auto-encoder entrenched-based mechanism for detecting advanced persistent threat (APT) attacks. Users underwent authentication through a two-factor authentication system based on the OTP scheme. We employed the auto-encoder neural network to analyze informative features derived from unsupervised network traffic. We performed feature extraction and dimension reduction using Principal Component Analysis (PCA). Subsequently, we added a softmax regression layer to the top layer of the auto-encoder network to classify APT attacks. The detection of the attack prompted the strengthening of cloud-based security.

In a different study [22], the author introduced an approach to detect DDoS attacks in a cloud computing environment to reduce misclassification errors during DDoS attack detection. Initially, the study applied feature selection schemes, including mutual information (MI) and random forest feature importance (RFFI). Subsequently, the study utilized various algorithms for classifying DDoS attacks, such as random forest, gradient boosting, weighted voting ensemble (WVE), k nearest neighbour, and logistic regression. Ultimately, the random forest algorithm demonstrated superior performance compared to the others [23]. implemented a secure SaaS approach for detecting and mitigating attacks. The Deep Belief Network (DBN) is utilized for attack detection, with the weight and activation function fine-tuned through the Median Fitness-oriented Sea Lion Optimization Algorithm (MFSLnO). Upon detecting an attack, the system transitioned control to a lightweight bait mechanism, ensuring the reliable mitigation of the most common attack nodes without disrupting routine connections. The evaluation of the proposed work focused on assessing the packet loss ratio and throughput.

In [24], researchers proposed a method for real-time detection of attacks in the cloud environment. The study initially identified attacks in the application layer by employing multiple machine learning algorithms, such as the multi-layer perceptron (MLP) and random forest (RF), utilizing the Scikit ML library and big data architecture. The researchers optimized the model's performance to decrease prediction time, achieving superior accuracy with the random forest algorithm compared to other approaches.

The author offered an intelligent behavior-based malware detection framework in a cloud environment [25]. Multiple virtual machines initially collect malware data, examining distinctive features and selecting effective ones. Then, the selected features are fed into learning-based and rule-based detection agents to detect whether the data is normal or malware using several machine learning algorithms effectively. The proposed methodology can detect both known attacks and unknown attacks effectively. Finally, the proposed work enhances security by effectively attack detection using random forest. An effective IDS chronological salp swarm algorithm entrenched deep belief network was designed to detect suspicious intrusion in the cloud [26]. Initially, we designed this method by integrating the chronological concept with the Salp swarm algorithm. We established a fitness function to seek an optimal solution that accepts a low error value. Subsequently, we optimally tuned the weights using this method to identify an efficient solution for detecting intruders. Finally, the designed chronological salp swarm algorithm entrenched deep belief network acquired enhanced performance by the exploitation and exploration facility in search space. Researchers employed a hybrid deep learning approach to create an efficient intrusion detection system [27]. Initially, this work focused on enhancing the efficiency of the Intrusion Detection System (IDS) in analyzing abnormal network traffic. The Pearson correlation feature selection algorithm was utilized for efficient feature selection. The intrusion detection process involved utilizing a recurrent neural network embedded with gated recurrent units (GRU) and enhanced long short-term memory (LSTM), forming Cu-LSTMGRU. Subsequently, the system effectively classified network flows as either malicious or benign. The limitations of attack and malware detection are outlined in Table 1.

Table 1.

Limitations of attack & malware detection.

Reference	Objective	Methods/Algorithms	Limitations
[21]	To utilize auto-encoder based mechanism for APT attack detection.	Auto-encoder neural network & PCA	However, this algorithm misinterprets the significant variable that leads to ineffective attack detection.
[22]	To perform DDoS attack detection in cloud computing using MI.	RFFI, MI, GB, WVE, KNN, RF & LR	Anyhow a MI and RF method selects the redundant and irrelevant feature that leads to high false positive rate.
[23]	To design a method for attack detection and mitigation using secure SaaS approach.	DBN, MFSLnO & lightweight bait mechanism (LBM)	Once intrusion is detected the LBM was performed for mitigation, but ineffective attack mitigation and countermeasure affects the security.
[24]	To method for real time attack detection in the cloud environment.	MLP & RF	Anyhow, RF generates numerous of trees while classification that increase complexity.
[25]	To offer an intelligent behavior-based malware detection framework.	RF	However, lack of ensuring user legitimacy affects the network security.
[26]	To perform an effective IDS CSS algorithm entrenched DBN for detecting suspicious intrusion.	Chronological salp swarm (CSS), DBN & Fuzzy entropy	Anyhow, consideration of inadequate features for performing IDS affects the detection rate.
[27]	To introduce hybrid DL approach for an efficient intrusion detection system.	Cu-LSTMGRU & Pearson's correlation coefficient (PCC)	PCC this algorithm cannot effectively differentiate among dependent and independent variables.

2.2. Analysis of access control mechanism & secure data sharing

A blockchain-based multi-authority access control mechanism (BMAC) for secure data sharing in a cloud environment was incorporated [28]. Initially, the Shamir secret sharing (S3) technique and permission blockchain were utilized to execute individual attributes and jointly supervised by several authorities. Then it adapts the smart contract to generate tokens for attributes handled over several management domains that minimize the communication and computation overhead on data users. The blockchain aids in recording the process of access control in an auditable and secure way. Finally, the security of the proposed algorithm was examined. Several mechanisms are combined to provide fine-grained access control and secure data sharing [29]. Here, the blockchain, ciphertext-policy attribute-based encryption (CP-ABE), and interplanetary file system (IPFS) – BSSPD were utilized for secure personal data sharing. Initially, the user-centric approach was employed where the data owner encrypts the sharing data and stores it in IPS, which increases the approach's decentralization. The decryption key and address of the transmitted data were encrypted using CP-ABE as per the specific access policy, the data owner adapted the blockchain to publish his data-correlated information and distribute the keys to data users. The data user whose attributes are eligible for access policy can download and decrypt data. Finally, the ciphertext keyword search was utilized to protect the data privacy of user's while retrieving the data. Blockchain an entrenched access control technique in a cloud computing environment, was introduced [30]. Initially, in this environment, the data owner (DO) handles an access matrix which was stored in blockchain to illustrate the access policy. Then, the public keys of entire nodes and the access matrix are also stored in blockchain, to assure the security of this system. Here, the DO will encrypt the files that are largely shared once utilizing a symmetric key in a long time. Also, public key to authorized users is encrypted with the symmetric key in parallel within a minimal time. Finally, the proposed mechanism enhanced the security, thereby reducing computation overhead.

The author introduced the Blockchain-based Multi-Authority Access Approach (BMAC) to enhance secure data sharing [31]. Initially, they utilized the Shamir secret sharing approach and the permissioned blockchain Hyperledger Fabric to execute individual attributes. This execution was a collaborative effort supervised by multiple authorities, effectively avoiding a single point of failure. Moreover, blockchain technology established trust between authorities and tokens for attributes generated from smart contracts. These contracts were overseen across various management domains, helping to reduce computation and communication overhead on the data user side. The access control approach was audibly and securely recorded.

In the realm of cloud-based applications, the author implemented a secure data securing mechanism by introducing access control [32]. The Hyperledger Fabric and Attribute-Based Access Control (Fabric-ABAC) were initially proposed for secure data sharing across domains. To address data security issues, a trusted central organization was implemented, and a distributed environment involving stakeholders between parties was developed. The multi-environment was integrated with intelligent contracts, constructing a unified attribute model. The proposed Fabric-ABAC achieved multi-level, auditable access control and fine-grained data security by automatically examining permissions. Finally, intelligent contracts exploited Proxy Re-Encryption (PRE) to identify ciphertext communication without involving a third party. Table 2 outlines the limitations of access control mechanisms and secure data sharing.

Table 2.

Limitations of access control & secure data sharing.

Reference	Objective	Methods/Algorithms	Limitations
[28]	To develop BMAC mechanism for secure data sharing in cloud.	BMAC, Permissioned blockchain & S3 technique	BMAC mechanism was performed for secure access control, however, the usage of traditional blockchain leads to ineffective immutability.
[29]	To tangle several mechanisms for providing fine-grained access control and secure data sharing.	CP-ABE & IPFS- BSSSPD	Lack of authentication increase the malicious traffic in the network which misleads the access control.
[30]	To design blockchain entrenched access control techniques in cloud computing environment.	Encryption & Access control	Access control policies are randomly generated where inconsideration of their role and attributes leaks to high data leakage.
[31]	To develop blockchain based multi-authority access approach BMAC for secure data sharing.	S3 & BMAC	Only considering the attribute while providing access control affects the efficiency of access control.
[32]	To introduce the secure data securing mechanism by implementing access control in the cloud-based applications.	Fabric-ABAC & PRE	Anyhow the traditional blockchain suffers from scalability issues.

