
An Automated Security Analysis Framework and Implementation for MTD Techniques on Cloud

  • Hooman Alavizadeh
  • Hootan Alavizadeh
  • Dong Seong Kim
  • Julian Jang-Jaccard
  • Masood Niazi Torshiz
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11975)

Abstract

Cloud service providers offer their customers on-demand and cost-effective services, scalable computing, and network infrastructures. Enterprises migrate their services to the cloud to take advantage of the benefits of cloud computing, such as eliminating the capital expense of their computing needs. There are security vulnerabilities and threats in the cloud. Many studies have proposed analyzing cloud security using Graphical Security Models (GSMs) and security metrics. In addition, finding appropriate defensive strategies for the security of the cloud has been widely researched. Moving Target Defense (MTD) techniques can utilize the cloud's elasticity features to change the attack surface and confuse attackers. Most previous work incorporating MTDs into GSMs is theoretical, and performance was evaluated based on simulation. In this paper, we realized the previous framework and designed, implemented and tested a cloud security assessment tool on a real cloud platform named UniteCloud. Our security solution can (1) monitor cloud computing in real time, (2) automate the security modeling and analysis and visualize the GSMs using a Graphical User Interface via a web application, and (3) deploy three MTD techniques, namely Diversity, Redundancy, and Shuffle, on the real cloud infrastructure. We analyzed the automation process using the APIs and showed the practicality and feasibility of automating the deployment of all three MTD techniques on UniteCloud.

Keywords

Cloud computing; Moving Target Defense; Security analysis; Security modeling; Cloud security framework


Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. School of Natural and Computational Sciences, Massey University, Auckland, New Zealand
  2. Department of Computer Engineering, Imam Reza International University, Mashhad, Iran
  3. School of Information Technology and Electrical Engineering, The University of Queensland, Brisbane, Australia
  4. Department of Computer Engineering, Mashhad Branch, Islamic Azad University, Mashhad, Iran
