CLOUDBURST: Cloud-Layer Observations Using Beacons for Unified Real-time Surveillance and Threat Attribution

1 Pith paper cites this work. Polarity classification is still indexing.

abstract

Modern cloud-native environments present a fundamentally different exfiltration threat surface than traditional file-based scenarios. Attackers targeting AWS, GCP, Azure, and OCI steal S3 presigned URLs, container images, Kubernetes secrets, Terraform state modules, and IAM role tokens -- artefacts that existing honeytoken and beacon frameworks do not address. We present CLOUDBURST, the first formal taxonomy and measurement framework for cloud-native passive beacons, comprising six vector classes across four major cloud providers. We introduce the Cloud Attribution Score (CAS), a four-component metric that explicitly models ephemeral infrastructure penalty ($E_p$), IAM coverage depth ($I_c$), and multi-cloud correlation bonus ($M_b$) -- dimensions absent from all prior attribution quality metrics. Experiments across $21$ deployed beacons, $205$ simulated callbacks, and three attacker sophistication levels yield four principal findings. First, IAM Canary Roles achieve the highest CAS (mean $0.450$) and Detection Resistance (DR $= 0.873$), making them the most deployable vector. Second, S3 Presigned URLs achieve the highest detection resistance (DR $= 0.890$), surviving all three cloud-native scanner models (AWS Macie, Checkov/tfsec, Prisma Cloud/Wiz). Third, ephemeral infrastructure churn degrades CAS from $\approx 0.79$ at deployment to $\approx 0.18$--$0.22$ at $48$ hours for all vectors ($p < 0.001$), establishing the first quantitative model of attribution decay in containerised environments. Fourth, Serverless Function Triggers exhibit the worst detection resistance (DR $= 0.611$) due to their explicit outbound HTTP callback pattern, motivating covert callback channel design as future work. No significant CAS difference is observed across cloud providers ($H = 1.99$, $p = 0.57$), confirming that CLOUDBURST is provider-agnostic in its effectiveness.

citing papers explorer

Showing 1 of 1 citing paper.

  • Subtle Injection for Ground-truth Inference of LLM Training Data cs.CR · 2026-05-18 · unverdicted · none · ref 18 · internal anchor

    SIGIL introduces five canary strategies and a Neyman-Pearson-based Membership Inference Score that achieves AUC 0.831-0.947 in 36,000 simulations, remaining above 0.86 even after full paraphrasing.