Nemesis : Automated Architecture for Threat Modeling and Risk Assessment for Cloud Computing

Whether you are a cloud computing architect who has designed and deployed a public, private or hybrid cloud, or a user who benefits from the available cloud services, it is critical to ask and address questions of the following kind: What types of threats face the cloud's assets? Is there a scale that indicates the threat level of the cloud's assets? Is there a metric that characterizes the critical vulnerabilities facing the cloud's assets? In this paper, we present Nemesis, a novel automated architecture for threat modeling and risk assessment of cloud systems, which addresses all of the above and other related questions. With Nemesis, we use ontology knowledge bases to model the threats and assess the risks of a given cloud system. To realize this, we built ontologies for vulnerabilities, defenses and attacks and automatically instantiate them to generate Ontology Knowledge Bases (OKBs). These OKBs capture the relationships between vulnerabilities, defense mechanisms and attacks. We use the generated OKBs together with the Microsoft STRIDE model [1] to classify the threats and map them to the relevant vulnerabilities. This is combined with the cloud's configuration and a Bayesian threat probability model to assess the risk. Beyond classifying the given cloud system's threats and assessing its risk, we deliver two useful metrics: one ranks the severity of the classified threat types, the other evaluates exploitable vulnerabilities. In addition, we recommend an alternative cloud system configuration with a lower perceived risk, and mitigation techniques to counter the classified threat types. As a proof of concept of the proposed architecture, we designed an OpenStack [2] based cloud and deployed various services on it. We then evaluated Nemesis on this deployment and present our findings. The proposed architecture can help evaluate the security threat level of any cloud computing configuration, and of any configuration of shared technologies found in computing systems.

[1] Stefan Fenz et al. An ontology-based approach for constructing Bayesian networks. Data Knowl. Eng., 2012.

[3] Sasko Ristov et al. Security assessment of virtual machines in open source clouds. 2013 36th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), 2013.

[4] Sanjay Kumar Madria et al. Off-Line Risk Assessment of Cloud Service Provider. 2014 IEEE World Congress on Services, 2014.

[5] Stefan Fenz et al. An ontology- and Bayesian-based approach for determining threat probabilities. ASIACCS '11, 2011.

[6] Jack Jones et al. Information Security Metrics. 2015.

[7] Sasko Ristov et al. OpenStack Cloud Security Vulnerabilities from Inside and Outside. CLOUD 2013, 2013.

[8] Krishna Kavi et al. A methodology for ranking cloud system vulnerabilities. 2013 Fourth International Conference on Computing, Communications and Networking Technologies (ICCCNT), 2013.

[9] Stefan Fenz et al. Ontology-based generation of IT-security metrics. SAC '10, 2010.

[10] Anoop Singhal et al. VULCAN: Vulnerability Assessment Framework for Cloud Computing. 2013 IEEE 7th International Conference on Software Security and Reliability, 2013.

[11] Felicia Nicastro. Zero-Day Attack. 2005.

[12] Antonio Cerone et al. Enhancing ontology-based antipattern detection using Bayesian networks. Expert Syst. Appl., 2012.

[13] Edgar R. Weippl et al. Security Ontology: Simulating Threats to Corporate Assets. ICISS, 2006.