Dynamic Security Risk Assessment in Cloud Computing Using IAG
Cloud computing is one of the most rapidly emerging technologies because of its benefits. However, cloud security is one of the major issues attracting a lot of research. In a cloud computing environment, cloud users may have the privilege to install their own applications; in particular, Infrastructure as a Service (IaaS) clouds grant users the privilege to install applications on their virtual machines (VMs), so users may install vulnerable applications. In this case, identifying a zombie exploitation attack is difficult. Many attack graph-based solutions have been proposed to detect compromised VMs, but they focus only on static attack scenarios. In this paper, we propose a dynamic risk assessment system that incorporates Bayes' theorem into the attack graph model, namely the improved attack graph (IAG), to assess dynamic risks and decide on appropriate countermeasures based on IAG analytical models. The effectiveness and efficiency of the proposed system are demonstrated in the security and performance analysis, respectively.
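The abstract describes the core mechanism only in outline: exploit probabilities attached to attack-graph nodes, Bayes' theorem used to update those probabilities when evidence (an alert about a VM) arrives, and countermeasures ranked by how much residual risk they leave. The following Python is an added illustration of that loop on a small IaaS scenario; it is not code from the paper. The three-VM graph, the per-edge exploit probabilities (the kind of value one would derive from CVSS exploitability scores), the IDS detection and false-positive rates, and the two countermeasures are all constructed here and carry no relation to any real deployment.

```python
"""Dynamic risk assessment on a small Bayesian attack graph (added example).

Everything here is constructed for illustration: the graph, the exploit
probabilities and the IDS sensor rates are not taken from the paper.
"""
from itertools import product
from math import prod

# Constructed attack graph. Each node maps to (kind, spec):
#   "root":   spec is the prior probability that the attacker state holds.
#   "or":     spec maps each parent state to the probability that the exploit
#             from that parent succeeds; parents combine with noisy-OR.
#   "sensor": spec is (parent, (detection_rate, false_positive_rate)).
# Keys are listed in topological order so that parents precede children.
MODEL = {
    "internet":      ("root",   1.0),
    "web_vm":        ("or",     {"internet": 0.7}),
    "db_vm":         ("or",     {"web_vm": 0.5}),
    "ddos_zombie":   ("or",     {"web_vm": 0.4, "db_vm": 0.6}),
    "ids_alert_web": ("sensor", ("web_vm", (0.9, 0.1))),
}


def local_prob(node, state, assignment, model):
    """Return P(node = state | parents) from the node's local probability table."""
    kind, spec = model[node]
    if kind == "root":
        p = spec
    elif kind == "or":
        # Noisy-OR: the state is reached if at least one true parent's exploit succeeds.
        p = 1.0 - prod(1.0 - q for parent, q in spec.items() if assignment[parent])
    elif kind == "sensor":
        parent, (tpr, fpr) = spec
        p = tpr if assignment[parent] else fpr
    else:
        raise ValueError(f"unknown node kind {kind!r}")
    return p if state else 1.0 - p


def joint_prob(assignment, model):
    """Joint probability of one full assignment, factored along the graph edges."""
    return prod(local_prob(n, assignment[n], assignment, model) for n in model)


def posterior(target, evidence, model=MODEL):
    """P(target = 1 | evidence) via Bayes' theorem, by exact enumeration.

    Enumeration over 2^n assignments is fine for a demo graph; real graphs
    need a proper Bayesian-network inference engine.
    """
    names = list(model)
    numerator = denominator = 0.0
    for values in product((0, 1), repeat=len(names)):
        assignment = dict(zip(names, values))
        if any(assignment[k] != v for k, v in evidence.items()):
            continue                      # inconsistent with what was observed
        p = joint_prob(assignment, model)
        denominator += p                  # P(evidence)
        if assignment[target]:
            numerator += p                # P(target, evidence)
    return numerator / denominator


def apply_countermeasure(model, node, parent, new_prob):
    """Copy of `model` with one exploit edge weakened (patch, filter, isolate)."""
    patched = dict(model)
    kind, spec = patched[node]
    patched[node] = (kind, {**spec, parent: new_prob})
    return patched


# Constructed countermeasure catalogue: (node, parent, new exploit probability).
COUNTERMEASURES = {
    "patch_db_vm":          ("db_vm", "web_vm", 0.0),        # exploit removed entirely
    "egress_filter_web_vm": ("ddos_zombie", "web_vm", 0.1),  # zombie traffic mostly blocked
}


def select_countermeasure(target, evidence, model=MODEL, options=COUNTERMEASURES):
    """Rank countermeasures by the posterior risk each leaves on `target`."""
    scores = {
        name: posterior(target, evidence, apply_countermeasure(model, *edge))
        for name, edge in options.items()
    }
    return min(scores, key=scores.get), scores


if __name__ == "__main__":
    alert = {"ids_alert_web": 1}   # constructed evidence: the NIDS flagged the web VM
    print("prior P(zombie):   ", round(posterior("ddos_zombie", {}), 4))
    print("posterior | alert: ", round(posterior("ddos_zombie", alert), 4))
    best, scores = select_countermeasure("ddos_zombie", alert)
    for name, risk in scores.items():
        print(f"  {name:22s} -> {risk:.4f}")
    print("choose:", best)
```

The sensor node is what makes the assessment dynamic: an alert does not set the VM's state to "compromised" outright, it shifts the posterior by the sensor's detection and false-positive rates, so a noisy IDS moves the risk estimate less than a reliable one. Countermeasures are compared on the posterior they leave behind, which is why, in this constructed instance, filtering the web VM's egress outranks patching the database VM even though patching removes an exploit completely.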
Keywords: Cloud computing, DDoS attack, Vulnerability, Attack graph, Risk management, Bayesian theorem