2.3. Analysis of authentication mechanism & secure data sharing

A mechanism for generating enhanced secure keys was explicitly designed for encrypting data in a cloud environment [33]. To begin, security keys are generated using segments of an identity bit string to enable an enhanced identity-based encryption approach. This method ensures that the user's identity remains concealed, preventing any possible adversary or attacker from decoding the key or decrypting the data. The key benefit of this method is that it leverages a polynomial interpolation function consisting of a Lagrange coefficient to hide the user's identity. Additionally, the system's security depends on the computing complexity of the bilinear Diffie-Hellman problem. Ultimately, this mechanism efficiently performs the encryption and decryption processes, thereby reducing latency. Another secure authentication scheme based on blockchain was introduced in cloud computing [34]. Initially, all users were registered with the authentication server (AS) and obtained their secret key through AS using Harmony search optimization (HSO). The elliptic curve integrated encryption scheme (ECIES) was then utilized to encrypt the data packets in mobile nodes and transfer them to a cloud server.

The SDN controller oversees the blockchain to protect evidence gathered from the users' signatures and data, which are embedded in the cryptographic hash algorithm of the SHA-256. The authorized investigator then conducts various processes such as identification, evidence gathering, examination, and report generation using the Logical Graph of Evidence (LGoE). A searchable encryption technique has been included for authentication and authorization in cloud computing [35]. This work consists of three components: classic user authentication (based on username, password, and a message with a code sent via SMS), a searchable encryption scheme, and biometric authentication. The first two components comprise two-factor authentication (2FA), with the second component illustrating the initialization process of the searchable encryption technique. Special attention has been given to the trapdoor function, which generates a value that can be used to execute the search process and function. Table 3 outlines the limitations of the authentication mechanism and secure data sharing.

Table 3.

Limitations of authentication & secure data sharing.

Reference	Objective	Methods/Algorithms	Limitations
[33]	To work, I proposed an enhanced secure key generation mechanism to encryption in cloud environment.	Lagrange coefficient & Bilinear Diffle-Hellman	Here, the insecure channel selection for critical transformation leads to greater risk of disclosure.
[34]	To propose blockchain based secure authentication scheme in cloud computing.	HSO, ECIES, SHA-256 & LGoE	Consideration of insufficient credentials for authentication and lack of ensuring developers and resource owners legitimacy increases security breaches.
[35]	To implement a searchable encryption technique for authentication and authorization in cloud computing.	SMA, 2FA, special attention & trapdoor function	2FA approach was utilized which enhance the security but this approach can turn against the users due to factors get losing that limit with QoS.

3. Problem statement

Network traffic analysis for anomaly detection in the integrated environments of cloud computing and DevOps was introduced [36]. Initially, the weight agnostic neural networks (WANNs) framework was designed to automate the detection of malicious intent through darknet traffic examination and network management. Then it was utilized as an intelligent forensics tool for analyzing network traffic, and clarification of malware traffic, and the traffic identification was encrypted in real-time. After that, features are extracted, and feature selection is performed using the predictive power score (PPS) method. Then, the automated searching neural-net scheme was implemented to detect zero-day attacks. Finally, the employed process of malicious intent detection, the most critical asset of many organizations, was protected effectively by reducing effort barriers. The major limitations of this proposed work are described below as follows,

• •Here, all the users are considered legitimate users and developers, further permitting them to access the cloud application that leads to high complexity and communication overhead in both the network and application due to the presence of high number of illegitimate users.
• •In this work, even though intrusion detection was performed to enhance the security in DevOps, permission for accessing the applications was provided to all the users and developers, leading to the high leakage of sensitive data.
• •The features are extracted, and appropriate features are selected by feature selection using predictive power score which executes effectively; however, this method consumes a considerable time for performing calculations that leads to high latency.
• •Here, even though the intrusion detection was implemented using WANNs to minimize the security threats in the DevOps, lack of effective and secure data storage affects the data privacy and leads to security breaches.

Efficient feature extraction is incorporated for intrusion detection in a cloud computing environment [37]. Initially, the set significant features is selected using a univariate ensemble feature selection mechanism. It utilizes five dissimilar filter feature selection mechanisms for acquiring the subset of optimal features from the collected data. Then the feature map is generated from the set of filtered features for classification. Finally, the ensemble majority voting is performed using the ensemble of several machine learning algorithms which classify into two classes: intruder and normal. The major issues of the work are delineated,

• •All the users in this work are considered legitimate candidates and granted access to the cloud-based applications without any limitations and permission policies that lead to high-security breaches.
• •The feature extraction employed five different filter selection mechanisms, while an ensemble of machine learning algorithms was used for intrusion detection, leading to increased system complexity.
• •Here, the intruder was detected using an ensemble learning algorithm, which improves security; the lack of countermeasures and other technical issues (i.e., bugs, network settings.., etc.) led to system and service unavailability in the cloud environment.

A hybrid optimized deep learning approach was developed to improve security in DevOps by detecting attacks. The approach consists of two phases: feature extraction and classification. Initially, network traffic is monitored, and data from individual applications are processed to extract features. These extracted features are then fed into a the classification model for attack detection. To execute the classification model, an optimized deep belief network (DBN) algorithm was proposed. Finally, the activation function was optimized using the hybrid optimization algorithm called Firefly Alpha-Evaluated Grey Wolf Optimization Algorithm (FAE-GWO). The limitations of this approach are further explained below,

• •In this work, communication and data sharing were implemented without performing any privacy concerns that lead to the leakage of user's sensitive information and organizational policies.
• •Here, the network traffic is monitored, data flows are collected, and statistical features are extracted for attack classifications. However, the consideration of limited features leads to ineffective attack detection.
• •The attack detection was accomplished by an optimized deep belief network where the complexity of this algorithm was minimized by optimizing the activation method, however, the traditional drawback of this algorithm was its robust nature which is unsuitable for handling large data that leads to increases in high latency.
• •Even though the attack detection was performed to enhance the security of DevOps effectively, anyhow, lack of consideration of the bugs, network settings, etc …, leads to service unavailability thereby limiting QoS.

Fast and continuous monitoring (F&CM) effectively improves system availability and security in DevOps, as stated in Ref. [39]. Initially, this mechanism was executed using the software and system process engineering metamodel (SPEM). The real-time scenario demonstrated that the execution of F&CM availability mechanism helps teams to detect and remedy outage problems and attacks better. By promptly detecting and identifying outage problems and attacks, teams can quickly and effectively apply the necessary remediation. However, some drawbacks of this research are mentioned below,

• •Continuous monitoring was carried out in this study to monitor system outages and attacks, which was effective. However, improper monitoring and remediation failed to meet QoS requirements. DevOps enhanced system availability and security through fast and continuous monitoring. Nonetheless, the lack of secure data communication and information sharing resulted in high leakage of organizational policies and sensitive application information.
• •Continuous monitoring was employed to detect attacks and outage issues in a cloud-based application. However, the packet features were not considered, leading to ineffective attack detection. The Software and System Process Engineering Metamodel (SPEM) was used for continuous monitoring, but no intelligence was adapted to detect outages and attacks, resulting in security issues.

A method of fine-grained access control using an attributed-based searchable encryption approach was proposed in Ref. [40]. The framework includes an attribute-entrenched searchable encryption scheme allowing precise access control. The data owner stores the access rules with a searchable encryption service provider (SESP). When a user requests access, the SESP returns the encrypted search results using the SHA algorithm within a specified timeframe. If the user has any disputes, they can initiate an arbitration request. The blockchain handles such requests but only arbitrates on entrenched details. The main issues addressed by this research are also defined. The Neural network approach as suggested by Liu et al. [41] leveraging mixed mode-dependent time-delays were also found interesting.

