
CLOUDBURST: Cloud-Layer Observations Using Beacons for Unified Real-time Surveillance and Threat Attribution

arXiv Security · Archived May 14, 2026



Computer Science > Cryptography and Security
[Submitted on 13 May 2026]

Abraham Itzhak Weinberg

Modern cloud-native environments present a fundamentally different exfiltration threat surface than traditional file-based scenarios. Attackers targeting AWS, GCP, Azure, and OCI steal S3 presigned URLs, container images, Kubernetes secrets, Terraform state modules, and IAM role tokens -- artefacts that existing honeytoken and beacon frameworks do not address. We present CLOUDBURST, the first formal taxonomy and measurement framework for cloud-native passive beacons, comprising six vector classes across four major cloud providers. We introduce the Cloud Attribution Score (CAS), a four-component metric that explicitly models ephemeral infrastructure penalty (E_p), IAM coverage depth (I_c), and multi-cloud correlation bonus (M_b) -- dimensions absent from all prior attribution quality metrics.

Experiments across 21 deployed beacons, 205 simulated callbacks, and three attacker sophistication levels yield four principal findings. First, IAM Canary Roles achieve the highest CAS (mean 0.450) and Detection Resistance (DR = 0.873), making them the most deployable vector. Second, S3 Presigned URLs achieve the highest detection resistance (DR = 0.890), surviving all three cloud-native scanner models (AWS Macie, Checkov/tfsec, Prisma Cloud/Wiz). Third, ephemeral infrastructure churn degrades CAS from ≈ 0.79 at deployment to ≈ 0.18–0.22 at 48 hours for all vectors (p < 0.001), establishing the first quantitative model of attribution decay in containerised environments. Fourth, Serverless Function Triggers exhibit the worst detection resistance (DR = 0.611) due to their explicit outbound HTTP callback pattern, motivating covert callback channel design as future work.

No significant CAS difference is observed across cloud providers (H = 1.99, p = 0.57), confirming that CLOUDBURST is provider-agnostic in its effectiveness.

Subjects: Cryptography and Security (cs.CR)
Cite as: arXiv:2605.12976 [cs.CR] (or arXiv:2605.12976v1 [cs.CR] for this version)
DOI: https://doi.org/10.48550/arXiv.2605.12976

Submission history
From: Abraham Itzhak Weinberg
[v1] Wed, 13 May 2026 04:14:21 UTC (1,072 KB)
Article Info
Source: arXiv Security
Category: AI & Machine Learning
Published: May 14, 2026
Archived: May 14, 2026