Model-based evaluation of combinations of Shuffle and Diversity MTD techniques on the cloud

Abstract Regardless of cloud computing's capabilities, security remains one of the biggest concerns in the cloud. Moving Target Defense (MTD) has been shown to be an effective security mechanism for securing the cloud by changing the attack surface to create uncertainty for attackers. In this paper, we propose a combination of two MTD techniques, Shuffle and Diversity, which we believe further contributes to reducing the cyber attack surface. We first provide formal definitions of the combination in order to design and implement our proposal. Then, we investigate a number of approaches in which Shuffle and Diversity can be combined in order to provide the most effective defense. To this end, we utilize Network Centrality Measures (NCMs) to find the most critical component in the cloud. We then evaluate the proposed MTD techniques through formal Graphical Security Models (GSMs) and quantify the security level of the cloud through security metrics before and after deploying the MTD techniques. Our experimental evaluation shows that the combination of Shuffle and Diversity techniques can increase the security posture of the cloud.
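The workflow the abstract describes (rank components with an NCM, apply Shuffle and Diversity to the critical one, then re-score a graphical security model with security metrics) can be walked through on a toy cloud. The following is an added example written for this page, not the paper's own tool, model or data: the four-VM topology, the OS variants and the per-variant exploit probabilities are constructed, betweenness centrality is assumed as the NCM, and the two metrics (number of attack paths, success probability of the most likely path) are assumed stand-ins for the paper's security metrics. Shuffle is modelled as migrating the critical VM to a segment with different downstream reachability, Diversity as redeploying it on the least exploitable different variant.

```python
"""Toy model-based evaluation of Shuffle + Diversity MTD on a small cloud
attack graph (constructed example, not the paper's tool or data)."""
from collections import deque
from math import prod

# --- constructed cloud model -------------------------------------------------
# Directed reachability: which node can open a connection to which VM.
# "attacker" sits outside the cloud and can only reach the web tier.
EDGES = {
    "attacker": ["web"],
    "web": ["app1", "app2"],
    "app1": ["db"],
    "app2": ["db"],
    "db": [],
}
# OS variant currently deployed on each VM (constructed).
VARIANTS = {"web": "ubuntu", "app1": "ubuntu", "app2": "centos", "db": "ubuntu"}
# Assumed probability that the modelled attacker compromises a VM running a
# given variant; this stands in for the vulnerability data a GSM is built from.
EXPLOIT_PROB = {"ubuntu": 0.6, "centos": 0.5, "freebsd": 0.2}
TARGET = "db"


def betweenness(edges):
    """Brandes betweenness centrality on a directed graph: the NCM used here to
    rank VMs by how many shortest attack routes pass through them."""
    score = {v: 0.0 for v in edges}
    for s in edges:
        stack, preds = [], {v: [] for v in edges}
        sigma, dist = {v: 0 for v in edges}, {v: -1 for v in edges}
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:  # BFS counting shortest paths from s
            v = queue.popleft()
            stack.append(v)
            for w in edges[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = {v: 0.0 for v in edges}
        while stack:  # accumulate dependencies in reverse BFS order
            w = stack.pop()
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                score[w] += delta[w]
    return score


def attack_paths(edges, start="attacker", target=TARGET):
    """All simple paths from the attacker to the target (the attack-path layer
    of a graphical security model)."""
    paths, stack = [], [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for nxt in edges[node]:
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return paths


def evaluate(edges, variants):
    """Security metrics: number of attack paths and success probability of the
    most likely path (product of per-hop exploit probabilities)."""
    paths = attack_paths(edges)
    probs = [prod(EXPLOIT_PROB[variants[v]] for v in p[1:]) for p in paths]
    return len(paths), round(max(probs, default=0.0), 4)


def most_critical_vm(edges):
    """NCM step: the VM with the highest betweenness (attacker node excluded)."""
    scores = betweenness(edges)
    return max((v for v in edges if v != "attacker"), key=lambda v: scores[v])


def diversity(variants, vm):
    """Diversity: redeploy `vm` on the least exploitable *different* variant."""
    choices = [o for o in EXPLOIT_PROB if o != variants[vm]]
    return {**variants, vm: min(choices, key=EXPLOIT_PROB.get)}


def shuffle(edges, vm, new_downstream):
    """Shuffle: migrate `vm` to a host segment from which only `new_downstream`
    is reachable; every other VM keeps its links."""
    return {**edges, vm: list(new_downstream)}


def run_scenarios():
    """Score the baseline, each technique alone, and the combination."""
    vm = most_critical_vm(EDGES)  # "web" for the constructed topology
    results = {"baseline": evaluate(EDGES, VARIANTS)}
    results["diversity"] = evaluate(EDGES, diversity(VARIANTS, vm))
    results["shuffle"] = evaluate(shuffle(EDGES, vm, ["app2"]), VARIANTS)
    results["combined"] = evaluate(shuffle(EDGES, vm, ["app2"]), diversity(VARIANTS, vm))
    return vm, results


if __name__ == "__main__":
    critical, table = run_scenarios()
    print(f"most critical VM by betweenness: {critical}")
    for name, (n_paths, p_max) in table.items():
        print(f"{name:10s} attack paths={n_paths} max path success prob={p_max}")
```

On this topology every attack route passes through the web tier, so betweenness ranks it first. Diversity alone leaves both attack paths in place but lowers the most likely path's success probability (0.216 to 0.072 with the assumed numbers), Shuffle alone removes one path but leaves the remaining one's probability at 0.18, and the combination does both (one path at 0.06). That is the kind of before/after comparison the abstract describes, with the caveat that the outcome depends entirely on the assumed exploit probabilities and on which migrations the deployment can actually tolerate.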
