Analysis of VM migration scheduling as moving target defense against insider attacks

As cybersecurity threats evolve, cloud computing defenses must adapt to face new challenges. Unfortunately, because resources are shared, cloud computing platforms open the door to insider attacks: malicious actions by authorized cloud users (e.g., clients of an Infrastructure-as-a-Service (IaaS) cloud) against co-hosted users or the provider's underlying environment. Virtual machine (VM) migration is a Moving Target Defense (MTD) technique that mitigates the effects of insider attacks, since it gives the provider control over where VMs are placed. However, there is a clear demand for studies that quantify the security benefits of VM migration-based MTD under different system architecture configurations. This paper addresses that gap by presenting a Stochastic Reward Net model for the security evaluation of a VM migration-based MTD. The security metric of interest is the probability of attack success. We consider multiple architectures, ranging from one physical machine pool (without MTD) up to four physical machine pools. The evaluation also accounts for the unavailability caused by VM migration. The key contributions are i) a set of results showing the probability of insider attack success over time for different architectures and VM migration schedules, and ii) guidance for selecting VMs as candidates for MTD deployment based on the tolerated level of attack success probability. The results are validated against simulation results to confirm the accuracy of the model.
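To make the metric concrete, the following is an added Monte Carlo estimator of the attack success probability under a periodic VM migration schedule across one to four physical machine pools; it is example code written for this page, not the paper's Stochastic Reward Net model or its authors' code. The placement rule (attacker fixed in pool 0, target migrated to a random other pool), the three-stage attack with exponential stage times, the migration period, downtime and rates are all constructed assumptions; with a single pool the estimate reduces to the closed-form Erlang distribution, which the block also computes as a sanity check.

```python
"""Monte Carlo estimate of P(insider attack succeeds by a deadline) under VM-migration MTD.
Assumed model (constructed here, not the paper's SRN): the attacker's VM stays in pool 0; every
`interval` time units the target VM migrates to a uniformly chosen other pool and is down for
`downtime` afterwards. The attack needs `stages` sequential Exp(stage_rate) steps that advance only
while the two VMs share a pool; a migration always ends co-residency, so progress is lost."""
import math
import random

def run_once(pools, interval, downtime, stage_rate, stages, horizon, rng):
    """One trajectory; True if all attack stages complete before `horizon`."""
    attacker_pool, target_pool = 0, rng.randrange(pools)
    progress, t, migrated = 0, 0.0, False
    while t < horizon:
        start = t + downtime if migrated else t      # target VM is down right after a move
        end = min(t + interval, horizon)
        if target_pool == attacker_pool:
            clock = start
            while progress < stages:
                clock += rng.expovariate(stage_rate)  # memoryless, so redrawing next window is exact
                if clock > end:
                    break
                progress += 1
            if progress == stages:
                return True
        t += interval
        if pools > 1:                                 # scheduled migration to a different pool
            target_pool = (target_pool + rng.randrange(1, pools)) % pools
            progress, migrated = 0, True              # co-residency broken: attacker starts over
    return False

def attack_success_prob(pools, interval, downtime, stage_rate, stages, horizon,
                        samples=20000, seed=1):
    """Estimated probability that the insider attack succeeds before `horizon`."""
    rng = random.Random(seed)
    hits = sum(run_once(pools, interval, downtime, stage_rate, stages, horizon, rng)
               for _ in range(samples))
    return hits / samples

def erlang_cdf(stages, rate, t):
    """Closed form for the single-pool (no-MTD) case: P(Erlang(stages, rate) <= t)."""
    return 1 - sum(math.exp(-rate * t) * (rate * t) ** i / math.factorial(i)
                   for i in range(stages))

def migration_unavailability(pools, interval, downtime):
    """Fraction of time the target VM is down because of the migration schedule."""
    return 0.0 if pools == 1 else downtime / interval

if __name__ == "__main__":   # the paper's one- to four-pool architectures, constructed rates
    for pools in (1, 2, 3, 4):
        print(pools, attack_success_prob(pools, 1.0, 0.1, 1.0, 3, 4.0), migration_unavailability(pools, 1.0, 0.1))
```

Lengthening the interval trades a higher attack success probability for lower migration unavailability, which is the schedule trade-off the abstract refers to.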
