1 Introduction
Cloud computing is an on-demand network access model and offers benefits
including scalability, resilience, availability, and cost reduction. Cloud providers
(e.g., Amazon Web Services, Windows Azure Platform, Google App Engine, etc.)
offering various services are responsible for providing security of their services.
This is because, despite cloud computing benefits, security-related issues would
affect customers' trust in the cloud. Although many security mechanisms are
implemented in the cloud, cyber criminals can still exploit software vulnerabilities to
© Springer International Publishing AG 2017
J. K. Liu and P. Samarati (Eds.): ISPEC 2017, LNCS 10701, pp. 539–548, 2017.
https://doi.org/10.1007/978-3-319-72359-4_32
540 H. Alavizadeh et al.
penetrate into a cloud system [9] using tools and techniques easily available on
the Internet. Moving Target Defense (MTD) is an emerging security solution
that confuses the attackers by continuously changing the attack surface [11,14].
Unlike traditional security solutions that focused on removing vulnerabilities,
MTD techniques increase the attack efforts by changing attack surfaces. How-
ever, it is difficult to assess their effectiveness in various systems, especially when
they are used in combinations. MTD techniques are classified into three
main categories [6]: Shuffle, Redundancy, and Diversity. Those techniques can
be used either independently or in combination. Studying the latter gives
insight into whether different categories of MTD techniques are more effective
when used together. In this paper, we evaluate the effectiveness of the MTD techniques and
their combinations using security and dependability metrics.
Many graphical security models (GSM) (such as Attack Trees (ATs) and
Attack Graphs (AGs)) in conjunction with security metrics, have been proposed
and used. They provide formal methods to analyse the security of a networked
system [10]. Various security metrics can be used with the GSMs (e.g., system
risk, attack costs, etc.), providing different perspectives of the system security.
Hence, incorporating MTD techniques into GSMs could allow formulating
an optimal MTD deployment solution through security analyses. Moreover, these
models can also be used to find how effective the deployed MTD techniques are by
comparing the results obtained through the models and the metrics. Analysing
security through GSMs suffers from scalability issues, especially in enterprise
networks [4].
We address the aforementioned problem by using a scalable security model
named Hierarchical Attack Representation Model (HARM) [7]. The HARM can
evaluate the security-related effects of a particular MTD technique before deploy-
ing it. The strength of the HARM is that the security analysis is more scalable
and it also provides heuristic methods such as using Importance Measures (IMs)
[5] to overcome the exponential computational complexity issues. We further
detail the usage and application of IMs to analyse the effectiveness of MTD
techniques in combinations, which was not previously taken into account.
To the best of our knowledge, there is no prior work to evaluate and compare
the effectiveness of the combination of MTD techniques via a formal GSM. Our
main contributions are:
• Analyse and compare the effects of each MTD technique, shuffle, redundancy
and their combinations, in terms of both system risk and reliability;
• Investigate the use of IMs on different properties of Network Centrality
Measures (NCMs) to understand the effects of such properties when assessing
the effectiveness of MTD techniques;
• Analyse the correlation of IMs, Betweenness and Closeness, with the result
of deployed MTD techniques using an Exhaustive Search (ES) method in a
HARM to observe the mathematical relation between the metrics.
The rest of this paper is organised as follows. We define the methods and metrics
used in Sect. 2. In Sect. 3, we analyse the MTD techniques and combine them;
further discussion and limitations are given in Sect. 4. Related work is
summarised in Sect. 5. Finally, we conclude the paper in Sect. 6.
Effective Security Analysis for Combinations of MTD Techniques 541
2 Preliminaries
Importance Measures. IMs are computed to find a set of network components
that serve a critical role in the event of an attack without exhausting all possible
attack paths. We use NCMs in the upper layer of the HARM to compute the IMs
[5], where we consider two types of NCMs: Betweenness and Closeness. There
are other NCMs which can be used (e.g., Harmonic Closeness,
PageRank, etc.), but they are out of the scope of this paper.
System Risk Analysis. The risk of an asset (here, a VM) can be defined as the
product of the probability of attack success on a VM and the impact of the attack
on that VM. Given the above, we can define the system risk as the cumulative sum
of all the risks associated with VMs in all possible attack paths. To compute the
system risk, the HARM is first generated using the reachability and vulnerability
information. We first show the calculation steps for the probability of attack
success. We assume there is a set of VMs $VM$, a number $N$ of VMs in the
upper layer of the HARM where $N = |VM|$, and each VM $VM_i \in VM$ has up to
$|V|$ vulnerabilities for a set of vulnerabilities $V$. Let $V_i$ be the set of
vulnerabilities for a VM $VM_i$, then there exists a vulnerability
$v_j \in V_i \mid 0 \le i \le |N|,\ 0 \le j \le |V|$. There are two logical gates, $AND$- and $OR$-gates, which connect
the vulnerabilities in the lower layer of the HARM. $AND_k$ represents a set of
vulnerabilities and other logical gates connected by the $AND$-gate$_k$, and
$OR_k$ represents a set of vulnerabilities and other logical gates connected by the
$OR$-gate$_k$. Let $p(VM_i)$ be the probability of compromising $VM_i$, and $p(v_j)$
the probability of attack success when exploiting the vulnerability $v_j$. Also, we
let $p(AND_k)$ be the probability of attack success for exploiting all vulnerabilities
grouped for that $AND$-gate$_k$, and similarly for $p(OR_k)$. Then, the probability
of attack success based on $AND_k$ or $OR_k$ can be calculated as follows.

$$p(AND_k) = \prod_{v_j \in AND_k} p(v_j) \qquad (1)$$

$$p(OR_k) = 1 - \prod_{v_j \in OR_k} \bigl(1 - p(v_j)\bigr) \qquad (2)$$

Using Eqs. (1) and (2), we can calculate the probability of an attack success
to compromise $VM_i$ as shown in Eq. (3) denoted by the top-gate, $TOP$.
$$R_{VM_i} = p(VM_i) \times I_{VM_i}, \qquad (5)$$

Here, we assume that each attack path is independent of the other attack paths in
the system. The set of all possible attack paths, $paths$, consists of attack paths $path \in paths$
where $path = (VM_1, VM_2, \ldots, VM_N) \in VM \times VM \times \ldots \times VM$ is
a series of VMs that form an attack path such that $VM_i$ is adjacent to
$VM_{i+1}$ for $1 \le i < |N|$. Finally, the system risk, $R_{system}$, can be calculated as
shown in Eq. (6).

$$R_{system} = \sum_{path \in paths} \; \sum_{VM_i \in path} R_{VM_i} \qquad (6)$$
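The calculation in Eqs. (1), (2), (5) and (6) can be traced on a small two-layer model. The following Python sketch is an added example, not code from the paper: the topology, probabilities, impact values and the names `gate_prob`, `attack_paths` and `system_risk` are constructed for illustration, p(VM_i) is taken as the probability of the VM's top gate, and an attack path is assumed to run from one attacker entry node to one target.

```python
from math import prod

def gate_prob(node):
    """Lower layer: node is a leaf p(v_j) or a ("AND"|"OR", [children]) gate."""
    if isinstance(node, (int, float)):
        return float(node)
    kind, children = node
    probs = [gate_prob(child) for child in children]
    if kind == "AND":                                   # Eq. (1)
        return prod(probs)
    if kind == "OR":                                    # Eq. (2)
        return 1.0 - prod(1.0 - p for p in probs)
    raise ValueError(f"unknown gate type: {kind}")

def attack_paths(edges, node, target, visited=()):
    """Upper layer: every loop-free path of adjacent VMs ending at target."""
    visited = visited + (node,)
    if node == target:
        yield visited
        return
    for nxt in edges.get(node, ()):
        if nxt not in visited:
            yield from attack_paths(edges, nxt, target, visited)

def system_risk(edges, trees, impact, entry, target):
    """Eq. (5) per VM, then Eq. (6) summed over every VM on every path."""
    risk = {vm: gate_prob(trees[vm]) * impact[vm] for vm in trees}
    paths = list(attack_paths(edges, entry, target))
    # The attacker node has no vulnerability tree, so it adds no risk.
    total = sum(risk[vm] for path in paths for vm in path if vm in risk)
    return total, risk, paths

# Constructed sample (not from the paper): attacker -> web tier -> app -> db.
EDGES = {"attacker": ["web1", "web2"], "web1": ["app"], "web2": ["app"],
         "app": ["db"]}
TREES = {
    "web1": ("OR", [0.5, 0.2]),                 # either vulnerability suffices
    "web2": ("AND", [0.5, 0.4]),                # both must be exploited
    "app": ("OR", [("AND", [0.5, 0.5]), 0.2]),  # nested gates
    "db": 0.5,                                  # single vulnerability
}
IMPACT = {"web1": 5.0, "web2": 5.0, "app": 8.0, "db": 10.0}

if __name__ == "__main__":
    total, risk, paths = system_risk(EDGES, TREES, IMPACT, "attacker", "db")
    for path in paths:
        print(" -> ".join(path))
    print({vm: round(r, 2) for vm, r in risk.items()}, round(total, 2))
```

Because Eq. (6) sums over paths, a VM shared by several paths (here `app` and `db`) is counted once per path, which is why adding paths through replication raises the system risk.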
effectiveness of MTD techniques. In the following sections, we show how the
MTD techniques may affect security and reliability factors. The system risk and
reliability of the current system have been evaluated for different numbers
of VMs in each cloud-band node and reported in Fig. 2 for further comparison
with the results of MTD deployment strategies.
3.1 Shuffle
In this paper, we only focus on shuffling the VM through the VM live migration
(VM-LM), where we use the HARM to assess the effectiveness of deploying the
shuffle.
If we consider all possible migration scenarios and analyse the effectiveness
of each movement separately through an exhaustive search (ES) method, we
can obtain an optimal solution. However, this method is time consuming and
impractical for large networks. Alternatively, we use IMs for discovering the
most important nodes in the network [5]. We analyse the relation of each IM,
betweenness and closeness, with deploying shuffle. We then compare the results
obtained from ES with those found through a portion of the IMs. The effects of
deploying shuffle on each node are investigated both by the ES method and by using
IMs (two NCMs are used, betweenness and closeness). Figure 2a illustrates (i)
how deploying shuffle can enhance system security, and (ii) whether the best
scenario for the deployed MTD technique can be obtained through IMs. The results
show that the best shuffle deployment scenario minimising the system risk can
be found by analysing only the top 10 percent of the most important nodes
based on betweenness, but this method does not guarantee the best reliability
value. As shown in Fig. 2a, the result of this analysis is equivalent to that of ES in
finding the optimal shuffle deployment. However, deploying shuffle so that it
minimises the system risk leads to a mild decrease in the system reliability. Figure 2b
demonstrates the reliability values before and after deploying shuffle.
[Figure 2: two plots of (a) Risk and (b) Reliability against No. of VMs on each Cloud-band Node (20 to 400); legend entries: Before VM-LM, Min (Risk) - top 10% IMs, Min (Risk) - ES, After Shuffle.]
Fig. 2. Deploying shuffle technique based on top 10% of betweenness and ES. (a)
System risk after deploying shuffle. (b) System reliability after deploying shuffle.
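The IM-based shortlisting used above in place of ES can be sketched as follows. This is an added Python example, not the authors' implementation: the upper-layer graph and node names are constructed, betweenness is computed with Brandes' algorithm on the directed graph, and closeness uses the Wasserman-Faust scaling over outgoing distances, which is an assumption since the page does not give the exact formulas.

```python
from collections import deque

def bfs(adj, s):
    """Shortest paths from s: visit order, distance, path count, predecessors."""
    dist, sigma, preds, order = {s: 0}, {s: 1}, {s: []}, []
    queue = deque([s])
    while queue:
        v = queue.popleft()
        order.append(v)
        for w in adj.get(v, ()):
            if w not in dist:                  # first time w is reached
                dist[w], sigma[w], preds[w] = dist[v] + 1, 0, []
                queue.append(w)
            if dist[w] == dist[v] + 1:         # v lies on a shortest path to w
                sigma[w] += sigma[v]
                preds[w].append(v)
    return order, dist, sigma, preds

def betweenness(adj, nodes):
    """Brandes' algorithm on a directed, unweighted graph (unnormalised)."""
    score = dict.fromkeys(nodes, 0.0)
    for s in nodes:
        order, _, sigma, preds = bfs(adj, s)
        delta = dict.fromkeys(order, 0.0)
        for w in reversed(order):              # farthest nodes first
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                score[w] += delta[w]
    return score

def closeness(adj, nodes):
    """Closeness over outgoing distances, scaled by the reachable fraction."""
    score = {}
    for s in nodes:
        _, dist, _, _ = bfs(adj, s)
        reached, total = len(dist) - 1, sum(dist.values())
        score[s] = (reached / (len(nodes) - 1)) * (reached / total) if total else 0.0
    return score

def top_fraction(score, fraction, exclude=("attacker",)):
    """Shortlist the top `fraction` of VMs (at least one) for MTD deployment."""
    ranked = sorted((n for n in score if n not in exclude),
                    key=lambda n: (-score[n], n))
    return ranked[:max(1, round(len(ranked) * fraction))]

# Constructed upper layer (not from the paper): vm4 is the only bridge
# between the front-end VMs and the two VMs that reach the database.
ADJ = {"attacker": ["vm1", "vm2", "vm3"], "vm1": ["vm4"], "vm2": ["vm4"],
       "vm3": ["vm4"], "vm4": ["vm5", "vm6"], "vm5": ["db"], "vm6": ["db"]}
NODES = ["attacker", "vm1", "vm2", "vm3", "vm4", "vm5", "vm6", "db"]

if __name__ == "__main__":
    for measure in (betweenness, closeness):
        score = measure(ADJ, NODES)
        print(measure.__name__, top_fraction(score, 0.10),
              {n: round(v, 3) for n, v in score.items()})
```

On this graph both measures shortlist `vm4`, so a single deployment scenario is evaluated instead of one per VM.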
3.2 Redundancy
For redundancy, we replicate VMs k times and connect the replicas
to the same adjacent nodes as the original VM. We denote the number of
replicated VMs as k-R. However, any other component of the network can also be
replicated (e.g., a service, server, etc.). In this section, (i) we perform a regression
analysis to compare system risk and reliability against the IMs. We first calculate
the values of reliability and system risk after deploying the redundancy technique
(with 3-R) for each VM through the ES. The upper layer of the HARM is used by
SHARPE to obtain reliability; we then perform a regression analysis to show
the correlation of each IM with the corresponding system risk and reliability
values. In addition to the correlation analysis, and to evaluate deploying redundancy,
(ii) we investigate whether the optimal values for the system risk and reliability can
be found using the IMs, and (iii) we investigate how IMs can affect the system
risk and reliability when deploying redundancy.
The results of the regression analysis on deploying redundancy in the HARM's nodes
are considered by comparing the correlation of system risk and reliability
against betweenness and closeness. We construct the HARM consisting of
50 VMs overall based on the Cloud-band model. Then, the behaviour of the system is
monitored after three hours have passed in order to calculate reliability. We deploy
three replicas (3-R) for each VM in the top layer of the HARM in order to perform
the regression analysis. However, other VM sizes and different numbers of replicas are tested to
compare the effects of redundancy on both system risk and reliability separately.
The results shown in Fig. 3 indicate that deploying the redundancy technique
increases the reliability. The best deployment scenario can be found through
analysing closeness. It is noticeable that the reliability obtained through this
deployment grows logarithmically, while using betweenness causes an
exponential growth in the system risk, and in the best case (using closeness) we have
a linear increase in the system risk. Hence, one should deploy redundancy
precisely based on the network's size and specifications. Next, we investigate the
combinations of the shuffle and redundancy.
Fig. 3. System risk and reliability based on IMs after deploying redundancy. (a) compares
deploying redundancy on the top 10% of betweenness nodes. (b) compares deploying
redundancy on the top 10% of betweenness and closeness.
Fig. 4. Combinations of MTD techniques with regard to system risk and reliability.
(a) compares the combinations of MTD techniques based on different cloud-band sizes
and replicas over the system risk. (b) compares deploying Shuffle, Redundancy (2-R),
and S+R techniques on the system reliability.
threshold between those two measures based on a particular system and
networked environment.
For our future work, we will conduct experiments using a real testbed, for which
we are currently implementing a private cloud named Unitecloud [3].
Further, we will incorporate other combinations of MTD techniques to evaluate
their effectiveness, and incorporate more vulnerabilities from other layers
in the system (e.g., application vulnerabilities).
5 Related Work
Many research efforts have been made to improve MTD systems in the last decade,
including frameworks [14], strategies and techniques [1,8], and applications [2].
Jafarian et al. [8] developed an MTD technique to proactively change the IP
addresses of the hosts. Similarly, the concept of Random Route Mutation (RRM)
has been introduced by Al-Shaer [1] to find an optimal randomised path between
the source and the target. Zhang et al. [13] proposed an end-to-end defence
strategy to secure VMs in a cloud data centre at a hypervisor level. Zhang
et al. [14] proposed an MTD method to cope with the problem resulting from
co-residency in the virtualised environment.
On the other hand, there are only a few works that evaluate the effectiveness of
the MTD techniques. Peng et al. [11] investigated the effectiveness of MTD
techniques for securing cloud-based services with a heterogeneous or dynamic attack
surface. However, they did not utilise a rational and formal security model and
analysis tool. Hong et al. [6] analysed the security changes when MTD techniques
are deployed, by introducing a formal method to model Shuffle, Redundancy, and
Diversity individually. We extended this work by combining Shuffle and
Redundancy, measuring the system risk and reliability, and using
the IMs for better scalability.
6 Conclusion
MTD techniques have been proposed to enhance the cyber security by changing
the network surface continuously, therefore making the attack surface unpre-
dictable for attackers. However, the effectiveness of deploying multiple MTD
techniques has not been evaluated. To address this problem, we first incorpo-
rated MTD techniques, namely Shuffle, Redundancy, and the combination of
both, into a scalable graphical security model named HARM, in order to evalu-
ate the effectiveness of MTD techniques by comparing the changes in the system
risk and reliability. Moreover, we used IMs to find the most effective MTD
techniques in a scalable manner. Finally, our experimental results showed the
effectiveness and the trade-off using the proposed MTD techniques in order to
maximise the reliability while minimising the system risk.
Acknowledgment. This paper was made possible by Grant NPRP 8-531-1-111 from
Qatar National Research Fund (QNRF). The statements made herein are solely the
responsibility of the authors.
References
1. Al-Shaer, E.: Toward network configuration randomization for moving target defense. In: Jajodia, S., Ghosh, A., Swarup, V., Wang, C., Wang, X. (eds.) Moving Target Defense - Creating Asymmetric Uncertainty for Cyber Threats, vol. 54, pp. 153–159. Springer, New York (2011). https://doi.org/10.1007/978-1-4614-0977-9_9
2. Chatfield, B., Haddad, R.: Moving Target Defense Intrusion Detection System for IPv6 based smart grid advanced metering infrastructure. In: Proceedings of the IEEE SoutheastCon 2017, pp. 1–7, March 2017
3. He, M., Pang, S., Lavrov, D., Lu, D., Zhang, Y., Sarrafzadeh, A.: Reverse Replication of Virtual Machines (rRVM) for low latency and high availability services. In: Proceedings of the 9th International Conference on Utility and Cloud Computing (UCC 2016), pp. 118–127. ACM (2016)
4. Hong, J.B., Kim, D.S.: Performance analysis of scalable attack representation models. In: Janczewski, L.J., Wolfe, H.B., Shenoi, S. (eds.) SEC 2013. IAICT, vol. 405, pp. 330–343. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39218-4_25
5. Hong, J.B., Kim, D.S.: Scalable security analysis in hierarchical attack representation model using centrality measures. In: Proceedings of the 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSN-W 2013), pp. 1–8 (2013)
6. Hong, J.B., Kim, D.S.: Assessing the effectiveness of moving target defenses using security models. IEEE Trans. Dependable Secure Comput. 13(2), 163–177 (2016)
7. Hong, J.B., Kim, D.S.: Towards scalable security analysis using multi-layered security models. J. Netw. Comput. Appl. 75(C), 156–168 (2016)
8. Jafarian, J., Al-Shaer, E., Duan, Q.: Openflow random host mutation: transparent moving target defense using software defined networking. In: Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN 2012), pp. 127–132. ACM, New York (2012)
9. Jia, Q., Wang, H., Fleck, D., Li, F., Stavrou, A., Powell, W.: Catch me if you can: a cloud-enabled DDoS defense. In: Proceedings of the Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2014), pp. 264–275 (2014)
10. Kaynar, K., Sivrikaya, F.: Distributed attack graph generation. IEEE Trans. Dependable Secure Comput. 13(5), 519–532 (2016)
11. Peng, W., Li, F., Huang, C., Zou, X.: A moving-target defense strategy for cloud-based services with heterogeneous and dynamic attack surfaces. In: Proceedings of the IEEE International Conference on Communications (ICC 2014), pp. 804–809 (2014)
12. Sahner, R., Trivedi, K., Puliafito, A.: Performance and Reliability Analysis of Computer Systems: An Example-Based Approach Using the SHARPE Software Package. Springer, US (2012)
13. Zhang, L., Shetty, S., Liu, P., Jing, J.: Rootkitdet: practical end-to-end defense against kernel rootkits in a cloud environment. In: Proceedings of the European Symposium on Research in Computer Security (ESORICS 2014), pp. 475–493 (2014)
14. Zhang, Y., Li, M., Bai, K., Yu, M., Zang, W.: Incentive compatible moving target defense against VM-colocation attacks in clouds. In: Proceedings of the 27th IFIP Information Security and Privacy Conference (SEC 2012), pp. 388–399 (2012)