http://dx.doi.org/10.3837/tiis.2022.03.017

SD-MTD: Software-Defined Moving-Target Defense for Cloud-System Obfuscation  

Kang, Ki-Wan (Dept. of Information Security, and Convergence Engineering for Intelligent Drone, Sejong University)
Seo, Jung Taek (Department of Computer Engineering, Gachon University)
Baek, Sung Hoon (Department of Computer System Engineering, Jungwon University)
Kim, Chul Woo (LG CNS)
Park, Ki-Woong (Dept. of Information Security, and Convergence Engineering for Intelligent Drone, Sejong University)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS) / v.16, no.3, 2022, pp. 1063-1075
Abstract
In recent years, container techniques have been broadly applied to cloud-computing systems to maximize their efficiency, flexibility, and economic feasibility. Concurrently, studies have also been conducted to ensure the security of cloud computing. Among these studies, moving-target defense techniques that exploit the high agility and flexibility of cloud-computing systems are gaining attention. Moving-target defense (MTD) is a technique that prevents various security threats in advance by proactively changing the main attributes of the protected target to confuse the attacker. However, an analysis of existing MTD techniques revealed that, although they are capable of deceiving attackers, they have practical limitations when applied to an actual cloud-computing system. These limitations include resource wastage, management complexity caused by additional function implementation and system introduction, and a potential increase in attack complexity. Accordingly, this paper proposes a software-defined MTD system that can flexibly apply and manage existing and future MTD techniques. The proposed software-defined MTD system is designed to correctly define a valid mutation range and cycle for each moving-target technique and to monitor system-resource status in a software-defined manner. Consequently, the proposed method can flexibly reflect the requirements of each MTD technique without any additional hardware by using a software-defined approach. Moreover, the increased attack complexity can be resolved by applying multiple MTD techniques.
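The abstract describes the software-defined MTD controller only in outline: a valid mutation range and a mutation cycle defined per technique, a resource monitor that keeps shuffling from wasting capacity, and several techniques composed on one target. The block below is an added illustration of that control loop, written for this page; it is not the paper's SD-MTD implementation, and every policy name, attribute, address pool, port range and CPU reading in it is constructed.

```python
"""Policy-driven MTD scheduler: an added illustration of the software-defined
MTD idea in the abstract (constructed example, not the paper's SD-MTD code).

Each moving-target technique is a policy that names the attribute it moves,
the valid mutation range for that attribute, and the mutation cycle.  Before
each mutation the controller consults a resource monitor so that shuffling is
deferred while the host is busy, and several policies run side by side so an
attacker faces more than one moving attribute.
"""
from dataclasses import dataclass, field
import random


@dataclass
class MtdPolicy:
    name: str             # label of the MTD technique (constructed)
    attribute: str        # attribute of the protected target that is mutated
    valid_values: list    # valid mutation range as an explicit list of values
    cycle: int            # mutate every `cycle` scheduler ticks
    max_cpu: float = 0.8  # defer the mutation when CPU utilisation exceeds this


def validate_policy(policy):
    """Reject policies that can never mutate or would never stop mutating."""
    if policy.cycle < 1:
        raise ValueError(f"{policy.name}: cycle must be at least one tick")
    if len(set(policy.valid_values)) < 2:
        raise ValueError(f"{policy.name}: range needs two distinct values")
    return True


@dataclass
class ProtectedTarget:
    attributes: dict                              # current attribute values
    history: list = field(default_factory=list)   # (tick, policy, old, new)


class SdMtdController:
    def __init__(self, target, policies, cpu_samples, seed=0):
        for p in policies:
            validate_policy(p)
        self.target = target
        self.policies = policies
        self.cpu_samples = cpu_samples  # constructed monitor readings, cycled per tick
        self.rng = random.Random(seed)  # seeded so the demo is reproducible
        self.tick = 0
        self.deferred = 0               # mutations skipped because the host was busy

    def current_cpu(self):
        return self.cpu_samples[self.tick % len(self.cpu_samples)]

    def step(self):
        """Advance one tick and apply every policy whose cycle is due."""
        self.tick += 1
        cpu = self.current_cpu()
        applied = []
        for p in self.policies:
            if self.tick % p.cycle != 0:
                continue
            if cpu > p.max_cpu:
                self.deferred += 1
                continue
            old = self.target.attributes[p.attribute]
            # always move to a different value that stays inside the valid range
            new = self.rng.choice([v for v in p.valid_values if v != old])
            self.target.attributes[p.attribute] = new
            self.target.history.append((self.tick, p.name, old, new))
            applied.append(p.name)
        return applied

    def run(self, ticks):
        for _ in range(ticks):
            self.step()
        return self


def demo(ticks=12):
    """Run three constructed MTD policies against one constructed target."""
    policies = [
        MtdPolicy("port-hopping", "service_port", list(range(10000, 10010)), cycle=2),
        MtdPolicy("address-shuffle", "service_ip",
                  [f"10.0.0.{i}" for i in range(11, 16)], cycle=3),
        MtdPolicy("instance-relocation", "node",
                  ["node-a", "node-b", "node-c"], cycle=4),
    ]
    target = ProtectedTarget({"service_port": 10000, "service_ip": "10.0.0.11",
                              "node": "node-a"})
    # constructed CPU samples: on ticks with tick % 4 == 3 the host is busy
    return SdMtdController(target, policies, [0.3, 0.3, 0.3, 0.95]).run(ticks)


if __name__ == "__main__":
    controller = demo()
    for entry in controller.target.history:
        print(entry)
    print("deferred mutations:", controller.deferred)
```

With the constructed samples, port hopping fires on every even tick, address shuffling on ticks 3, 6, 9 and 12, and relocation on ticks 4, 8 and 12; the one shuffle that coincides with a busy reading (tick 3) is deferred rather than forced, which is the resource-aware behaviour the abstract asks of a software-defined controller.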
Keywords
Cloud Computing System; Container Orchestration; Moving-Target Defense; System Obfuscation