An Automated Security Analysis Framework and Implementation for Cloud

Cloud service providers offer their customers on-demand, cost-effective services and scalable computing and network infrastructures. Enterprises migrate their services to the cloud to gain benefits such as eliminating the capital expense of meeting their computing needs. The cloud, however, has its own security vulnerabilities and threats. Many studies have analyzed cloud security using Graphical Security Models (GSMs) and security metrics, and much research has addressed finding appropriate defensive strategies for the cloud. Moving Target Defense (MTD) techniques can use the cloud's elasticity to change the attack surface and confuse attackers. Most previous work incorporating MTDs into GSMs is theoretical, with performance evaluated only by simulation. In this paper, we realize the previous framework and design, implement and test a cloud security assessment tool on a real cloud platform named UniteCloud. Our security solution can (1) monitor cloud computing in real time, (2) automate security modeling and analysis and visualize the GSMs through a Graphical User Interface in a web application, and (3) deploy three MTD techniques, Diversity, Redundancy, and Shuffle, on the real cloud infrastructure. We analyzed the automation process using the APIs and showed the practicality and feasibility of automatically deploying all three MTD techniques on UniteCloud.
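To make the GSM-plus-metrics evaluation and the three MTD operations concrete, here is an added worked example; it is not code from the paper or from the UniteCloud tool. It builds a toy two-layer attack graph (reachability between VMs in the upper layer, one abstracted vulnerability per VM in the lower layer), computes two common GSM metrics (number of attack paths and attack success probability), and then applies Shuffle, Diversity and Redundancy to the model to show how each one changes those metrics. All host names, reachability edges and exploit probabilities are constructed for illustration, and the attack success probability treats paths as independent, which is a simplification.

```python
"""
Toy graphical security model (two-layer attack graph) with two security
metrics, plus the three MTD operations Shuffle, Diversity and Redundancy.
Added example, not code from the paper or UniteCloud; every host, edge and
exploit probability below is constructed.
"""
from copy import deepcopy
from math import prod

# Lower layer: each host carries one vulnerability, abstracted to a constructed
# probability that an attacker who reaches the host exploits it successfully.
HOSTS = {
    "web1": {"os": "ubuntu", "p_exploit": 0.8},
    "web2": {"os": "ubuntu", "p_exploit": 0.8},
    "app1": {"os": "ubuntu", "p_exploit": 0.6},
    "db1":  {"os": "centos", "p_exploit": 0.4},
}
# Upper layer: reachability between hosts. "attacker" is the external entry point.
EDGES = {
    "attacker": {"web1", "web2"},
    "web1": {"app1"},
    "web2": {"app1"},
    "app1": {"db1"},
    "db1": set(),
}
TARGETS = {"db1"}


def attack_paths(edges, targets, src="attacker"):
    """Enumerate simple paths from src to any target host by depth-first search."""
    paths = []

    def walk(node, path):
        if node in targets:
            paths.append(path)
            return
        for nxt in sorted(edges.get(node, ())):
            if nxt not in path:          # simple paths only, no revisits
                walk(nxt, path + [nxt])

    walk(src, [src])
    return paths


def path_success(hosts, path):
    """Probability that every host on the path (after the entry point) is exploited."""
    return prod(hosts[h]["p_exploit"] for h in path[1:])


def metrics(hosts, edges, targets):
    """Number of attack paths and attack success probability. The latter treats
    paths as independent (an approximation used here for illustration)."""
    paths = attack_paths(edges, targets)
    per_path = [path_success(hosts, p) for p in paths]
    asp = 1 - prod(1 - p for p in per_path) if per_path else 0.0
    return {"num_paths": len(paths), "attack_success_prob": round(asp, 6)}


# --- MTD operations: each returns a new model rather than mutating the input ---

def shuffle(edges, host, new_upstream):
    """Shuffle: re-place a VM so that only new_upstream hosts can reach it.
    Changes reachability, leaves the vulnerabilities untouched."""
    new_edges = deepcopy(edges)
    for src in new_edges:
        new_edges[src].discard(host)
    for src in new_upstream:
        new_edges[src].add(host)
    return new_edges


def diversify(hosts, host, new_os, new_p_exploit):
    """Diversity: swap a VM's OS/software stack, which changes its vulnerability
    set and therefore its exploit probability (constructed value)."""
    new_hosts = deepcopy(hosts)
    new_hosts[host] = {"os": new_os, "p_exploit": new_p_exploit}
    return new_hosts


def add_redundancy(hosts, edges, targets, host, replica):
    """Redundancy: add a replica with the same stack and the same reachability.
    Availability improves, but the replica is one more target, so paths grow."""
    new_hosts = deepcopy(hosts)
    new_hosts[replica] = dict(hosts[host])
    new_edges = deepcopy(edges)
    new_edges[replica] = set(edges[host])
    for src in edges:
        if host in edges[src]:
            new_edges[src].add(replica)
    return new_hosts, new_edges, set(targets) | {replica}


if __name__ == "__main__":
    print("baseline  ", metrics(HOSTS, EDGES, TARGETS))
    print("shuffle   ", metrics(HOSTS, shuffle(EDGES, "app1", {"web2"}), TARGETS))
    print("diversity ", metrics(diversify(HOSTS, "app1", "freebsd", 0.3), EDGES, TARGETS))
    h, e, t = add_redundancy(HOSTS, EDGES, TARGETS, "db1", "db2")
    print("redundancy", metrics(h, e, t))
```

Running the block shows the trade-offs the paper's assessment tool is meant to surface: Shuffle halves the path count without touching any vulnerability, Diversity keeps the paths but lowers the success probability along each, and Redundancy raises availability while doubling the number of attack paths, which is why the three techniques are evaluated together against metrics rather than assumed to be uniformly beneficial.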