In a cloud environment, all users are considered legitimate. However, malicious users increase the amount of malicious traffic, which negatively affects security. Access control is provided using a searchable encryption scheme, which can be complicated to implement and may not be fully effective due to limited consideration for this attribute. Searchable encryption service providers (SESPs) preserve data and privacy during transmission to address this issue. While this method is effective, traditional blockchain technology may need to provide more confidentiality and scalability. In this work, SESP stores and provides user requests through encryption using the SHA algorithm, which is effective but can result in high latency due to its time consumption.

3.1. Research solutions

We have proposed an end-to-end security amplified framework to overcome the disputes. Initially, the users, developers, and resource owners are candidates authenticated by TCA using the Mcha-Poly 1305 algorithm based on their credentials. After that, the access control policies are effectively generated by EDDPG. Based on trust value evaluated by SMA, attribute, and role, the optimal user and developer are selected using AVOA, and access control is provided, thus minimizing high data sensitive leakage. Then, data privacy in transmission and rest is enhanced by performing encryption before transmission using the Mcha-Poly 1305 algorithm.

Moreover, based on the sensitive data, it is decided to store it in blockchain and cloud servers, improving the application's security. System and service unavailability are the foremost issues; we have proposed vulnerability management and revision to address this. In this process, we have identified and mitigated both application-based issues and attacks using IVS and Tweak-NB algorithms, respectively, in terms of considering several parameters.

4. Proposed work

In this research, we concentrate on amplifying the security of cloud-based applications by integrating DevOps. In addition, data engineering, DevOps, and machine learning are combined to ensure the automation of the DevOps cycle in the production environment. The slide window blockchain is employed to increase data privacy and immutability. Fig. 1 represents the architectural flow of the proposed Slide-Block framework. The proposed work consists of several entities, which are elaborated on below,

• •Users: Users in the physical layer (fundamental layer) are seeking cloud applications, performing data collection, and storing their data in a cloud server from several sensors. The users can access cloud applications from any location through laptops, mobile phones, computers, etc.
• •Developers & Resource Owners: Developers in the network were responsible for developing the cloud-based application. The resource owners are the ones who own the cloud-based applications.
• •Trust Certification Authority (TCA): Trust Certification Authority deployed in the physical layer is one of the blockchain nodes for accommodating authenticity to users by analysing their credentials and affording them with security keys.
• •Edge Server: The edge layer encompasses several servers accountable for collecting the network traffic. Furthermore, it continuously monitors the network for attack detection to strengthen the security and privacy of users, developers, and resource owners.
• •Cloud Server: Cloud layer composed of blockchain to upsurge network security and minimize computational burden by providing adequate access control. Moreover, it is responsible for accommodating servers for users.
• •Security Management Agent (SMA): A Security Management Agent is deployed in the network to amplify network security. This agent monitors and maintains the candidate records in the blockchain based on the historical data of the candidate and is constantly monitoring. Furthermore, it also evaluates trust value for individual users while affording access control and transmitting the application-based issues if they occur.

Fig. 1.

Overall architecture of proposed slide-block framework.

4.1. Pattern-based authentication

Initially, the users $\left(\epsilon \right)$, developers $\left(\gamma \right)$ and resource owners $\left(\delta \right)$ legitimacy are ensured through performing authentication. For that, the $\epsilon ,\gamma$ and $\delta$ are known as regitration candidates they are register by providing their credentials such as user name $\left(Ɲ\right)$, user Id $\left(\alpha \right)$, device Id $\left(\mathfrak{T}\right)$, role $\left(\mathfrak{r}\right)$, password $\left(Ƿ\right)$, mail Id $\left(Ɯ\right)$ and grid-based pattern selection $\left(Ơ\right)$ to the Trust Certification Authority (TCA) which sends the candidate credentials to blockchain to improve network security. This scheme consists of two stages, where the registration and authentication phase are detailed below as follows,

4.1.1. Registration phase

• •Step 1: At first, the $\epsilon$ is registered to TCA by providing their credentials $\left(Ɲ\right)$, $\left(\alpha \right)$, $\left(\mathfrak{T}\right)$, $\left(\mathfrak{r}\right)$, $\left(Ƿ\right)$, $\left(Ɯ\right)$, and $\left(Ơ\right)$ which can be formulated as,

$$\text{TCA}\leftarrow \text{Reg}\left\{\left(Ɲ\right),\left(\alpha \right),\left(\mathfrak{T}\right),\left(\mathfrak{r}\right),\left(Ƿ\right),\left(Ɯ\right),\left(Ơ\right)\right\}$$

where, $\text{Reg}\left\{\left(Ɲ\right),\left(\alpha \right),\left(\mathfrak{T}\right),\left(\mathfrak{r}\right),\left(Ƿ\right),\left(Ɯ\right),\left(Ơ\right)\right\}$ denotes the registration of $\epsilon$ with parameters $\left(Ɲ\right)$, $\left(\alpha \right)$, $\left(\mathfrak{T}\right)$, $\left(\mathfrak{r}\right)$, $\left(Ƿ\right)$, $\left(Ɯ\right)$, and $\left(Ơ\right)$ respectively.

• •Step 2: Once, the $\epsilon$ is registered in this stage, the TCA display the registration Compute Alphabets (CA) where that $\epsilon$ selects two Compute Alphabets (CA) which comprises of hide mathematical operations.

$$TCA\leftarrow dis\left(\text{CA}\right)$$

In that, the first alphabet denotes the addition, and the second alphabet defines subtraction that will only be acknowledgeable for registration $\epsilon$.

• •Step 3: Then the $\epsilon$ must select the computer integer (CI) among 0 to 5 where the CA and CI generates new password pattern each time.

$$\epsilon \left(sel\right)\to {CI}_{1\leftrightarrow 5}$$

where $sel$ defines the $\epsilon$ user selected CI within the range of 0–5 that is denoted as ${CI}_{1\leftrightarrow 5}$.

4.1.2. Authentication phase

• •Step 4: In the second stage, that is the authentication phase the registered $\epsilon$ must enter the $Ɲ$, $\alpha$ and $Ƿ$ that can be expressed as,

$$\epsilon \leftarrow Ent\left(Ɲ,\alpha ,Ƿ\right)$$

• •Step 5: After that, the authenticate pointer (AP) display single letter which is selected by the $\epsilon$ during registration phase and display two random numbers among 1–6.

$$\text{AP}\leftarrow \text{dis}\left({CA}_1,{CI}_{1\leftrightarrow 6}\right)$$

where ${CA}_1$ denotes the displayed single letter and ${CI}_{1\leftrightarrow 6}$ denotes the displayed random two numbers from range of $1\leftrightarrow 6$.

• •Step 6: Furthermore, the $\epsilon$ executes the mathematical operation which is hidden in the AP of CA displayed letter i.e., either addition or subtraction between the candidate selected CI and the digits displayed by TCA.
• •Step 7: Then the $\epsilon$ obtains two numbers by performing the mathematical operation. After that, the TCA displays the 7 × 11 grid where the candidate must draw the pattern through obtained numbers (i.e., the first number is considered as column and second number as row).
• •Step 8: During, this the behavioural features of the $\epsilon$ person such as finger velocity and stroke time features are also extracted for authenticating the person.

$$TCA\leftarrow ext\left({fin}_{vel},{str}_{time}\right)$$

where the parameters ${fin}_{vel}$ and ${str}_{time}$ refers to the finger velocity and stroke time features of $\epsilon$.

• •Step 9: Here, the password, $\epsilon$ selected CA and CI are encrypted by TCA, and it provides the security key to the legitimate $\epsilon$, then the encrypted data is stored in blockchain using MCha-Poly 1305 algorithm.

$$TCA\leftarrow sk\left[\left(Ɲ,\alpha ,Ƿ,CA,CI\right)\right]$$

where $sk$ represents security key affords to legitimate $\epsilon$.

Likewise, the registration and authentication are performed for both $\gamma$ and $\delta$. The employed MCha-Poly 1305 [detailed in section C] algorithm improves the resistance to cryptanalysis with low complexity. By performing this pattern-based authentication, the shield against shoulder surfing attack and smudge attacks are resisted by TCA where the AP is displayed while the candidate touches the screen and disappears while taking their finger from the screen enhancing security. Fig. 2 illustrates the workflow of pattern-based authentication using the MCha-Poly 1305 algorithm.

Fig. 2.

Workflow of pattern-based authentication.

