Model-based evaluation of combinations of Shuffle and Diversity MTD techniques on the cloud

Highlights

• Formal mathematical definition for combining Shuffle and Diversity MTD techniques.

• Proposing new mechanisms to combine Shuffle and Diversity techniques.

• Quantify the cloud security posture using Graphical Security Models (GSMs).

• Evaluating the MTD techniques using security metrics including path-based metrics.

Abstract

Regardless of cloud computing capabilities, security is still one of the biggest threats in the cloud. Moving Target Defense (MTD) has shown to be an effective security mechanism to secure the cloud by changing the attack surface to make uncertainties for the attackers. In this paper, we propose a combination of two MTD techniques: Shuffle and Diversity which we believe further attributes to reduce the cyber attack surface. We first provide the formal definitions of the combination to design and implement our proposal. Then, we investigate a number of approaches in which Shuffle and Diversity can be combined in order to provide the most effective defense. Towards, we utilize Network Centrality Measures (NCMs) to find out the most critical component in the cloud. Then, we evaluate the proposed MTD techniques through formal Graphical Security Models (GSM) and quantify the cloud security level through security metrics before and after deploying the MTD techniques. Our experimental evaluation shows that the combination of Shuffle and Diversity techniques can increase the security posture of the cloud.

Introduction

Cloud computing security has become a huge challenge for the cloud providers as the cloud’s customers cannot trust the security of this new paradigm while the cloud provides comprehensive services to their customers. According to the International Data Corporation (IDC) survey on the cloud computing challenges, the cloud security with 87.5% was ranked first as the greatest concern for the enterprise cloud customers [1]. Conventional security mechanisms are used to address the security issues by eliminating the vulnerabilities and risks. However, it is difficult to perfectly remove or patch all possible vulnerabilities on a system. Hence, it is crucial to have effective security mechanism to improve the cloud security from different defensive aspects [2], [3]. As an emerging proactive approach, Moving Target Defense (MTD) has been proposed which can provide another perspective of defensive strategies against cyber attacks. MTD makes a system more unpredictable for the attackers by continuously changing the attack surface. MTD can utilize the existing system components and technologies providing more affordable defense solutions.

In [4], Hong et al. categorized MTD techniques into three comprehensive categories including [4]: Shuffle [5], [6], Redundancy [7] and Diversity [8], [9]. In general, Shuffle MTD techniques can reconfigure the system’s components in order to change the attack surface and consequently increase uncertainty and confusion for the attacker. Redundancy MTD techniques deal with replication of any system’s component aiming to enhance the system and service reliability or availability for the customers. Thus, if a system’s component fails due to attack, there would be alternative ways to provide the same service. The advent of the Internet of Things (IoT) makes more viable attack sources for attackers so that they can launch various attacks through the botnets these days. Botnets are good starting points for attackers to launch a wider attack range to the cloud using vulnerable IoT-based botnets [10]. For example, a Distributed Denial-of-Service (DDoS) attack utilizes botnets (leveraging compromised IoT devices) to attack a cloud by flooding traffic messages from various sources aiming to deny services to users. In this case, Redundancy contributes to increase cloud resiliency, and can battle these kinds of attacks. However, the investigation of Redundancy technique is out of the scope of this paper and is presented in [11]. Diversity MTD techniques may increase the difficulties of attacks by changing the system’s component variant. Changing a component in the system may introduce different and new set of vulnerabilities and invalidate the vulnerability information collected by the attackers. Ultimately, the attacker may spend more time, effort, and money to learn new techniques to exploit the newly introduced vulnerabilities.

Deploying an MTD technique for a specific reason may vary the security posture of a system. Most of proposed MTD techniques do not offer convincing evidence if they would be effective as claimed. Therefore, it is important to assess the effectiveness of MTD techniques through security metrics such as Attack Cost (AC) and Return on Attack (RoA) which evaluate the security from the attackers’ perspective and other metrics like Risk (R) and Attack Success Probability (ASP) which may be desirable metrics for cloud providers’ perspective. Security analysis plays an inevitable role in evaluating the overall security-related perspectives of a system.

