
2017 | Original Paper | Book Chapter

MTD CBITS: Moving Target Defense for Cloud-Based IT Systems

Authors: Alexandru G. Bardas, Sathya Chandran Sundaramurthy, Xinming Ou, Scott A. DeLoach

Published in: Computer Security – ESORICS 2017

Publisher: Springer International Publishing


Abstract

The static nature of current IT systems gives attackers the extremely valuable advantage of time, as adversaries can take their time and plan attacks at their leisure. Although cloud infrastructures have increased the automation options for managing IT systems, introducing Moving Target Defense (MTD) techniques at the level of an entire IT system is still very challenging. The core idea of MTD is to make a system change proactively as a means of eliminating the asymmetric advantage the attacker has in time. However, due to the number and complexity of dependencies between IT system components, it is not trivial to introduce proactive changes without breaking the system or severely impacting its performance.
In this paper, we present an MTD platform for Cloud-Based IT Systems (MTD CBITS), evaluate its practicality, and perform a detailed analysis of its security benefits. To the best of our knowledge, MTD CBITS is the first MTD platform that leverages the advantages of a cloud-automation framework (ANCOR) that captures an IT system’s setup parameters and dependencies using a high-level abstraction. This allows our platform to make automated changes to the IT system, in particular to replace running components of the system with fresh new instances. To evaluate the practicality of MTD CBITS, we present a series of experiments that show negligible (statistically non-significant) performance impacts. To evaluate effectiveness, we analyze the costs and security benefits of MTD CBITS using a practical attack window model and show how a system managed using MTD CBITS increases attack difficulty.


Footnotes

1. min is the minimum.

2. lcm stands for “least common multiple” and gcd is the “greatest common divisor”.
Metadata
Title
MTD CBITS: Moving Target Defense for Cloud-Based IT Systems
Authors
Alexandru G. Bardas
Sathya Chandran Sundaramurthy
Xinming Ou
Scott A. DeLoach
Copyright year
2017
DOI
https://doi.org/10.1007/978-3-319-66402-6_11