4.2. Tri-level access control

After performing successful authentication, access control is implemented using the Enhanced Deep Deterministic Policy gradient (EDDPG) reinforcement algorithm where this algorithm effectively fabricates the access policies. Based on the actor-critic structure, the DDPG algorithm is developed with a dual deep neural network (DNN). To be more specific, critic network $\mathcal{Q}$ and policy network $\mu$. Here, the policy network act as an actor to map the composition of state-space to continuous action $\forall$, while the value network act as critic, that timely estimates the performance of policy function and provides feedback for enhancement. Target networks ${\mathcal{Q}}^{\prime }$ and ${\mu }^{\prime }$ are utilized for tracking the original network of $\mathcal{Q}$ and $\mu$, hence for mitigating the impact of incorrect estimation. The determination of DDPG action in certain timestamps $t$ contemplatedboth inherent policy and exploration, which is mathematically expressed as,

$${\mathfrak{A}}_t=\mu \left({\mathfrak{S}}_t|{\theta }^{\mu }\right)+\omega$$

where ${\mathfrak{S}}_t$ refers to the state space, ${\theta }^{\mu }$ is the parameter of $\mu$ and $\omega$ refers to the Gaussian noise that occurs only in training phase. Subsequently, the policy is evaluated in training phase; the ideologies of offline training are illuminated hereafter. Then, the policy estimation is executed by means of Bellman's principles as,

$${\mathcal{Q}}^{*}\left({\mathfrak{S}}_t,{\mathfrak{A}}_t\right)=\mathfrak{E}\left[\mathfrak{R}\left({\mathfrak{S}}_t,{\mathfrak{A}}_t\right)+{\rm Y}\mathit{arg}\underset{{\mathfrak{A}}_t}{\max }\left({\mathcal{Q}}^{*}\left({\mathfrak{S}}_{t+1},{\mathfrak{A}}_{t+1}\right)\right)\right]$$

where ${\mathcal{Q}}^{*}$ represents the function of optimal value, $\mathfrak{R}$ is the single-step reward and ${\rm Y}$ known as discount factor. From the equation, it is clears that the optimal estimation of current composition of $\mathfrak{S}$ and $\mathfrak{A}$ can be acquired repeatedly. It is anticipated that deep networks $\mathcal{Q}$ and ${\mathcal{Q}}^{\prime }$ might indefinitely repetition task precisely. To recognize it, the updating error of critic network $\mathcal{Q}$ can be estimated by.

$${\mathfrak{L}}_{\mathfrak{Z}}\left(t|{\theta }^{\mathfrak{Z}}\right)=\left[\left(\mathfrak{R}\left({\mathfrak{S}}_t,{\mathfrak{A}}_t\right)+{\rm Y}{\mathcal{Q}}^{\prime }\left({\mathfrak{S}}_{t+1},{\mathfrak{A}}_{t+1}|{\theta }^{{\mathfrak{Z}}^{\prime }}\right)-\mathcal{Q}\left({\mathfrak{S}}_t,{\mathfrak{A}}_t|{\theta }^{\mathfrak{Z}}\right)\right)\right]$$

$${\mathfrak{A}}_t={\mu }^{\prime }\left({\mathfrak{S}}_t|{\theta }^{{\mathfrak{Z}}^{\prime }}\right)$$

where the first two terms in (9) represents the anticipated $\mathcal{Q}$ value denoting to (10), and the last term represents the actual output of current critic network. By this way, the squared error is acquired, and the updating method of gradient-descent is performed for enhancing the ability of policy evaluation. An ideal critic network is anticipated to generate effective policy, henceforth that the actor network can modify its policies corresponding to abandon the action with worst $\mathcal{Q}$ value feedback. Thus, the performance of objective policy network can be represented as $\nexists$,

$$\nexists \left({\theta }_{\mu }\right)=\mathfrak{E}\left[-\mathcal{Q}\left({\mathfrak{S}}_t,\mu \left({\mathfrak{S}}_t\right)\right)\right]$$

where $\mathfrak{E}(\bullet )$ defines the expectation operator. Next, the policy network repeats updating autonomously towards the promoting direction of performance objective. Consequently, the updating error expressed as objective gradient regarding network $\mu$ can be expressed as,

$${\mathfrak{L}}_{\mu }\left(t|{\theta }^{\mu }\right)={\nabla }_{{\theta }_{\mu }}\nexists \left({\theta }^{\mu }\right)={\nabla }_{\mathfrak{A}}\mathcal{Q}\left({\mathfrak{S}}_i,\mu \left({\mathfrak{S}}_i\right)|{\theta }^{\mathcal{Q}}\right){\nabla }_{{\theta }_{\mu }}\mu \left({\mathfrak{S}}_t|{\theta }^{\mu }\right)$$

A strategy of soft updating is employed for target networks ${\mathcal{Q}}^{\prime }$ and ${\mu }^{\prime }$ can expressed as,

$${\theta }^{\mathcal{Q}}\leftarrow \tau {\theta }^{\mathcal{Q}}+\left(1-\tau \right){\theta }^{\mathcal{Q}}$$

$${\theta }^{\mu }\leftarrow \tau {\theta }^{\mu }+\left(1-\tau \right){\theta }^{\mu }$$

Here, the method of experience method is exploited for evade the back-forth correlations while training which enhance the stability and efficiency of learning. The probability of appraised experience $j$ can be defined as,

$${Pro}_j=D_j^{\partial }/\left({\sum }_k{D}_k^{\partial }\right)$$

$$D_j=\raisebox{1ex}{$1$}\!\left/ \!\raisebox{-1ex}{$rank\left(j\right)$}\right.$$

where ${\sum }_k(\bullet )$ is the total index of experience pool and $\partial$ denotes the hyperparameter to compute degree of priority which ranges from 0 to 1. Lower $\partial$ leads to uniform conventional sampling DDPG, $rank(\bullet )$ is the prominence degree of set experience that can be estimated by,

$$rank\left(j\right)=\sqrt{{\mathfrak{L}}_{\mathcal{Q}}\left(i\right)}$$

By exploiting the replay experience, those experiences initiating huge important variations to policy estimations will be allocated huge weights, and therefore, are mostly selected and replay in training process. Once, the policies are generated, the access policies are provided steps involved are articulated as follows. Initially, the legitimate user (users and developers) initiates the request to TCA for accessing the cloud based application. Here, the TCA is responsible for generating the access policies and providing the access control based on their attribute role and trust value using smart contract. Once the TCA received the request, it redirects the request to the security Management agent (SMA) where this agent monitoring and maintain the candidate records in the blockchain based on the historical data of the candidate, historical access behaviour and constant monitoring which can be represented as,

${Can}_{rec}\left(d,a,m\right)=\left\{{Can}_{{rec}_1},{Can}_{{rec}_2},\dots ,{Can}_{{rec}_n}\right\}$ Furthermore, it will calculate the trust value based on the information stored in blockchain which can be evaluated as,

$${Tru}_{can}^{\mathfrak{t}}=\sum _{{Can}_{rec}}\mathcal{P}\left({Can}_{{rec}_i}\right)\times \mathfrak{F}\left(d,a,{Can}_{{rec}_i}\right)$$

where $\mathfrak{t}$ is the current time period and $\mathfrak{F}\left(d,a,{Can}_{{rec}_i}\right)$ signifies the trust estimation of candidate records ${Can}_{{rec}_i}$, in which, $\mathcal{P}\left({Can}_{rec}\right)$ can be expressed as,

$$\mathcal{P}\left({Can}_{rec}\right)=\mathfrak{p}\left({Can}_{{rec}_i}\right)/{\sum }_{\mathfrak{p}}\left({Can}_{{rec}_j}\right)$$

where the equation defines the proportion of candidate records set ${Can}_{rec}$, and $\mathfrak{p}\left({Can}_{{rec}_i}\right)$ is decrease with time. Here, the $\mathcal{P}$ denotes the permission of an entity collection of degree and scope of candidate operations on resources which includes of writing, deleting, data reading etc. Then, the SMA sends the candidate's trust value and historical data to TCA. Based on the attribute, role and trust value of the candidate, the TCA assigns access control for the candidate through resource owner. The resource owner will sign the token to prove that the resource is issued by the owner. Fig. 3 demonstrates the tri-level access control based on EDDPG and AVOA. For providing access control optimally, the African Vulture Optimization Algorithm (AVOA) is employed which is illustrated below.

Fig. 3.

Tri-level access contract.

4.2.1. Preliminary stage

At first, the primary members are moulded, and then the appositeness of entire solution is determined. Here, there are two kinds of candidate solutions, individual group's optimal solution is determined. In our work, the TCA is act as a vulture which search for optimal candidate.

