MTD CBITS: Moving Target Defense for Cloud-Based IT Systems

The static nature of current IT systems gives attackers the extremely valuable advantage of time, as adversaries can take their time and plan attacks at their leisure. Although cloud infrastructures have increased the automation options for managing IT systems, the introduction of Moving Target Defense (MTD) techniques at the entire IT system level is still very challenging. The core idea of MTD is to make a system change proactively as a means to eliminating the asymmetric advantage the attacker has on time. However, due to the number and complexity of dependencies between IT system components, it is not trivial to introduce proactive changes without breaking the system or severely impacting its performance.

[1]  Thomas C. Eskridge,et al.  VINE: A Cyber Emulation Environment for MTD Experimentation , 2015, MTD@CCS.

[2]  Sushil Jajodia,et al.  A moving target defense mechanism for MANETs based on identity virtualization , 2013, 2013 IEEE Conference on Communications and Network Security (CNS).

[3]  Peng Liu,et al.  A Practical Approach for Adaptive Data Structure Layout Randomization , 2015, ESORICS.

[4]  Somesh Jha,et al.  End-to-End Software Diversification of Internet Services , 2011, Moving Target Defense.

[5]  Arun K. Sood,et al.  Designing SCIT architecture pattern in a Cloud-based environment , 2011, 2011 IEEE/IFIP 41st International Conference on Dependable Systems and Networks Workshops (DSN-W).

[6]  Jeannette M. Wing,et al.  An Attack Surface Metric , 2011, IEEE Transactions on Software Engineering.

[7]  Ehab Al-Shaer,et al.  An Effective Address Mutation Approach for Disrupting Reconnaissance Attacks , 2015, IEEE Transactions on Information Forensics and Security.

[8]  Salvatore J. Stolfo,et al.  The MEERKATS Cloud Security Architecture , 2012, 2012 32nd International Conference on Distributed Computing Systems Workshops.

[9]  Evangelos P. Markatos,et al.  Defending against hitlist worms using network address space randomization , 2007, Comput. Networks.

[10]  Per Larsen,et al.  Large-Scale Automated Software Diversity—Program Evolution Redux , 2017, IEEE Transactions on Dependable and Secure Computing.

[11]  Hamed Okhravi,et al.  Multi-variant execution to protect unpatched software , 2015, 2015 Resilience Week (RWS).

[12]  Chao Yang,et al.  NOMAD: Towards non-intrusive moving-target defense against web bots , 2013, 2013 IEEE Conference on Communications and Network Security (CNS).

[13]  Anh Nguyen-Tuong,et al.  Effectiveness of Moving Target Defenses , 2011, Moving Target Defense.

[14]  Valentina Casola,et al.  A moving target defense approach for protecting resource-constrained distributed devices , 2013, 2013 IEEE 14th International Conference on Information Reuse & Integration (IRI).

[15]  Joseph G. Tront,et al.  MT6D: A Moving Target IPv6 Defense , 2011, 2011 - MILCOM 2011 Military Communications Conference.

[16]  Ehab Al-Shaer,et al.  Towards eliminating configuration errors in cyber infrastructure , 2011, 2011 4th Symposium on Configuration Analytics and Automation (SAFECONFIG).

[17]  Vyas Sekar,et al.  Nomad: Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration , 2015, CCS.

[18]  George Cybenko,et al.  No free lunch in cyber security , 2014, MTD '14.

[19]  Jack W. Davidson,et al.  Security through Diversity: Leveraging Virtual Machine Technology , 2009, IEEE Security & Privacy.

[20]  Angelos D. Keromytis,et al.  On the General Applicability of Instruction-Set Randomization , 2010, IEEE Transactions on Dependable and Secure Computing.

[21]  Angelos D. Keromytis,et al.  Global ISR: Toward a Comprehensive Defense Against Unauthorized Code Execution , 2011, Moving Target Defense.

[22]  Sushil Jajodia,et al.  Efficient integrity checks for join queries in the cloud , 2016, J. Comput. Secur..

[23]  Ehab Al-Shaer,et al.  Toward Network Configuration Randomization for Moving Target Defense , 2011, Moving Target Defense.

[24]  Peng Ning,et al.  Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[25]  George Cybenko,et al.  Quantitative Metrics and Risk Assessment: The Three Tenets Model of Cybersecurity , 2013 .

[26]  Scott A. DeLoach,et al.  Compiling Abstract Specifications into Concrete Systems - Bringing Order to the Cloud , 2014, LISA.

[27]  Kevin M. Carter,et al.  Quantitative Evaluation of Dynamic Platform Techniques as a Defensive Mechanism , 2014, RAID.

[28]  Srdjan Capkun,et al.  Verena: End-to-End Integrity Protection for Web Applications , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[29]  Randy H. Katz,et al.  A view of cloud computing , 2010, CACM.

[30]  Angelos D. Keromytis,et al.  Countering code-injection attacks with instruction-set randomization , 2003, CCS '03.

[31]  Arun K. Sood,et al.  Closing cluster attack windows through server redundancy and rotations , 2006 .

[32]  William W. Streilein,et al.  On the Challenges of Effective Movement , 2014, MTD '14.