Formal graphical attack models like Graphical Security Models (GSMs) are useful tools to model and evaluate the security of the systems such as IoT and enterprises [12] or clouds [13]. GSMs can be used to evaluate the effectiveness of MTD techniques [11], [4]. However, analyzing the security through most of GSM suffers from exponential computational complexity issue, especially, in the large networks [14]. To overcome this problem, Hierarchical Attack Representation Model (HARM) is proposed which is a formal hierarchical graph-based model including two layers [14]. HARM is more scalable and adaptable than other formal GSMs [15]. In this paper, we use HARM to evaluate the effectiveness of the MTD techniques and compute the security metrics.

MTD techniques can be either used independently or combined together to obtain more effective results. Many MTD strategies have been proposed [16], [17], but it is still difficult to evaluate the effectiveness of combined MTD techniques. Combining MTD techniques can introduce additional benefits of enhancing security, which may not be possible under a single technique based MTD solutions; for instance, as Redundancy is mostly used to increase service reliability, it can be measured with the concepts of system dependability (e.g. reliability), while other MTD techniques like Shuffle and Diversity are used to increase the security of a system and need to be evaluated using security metrics. Thus, MTD techniques can be well-mingled together aiming to increase both security and reliability. However, those techniques should be evaluated using adequate security metrics as deploying each MTD technique may affect others in different ways. A combination of MTD techniques including Shuffle, Diversity, and Redundancy is presented in [18] which is mainly limited to a single deployment strategy and four security metrics such as R, AC, RoA, and Reliability. However, in this paper, we conduct extensive analysis on Shuffle and Diversity MTD technique which considers different sets of combination strategies. Moreover, we capture the effects of different MTD deployment strategies using eight important security metrics.

The earlier version of this paper was presented in [19]. In this paper, we extend the earlier version mainly focusing on formalism and definitions of MTD techniques and combination strategies on the cloud together with more effective security metrics to show the different perspective of the cloud security posture affected by deploying MTD techniques. Moreover, we have revised the previous model with new vulnerabilities and metrics. The new contributions of this paper, which to the best of our knowledge have not already been proposed by other works, are listed as follows:

• We provide the formal mathematical definitions for the combination of Shuffle (S) and Diversity (D) MTD techniques to unambiguously design and implement it in the cloud. Our formal method is written based on Hierarchical Attack Representation Model (HARM).

• We propose a new approach that combines Shuffle (S) and Diversity (D) techniques. We also provide a set of strategies for the way Shuffle (S) and Diversity (D) can be combined differently. By computing Important Measures (IMs), the effects of the different combination strategies are calculated and explained.

• We provide simulation and calculation results for the deployed MTD techniques using four security metrics to assist in extensive understanding of the trades between MTD techniques and Metrics involved in the combined defense and the attack. The security metrics we use include: Cloud Risk (R), Attack Cost (AC), Return on Attack (RoA), and Attack Success Probability (ASP).

• We also include the path-based security metrics and evaluate them against each MTD strategy to evaluate how difficult the attacker can reach a target. We also conduct regression analysis between path-based metrics and security metrics (R and ASP) to investigate the correlation between those metrics.

• We perform comparative analysis and evaluation of “before” and “after” deployment of MTD techniques to be able to quantify and compare the cloud security posture.

The rest of this paper is organized as follows. We present the related work in Section 2. We define the concepts, definitions, formalism, and the security metrics used throughout the paper in Section 3. In Section 4, we provide definitions and formalism for MTD techniques including Shuffle and Diversity and evaluate the deployment of each MTD technique. Definition, deployment, and analysis of different strategies for combining MTD techniques are given in Section 5. Then further discussion and limitations are given in Section 6. Finally, we conclude the paper in Section 7.