4.2.2. Starvation rate

For providing access control, vulture keeps searching for food (i.e., optimal candidate) which become violent while starvation that can be represented as,

$$\mathcal{t}=h\times \left({\mathit{sin}}^{\mathcal{w}}\left(\frac{\pi }{2}\times \frac{iter}{\max \_iter}\right)+\mathit{cos}\left(\frac{\pi }{2}\times \frac{iter}{\max \_iter}\right)-1\right)$$

$$Ϩ=\left(2{\gamma }_1+1\right)\times \vartheta \times \left(1-\frac{iter}{\max \_iter}\right)+\mathcal{t}$$

where $Ϩ$ defines the eagles satisfied status, the parameters $iter$ and $\max \_iter$ is the present and maximum iterations respectively, $\vartheta$ is the random number which ranges [-1,1], $h$ is random number which ranges [-2,2] and ${\gamma }_1$ is also an random number among 0 and 1. The eagle is predicted as starved, if the value of $\vartheta$ is minimal than 0, and the eagle is satisfied if the value gets increased. Here, the $\mathcal{w}$ is fixed number that represents the exploration and exploitation phase in AVOA.

4.2.3. Exploration phase

In this stage, the eagle scan diverse area arbitrarily that can be attained by two dissimilar strategies. In AVOA, ${\beta }_1$ is the parameter that is adopted to choose any one of those two strategies, the ${\beta }_1$ value is among 0 and 1, the strategy is chosen utilizing following equation,

$${\beta }_1\left(\mathcal{t}+1\right)=\{\begin{array}{c}\mathcal{Z}\left(i\right)-\mathfrak{|}\mathfrak{X}-\mathcal{Z}\left(i\right)-\beta \left(i\right)|\times {F\beta }_1\ge {\gamma }_{{\beta }_1}\\ \mathcal{Z}\left(i\right)-F+{\gamma }_2\times \left(\left({\mathfrak{u}}_{\mathfrak{b}}-{\mathfrak{l}}_{\mathfrak{b}}\right)\times {\gamma }_3+{\mathfrak{l}}_{\mathfrak{b}}\right){\beta }_1<{\gamma }_{{\beta }_1}\end{array}$$

where $\mathcal{Z}\left(i\right)$ designates one of the finest eagles, $\mathfrak{X}$ is the distance that the eagle moves to shield food from others ${\gamma }_2$ and ${\gamma }_3$ which is an random number [0,1], $F$ is the fitness value and the parameters ${\mathfrak{u}}_{\mathfrak{b}}$ and ${\mathfrak{l}}_{\mathfrak{b}}$ designates the upper and lower bounds in search space respectively.

4.2.4. Exploitation stage

In this stage, the eagle has adequate energy for searching the food. At such times, the vulture with extreme physical strengthens and it generates rotational flight to typical spiral motion. The exploitation is the first stage which can be formulated as follows,

$${\beta }_i\left(\mathcal{t}+1\right)=\{\begin{array}{c}\left|\mathfrak{X}-\mathcal{Z}\left(i\right)-\beta \left(i\right)\right|\left(F+{\gamma }_4\right)-\left(\mathcal{Z}\left(i\right)-\beta \left(i\right)\right){\beta }_2\ge {\gamma }_{{\beta }_2}\\ \mathcal{Z}\left(i\right)-\mathcal{Z}\left(i\right)\times \left(\frac{\beta \left(i\right)}{2\pi }\right)\left({\gamma }_5\times \cos \left(\beta \left(i\right)\right)+{\gamma }_6\times \sin \left(\beta \left(i\right)\right)\right){\beta }_2<{\gamma }_{{\beta }_2}\end{array}$$

where ${\gamma }_4\text{,}$ ${\gamma }_5$ and ${\gamma }_6$ denotes the random numbers [0,1]. In second stage, the movements of eagle fascinate various vultures. The second stage of exploitation phase is mathematically formulated as,

$${\beta }_i\left(\mathcal{t}+1\right)=\{\begin{array}{c}0.5\left(Bes{t}_{Eagle}-\left(\frac{Bes{t}_{Eagle}\left(i\right)\times \beta \left(i\right)}{Bes{t}_{Eagle}\left(i\right)\times \beta {\left(i\right)}^2}\right)\times F\right)\\ \mathcal{Z}\left(i\right)-|\mathcal{Z}\left(i\right)-\beta \left(i\right)|\times F\times Levy\left(\mathcal{Z}\left(i\right)-\beta \left(i\right)\right){\beta }_3<{\gamma }_{{\beta }_3}\end{array}$$

where $Levy$ denotes the function of levy flight. After performing, the AVOV for optimal candidate selection, if the candidate is not suitable for certain access or with low trust value, then the TCA terminates the request and send the notification to the specific candidate. Here, the permission level that is the degree of operations on resource is imitated with three levels as Operator (developer), subscribed and unsubscribed. Those permission levels are determined as,

• •Operator: The developer who developed the program coding and implementation-data reading, program reading and changing, program-only reading, the program only deleting.
• •Subscribed user (authorized users): Access the application with certain limits.
• •Unsubscribed users: The candidate who is login as guest-here, the demo or basic instructions for those specific applications can be only viewed by those users with the limited time using Just-in-time (JIT) mechanism. Once the time is completed, the robust warning notification will be displayed, and their demo session will be concluded.

The access control policies are encrypted and stored in the blockchain for tamper-proof. By this, way the access control policies enhance security thereby reducing highly sensitive information linkage.

4.3. Privacy attentive data storage

After accommodating the access control, privacy-attentive data storage and communication is executed for evading sensitive data leakage. Here, the two types of the data are encrypted and stored in blockchain. The data in transmission $\left({trans}_{data}\right)$ and the data in rest $\left({rest}_{data}\right)$ are the two categories. Initially, the ${trans}_{data}$ that is the data transmitted between the cloud, developers, users, and resource owners are encrypted. Then, the ${rest}_{data}$, which is whenever the candidate must store their data in cloud, the query is raised to whether the data $\left({Ϣ}_{data}\right)$ is sensitive or non-sensitive. The sensitive data are password, hard code passwords, rules and regulations, organizational policies and access control policies and are stored in the blockchain respectively. Moreover, the sensitive and non-sensitive data are evaluated based on certain threshold which can be determined as follows,

$${rest}_{data}=\{\begin{array}{c}if0>{Ϣ}_{data}\le 0.5non-sensitive\\ if0.5>{Ϣ}_{data}\le 1sensitive\end{array}$$

If the ${rest}_{data}$ is sensitive then the ${rest}_{data}$ is encrypted and stored in blockchain which can be illustrated as,

$$Enc\left({rest}_{data}\right)\to {Љ}_{Ϲ}$$

where ${Љ}_{Ϲ}$ denotes the blockchain. If the If the ${rest}_{data}$ is non-sensitive it is encrypted and stored in cloud server which can be exemplified as,

$$Enc\left({rest}_{data}\right)\to {cloud}_{server}$$

For that encryption purpose, we have adapted the Magnificent Chacha algorithm where this algorithm encrypts the data effectively thereby incorporating poly 1305 algorithm. Henceforth, the proposed algorithm is known as Magnificent Chacha-poly 1305 algorithm (MCha-Poly 1305) which is employed for its randomization characteristics and rotation technique to secure the data that execute on low duty cycle meanwhile poly 1305 is employed for its confidentiality and integrity. Both the algorithms are tangled to effectively encrypt the data. MCha-Poly 1305 considers input ${Ϣ}_{data}$, nonce of 12-byte $\left(Ցռ\right)$ which is depicted as,

$${rest}_{data}:{\left\{0,1\right\}}^{256}\to {\left\{0,1\right\}}^{*}\times {\left\{0,1\right\}}^{128}$$

where, $Ցռ\to {\left\{0,1\right\}}^{256}$ and ${Ϣ}_{data}\to {\left\{0,1\right\}}^{128}$ which are tuple of $\left(Ցռ,{Ϣ}_{data}\right)$ 256-bit. The tuple is accommodating as an input to MCha-Poly 1305 for computing the $Enc\left({{rest}_{{data}_i}}^{\prime }\right)$. With 256-bit tuple, the MCha-Poly 1305 executes randomized zig-zag rounds $\left(i.e.\ge 10\right)$ that can be mathematically formulated as,

$${{rest}_{{data}_i}}^{\prime }=\left\{\text{MCha}-Q^{fun}\left(\mathfrak{y}0,\mathfrak{y}4,\mathfrak{y}12,\mathfrak{y}7\right),\text{MCha}-Q^{fun}\left(\mathfrak{y}9,\mathfrak{y}1,\mathfrak{y}10,\mathfrak{y}2\right),\text{MCha}-Q^{fun}\left(\mathfrak{y}6,\mathfrak{y}13,\mathfrak{y}5,\mathfrak{y}3\right),\dots ,\text{MCha}-Q^{fun}\left(\mathfrak{y}8,\mathfrak{y}12,\mathfrak{y}11,\mathfrak{y}15\right)\right\}$$

