Towards Models for Availability and Security Evaluation of Cloud Computing with Moving Target Defense
Matheus Torquato
Student
CISUC, Department of Informatics Engineering, University of Coimbra
Coimbra, [email protected]
Marco Vieira
Advisor
CISUC, Department of Informatics Engineering, University of Coimbra
Coimbra, [email protected]
Abstract—Security is one of the most relevant concerns in cloud computing. With the evolution of cyber-security threats, developing innovative techniques to thwart attacks is of utmost importance. One recent method to improve cloud computing security is Moving Target Defense (MTD). MTD makes use of dynamic reconfiguration in virtualized environments to "confuse" attackers or to nullify their knowledge about the system state. However, there is still no consolidated mechanism to evaluate the trade-offs between availability and security when using MTD on cloud computing. The evaluation through measurements is complex as one needs to deal with unexpected events such as failures and attacks. To overcome this challenge, we intend to propose a set of models to evaluate the availability and security of MTD in cloud computing environments. The expected results include the quantification of availability and security levels under different conditions (e.g., different software aging rates, varying workloads, different attack intensities).
Index Terms—Moving Target Defense, Security, Availability, cloud computing
I. INTRODUCTION
Previous works show cloud computing security as a significant research challenge [1] [2]. One of the root problems for cloud security is the intrinsic advantage of attackers over defenders. Attackers can perform a series of actions (e.g., repeated attacks, vulnerability analysis) until they achieve their goal. So, the attackers can try to exploit a specific system vulnerability while the defenders have to protect all the possible attack avenues [3]. Besides that, the generally static nature of data centers makes it easier for the attacker to obtain enough information to improve the chance of attack success.
MTD is a flexible technique for system security improvement. Previous papers showed the effectiveness of MTD deployment in environments like the Internet of Things (IoT) [4], Virtualized Containers [5], Software Defined Networks (SDN) [6], and cloud computing [7]. In the cloud computing context, MTD techniques can be used to thwart or reduce the impact of security attacks such as co-residency attacks [8] and Distributed Denial of Service attacks [9].
Matheus Torquato is also with Federal Institute of Alagoas (IFAL), Arapiraca, Brazil.
The United States Department of Homeland Security defines MTD as "the concept of controlling change across multiple system dimensions to increase uncertainty and apparent complexity for attackers, reduce their window of opportunity and increase the costs of their probing and attack efforts." [10].
Besides the security concern, cloud-hosted applications also need high availability levels. There are several strategies to achieve this goal, such as failover techniques, redundancy, and software rejuvenation. But the problem is to evaluate the possible availability and security impacts of applying Moving Target Defense along with availability improvement techniques.
Usually, there is a trade-off between security and availability in cloud computing systems when applying Moving Target Defense. For example, a common technique of MTD on cloud computing is Virtual Machine Migration. VM migration moves a VM from one physical machine to another. This remapping can, for example, avoid co-residency attacks. However, each VM migration (even in Live Migration mode) has an associated downtime [11]. So, if we decide to perform too frequent VM migrations, we may achieve higher levels of system security, but lower availability levels. Otherwise, if the system manager decides to deploy less frequent migrations, the system may reach higher availability levels but jeopardize system security.
Our research aims to propose a set of models to evaluate the trade-offs between security and availability of cloud computing MTD based on different policies of VM placement. From the models' results, we will select specific policies to reach the desired levels of security and availability.
Our models will be mainly based on Stochastic Reward Nets (SRN) that are extensively used for cloud computing availability evaluation [12]. SRNs are also suitable for security evaluation [13].
The remainder of this paper is as follows. Section II presents the details of our research goals. Section III contains our research methodology. Section IV presents the related works. Section V highlights our current work. Finally, Section VI contains final remarks.
II. GOALS
The main research question (RQ) of this work is: What are the trade-offs between cloud computing availability and security when applying specific policies of MTD based on VM placement techniques? This work aims to propose a set of models for availability and security evaluation of Moving Target Defense on cloud computing, aiming to answer this question.
The following RQs will drive the design of the models to be proposed:
1) What is the availability level of cloud computing architectures? The first step is to design a scalable model for availability evaluation of different cloud architectures.
2) What is the security level of a given cloud deployment architecture? The second step is to propose a model for cloud security evaluation. In this step, we will also select the considered threat models (i.e., security threats as Denial of Service, Man-in-the-middle, and Side-channel attacks). Our goal is to cover the Denial of Service (DoS) and Man-in-the-Middle attacks.
3) What are the side-effects of MTD based on Virtual Machine (VM) placement on the system availability? Using the model from the first step, our goal is to expand the model including MTD based on VM placement.
4) What are the cloud computing security levels achieved by MTD techniques? Using the model from previous steps, we aim to add the behavior related to MTD based on VM placement techniques.
Finally, we aim to merge the models obtained from the research questions mentioned above. The final model will allow evaluating the trade-offs between cloud availability and security, considering MTD based on VM placement techniques. In the future, we also intend to answer the following research questions:
1) What are the actual levels of availability and security of MTD based on VM placement when considering aspects of software aging and rejuvenation?
2) What is the cloud computing performance overhead caused by MTD based on VM placement?
3) Is there any cloud computing reliability improvement due to MTD based on VM placement?
III. RESEARCH METHODOLOGY
Figure 1 presents the intended workflow and expected contributions from our research work. In the following text, we present our planned step-by-step for conducting the proposed research.
Step Design a baseline availability model for cloud computing. Firstly, we aim to design an availability model for general cloud computing architectures. Our previous papers [12] and [14] have the obtained results from this first step. We are now working on expanding their contribution to more complex cloud computing architectures.
Fig. 1. Research workflow and expected contributions. (Workflow, from start to end: design a baseline availability model for Cloud Computing; design a baseline security model for Cloud Computing; inclusion of the Moving Target Defense behavior in the models; inclusion of other relevant aspects as software aging and performance. Expected contributions: availability model for Cloud; security models or an approach for security evaluation using dependability models; model for dependability and security evaluation of MTD on Cloud; a holistic model for Cloud Computing performability and security evaluation when using MTD.)
Step framework. Our main focus in the security aspect is the security risk focusing on the probability of attack success. We consider adding realistic scenarios in the modeling process. One interesting example is proposed by the TPCx-V benchmark, which is based on the architecture of a brokerage firm.
Step MTD based on VM migration scheduling and 2) MTD based on creation and deletion of VMs. Those behaviors will be incorporated into the models obtained from the previous steps. From these models, we will be able to conduct a trade-off analysis between cloud computing security and availability while using MTD based on VM placement policies.
Step software aging and rejuvenation and performance impacts caused by applying MTD techniques.
IV. RELATED WORKS
Alavizadeh et al. [15] provide a comprehensive security assessment of MTD on cloud computing. The evaluation is based on modeling and analysis of MTD techniques. The authors evaluate four security metrics: system risk, attack cost, return on attack, and availability. The assessment uses Hierarchical Attack Representation Model (HARM) models for combined MTD techniques. The main contribution of the paper is an approach to evaluate the effectiveness of combined MTD. This paper provides relevant insights for our idea of availability and security modeling of MTD deployment on cloud computing. We aim to tackle the limitations observed in the paper, such as: modeling the co-residency attacks, taking account of the cost of MTD on cloud computing availability and security, and including other relevant aspects on the analysis (e.g., software aging and rejuvenation, and hardware and software failure and repair).
Thebeau et al. [16] provide a theoretical point of view of how to measure the resiliency of a cloud which applies Software Based Encryption (SBE) MTD. SBE uses software diversity to improve system security, survivability, and resilience. The paper describes some of the essential concepts of security evaluation such as integrity, availability, survivability, and confidentiality. Finally, the paper proposes a model for resiliency quantification in scenarios with SBE-based MTD. We also aim to deliver models covering different MTD deployments on Cloud Computing. Such deployments are based on shuffle techniques such as VM Migration and remap of the VM placement.
Ahmed and Bhargava [17] propose the Mayflies MTD framework for distributed systems. Mayflies uses a specific policy of VM placement as MTD. The idea is to perform VM substitution through creation and deletion cycles, obeying certain time intervals. Every cycle of substitution changes a VM characteristic. In Mayflies, VMs are created to use a different operating system from the previous deleted VM. The strategy avoids attack progress or the spread of an undetected attack. The authors evaluate their proposed framework through experiments in a real testbed. However, different from our intended approach, the paper does not present a security analysis of the proposed technique.
Chung et al. [18] propose SeReNe, a platform to deliver Network-Security-as-a-Service (NSaaS) for multi-tenant data center environments. SeReNe plans to apply MTD using diversity techniques to mitigate software vulnerabilities such as Bohrbugs, Mandelbugs, and aging-related bugs. However, SeReNe is still in a conceptual phase, and the paper lacks its practical implementation and evaluation. We also intend to include the effects of MTD deployments on software aging and rejuvenation. But, different from SeReNe, our approach is focused on shuffling VM placement techniques.
The majority of the papers in the area neglect the evaluation of trade-offs between availability and security of MTD deployments on cloud computing. Different from the papers mentioned earlier, we aim to design an evaluation approach able to provide security and availability results to support the decision-making process.
Fig. 2. Availability and Security Model
V. CURRENT WORK
We are now working on the second step of our workflow. The papers [12] and [14] present the obtained results from the first step of our research.
Figure 2 presents the current version of our model. This model covers a simple virtualized environment with one Main Node, one Standby Node, and one Virtual Machine. This model also covers software aging and rejuvenation aspects. In this model, we consider software aging effects in the Virtual Machine Monitor (VMM) software component [19]. VMM software rejuvenation is supported by VM migration scheduling.
Specifically in the model, the places Clock and Schedule in conjunction with the transitions Trigger and ResetClock represent the behavior of a system clock for VM migration submission in the environment. The places LM, DW_Mig and SN_W with the transitions StartLM, PC, LM_dwt and Rej represent the behavior of the VM migration. The Erlang sub-net represents the software aging accumulation process. The remaining places and transitions are related to the failure and repair behavior of the architectural components.
The model consists of an SRN model. In the SRN models, we can represent the failure and repair behavior for each component of the virtualized environment. As the SRN models are already extensively used for availability evaluation, one of the major challenges is to extract security measures from the availability model.
So, besides extracting availability measures, we also compute a security measure named RiskScore from the proposed availability model. Figure 3 presents the obtained results. Our obtained results include system unavailability and the RiskScore related to Man-in-the-Middle (MITM) and Denial of Service (DoS) threats. MITM attacks have high severity and can harm system confidentiality. DoS attacks are among the most relevant threats for cloud computing high availability. The X-Axis represents the considered software rejuvenation policies. Rej. Trigger means the adopted time interval between VM migrations.
(1) Places AgingHigh, Accumulation and DW2 with the transitions Aging, AgingPhase, AgingFailure and ClearAging.
(2) RiskScore is obtained through the steady-state probability of the system being in a risky state (from a security perspective).
Fig. 3. Obtained results. (Y-axes: Unavailability, Risk Score; X-axis: Rej. Trigger (h); series: Unavailability, MITM, DoS.)
From the obtained results it is possible to notice that there is a specific VM migration policy which minimizes system unavailability. Besides that, there are other VM migration policies which minimize the RiskScore related to Denial of Service or Man-In-The-Middle attacks. Therefore, the VM migration policy selection will depend on the assigned weight for the considered metrics.
We aim to expand the model in two ways: i) adopting larger architectures with more nodes and VMs; ii) to cover more realistic scenarios like what is presented in the TPCx-V architecture and iii) to consider other security threats.
VI. FINAL REMARKS
This paper presented the work-in-progress of our research. This research tackles the cloud security problem from a different perspective, aiming not only at security improvement but also at the possible availability impact due to security mechanisms adoption. In the context of this research, we focus only on the Moving Target Defense technique.
Our research is in the initial stage, and we are working to improve our proposed model to more realistic scenarios. However, our research effort so far produced results published in two research papers [12] and [14].
Our next step is to proceed with the submission of the model's current version and results to validate our security evaluation approach. We aim to deal with the state-explosion problem using an interacting models approach.
The expected contributions of our research will advance the state of the art, providing a holistic model for performability and security evaluation of a cloud computing environment with Moving Target Defense.
REFERENCES
[1] K. Ren, C. Wang, and Q. Wang, “Security challenges for the public cloud,” IEEE Internet Computing, vol. 16, no. 1, pp. 69–73, 2012.
[2] R. Buyya, S. N. Srirama, G. Casale, R. Calheiros, Y. Simmhan, B. Varghese, E. Gelenbe, B. Javadi, L. M. Vaquero, M. A. Netto et al., “A manifesto for future generation cloud computing: Research directions for the next decade,” ACM Computing Surveys (CSUR), vol. 51, no. 5, p. 105, 2018.
[3] G.-l. Cai, B.-s. Wang, W. Hu, and T.-z. Wang, “Moving target defense: state of the art and characteristics,” Frontiers of Information Technology & Electronic Engineering, vol. 17, no. 11, pp. 1122–1153, 2016.
[4] M. Kahla, M. Azab, and A. Mansour, “Secure, resilient, and self-configuring fog architecture for untrustworthy iot environments,” in . IEEE, 2018, pp. 49–54.
[5] M. Azab, B. M. Mokhtar, A. S. Abed, and M. Eltoweissy, “Smart moving target defense for linux container resiliency,” in Collaboration and Internet Computing (CIC), 2016 IEEE 2nd International Conference on. IEEE, 2016, pp. 122–130.
[6] A. Chowdhary, A. Alshamrani, D. Huang, and H. Liang, “Mtd analysis and evaluation framework in software defined network (mason),” in Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization. ACM, 2018, pp. 43–48.
[7] M. Villarreal-Vasquez, B. Bhargava, P. Angin, N. Ahmed, D. Goodwin, K. Brin, and J. Kobes, “An mtd-based self-adaptive resilience approach for cloud systems,” in Cloud Computing (CLOUD), 2017 IEEE 10th International Conference on. IEEE, 2017, pp. 723–726.
[8] M. S. Kashkoush, M. Azab, G. Attiya, and A. S. Abed, “Online smart disguise: real-time diversification evading coresidency-based cloud attacks,” Cluster Computing, pp. 1–16, 2018.
[9] Q. Jia, H. Wang, D. Fleck, F. Li, A. Stavrou, and W. Powell, “Catch me if you can: A cloud-enabled ddos defense,” in Proceedings of the 2nd conference on Symposium on Networked Systems Design & Implementation-Volume 2. USENIX Association, 2005, pp. 273–286.
[12] M. Torquato and M. Vieira, “Interacting srn models for availability evaluation of vm migration as rejuvenation on a system under varying workload,” in . IEEE, 2018, pp. 300–307.
[13] Y. Wang, J. Li, K. Meng, C. Lin, and X. Cheng, “Modeling and security analysis of enterprise network using attack–defense stochastic game petri nets,” Security and Communication Networks, vol. 6, no. 1, pp. 89–99, 2013.
[14] M. Torquato, E. Guedes, P. Maciel, and M. Vieira, “A hierarchical model for virtualized data center availability evaluation,” in , 2019.
[15] H. Alavizadeh, J. B. Hong, J. Jang-Jaccard, and D. S. Kim, “Comprehensive security assessment of combined mtd techniques for the cloud,” in Proceedings of the 5th ACM Workshop on Moving Target Defense. ACM, 2018, pp. 11–20.
[16] D. Thebeau II, B. Reidy, R. Valerdi, A. Gudagi, H. Kurra, Y. Al-Nashif, S. Hariri, and F. Sheldon, “Improving cyber resiliency of cloud application services by applying software behavior encryption (sbe),” Procedia Computer Science, vol. 28, pp. 62–70, 2014.
[17] N. O. Ahmed and B. Bhargava, “Mayflies: A moving target defense framework for distributed systems,” in Proceedings of the 2016 ACM Workshop on Moving Target Defense. ACM, 2016, pp. 59–64.
[18] C.-J. Chung, T. Xing, D. Huang, D. Medhi, and K. Trivedi, “Serene: on establishing secure and resilient networking services for an sdn-based multi-tenant datacenter environment,” in Dependable Systems and Networks Workshops (DSN-W), 2015 IEEE International Conference on. IEEE, 2015, pp. 4–11.
[19] M. Torquato, P. Maciel, J. Araujo, and I. Umesh, “An approach to investigate aging symptoms and rejuvenation effectiveness on software systems,” in 2017 12th Iberian Conference on Information Systems and Technologies (CISTI)
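
Added example, not part of the paper and not the authors' SRN model: Section V obtains the RiskScore as the steady-state probability of a risky state and lets the migration policy depend on the weight given to each metric, which is the migration-frequency trade-off Section I describes. The Python code below works that reasoning through on a constructed four-state continuous-time Markov chain; the state names, all rates and the candidate intervals are assumptions.

```python
# Added illustration: a four-state CTMC, NOT the SRN of Fig. 2.
# Every rate is a constructed value chosen only to make the trade-off visible.
FRESH, EXPOSED, MIGRATING, FAILED = range(4)

def generator(trigger_h, exposure_h=24.0, failure_h=72.0,
              downtime_h=0.05, repair_h=1.0):
    """Generator matrix Q for a VM migration interval of trigger_h hours."""
    m = 1.0 / trigger_h                    # timer approximated as exponential
    q = [[0.0] * 4 for _ in range(4)]
    q[FRESH][EXPOSED] = 1.0 / exposure_h   # VM stays put long enough to be at risk
    q[FRESH][MIGRATING] = m                # scheduled migration
    q[EXPOSED][MIGRATING] = m              # migration also clears the exposure
    q[EXPOSED][FAILED] = 1.0 / failure_h   # outage reached from the risky state
    q[MIGRATING][FRESH] = 1.0 / downtime_h # migration downtime ends
    q[FAILED][FRESH] = 1.0 / repair_h      # repair
    for i in range(4):
        q[i][i] = -sum(q[i])               # diagonal = minus the row's exit rate
    return q

def steady_state(q):
    """Solve pi*Q = 0 with sum(pi) = 1 by Gauss-Jordan elimination."""
    n = len(q)
    # Rows are balance equations (Q transposed) with a right-hand side of 0;
    # the last, redundant one is replaced by the normalisation condition.
    a = [[q[j][i] for j in range(n)] + [0.0] for i in range(n)]
    a[n - 1] = [1.0] * n + [1.0]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[piv] = a[piv], a[col]
        a[col] = [v / a[col][col] for v in a[col]]
        for r in range(n):
            if r != col:
                a[r] = [v - a[r][col] * p for v, p in zip(a[r], a[col])]
    return [row[n] for row in a]

def metrics(trigger_h):
    """Return (unavailability, risk score) for one migration interval."""
    pi = steady_state(generator(trigger_h))
    return pi[MIGRATING] + pi[FAILED], pi[EXPOSED]

def best_policy(weight_unavail, triggers=(1, 2, 4, 6, 12, 24, 48, 96)):
    """Interval minimising weight*unavailability + (1 - weight)*risk."""
    def cost(t):
        u, risk = metrics(t)
        return weight_unavail * u + (1.0 - weight_unavail) * risk
    return min(triggers, key=cost)

if __name__ == "__main__":
    for t in (1, 2, 4, 6, 12, 24, 48, 96):
        u, risk = metrics(t)
        print(f"trigger={t:>3} h  unavailability={u:.5f}  risk={risk:.5f}")
    for w in (1.0, 0.9, 0.0):
        print(f"weight on unavailability {w}: migrate every {best_policy(w)} h")
```

With these constructed rates, unavailability is lowest at an intermediate interval while the risk score only grows as migrations become less frequent, so the selected interval moves as the weight changes.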