
Effective Security Analysis for Combinations of MTD Techniques on Cloud Computing
(Short Paper)

Hooman Alavizadeh¹(✉), Dong Seong Kim², Jin B. Hong², and Julian Jang-Jaccard¹

¹ Institute of Natural and Mathematical Sciences, Massey University,
Auckland, New Zealand
{h.alavizadeh,j.jang-jaccard}@massey.ac.nz
² Department of Computer Science and Software Engineering,
University of Canterbury, Christchurch, New Zealand
{dongseong.kim,jin.hong}@canterbury.ac.nz

Abstract. Moving Target Defense (MTD) is an emerging security solution based
on continuously changing the attack surface, thus making it unpredictable for
attackers. Cloud computing could leverage such MTD approaches to prevent its
resources and services from being compromised by an increasing number of
attacks. Most of the existing MTD methods so far have focused on devising
subtle strategies for attack surface mitigation, and only a few have evaluated
the effectiveness of different MTD techniques deployed in systems. We conducted
an in-depth study, based on realistic simulations done on a cloud environment,
of the effects on security and reliability of three different MTD techniques:
(i) Shuffle, (ii) Redundancy, and (iii) the combination of Shuffle and
Redundancy. For comparisons, we use a formal scalable security model to analyse
the effectiveness of the MTD techniques. Moreover, we adopt Network Centrality
Measures to enhance the performance of security analysis to overcome the
exponential computational complexity which is often seen in a large networked
model.

Keywords: Cloud computing · Graphical Security Models · Moving Target Defense ·
Security analysis

© Springer International Publishing AG 2017
J. K. Liu and P. Samarati (Eds.): ISPEC 2017, LNCS 10701, pp. 539–548, 2017.
https://doi.org/10.1007/978-3-319-72359-4_32

1 Introduction
Cloud computing is an on-demand network access model and offers benefits
including scalability, resilience, availability, and cost reduction. Cloud
providers (e.g., Amazon Web Services, Windows Azure Platform, Google App
Engine, etc.) offering various services are responsible for providing security
for their services. This is because, despite cloud computing benefits,
security-related issues would affect customers' trust in the cloud. Although
many security mechanisms are implemented in the cloud, cyber criminals can
still exploit software vulnerabilities to penetrate into a cloud system [9]
using tools and techniques easily available on the Internet. Moving Target
Defense (MTD) is an emerging security solution that confuses the attackers by
continuously changing the attack surface [11,14]. Unlike traditional security
solutions that focused on removing vulnerabilities, MTD techniques increase
the attack effort by changing attack surfaces. However, it is difficult to
assess their effectiveness in various systems, especially when they are used
in combinations. MTD techniques are mainly classified into three main
categories [6]: Shuffle, Redundancy, and Diversity. Those techniques can be
used either independently or in a combination. The latter gives insight into
whether it is more effective to use different categories of MTD techniques
together. In this paper, we evaluate the effectiveness of the MTD techniques
and their combinations using security and dependability metrics.
Many graphical security models (GSMs), such as Attack Trees (ATs) and Attack
Graphs (AGs), in conjunction with security metrics, have been proposed and
used. They provide formal methods to analyse the security of a networked
system [10]. Various security metrics can be used with the GSMs (e.g., system
risk, attack costs, etc.), providing different perspectives of the system
security. Hence, incorporating MTD techniques into GSMs could allow
formulating an optimal MTD deployment solution through security analyses.
Moreover, these models can also be used to find how effective the deployed MTD
techniques are by comparing the results obtained through the models and the
metrics. Analysing security through GSMs suffers from scalability issues,
especially in enterprise networks [4].
We address the aforementioned problem by using a scalable security model named
the Hierarchical Attack Representation Model (HARM) [7]. The HARM can evaluate
the security-related effects of a particular MTD technique before deploying
it. The strength of the HARM is that the security analysis is more scalable,
and it also provides heuristic methods such as using Importance Measures (IMs)
[5] to overcome the exponential computational complexity issues. We further
detail the usage and application of IMs to analyse the effectiveness of MTD
techniques in combinations, which was not previously taken into account.
To the best of our knowledge, there is no prior work to evaluate and compare
the effectiveness of the combination of MTD techniques via a formal GSM. Our
main contributions are:
• Analyse and compare the effects of each MTD technique, shuffle, redundancy
and their combinations, in terms of both system risk and reliability.
• Investigate the use of IMs on different properties of Network Centrality
Measures (NCMs) to understand the effects of such properties in assessing the
effectiveness of MTD techniques.
• Analyse the correlation of IMs, Betweenness and Closeness, with the result
of deployed MTD techniques using an Exhaustive Search (ES) method in a HARM to
observe the mathematical relation between the metrics.
The rest of this paper is organised as follows. We define the methods and
metrics used in Sect. 2. In Sect. 3, we analyse the MTD techniques and combine
them; further discussion and limitations are given in Sect. 4. Related work is
summarised in Sect. 5. Finally, we conclude the paper in Sect. 6.

2 Preliminaries
Importance Measures. IMs are computed to find a set of network components that
serve a critical role in the event of an attack without exhausting all
possible attack paths. We use NCMs in the upper layer of the HARM to compute
the IMs [5], where we consider two types of NCMs: Betweenness and Closeness.
There are other NCMs which can be used (e.g., Harmonic Closeness, PageRank,
etc.), but these are out of the scope of this paper.

System Risk Analysis. The risk of an asset (here, a VM) can be defined as the
product of the probability of attack success on a VM and the impact of the
attack on that VM. Given this, we can define the system risk as the cumulative
sum of all the risk associated with VMs in all possible attack paths. To
compute the system risk, the HARM is first generated using the reachability
and vulnerability information. We then show the steps for calculating the
probability of attack success. We assume there is a set of VMs $VM$, a number
$N$ of VMs in the upper layer of the HARM where $N = |VM|$, and each VM
$VM_i \in VM$ has up to $|V|$ vulnerabilities from a set of vulnerabilities
$V$. Let $V_i$ be the set of vulnerabilities for a VM $VM_i$; then there
exists a vulnerability $v_j \in V_i \mid 0 \le i \le |N|,\ 0 \le j \le |V|$.
There are two logical gates, AND-gates and OR-gates, which connect the
vulnerabilities in the lower layer of the HARM. $AND_k$ represents a set of
vulnerabilities and other logical gates connected by the AND-gate$_k$, and
$OR_k$ represents a set of vulnerabilities and other logical gates connected
by the OR-gate$_k$. Let $p(VM_i)$ be the probability of compromising $VM_i$,
and $p(v_j)$ the probability of attack success when exploiting the
vulnerability $v_j$. Also, we let $p(AND_k)$ be the probability of attack
success for exploiting all vulnerabilities grouped for that AND-gate$_k$, and
similarly for $p(OR_k)$. Then, the probability of attack success based on
$AND_k$ or $OR_k$ can be calculated as follows.

$$p(AND_k) = \prod p(v_j) \mid v_j \in AND_k \tag{1}$$

$$p(OR_k) = 1 - \prod \bigl(1 - p(v_j)\bigr) \mid v_j \in OR_k \tag{2}$$

Using Eqs. (1) and (2), we can calculate the probability of attack success to
compromise $VM_i$ as shown in Eq. (3), denoted by the top gate, $TOP$.

$$p(VM_i) = p(TOP) \mid TOP \in \{AND_j, OR_k\} \tag{3}$$

We define the impact of an attack exploiting a vulnerability $v_j$ as
$I_{v_j}$. Then, we define the impact of an attack exploiting $VM_i$, denoted
$I_{VM_i}$, as shown in Eq. (4).

$$I_{VM_i} = \max(I_{v_j}) \mid v_j \in VM_i \tag{4}$$
Then, we denote the risk associated with $VM_i$ as $R_{VM_i}$, which is
calculated as the product of the probability of attack success and the impact
of an attack on $VM_i$, as shown in Eq. (5).

$$R_{VM_i} = p(VM_i) \times I_{VM_i} \tag{5}$$

Here, we assume that each attack path is independent of the other attack paths
in the system. The set of all possible attack paths, $paths$, consists of
attack paths $path \in paths$, where
$path = (VM_1, VM_2, \ldots, VM_N) \in VM \times VM \times \ldots \times VM$
is a series of VMs such that $VM_i$ is adjacent to $VM_{i+1}$ for
$1 \le i < |N|$. Finally, the system risk, $R_{system}$, can be calculated as
shown in Eq. (6).

$$R_{system} = \sum_{VM_i \in path \in paths} R_{VM_i} \tag{6}$$
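
The calculation in Eqs. (1)–(6), worked through on a small two-layer HARM, as an added example that is not code from the paper. The topology, vulnerability probabilities and impacts are constructed; Eq. (1) is read as a product over the gate's children and Eq. (2) as one minus the product of their complements.

```python
from math import prod

# Constructed sample data (not from the paper).
# Vulnerability id -> (p(v_j), impact I_vj)
VULNS = {"v1": (0.5, 8.0), "v2": (0.4, 6.0), "v3": (0.5, 10.0)}

# Lower layer: one attack tree per VM. A gate is (kind, children);
# a child is either a vulnerability id or a nested gate.
TREES = {
    "vm1": ("OR", ["v1", "v2"]),
    "vm2": ("AND", ["v1", "v3"]),
    "vm3": ("OR", ["v2", ("AND", ["v1", "v3"])]),
}

# Upper layer: reachability between the attacker "A" and the VMs.
EDGES = {"A": ["vm1", "vm2"], "vm1": ["vm2", "vm3"], "vm2": ["vm3"], "vm3": []}


def gate_probability(node):
    """Probability of attack success for a leaf or a gate, Eqs. (1) and (2)."""
    if isinstance(node, str):
        return VULNS[node][0]
    kind, children = node
    probs = [gate_probability(child) for child in children]
    if kind == "AND":
        return prod(probs)                      # Eq. (1)
    return 1 - prod(1 - p for p in probs)       # Eq. (2)


def leaves(node):
    """All vulnerability ids under a gate."""
    if isinstance(node, str):
        return {node}
    return set().union(*(leaves(child) for child in node[1]))


def vm_risk(vm):
    """R_VMi = p(VMi) * I_VMi, Eqs. (3)-(5)."""
    probability = gate_probability(TREES[vm])               # Eq. (3), TOP gate
    impact = max(VULNS[v][1] for v in leaves(TREES[vm]))    # Eq. (4)
    return probability * impact                             # Eq. (5)


def attack_paths(src, target, edges, seen=()):
    """Enumerate all simple paths from src to target in the upper layer."""
    if src == target:
        yield [target]
        return
    for nxt in edges[src]:
        if nxt not in seen:
            for rest in attack_paths(nxt, target, edges, seen + (src,)):
                yield [src] + rest


def system_risk(entry, target, edges=EDGES):
    """Eq. (6): sum R_VMi over every VM on every attack path."""
    paths = list(attack_paths(entry, target, edges))
    total = sum(vm_risk(vm) for path in paths for vm in path if vm != entry)
    return total, paths


if __name__ == "__main__":
    risk, paths = system_risk("A", "vm3")
    for path in paths:
        print(" -> ".join(path))
    print(f"R_system = {risk:.1f}")
```

A VM that sits on several attack paths is counted once per path, which is why adding paths through the same VM raises the system risk even though the VM's own risk is unchanged.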

Reliability Analysis. We use SHARPE (Symbolic Hierarchical Automated
Reliability and Performance Evaluator) [12] to assess the reliability of the
cloud. In detail, we can compute the probability of the existence of a path
from a start point (entry of a network) to a target using a reliability graph
in SHARPE. We utilise this feature by defining the upper layer of the HARM as
a reliability graph. This allows us to determine the robustness of the system
over time given attack rates. Reliability of the networked system was computed
assuming the attack rates follow an exponential distribution. We vary the
attack rate, indicated by the λ value over time t, to observe the change in
reliability of the network. Hence, the probability of attack success, p(AS)
(component failure), at time t can be estimated by a cumulative exponential
distribution. Then, the reliability of each component (here, a VM) can be
defined as the probability of an attack failure under a certain attack rate
and a given time, R(t) = 1 − p(AS). Finally, to expand the reliability
analysis to the whole system, we fed the reliability graph constructed through
the upper layer of the HARM to SHARPE with an assumed attack rate (λ = 0.2,
one attack per five hours) and different times t to evaluate the overall
reliability of the system.

3 MTD Technique Analysis Through HARM

In order to evaluate the effectiveness of different MTD techniques, we
simulated a large Cloud-band model as shown in Fig. 1. This model includes two
cloud-band nodes that can hold up to 450 VMs. Only a few VMs in the Cloud-band
are connected to the Internet (i.e., front-end servers). We assume there is an
attacker outside the cloud, and the attack goal is to compromise the resource
node by compromising VMs in the attack paths. We also assume that VMs can
migrate between the Cloud-band nodes if there is available space, which
rearranges the logical connections between the VMs. All VMs in the Cloud-bands
are using the same OS. We measure the changes in system risk and reliability
to evaluate the effectiveness of MTD techniques. In the following sections, we
show how the MTD techniques may affect security and reliability factors. The
system risk and reliability of the current system have been evaluated based on
different numbers of VMs in each cloud-band node and reported in Fig. 2 for
further comparison with the results of MTD deployment strategies.

Fig. 1. A Cloud-band model consisting of up to 450 VMs in each Cloud-band node.

3.1 Shuffle

In this paper, we only focus on shuffling the VMs through VM live migration
(VM-LM), where we use the HARM to assess the effectiveness of deploying the
shuffle.
If we consider all possible migration scenarios and analyse the effectiveness
of each movement separately through an exhaustive search (ES) method, we can
obtain an optimal solution. However, this method is time consuming and
impractical for large sized networks. Alternatively, we use IMs for
discovering the most important nodes in the network [5]. We analyse the
relation of each IM, betweenness and closeness, with deploying shuffle. We
then compare the results obtained from ES with those found through a portion
of IMs. The effects of deploying shuffle on each node are investigated by both
the ES method and using IMs (two NCMs are used, betweenness and closeness).
Figure 2a illustrates (i) how deploying shuffle can enhance system security,
and (ii) whether the best scenario for the deployed MTD technique can be
obtained through IMs. The results show that the best shuffle deployment
scenario minimising the system risk can be found through analysing only the
top 10 percent of the most important nodes based on betweenness, but this
method does not guarantee the best reliability value. As shown in Fig. 2a, the
result of this analysis is equivalent to ES in finding the optimal shuffle
deployment. However, deploying shuffle so that it minimises the system risk
leads to a mild decrement in the system reliability. Figure 2b demonstrates
the reliability values before and after deploying shuffle.
[Figure 2 plots not reproduced. Axes: Risk and Reliability against No. of VMs
on each Cloud-band Node. Legend entries: Before VM-LM, Min (Risk) - top 10%
IMs, Min (Risk) - ES, After Shuffle. Panels: (a), (b).]

Fig. 2. Deploying shuffle technique based on top 10% of betweenness and ES. (a)
System risk after deploying shuffle. (b) System reliability after deploying shuffle.

3.2 Redundancy
For redundancy, we replicate the number of VMs k times and connect the
replicas to the same adjacent nodes as the original VM. We denote the number
of replicated VMs as k-R. However, any other component of the network can also
be replicated (e.g., a service, server, etc.). In this section, (i) we perform
a regression analysis to compare system risk and reliability against the IMs.
We first calculate the values of reliability and system risk after deploying
the redundancy technique (with 3-R) for each VM through the ES. The upper
layer of the HARM is used by SHARPE to obtain reliability; we then perform a
regression analysis to show the correlation of each IM with the corresponding
system risk and reliability values. In addition to the correlation analysis,
and for evaluation of deploying redundancy, (ii) we investigate whether the
optimal values for the system risk and reliability can be found using the IMs,
and (iii) we investigate how IMs can affect the system risk and reliability
when deploying redundancy.
The results of the regression analysis on deploying redundancy in the HARM's
nodes are considered through comparing the correlation of system risk and
reliability against betweenness and closeness. We construct the HARM
consisting of 50 VMs overall based on the Cloud-band model. Then, the
behaviour of the system is monitored after three hours have passed in order to
calculate reliability. We deploy three replicas (3-R) for each VM in the top
layer of the HARM in order to perform the regression analysis. However, other
VM sizes and different numbers of replicas are tested to compare the effects
of redundancy on both system risk and reliability separately. The results
shown in Fig. 3 indicate that deploying the redundancy technique increases the
reliability. The best deployment scenario can be found through analysing
closeness. Notably, the reliability obtained through this deployment grows
logarithmically, whereas using betweenness causes exponential growth in the
system risk; in the best case (using closeness), the system risk increases
linearly. Hence, one should deploy redundancy precisely based on the network's
size and specifications. Next, we investigate the combinations of shuffle and
redundancy.
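
An added example (not from the paper, and not SHARPE) of the reliability calculation from Sect. 2 applied to the k-R redundancy described above. It assumes independent VMs with R(t) = e^(−λt), that the system is reliable while at least one entry-to-target path of uncompromised VMs exists, and that k-R adds k replicas; the topology and node names are constructed.

```python
from itertools import product
from math import exp

# Constructed upper-layer topology (not from the paper): "src" is the network
# entry, "dst" the target resource node, everything else is a VM.
EDGES = {
    "src": ["web1", "web2"],
    "web1": ["app"],
    "web2": ["app"],
    "app": ["dst"],
    "dst": [],
}


def vm_reliability(lam, t):
    """R(t) = 1 - p(AS), with p(AS) = 1 - e^(-lam*t) (cumulative exponential)."""
    return exp(-lam * t)


def replicate(edges, vm, k):
    """k-R: add k replicas of vm, wired to the same adjacent nodes as vm."""
    new = {node: list(succ) for node, succ in edges.items()}
    for i in range(1, k + 1):
        replica = f"{vm}_r{i}"
        new[replica] = list(edges[vm])          # same successors
        for node, succ in edges.items():
            if vm in succ:
                new[node].append(replica)       # same predecessors
    return new


def path_exists(edges, src, dst, up):
    """True if dst is reachable from src using only VMs in the set `up`."""
    stack, seen = [src], {src}
    while stack:
        node = stack.pop()
        if node == dst:
            return True
        for nxt in edges[node]:
            if nxt not in seen and (nxt == dst or nxt in up):
                seen.add(nxt)
                stack.append(nxt)
    return False


def system_reliability(edges, src, dst, lam, t):
    """Exact reliability by enumerating every up/down state of the VMs.

    Exponential in the number of VMs, so only suitable for small graphs.
    """
    r = vm_reliability(lam, t)
    vms = [node for node in edges if node not in (src, dst)]
    total = 0.0
    for states in product([True, False], repeat=len(vms)):
        up = {vm for vm, is_up in zip(vms, states) if is_up}
        if path_exists(edges, src, dst, up):
            total += r ** len(up) * (1 - r) ** (len(vms) - len(up))
    return total


if __name__ == "__main__":
    lam, t = 0.2, 3          # attack rate and observation time used in the paper
    for k in range(0, 4):
        graph = replicate(EDGES, "app", k)
        print(f"{k}-R on app: reliability = "
              f"{system_reliability(graph, 'src', 'dst', lam, t):.4f}")
```

With λ = 0.2 and t = 3 the per-VM reliability is about 0.549; replicating the single VM that every path crosses raises the system value from about 0.437 to about 0.634 with one replica, with diminishing gains for each further replica.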

Fig. 3. System risk and reliability based on IMs after deploying redundancy.
(a) compares deploying redundancy on the top 10% of betweenness nodes.
(b) compares deploying redundancy on the top 10% of betweenness and closeness.

3.3 Combination of Shuffle and Redundancy

The shuffle technique improves the security while the redundancy improves the
reliability, as shown in previous sections. Thus both aforementioned measures
would be necessary in a network, especially in large sized networks or cloud
environments. In this section, we explore the effectiveness of the combination
of Shuffle (S) and Redundancy (R), denoted as the S+R technique. Based on the
experimental results obtained from the previous sections, we develop the S+R
together with IMs so that we deploy shuffle among the top 10% of VMs having
the highest betweenness values and we deploy redundancy on the most important
VM selected by the closeness measure. The obtained results of S+R are compared
with the shuffle only, redundancy only, and no MTD deployed configurations of
the network. Figure 4a compares the growth trend in the system risk against
different cloud-band sizes and replicas by deploying all combinations of the
foregoing MTD strategies. Furthermore, in order to analyse the effects of
deploying S+R on system reliability and compare it with other deployment
scenarios, we duplicate the most important VM in terms of closeness and find
the best shuffle scenario through betweenness (as in Sect. 3.1) (see Fig. 4b).
As can be seen in Fig. 4a, deploying shuffle-only can decrease the system risk
(compare S-Only with No-R-No-S in the chart). Next, deploying redundancy-only
decreases system security. Nevertheless, deploying S+R causes a gentle
increment in the system risk, which is not comparable with the values caused
by deploying redundancy only. In Fig. 4b, comparing the current system with
the results of deploying both redundancy and S+R, we clearly observe that both
of these techniques enhance the system reliability, while shuffle decreases
reliability.
Finally, we conclude that the two important measures, security and
reliability, have a negative correlation toward MTD techniques. Although
increasing the system reliability through deploying redundancy may deteriorate
security and vice versa, one can benefit from a combination strategy to find a
reliable threshold between those two measures based on the particular system
and networked environment.

Fig. 4. Combinations of MTD techniques with regard to system risk and
reliability. (a) compares the combinations of MTD techniques based on
different cloud-band sizes and replicas over the system risk. (b) compares
deploying Shuffle, Redundancy (2-R), and S+R techniques on the system
reliability.

4 Discussion and Limitations

In this section, we discuss the main findings of the deployed methods as well
as the limitations and future work. Experimental analysis in Sect. 3 showed
that the best shuffle technique that minimised the system risk can be found
using the IMs with only the top 10% of VMs. Although deploying the shuffle
decreased the system reliability, this decrement was negligible (especially in
the larger cloud-bands), as shown in Figs. 2a and 4b. When deploying the
redundancy technique, the betweenness measure has a strong exponential
correlation with the system risk. It shows that deploying the redundancy
technique on the nodes with higher betweenness values increases system risk
exponentially. As the redundancy technique aims to improve the system
reliability, we observed a trade-off between the system risk and the
reliability when using the redundancy technique. The second finding is that
the betweenness had no correlation with the reliability; thus, replication of
a VM with the highest betweenness centrality does not guarantee the best
reliability. However, one can deploy redundancy on a VM with the highest
closeness rate to achieve the best reliability value while system risk grows
linearly. Finally, through the combination of both shuffle and redundancy and
utilising the pros and cons of each, we can find an appropriate threshold
between those with regard to the security and performance-related requirements
and the networked environment. The observed results are valid based on our
cloud-band model and may vary on different types of networks and cloud models.
Other MTD combinations including Diversity should also be considered with more
analysis related to time and complexity of the methods. We only focused on two
criteria for assessing our methods, system risk and reliability, while there
are many security metrics, such as attack cost, probability, etc.
For our future work, we will conduct experiments using a real testbed, for
which we are currently working on implementing a private cloud named
Unitecloud [3]. Further, we will incorporate other combinations of MTD
techniques to evaluate their effectiveness, as well as incorporate more
vulnerabilities from other layers in the system (e.g., application
vulnerabilities).

5 Related Work

Many research efforts have been made to improve MTD systems in the last
decade, including frameworks [14], strategies and techniques [1,8], and
applications [2]. Jafarian et al. [8] developed an MTD technique to
proactively change the IP addresses of the hosts. Similarly, the concept of
Random Route Mutation (RRM) has been introduced by Al-Shaer [1] to find an
optimal randomised path between the source and the target. Zhang et al. [13]
proposed an end-to-end defence strategy to secure VMs in a cloud data centre
at a hypervisor level. Zhang et al. [14] proposed an MTD method to cope with
the problem resulting from co-residency in the virtualised environment.
On the other hand, there are only a few works that evaluate the effectiveness
of the MTD techniques. Peng et al. [11] investigated the effectiveness of MTD
techniques for securing cloud-based services with a heterogeneous or dynamic
attack surface. However, they did not utilise a rational and formal security
model and analysis tool. Hong et al. [6] analysed the security changes when
MTD techniques are deployed, by introducing a formal method to model Shuffle,
Redundancy, and Diversity individually. We extended this work by combining
Shuffle and Redundancy and measuring the system risk and reliability, as well
as incorporating the use of the IMs for better scalability.

6 Conclusion

MTD techniques have been proposed to enhance the cyber security by changing
the network surface continuously, therefore making the attack surface
unpredictable for attackers. However, the effectiveness of deploying multiple
MTD techniques has not been evaluated. To address this problem, we first
incorporated MTD techniques, namely Shuffle, Redundancy, and the combination
of both, into a scalable graphical security model named HARM, in order to
evaluate the effectiveness of MTD techniques by comparing the changes in the
system risk and reliability. Moreover, we used IMs to find the most effective
MTD techniques in a scalable manner. Finally, our experimental results showed
the effectiveness and the trade-off using the proposed MTD techniques in order
to maximise the reliability while minimising the system risk.

Acknowledgment. This paper was made possible by Grant NPRP 8-531-1-111 from
Qatar National Research Fund (QNRF). The statements made herein are solely the
responsibility of the authors.

References
1. Al-Shaer, E.: Toward network configuration randomization for moving target defense. In: Jajodia, S., Ghosh, A., Swarup, V., Wang, C., Wang, X. (eds.) Moving Target Defense - Creating Asymmetric Uncertainty for Cyber Threats, vol. 54, pp. 153–159. Springer, New York (2011). https://doi.org/10.1007/978-1-4614-0977-9_9
2. Chatfield, B., Haddad, R.: Moving Target Defense Intrusion Detection System for IPv6 based smart grid advanced metering infrastructure. In: Proceedings of the IEEE SoutheastCon 2017, pp. 1–7, March 2017
3. He, M., Pang, S., Lavrov, D., Lu, D., Zhang, Y., Sarrafzadeh, A.: Reverse Replication of Virtual Machines (rRVM) for low latency and high availability services. In: Proceedings of the 9th International Conference on Utility and Cloud Computing (UCC 2016), pp. 118–127. ACM (2016)
4. Hong, J.B., Kim, D.S.: Performance analysis of scalable attack representation models. In: Janczewski, L.J., Wolfe, H.B., Shenoi, S. (eds.) SEC 2013. IAICT, vol. 405, pp. 330–343. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39218-4_25
5. Hong, J.B., Kim, D.S.: Scalable security analysis in hierarchical attack representation model using centrality measures. In: Proceedings of the 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSN-W 2013), pp. 1–8 (2013)
6. Hong, J.B., Kim, D.S.: Assessing the effectiveness of moving target defenses using security models. IEEE Trans. Dependable Secure Comput. 13(2), 163–177 (2016)
7. Hong, J.B., Kim, D.S.: Towards scalable security analysis using multi-layered security models. J. Netw. Comput. Appl. 75(C), 156–168 (2016)
8. Jafarian, J., Al-Shaer, E., Duan, Q.: Openflow random host mutation: transparent moving target defense using software defined networking. In: Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN 2012), pp. 127–132. ACM, New York (2012)
9. Jia, Q., Wang, H., Fleck, D., Li, F., Stavrou, A., Powell, W.: Catch me if you can: a cloud-enabled DDoS defense. In: Proceedings of the Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2014), pp. 264–275 (2014)
10. Kaynar, K., Sivrikaya, F.: Distributed attack graph generation. IEEE Trans. Dependable Secure Comput. 13(5), 519–532 (2016)
11. Peng, W., Li, F., Huang, C., Zou, X.: A moving-target defense strategy for cloud-based services with heterogeneous and dynamic attack surfaces. In: Proceedings of the IEEE International Conference on Communications (ICC 2014), pp. 804–809 (2014)
12. Sahner, R., Trivedi, K., Puliafito, A.: Performance and Reliability Analysis of Computer Systems: An Example-Based Approach Using the SHARPE Software Package. Springer, US (2012)
13. Zhang, L., Shetty, S., Liu, P., Jing, J.: Rootkitdet: practical end-to-end defense against kernel rootkits in a cloud environment. In: Proceedings of the European Symposium on Research in Computer Security (ESORICS 2014), pp. 475–493 (2014)
14. Zhang, Y., Li, M., Bai, K., Yu, M., Zang, W.: Incentive compatible moving target defense against VM-colocation attacks in clouds. In: Proceedings of the 27th IFIP Information Security and Privacy Conference (SEC 2012), pp. 388–399 (2012)