From the equation, $\text{MCha}$ is the Magnificent Chacha algorithm and $Q^{fun}$ is denoted as quartier function that implements randomized zig-zag approaches to update the input for individual rounds. By performing the update of randomized zig-zag approaches, security is strengthened where the attackers faces high complexity to tamper the data. Generated ${{rest}_{{data}_i}}^{\prime }$ is accommodate as input to ploy 1305 for acquiring the ${Љ}_{Ϲ}$. The poly 1305 is computing ${Љ}_{Ϲ}$ based on ${sk}_i^{\prime }$ and the polynomial co-efficient $\left({\mathfrak{y}}_i\right)1\le i\le \mathbb{n}$ at $\bar{\mathcal{g}}$ that can be expressed as,

$${Љ}_{Ϲ}=\left({\sum }_{i=1}^{\mathbb{n}}{\mathfrak{y}}_i{\bar{\mathcal{g}}}^{\mathbb{n}-i+1}\mathit{mod}{2}^{130}-5\right)+{sk}_i^{\prime }\mathit{mod}{2}^{128}$$

By this way of encryption, data privacy is enhanced thereby reducing sensitive data leakage. Furthermore, the cloud-based application is secured, and the attackers can't tamper the policies and candidate's information.

4.4. Vulnerability management and emendation

Once, the data is securely stored and data transmission is encrypted successfully, vulnerability management and emendation are performed. In DevOps, continuous integration, continuous delivery, and continuous monitoring are the vital processes to enhance the QoS and security for cloud based application integrated DevOps. To improve the security, continuous monitoring is established. In this process, both the application-based issues and attack is detected and rectified. Here, the application-based issues such as bugs, application issues, network settings, data errors are detected using IP configuration, user privileges, security protocols, file system infrastructure and patch levels through the Intruder Vulnerability Scanner (IVS) constantly. Furthermore, the packet features and behavioural features are continuously collected from the gateway and monitored for detecting the attackers using Tweak Naive Bayes (Tweak-NB) Algorithm where this algorithm significantly analyses the packet features and detect the attackers accurately.

Here, the linear relationships among the attributes are eradicated by an orthogonal matrix to minimize their relations thereby enhancing the algorithm performance. Assume ${\mathfrak{M}}_c=\left\{{\mathcal{v}}_1,{\mathcal{v}}_2,\dots ,{\mathcal{v}}_m\right\}$ defines the set of entire samples associate to class $c$ in network traffic $\mathfrak{M}$, the samples ${\mathcal{v}}_t=\left\{{\mathcal{v}}_{t1},{\mathcal{v}}_{t2},\dots ,{\mathcal{v}}_{tn}\right\}$ in ${\mathfrak{M}}_c$ is n-dimensional vector. The covariance matrix is determined as,

$${Matx}_c=\frac{1}{m}{\sum }_{k=1}^m\left({\mathcal{v}}_t-Փ\right)-{\left({\mathcal{v}}_t-Փ\right)}^{\mathcal{T}}$$

$$Փ={\left({Փ}_1,{Փ}_2,\dots ,{Փ}_n\right)}^{\mathcal{T}}$$

$${Փ}_{\mathcal{l}}=\frac{{\mathcal{v}}_{1\mathcal{l}}+{\mathcal{v}}_{2\mathcal{l}}+\dots +{\mathcal{v}}_{m\mathcal{l}}}{m},\mathcal{l}=1,2,\dots ,n$$

where ${Փ}_{\mathcal{l}}$ is denoted as the mean in $\mathcal{l}$ th attribute value in individual class, $m$ is the number of samples presented in ${\mathfrak{M}}_c$ and ${Matx}_c$ is denoted as covariance matrix. ${Matx}_c$ is an $n\times n$ matrix, assume eigenvalues in ${Matx}_c$ be ${կ}_1,{կ}_2,\dots ,{կ}_n.,$ and the eigenvectors as ${ջ}_1,{ջ}_2,\dots ,{ջ}_n$. Each eigenvectors is combined by equation (36) to acquire the basis of standard orthogonal and to fabricate the orthogonal matrix ${\mathcal{O}}_c$.

$${\mathcal{O}}_c=\left({ֆ}_1,{ֆ}_2,\dots ,{ֆ}_n\right)$$

From that, ${ֆ}_i=\frac{1}{\left|{ջ}_i\right|}{ջ}_i,i=1,2,\dots ,n$, where ${ֆ}_i=1,2,\dots ,n$ is the combined eigenvector. Following covariance, matrix ${Matx}_c$ is harmoniously diagonalized through orthogonal matrix ${\mathcal{O}}_c$, entire elements are excepting the diagonal are 0's. Specifically, the linear relationships among the attributes are eradicated, which is nearer to the conditional independence assumption of naïve bayes (NB). The $m$ samples in ${\mathfrak{M}}_c$ are transmuted by ${\mathcal{O}}_c\text{,}$ then the mean and variance of individual attribute are evaluated. After executing the abovementioned transformation, the mean is 0 and variances modifies from ${\sigma }_{c,i}$ to ${\sigma }_{c,i}^{\prime }$. By means of this basis, the weight of attribute ${Ծ}_{c,i}$ is enabled to optimize NB, and Tweak-NB is formulated as,

$${Պ}_{inb}\left(\mathcal{v}\right)={\mathit{argmax}}_{c\in \mathcal{C}}\hat{\mathcal{O}}\left(c\right){\prod }_{i=1}^n{Ծ}_{c,i}\hat{\mathcal{O}}\left({\mathfrak{y}}_i|c\right)$$

where $\mathfrak{y}={\mathcal{O}}_c^{\mathcal{T}}\left(\mathcal{v}-{Փ}_{c,i}\right),i=1,2,\dots ,n$ is denoted as the new sample acquired by transformation of ${\mathcal{O}}_c$ of sample $\mathcal{v}$.

$$\mathfrak{y}=\left({\mathfrak{y}}_1,{\mathfrak{y}}_2,\dots ,{\mathfrak{y}}_n\right)$$

$$\hat{\mathcal{O}}\left({\mathfrak{y}}_i|c\right)=\frac{1}{\sqrt{2\pi }{\sigma }_{c,i}^{\prime }}\mathit{exp}\left(-\frac{{\mathfrak{y}}_1^2}{{\sigma }_{c,i}^{\prime 2}}\right)$$

$${Ծ}_{c,i}={\left[1+\mathit{exp}\left(-0.3\times \frac{{\prod }_{c^{\prime }\in C}\mathcal{q}\left({Փ}_{c,i},{Փ}_{c^{\prime },i}\right)}{{\sigma }_{c,i}}\right)\right]}^{-1}$$

$$\mathcal{q}\left({Փ}_{c,i},{Փ}_{c^{\prime },i}\right)=\{\begin{array}{c}\left|{Փ}_{c,i}-{Փ}_{c^{\prime },i}\right|,{\mathfrak{M}}_c=normal;\\ 1,{\mathfrak{M}}_c=attack\end{array}$$

Here, the parameters $c$ and $c^{\prime }$ are denoted as class labels, ${Փ}_{c,i}$ and ${Փ}_{c^{\prime },i}$ are represented as the means in $i$ th attribute value in classes $c$ and $c^{\prime }$. Furthermore, the ${\sigma }_{c,i}$ is the variance in $i$ th attribute value in classes $c$ and $c^{\prime }$ respectively. Among these, the attribute variance ${\sigma }_{c,i}$ can illustrates as network traffic concentration, imitating the classification pre-eminence of attributes under the class when minimizing the noise interference. The product of absolute value in mean difference among different classes of same attribute, specifically, $\mathcal{q}\left({Փ}_{c,i},{Փ}_{c^{\prime },i}\right)$, enhances the classification performance. Once the application-based issues are detected, the SMA agent notifies to specific developer to amend the issues and it will block the attackers. Furthermore, feedback from the users, and developers are collected to enhance the continuous delivery. By executing this, both the system and service unavailability and the security are amplified.

