Published in: Cluster Computing 3/2019

22.10.2018

Online Smart Disguise: real-time diversification evading coresidency-based cloud attacks

Authors: Mona S. Kashkoush, Mohamed Azab, Gamal Attiya, Amr S. Abed

Abstract

Security is a major challenge in cloud computing. In this paper, we propose an Online Smart Disguise Framework (OSDF). OSDF employs a dynamic, proactive, real-time moving-target defense (MTD) against cloud attacks and relies on two main pillars. The first is a behavior-obscuring module that frequently live-migrates virtual machines (VMs) between heterogeneously configured compute nodes to avoid co-residency and virtualization-based attacks. The second module limits attack dispersion between same-host VMs by migrating maliciously behaving VMs to a remote, isolated compute node that acts as a quarantine zone; it is guided by a smart intrusion detection system that monitors VM system calls for suspicious activity. To evaluate the efficiency and effectiveness of OSDF in limiting attack dispersion, we devised the vulnerable, exposed, attacked, recovered model, based on the susceptible, exposed, infected, recovered (SEIR) epidemic model. The SEIR model is an epidemiological model commonly used to investigate disease dispersion in cooperative communities. The implementation of OSDF is tested on an OpenStack private cloud. Simulation results show the effectiveness of the OSDF MTD approach in decreasing the number of attacked VMs, even for fast-spreading worms. Furthermore, the NAS Parallel Benchmark is used to evaluate OSDF efficiency for cloud-hosted VMs running both stateful and stateless applications.
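The abstract evaluates OSDF with an epidemic model derived from SEIR, where moving a misbehaving VM to the quarantine node removes it from the pool that can attack its neighbours. The following discrete-time SEIR-style simulation is an added illustration of that evaluation idea, not the paper's VEAR model or code; the compartment names, update rules, and parameter values are assumptions, with the quarantine rate `q` standing in for OSDF's migration of attacked VMs to the isolated node.

```python
"""SEIR-style worm spread across co-resident VMs, with an optional quarantine rate.

Assumed compartments (not the paper's definitions):
  V = vulnerable (not yet contacted)   E = exposed (contacted, not yet attacking)
  A = attacked (actively spreading)    R = removed (cleaned or quarantined)
A well-mixed, mass-action contact process is assumed for simplicity.
"""
from dataclasses import dataclass


@dataclass
class Params:
    beta: float     # effective contacts per attacked VM per step
    sigma: float    # fraction of exposed VMs that start attacking each step
    gamma: float    # fraction of attacked VMs cleaned each step
    q: float = 0.0  # fraction of attacked VMs quarantined (migrated out) each step


def simulate(n_vms: int, initial_attacked: int, p: Params, steps: int):
    """Return the per-step (V, E, A, R) trajectory, starting with the initial row."""
    v, e, a, r = float(n_vms - initial_attacked), 0.0, float(initial_attacked), 0.0
    history = [(v, e, a, r)]
    for _ in range(steps):
        new_exposed = min(v, p.beta * a * v / n_vms)   # contacts that reach vulnerable VMs
        new_attacking = p.sigma * e                     # exposed VMs that become attackers
        removed = min(a, (p.gamma + p.q) * a)           # cleaned plus quarantined
        v -= new_exposed
        e += new_exposed - new_attacking
        a += new_attacking - removed
        r += removed
        history.append((v, e, a, r))
    return history


def peak_attacked(history) -> float:
    """Largest number of simultaneously attacking VMs over the run."""
    return max(a for _, _, a, _ in history)


def total_ever_attacked(history) -> float:
    """VMs that left the vulnerable pool: initial population minus final V."""
    v0, _, a0, _ = history[0]
    return (v0 + a0) - history[-1][0]


if __name__ == "__main__":
    base = Params(beta=0.8, sigma=0.5, gamma=0.1)          # constructed parameters
    isolated = Params(beta=0.8, sigma=0.5, gamma=0.1, q=0.5)
    for label, p in (("no quarantine", base), ("with quarantine", isolated)):
        h = simulate(100, 1, p, 60)
        print(f"{label}: peak={peak_attacked(h):.1f} ever={total_ever_attacked(h):.1f}")
```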


Metadata
Title
Online Smart Disguise: real-time diversification evading coresidency-based cloud attacks
Authors
Mona S. Kashkoush
Mohamed Azab
Gamal Attiya
Amr S. Abed
Publication date
22.10.2018
Publisher
Springer US
Published in
Cluster Computing / Issue 3/2019
Print ISSN: 1386-7857
Electronic ISSN: 1573-7543
DOI
https://doi.org/10.1007/s10586-018-2851-2
