pith. machine review for the scientific record.

arxiv: 2605.12976 · v1 · submitted 2026-05-13 · 💻 cs.CR

Recognition: unknown

CLOUDBURST: Cloud-Layer Observations Using Beacons for Unified Real-time Surveillance and Threat Attribution

Authors on Pith: no claims yet

Pith reviewed 2026-05-14 18:28 UTC · model grok-4.3

classification 💻 cs.CR
keywords cloud security · beacons · threat attribution · IAM Canary Roles · S3 Presigned URLs · detection resistance · Cloud Attribution Score · cloud exfiltration

The pith

IAM Canary Roles achieve the highest Cloud Attribution Score for surveillance and threat attribution in cloud environments.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents CLOUDBURST, a formal taxonomy and measurement framework for cloud-native passive beacons covering six vector classes across four major cloud providers. It introduces the Cloud Attribution Score (CAS) to evaluate beacon quality by factoring in ephemeral infrastructure changes, IAM coverage, and multi-cloud benefits. Through experiments with 21 beacons and 205 simulated callbacks, the work demonstrates that IAM Canary Roles offer the best overall performance with a mean CAS of 0.450 and high detection resistance, while S3 Presigned URLs excel in avoiding detection. This addresses the gap in handling modern cloud exfiltration threats like stolen credentials and tokens that traditional honeytokens ignore.

Core claim

CLOUDBURST establishes a provider-agnostic way to classify and score passive beacons in cloud settings using the CAS metric. Principal results: IAM Canary Roles are the most deployable vector (CAS 0.450, DR 0.873); S3 Presigned URLs achieve the strongest detection resistance (DR 0.890); infrastructure churn drives rapid CAS decay to 0.18–0.22 within 48 hours; and serverless triggers are the weakest vector (DR 0.611).

What carries the argument

The Cloud Attribution Score (CAS), a four-component metric modeling ephemeral infrastructure penalty, IAM coverage depth, and multi-cloud correlation bonus to assess beacon effectiveness for attribution.
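The exact functional form of the CAS is not reproduced on this page. As an illustrative sketch only, assuming a simple weighted linear combination of the four components (the weights, field names, and the clamping to [0, 1] are hypothetical, not the paper's):

```python
from dataclasses import dataclass

@dataclass
class BeaconObservation:
    """Inputs to a hypothetical CAS computation (names invented here)."""
    base_quality: float       # intrinsic attribution signal, in [0, 1]
    ephemeral_penalty: float  # E_p: penalty from infrastructure churn
    iam_coverage: float       # I_c: IAM coverage depth
    multicloud_bonus: float   # M_b: cross-provider correlation bonus

def cloud_attribution_score(obs, w=(0.4, 0.3, 0.2, 0.1)):
    """Illustrative weighted combination of the four CAS components.

    The paper frames E_p as a penalty, so it enters negatively;
    the weights here are placeholders, not the paper's values.
    """
    wq, wp, wc, wb = w
    cas = (wq * obs.base_quality
           - wp * obs.ephemeral_penalty
           + wc * obs.iam_coverage
           + wb * obs.multicloud_bonus)
    return max(0.0, min(1.0, cas))  # clamp to [0, 1]

# Example: a fresh IAM canary role with deep IAM coverage
iam_canary = BeaconObservation(0.8, 0.1, 0.9, 0.3)
print(round(cloud_attribution_score(iam_canary), 3))  # → 0.5
```

Whatever the true weighting, the structure above makes the ledger's point concrete: any such metric carries implicit free parameters in its weights.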

If this is right

  • IAM Canary Roles would be the preferred vector for deployment to maximize attribution success.
  • S3 Presigned URLs would provide the strongest resistance to cloud-native detection tools.
  • Attribution quality declines sharply over time in ephemeral cloud infrastructures, requiring mitigation strategies.
  • Serverless Function Triggers should be deprioritized due to their vulnerability to detection.
  • The framework applies equally across cloud providers without significant variation in results.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Security teams could use the CAS to dynamically select and manage beacons based on environment changes.
  • The decay findings point to the need for automated renewal processes in containerized setups.
  • Future extensions might include covert callback mechanisms to improve serverless vector performance.

Load-bearing premise

The 205 simulated callbacks and three attacker sophistication levels accurately represent real-world attacker behavior and the detection capabilities of commercial cloud scanners.
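How detection resistance falls out of simulated callbacks can be sketched as follows. The per-level detection probabilities and the sampling scheme are invented for illustration; they are not the paper's protocol:

```python
import random

# Sketch of the simulation logic implied by the setup: each callback from an
# attacker at a given sophistication level is flagged by a scanner model with
# some probability, and DR is the fraction of callbacks that go unflagged.
# All probabilities below are illustrative, not the paper's.
DETECT_P = {"opportunistic": 0.05, "targeted": 0.12, "apt": 0.25}

def detection_resistance(n_callbacks, detect_p, rng):
    """DR = 1 - (flagged callbacks / total callbacks)."""
    flagged = sum(rng.random() < detect_p for _ in range(n_callbacks))
    return 1.0 - flagged / n_callbacks

rng = random.Random(0)  # fixed seed for reproducibility
for level, p in DETECT_P.items():
    dr = detection_resistance(205, p, rng)
    print(f"{level:14s} DR = {dr:.3f}")
```

The premise in question is precisely whether the `DETECT_P`-style model, however it is parameterised, tracks what real scanners and attackers actually do.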

What would settle it

A controlled test in a live cloud environment where real attacker interactions with the beacons produce detection rates by scanners that differ markedly from the reported resistance scores.

Figures

Figures reproduced from arXiv: 2605.12976 by Abraham Itzhak Weinberg.

Figure 1. Radar profiles of the six CLOUDBURST beacon vector classes.
Figure 2. Cloud Attribution Score (CAS) by beacon vector and attacker sophistication level.
Figure 3. Detection probability Pd by cloud-native scanner and beacon vector. IAM Canary Roles achieve near-zero detection probability across all three scanners (they appear as legitimate over-provisioned roles). Serverless triggers score highest on S3 (CNAPP scanner) due to their explicit outbound HTTP callback. Boxplot whiskers show 1.5×IQR; outliers are plotted individually.
Figure 4. Mean callbacks required to reach attribution confidence.
Figure 5. CAS degradation under ephemeral infrastructure churn over 48 hours. All vectors start at CAS ≈ 0.79.
Figure 6. Cloud Attribution Score heatmap across beacon vector and cloud provider; warmer colours indicate higher CAS.
Figure 7. CAS distribution by cloud provider. The four distributions overlap substantially and do not differ significantly.
Figure 8. CAS vs final attribution posterior P(H|E) by attacker level. The positive correlation validates CAS as a meaningful proxy for attribution quality. No points reach the ideal zone (shaded), establishing the CAS threshold required for high-confidence attribution as a quantified open challenge. The maximum observed posterior (≈ 0.52, upper right) is achieved by the IAM Canary vector against APT actors.
read the original abstract

Modern cloud-native environments present a fundamentally different exfiltration threat surface than traditional file-based scenarios. Attackers targeting AWS, GCP, Azure, and OCI steal S3 presigned URLs, container images, Kubernetes secrets, Terraform state modules, and IAM role tokens, artefacts that existing honeytoken and beacon frameworks do not address. We present CLOUDBURST, the first formal taxonomy and measurement framework for cloud-native passive beacons, comprising six vector classes across four major cloud providers. We introduce the Cloud Attribution Score (CAS), a four-component metric that explicitly models ephemeral infrastructure penalty (Ep), IAM coverage depth (Ic), and multi-cloud correlation bonus (Mb), dimensions absent from all prior attribution quality metrics. Experiments across 21 deployed beacons, 205 simulated callbacks, and three attacker sophistication levels yield four principal findings. First, IAM Canary Roles achieve the highest CAS (mean 0.450) and Detection Resistance (DR = 0.873), making them the most deployable vector. Second, S3 Presigned URLs achieve the highest detection resistance (DR = 0.890), surviving all three cloud-native scanner models (AWS Macie, Checkov/tfsec, Prisma Cloud/Wiz). Third, ephemeral infrastructure churn degrades CAS from ≈ 0.79 at deployment to ≈ 0.18–0.22 at 48 hours for all vectors (p < 0.001), establishing the first quantitative model of attribution decay in containerised environments. Fourth, Serverless Function Triggers exhibit the worst detection resistance (DR = 0.611) due to their explicit outbound HTTP callback pattern, motivating covert callback channel design as future work. No significant CAS difference is observed across cloud providers (H = 1.99, p = 0.57), confirming that CLOUDBURST is provider-agnostic in its effectiveness.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

0 major / 3 minor

Summary. The manuscript introduces CLOUDBURST as the first formal taxonomy and measurement framework for cloud-native passive beacons across six vector classes and four providers (AWS, GCP, Azure, OCI). It defines the Cloud Attribution Score (CAS) via four components including explicit terms for ephemeral infrastructure penalty (Ep), IAM coverage depth (Ic), and multi-cloud correlation bonus (Mb). Experiments with 21 deployed beacons, 205 simulated callbacks, and three attacker sophistication levels report four main results: IAM Canary Roles achieve the highest CAS (mean 0.450) and detection resistance (DR=0.873); S3 Presigned URLs achieve the highest DR (0.890) against AWS Macie, Checkov/tfsec, and Prisma Cloud/Wiz; CAS decays from ~0.79 to ~0.18-0.22 over 48 hours (p<0.001) for all vectors; and no significant CAS differences exist across providers (H=1.99, p=0.57).

Significance. If the simulation protocol and CAS equations hold, the work supplies the first quantitative, provider-agnostic model of beacon effectiveness and attribution decay in containerized/cloud environments. The explicit decomposition of CAS, the decay curve derived from time-series data, and the vector-specific rankings (IAM Canary Roles and S3 URLs) offer actionable guidance for defensive deployments that prior honeytoken literature lacks.
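The provider-agnosticism finding rests on a Kruskal-Wallis test (H = 1.99, p = 0.57). A minimal pure-Python sketch of the H statistic, applied to toy per-provider CAS samples (the data below are invented, and the implementation assumes no tied values):

```python
from itertools import chain

def kruskal_h(*groups):
    """Kruskal-Wallis H statistic (no tie correction), pure Python.

    H = 12/(N(N+1)) * sum_i n_i * rbar_i^2 - 3(N+1), where rbar_i is the
    mean rank of group i in the pooled sample of size N.
    """
    pooled = sorted(chain.from_iterable(groups))
    rank = {v: i + 1 for i, v in enumerate(pooled)}  # assumes no ties
    n = len(pooled)
    s = sum(len(g) * (sum(rank[v] for v in g) / len(g)) ** 2 for g in groups)
    return 12.0 / (n * (n + 1)) * s - 3 * (n + 1)

# Toy per-provider CAS samples (illustrative, not the paper's data)
aws   = [0.41, 0.47, 0.52]
gcp   = [0.39, 0.44, 0.50]
azure = [0.42, 0.46, 0.49]
oci   = [0.40, 0.45, 0.51]
print(round(kruskal_h(aws, gcp, azure, oci), 3))  # prints 0.641
```

A small H like this (or the paper's 1.99 on real data) is consistent with the four provider distributions sharing a common location, which is what the p = 0.57 conveys.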

minor comments (3)
  1. [§4] §4 (CAS definition): while the full text supplies the Ep, Ic, and Mb formulas, the main text should include a single numbered equation block that collects all four CAS components with their weighting parameters shown explicitly, to eliminate any risk of reader misinterpretation of the metric.
  2. [Table 2] Table 2 (vector comparison): the reported means (0.450, 0.79–0.18) would benefit from accompanying standard deviations or inter-quartile ranges and the exact number of trials per cell, even if the non-parametric tests are already reported.
  3. [§5.3] §5.3 (decay model): the functional form of the decay (exponential or otherwise) is derived from the data, but a short appendix showing the raw time-series points for at least one vector would strengthen reproducibility.
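On comment 3: even without the raw time series, a reader can back out an illustrative decay constant from the two endpoints reported in the abstract, assuming a single-exponential form (the paper's actual fitted form may differ):

```python
import math

# Two-point fit of CAS(t) = c0 * exp(-k * t) from the abstract's summary
# statistics: CAS ~ 0.79 at deployment, ~ 0.20 (midpoint of 0.18-0.22)
# at t = 48 hours. This is a back-of-envelope check, not the paper's model.
c0, c48, t = 0.79, 0.20, 48.0
k = math.log(c0 / c48) / t   # decay rate per hour
half_life = math.log(2) / k  # hours until CAS halves

print(f"k = {k:.4f} per hour, half-life = {half_life:.1f} h")
```

Under this assumption the half-life comes out near one day, which is why the decay comment asks for the raw points: the functional form matters for scheduling beacon renewal.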

Simulated Author's Rebuttal

0 responses · 0 unresolved

We thank the referee for the positive summary of our CLOUDBURST manuscript and the recommendation for minor revision. The assessment that the work supplies the first quantitative, provider-agnostic model of beacon effectiveness and attribution decay is appreciated. No specific major comments were listed in the report.

Circularity Check

0 steps flagged

No significant circularity in derivation chain

full rationale

The full manuscript supplies explicit equations for the CAS metric (including the Ep, Ic, and Mb terms) before applying it to the 21 deployed beacons and 205 simulated callbacks. The reported means, decay model, and statistical tests (H = 1.99, p = 0.57) are computed directly from the time-series data and scanner configurations using the pre-defined metric; no component is fitted to the target outcomes or renamed as a prediction. The taxonomy and four principal findings follow from the experimental protocol without reducing to self-definition or leaning on self-citation as a load-bearing step. The derivation is self-contained and independent of the reported results.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 1 invented entity

The framework rests on the newly defined CAS metric and the assumption that simulated callbacks model real threats; no explicit free parameters are listed in the abstract, but implicit weightings inside the CAS are likely present.

axioms (1)
  • domain assumption: simulated attacker models and commercial scanners represent real detection and exfiltration scenarios.
    Used to compute detection resistance and CAS values across 205 callbacks.
invented entities (1)
  • Cloud Attribution Score (CAS): no independent evidence.
    purpose: quantify beacon effectiveness via ephemeral infrastructure penalty, IAM coverage depth, and multi-cloud correlation bonus.
    A new four-component metric introduced without reference to prior validated formulas.

pith-pipeline@v0.9.0 · 5662 in / 1342 out tokens · 29463 ms · 2026-05-14T18:28:39.833813+00:00 · methodology

discussion (0)


Reference graph

Works this paper leans on

17 extracted references · 17 canonical work pages · 2 internal anchors

  1. Nirmal Kavindu Athukorale, Chua Jing Yi, Loh Zi Xin, Alysha Yasmine, Choo Jia Qi, Dang Zi Yu, Jason Soo Jia Wei, Filbert Hady, Lim Shi Zhe, Chua Chong Eu, et al. Evaluating advanced cybersecurity technologies for cloud environments. 2025.
  2. Pedro Beltrán-López, Manuel Gil Pérez, and Pantaleone Nespoli. Cyber deception: Taxonomy, state of the art, frameworks, trends, and open challenges. IEEE Communications Surveys & Tutorials, 2025.
  3. NC Brintha, Vikrant Vijaybhai Joliya, G Bhuvnesh, and S Malini. Securing your network with honeypot, canerytokens and docker on aws. In 2023 International Conference on Computational Intelligence and Sustainable Engineering Solutions (CISES), pages 683–687. IEEE, 2023.
  4. Loris Degioanni and Leonardo Grasso. Practical Cloud Native Security with Falco. O'Reilly Media, Inc., 2022.
  5. C David Hylender, Philippe Langlois, Alex Pinto, and Suzanne Widup. Verizon 2024 Data Breach Investigations Report. The Verizon DBIR Team, 2024. Available online: https://www.verizon.com/business/resources/Tf18/reports/2024-dbir-data-breach-investigations-report.pdf (accessed 20 November 2024).
  6. Omar Javed and Salman Toor. Understanding the quality of container security vulnerability detection tools. arXiv preprint arXiv:2101.03844, 2021.
  7. Ari Juels and Ronald L Rivest. Honeywords: Making password-cracking detectable. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pages 145–160, 2013.
  8. Jurgen Kutscher. M-Trends 2022: Cyber security metrics, insights and guidance from the frontlines. April 2022.
  9. Threat Intelligence Report.
  10. Veera Laurikainen. Securing container-based environments with anchore. 2022.
  11. Andrew P Moore, Samuel J Perl, Jennifer Cowley, Matthew L Collins, Tracy M Cassidy, Nathan VanHoudnos, Palma Buttles, Daniel Bauer, Allison Parshall, Jeff Savinda, et al. The critical role of positive incentives for reducing insider threats. 2016.
  12. Lance Spitzner. Honeypots: Catching the insider threat. In 19th Annual Computer Security Applications Conference, 2003. Proceedings, pages 170–179. IEEE, 2003.
  13. Himanshu Tiwari. Enhancing container security through automated vulnerability scanning and remediation with trivy. Insights2Techinfo, October 2023.
  14. Abraham Itzhak Weinberg. Passive hack-back strategies for cyber attribution: Covert vectors in denied environment. arXiv preprint arXiv:2508.16637, 2025.
  15. Abraham Itzhak Weinberg. ARCANE: Cross-campaign attacker re-identification via passive beacon telemetry: a Bayesian network framework for longitudinal cyber attribution. arXiv preprint arXiv:2604.24644, 2026.
  16. Abraham Itzhak Weinberg. PHANTOM: Polymorphic honeytoken adaptation with narrative-tailored organisational mimicry. arXiv preprint arXiv:2605.02992, 2026.
  17. Tianxiang Yu, Yang Xin, and Chunyong Zhang. Honeyfactory: Container-based comprehensive cyber deception honeynet architecture. Electronics, 13(2):361, 2024.