5. Experimental results

In this section, we have illustrated experimental result of the proposed Slide-Block framework using artificial intelligence (AI) approach and blockchain technologies. This experimental research enfolds of three categories including implementation setup, comparison analysis and research summary. The result section describes that the proposed work attains betterment performance with compared to existing models.

5.1. Implementation setup

In implementation setup, the experimental setup of proposed Slide-Block framework is demonstrated. The server utilized for proposed Slide-Block framework is Wamp server 2.0 and MySQL 5.1.36 as backend. Furthermore, we utilize OS windows 10 and the programming language of Java is adopted with development tool kit of JDK 1.8. We proposed conducted our work on Integrated Development Kit (IDE) by means of NetBeans 8.2. The above Software/Hardware requirements are installed in PC with Central Processing Unit (CPU) of Intel (R) Core (TM) i5-4590S CPU @ 3.00 GHz 3.00 GHz for the proposed Slide-Block framework.

5.2. Comparative analysis

In this section, several metrics are considered from proposed Slide-Block framework is compared with existing methods. Here, the following are the various performance metrics which we have evaluated such as detection rate, authentication time, packet loss rate, security strengthen, latency and communication overhead. The proposed Slide-Block framework is compared with several existing works such as Darknet [36], HOD-Net [38] and SPEM [39] to prove its efficacy of proposed work.

5.2.1. Result of detection rate

Detection rate $\left({Dec}_{rate}\right)$ is the metric which utilized to evaluate the rate of attack detection in network. Generally, this is characterized as number of detected attacks in ratio to the number of candidates increasing that can be described as,

$${Dec}_{rate}=\frac{{dec}_{att}}{\aleph }$$

where, ${dec}_{att}$ designates the detected attacks and $\aleph$ designates the increasing candidates. Fig. 4 the graphical plot shows the comparison of proposed work and existing models in terms of detection rate with respect to number of candidates. Among that, it is clearly shown that the proposed work have achieved higher detection rate then the Darknet, HOD-Net and SPEM existing works. The main reason for achieving such high detection rate is due to executing vulnerability management and emendation process. In this, we have focused on both application-based issues and attacks detection through continuous monitoring. Data errors, application issues, bugs and network settings are some of the application-based issues which are detected using IVS based on user privileges, patch levels, file system infrastructure etc. Furthermore, the packet and behavioural features are considered for detecting the attacks using Tweak NB algorithm which provides effective and accurately results thus aids to increases in high detection rate. Meanwhile, in existing works lack of considering application side-based issues and manually monitoring leads to ineffective. Besides, while attack detection the adequate features are considered which are leads to low detection rate.

Fig. 4.

# of Candidates vs Detection Rate.

The numerical result shows that the ${Dec}_{rate}$ of the proposed work is increased to 97% when the number of candidates increased to 100. In contrast, for the same number of candidates, the ${Dec}_{rate}$ of the existing works Darknet, HOD-Net and SPEM achieves 86%, 78% and 70.3% of ${Dec}_{rate}$ respectively. Overall, the ${Dec}_{rate}$ of the proposed Slide-Block framework increases about 11%–27.3% than the existing works.

5.2.2. Result of authentication time

Authentication time $\left({Au}_{time}\right)$ is the vital metric utilized to estimate the amount of time occupied for implementing authentication of users, developers, and resource owners. ${Au}_{time}$ is illustrated as the difference among the amount of time occupied for accommodating access to the individual request of the equivalent user to total amount of time. ${Au}_{time}$ can be mathematically expressed as,

$${Au}_{time}={բ}_{time}-{Ծ}_{time}$$

where, ${բ}_{time}$ indicates the time occupied to access the request and ${Ծ}_{time}$ is the total amount of time. Fig. 5 the graphical plot displays the comparison of proposed work and existing models in terms of authentication time with respect to number of candidates. From that, it is clearly exposed that the proposed work has attained minimal authentication time then the Darknet, HOD-Net and SPEM existing works. The main reason for attaining such minimal authentication time is due to proposing of pattern-based authentication. In the proposed Slide-Block framework, pattern-based authentication is performed for users, developers, and resource owners by contemplating several credentials, which is implemented by TCA using MCha-poly 1305 algorithm. Once, the authentication is completed the credentials are stored in slide window blockchain. Authentication with minimal time consumption is achieved by executing sliding window blockchain which occupies minimal amount of time to execute authentication while compared with other existing approaches. Whereas, in existing works the authentication is only performed for users with insufficient credentials and traditional blockchain which are tends to increase the authentication time.

Fig. 5.

# of Candidates vs Authentication Time.

The numerical result shows that the ${Au}_{time}$ of the proposed work is minimized to 550 ms when the number of candidates increased to 100. Meanwhile, for the same number of candidates, the ${Au}_{time}$ of the existing works Darknet, HOD-Net and SPEM reaches 820 ms, 880 ms and 920 ms of ${Au}_{time}$ respectively. Overall, the ${Au}_{time}$ of the proposed Slide-Block framework minimized about 270 ms–370 ms than the other existing works.

5.2.3. Result of packet loss rate

Packet loss rate $\left({Pac}_r^{los}\right)$ is the number of packets plunge tersely against the total number of packets while transmitted that can be formulated as,

$${Pac}_r^{los}=\frac{{Avg}_r^{pac}}{{Tol}^{pac}}$$

where ${Avg}_r^{pac}$ represents the average number of packet loss while transmission from total packets and ${Tol}^{pac}$ is the transmitted packets. Fig. 6 the graphical plot indicates the comparison of proposed work and existing models in terms of packet loss rate with respect to number of candidates. From that, it is clearly visible that the proposed work has reached a lower packet loss rate then the Darknet, HOD-Net and SPEM existing works. The main reason for reaching such lower packet loss rate is due to proposing of tri-level access control and privacy attentive data storage. In our work, at first the access control policies are effectively generated using EDDPG. Once, the request initiated by the candidates to TCA, which is responsible for providing access based on attribute role and trust value by utilizing smart contract Here, the TCA redirects those candidate request to SMA, it will evaluate the trust value through constant monitoring as well as historical candidate data. Evaluated trust values are transmitted to TCA, then optimal candidates are selected by AVOA and then the access control are provided in three level permission levels as operator, subscribed users and unsubscribed users that improves the data privacy level thereby minimizing packet loss rate. Besides, in privacy attentive data storage, both data in transmission and rest are encrypted using Mcha-Poly 1305 algorithm where the packet loss rate is minimized. Meanwhile in existing works, the data communication is performed without any privacy concern that leads to high data leakage. Moreover, the sensitive are stored in clouds server without encryption which are tends to high data leakage thereby increasing high packet loss rate.

Fig. 6.

# of Candidates vs Packet Loss Rate.

The numerical result shows that the ${Pac}_r^{los}$ of the proposed work is reduced to 53.5% when the number of candidates increased to 100. Meanwhile, for the same number of candidates, the ${Pac}_r^{los}$ of the existing works Darknet, HOD-Net and SPEM increased as 75%, 80% and 85% of ${Pac}_r^{los}$ respectively. Overall, the ${Pac}_r^{los}$ of the proposed Slide-Block framework reduced about 21.5%–31.5% than the other existing works.

5.2.4. Result of security strengthen

Security strengthens $\left({\mathit{Sec}}^{str}\right)$ is the vital metric utilized to estimate the security level of the cloud-based applications during authentication, access control, data storage and vulnerability analysis. High security strengthen enriches the resistance of cloud-based applications against several vulnerabilities. ${\mathit{Sec}}^{str}$ is denoted as (%).

Fig. 7the graphical plot specifies the comparison of proposed work and existing models in terms of security strengthen with respect to number of candidates. From that, it is clearly observable that the proposed work has achieved maximum rate of security strengthen then the Darknet, HOD-Net and SPEM existing works. The main reason for achieving such maximum security strengthens is due to proposing of authentication and vulnerability analysis. In our work, pattern-based authentication is performed for users, developers, and resource owners by contemplating several credentials, which is implemented by TCA using MCha-poly 1305 algorithm. Once, the authentication is completed the credentials are stored in slide window blockchain and further, the data are encrypted and stored in blockchain as well as data is encrypted before transmission thus improves data privacy. Furthermore, the packet and behavioural features are taken into an account for detecting the attacks using Tweak NB algorithm which are increases the security. However, in existing works, the insufficient metrics and ineffective authentication, as well as lack of authenticating the resource owner leads and developers leads to improper security management. In addition to that, while attack detection the adequate features are considered which reduces the security strengthen.

