About being the Tortoise or the Hare? - A Position Paper on Making Cloud Applications too Fast and Furious for Attackers

Cloud applications expose - besides service endpoints - potential or actual vulnerabilities, and attackers have several advantages on their side: they can select the weapons, the point in time and the point of attack. Cloud application security engineering efforts very often focus on hardening the fortress walls but seldom assume that attacks may be successful. So cloud applications rely on their defensive walls but seldom attack intruders actively. Biological systems are different. They accept that defensive "walls" can be breached at several layers and therefore use an active and adaptive defense system to attack potential intruders - an immune system. This position paper proposes such an immune-system-inspired approach to ensure that even undetected intruders can be purged from cloud applications. This makes it much harder for intruders to maintain a presence on victim systems. Evaluation experiments with popular cloud service infrastructures (Amazon Web Services, Google Compute Engine, Azure and OpenStack) showed that this could reduce the period in which intruders act undetected to minutes.