Fig. 7.

# of Candidates vs Security Strengthen.

The numerical result shows that the ${\mathit{Sec}}^{str}$ of the proposed work is increased to 98% when the number of candidates increased to 100. In contrast, for the same number of candidates, the ${\mathit{Sec}}^{str}$ of the existing works Darknet, HOD-Net and SPEM reduced as 87%, 80% and 74% of ${\mathit{Sec}}^{str}$ respectively. Overall, the ${\mathit{Sec}}^{str}$ of the proposed Slide-Block framework increased about 11%–24% than the other existing works.

5.2.5. Result of communication overhead

Communication overhead $\left({Com}_{ϙ}\right)$ is describes as the ratio of overhead packets when transmission to receiver which can mathematically expressed as,

$${Com}_{ϙ}=\frac{{pac}_{ϙ}}{{pac}_{trans}}$$

where ${pac}_{ϙ}$ is denoted as the overhead packets occurs while transmission and ${pac}_{trans}$ is the transmitted packets. Fig. 8 the graphical plot symbolizes the comparison of proposed work and existing models in terms of communication overhead with respect to number of candidates. From that, it is clearly visible that the proposed work has achieved a slightest latency then the Darknet, HOD-Net and SPEM existing works. The main reason for achieving such slightest latency is due to performing of pattern-based authentication. In this, the legitimacy of candidate is ensured by TCA using MCha-poly 1305 algorithm based on their credentials. Furthermore, the vulnerability analysis is performed by Tweak NB algorithm by considered several constraints which are tends to minimize the malicious traffic in network thus reduce communication overhead. Whereas, in existing works the authentication is only performed for users and ineffective vulnerability analysis is performed which are leads to increases in high communication overhead.

Fig. 8.

# of Candidates vs Communication Overhead.

The numerical result shows that the ${Com}_{ϙ}$ of the proposed work is minimized to 0.54 ms when the number of candidates increased to one hundred. In contrast, for the same number of candidates, the ${Com}_{ϙ}$ of the existing works Darknet, HOD-Net and SPEM increased as 0.78 ms, 0.8 ms and 0.84 ms of ${Com}_{ϙ}$ respectively. Overall, the ${Com}_{ϙ}$ of the proposed Slide-Block framework minimized about 0.24ms–0.3 ms than the other existing works.

5.2.6. Result of latency

Latency $\left({lat}_{ƛ}\right)$ is utilized to evaluate the amount of time occupied for performing data encryption, authentication, access control and vulnerability analysis. ${lat}_{ƛ}$ is defined as the difference between the amount of time taken for performing specific task from the above-mentioned tasks to the total amount of time. ${lat}_{ƛ}$ can be expressed as,

$${lat}_{ƛ}={time}_{tak}-{Ծ}_{time}$$

where ${time}_{tak}$ refers to the time taken for performing the task. Fig. 9 the graphical plot represents the comparison of proposed work and existing models in terms of latency with respect to number of candidates. From that, it is clearly noticeable that the proposed work has attained minimal latency then the Darknet, HOD-Net and SPEM existing works. The main reason for achieving such minimal latency is due to adopting appropriate algorithms and techniques in individual process. Initially, the authentication with minimal time consumption is achieved by executing sliding window blockchain which occupies minimal amount of time to execute authentication. Then, the access control policies are generated by EDDPG, and the tri-level access control is provided by TCA based on attribute and trust level estimated by SMA. Furthermore, the data in transmission rest are encrypted using MCha-Poly 1305 where this algorithm encrypts the data effectively thereby minimizing the number of rounds. In vulnerability analysis, the Tweak NB algorithm is employed for attack detection which removes linear relationship that are tends to minimize high latency. However, in existing works utilization of ineffective algorithms and techniques leads to high latency.

Fig. 9.

# of Candidates vs Latency.

The numerical result shows that the ${lat}_{ƛ}$ of the proposed work is reduced to 4700 ms when the number of candidates increased to 100. In contrast, for the same number of candidates, the ${lat}_{ƛ}$ of the existing works Darknet, HOD-Net and SPEM increased as 7800 ms, 8400 ms and 9000 ms of ${lat}_{ƛ}$ respectively. Overall, the ${lat}_{ƛ}$ of the proposed Slide-Block framework reduced about 3100 ms–4300 ms than the other existing works.

5.3. Research summary

In this section, we summarize the experimental results that demonstrate the superior performance of the proposed Slide-Block framework compared to existing approaches. We evaluate the performance of our work in terms of several metrics, including detection rate, authentication time, packet loss, security strength, communication overhead, and latency, presented in Fig. 4, Fig. 5, Fig. 6, Fig. 7, Fig. 8, Fig. 9. Additionally, Table 4 provides a numerical analysis of the performance metrics for proposed and existing works. Finally, we list the research highlights as follows.

• •For enhancing application and network security, pattern-based authentication is performed for all candidates and the passwords are encrypted using the MCha-poly 1305 encryption algorithm. This algorithm executes effectively, which permits only legitimate candidates to access the service.
• •For efficient authorization, the Tri-level access control policies are fabricated using an enhanced deep deterministic policy gradient algorithm (EDDPG) and provided to the candidate who meets the control policy. The African vulture optimization algorithm is adapted to provide optimal access policies.
• •To ensure communication and transaction certainty, the privacy-attentive data storage mechanism is executed, encrypting the data using the MCha-poly 1305 encryption algorithm that minimizes highly sensitive data leakage.
• •For amplifying system and service availability, continuous monitoring is established where the intruder vulnerability scanner detects the Tweak NB algorithm detects both the application-based issues and the attack.

Table 4.

Performance analysis of proposed & existing works.

Performance metrics (%)	SPEM	HOD-Net	Darknet	Slide-Block
Detection Rate (%)	$\simeq$37.86	$\simeq$45.4	$\simeq$52.6	$\simeq$66.4
Authentication Time (ms)	$\simeq$640	$\simeq$582	$\simeq$522	$\simeq$348
Packet Loss (%)	$\simeq$62.2	$\simeq$55.2	$\simeq$49	$\simeq$35.5
Security Strengthen (%)	$\simeq$43.2	$\simeq$47	$\simeq$53.2	$\simeq$65.2
Communication Overhead (ms)	$\simeq$0.644	$\simeq$0.598	$\simeq$0.54	$\simeq$0.34
Latency (ms)	$\simeq$5860	$\simeq$5180	$\simeq$4500	$\simeq$3200

6. Conclusion

Improper security management, enormous sensitive data leakage and system and service unavailability are the primary concerns in DevOps-based cloud applications, which are addressed and resolved by our proposed work. For that, initially, the users, developers and resource owners are candidates authenticated based on their credentials by TCA using the Mcha-Poly 1305 algorithm. After that, the access control policies are effectively engendered by EDDPG. Based on trust value evaluated by SMA, attribute and role, the optimal user and developer are selected using AVOA and access control is provided, thus minimizing high data sensitive leakage. Then, data privacy in transmission and rest is enhanced by performing encryption before transmission using the Mcha-Poly 1305 algorithm.

Furthermore, based on the sensitivity, it is decided that the data will be stored in blockchain and cloud servers, improving the application's security. System and service unavailability are the foremost issues; we have proposed vulnerability management and emendation to address this. In this process, we have identified and mitigated both application-based issues and attacks using IVS and Tweak-NB algorithms, respectively, in terms of considering several parameters. The proposed work is implemented by Java/JDK 1.8 to prove this efficacy in several performance metrics such as detection rate, authentication time, packet loss, security strength, communication overhead and latency, where our proposed Slide-Block achieves better performance.

Data availability statement

The data used in this research will be made available on request.

Ethics statement

Informed consent was not required for this study because no specific information from humans is used.

CRediT authorship contribution statement

Gopalakrishnan Sriraman: Writing – review & editing, Writing – original draft, Software, Methodology, Data curation, Conceptualization. Shriram R: Validation, Supervision, Project administration.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.