[논문]SD-MTD: Software-Defined Moving-Target Defense for Cloud-System Obfuscation

Kang, Ki-Wan; Seo, Jung Taek; Baek, Sung Hoon; Kim, Chul Woo; Park, Ki-Woong

doi:10.3837/tiis.2022.03.017

[국내논문] SD-MTD: Software-Defined Moving-Target Defense for Cloud-System Obfuscation 원문보기

KSII Transactions on internet and information systems : TIIS, v.16 no.3, 2022년, pp.1063 - 1075

Kang, Ki-Wan (Dept. of Information Security, and Convergence Engineering for Intelligent Drone, Sejong University) , Seo, Jung Taek (Department of Computer Engineering, Gachon University) , Baek, Sung Hoon (Department of Computer System Engineering, Jungwon University) , Kim, Chul Woo (LG CNS) , Park, Ki-Woong (Dept. of Information Security, and Convergence Engineering for Intelligent Drone, Sejong University)

Abstract ▼ AI-Helper

In recent years, container techniques have been broadly applied to cloud computing systems to maximize their efficiency, flexibility, and economic feasibility. Concurrently, studies have also been conducted to ensure the security of cloud computing. Among these studies, moving-target defense techniques using the high agility and flexibility of cloud-computing systems are gaining attention. Moving-target defense (MTD) is a technique that prevents various security threats in advance by proactively changing the main attributes of the protected target to confuse the attacker. However, an analysis of existing MTD techniques revealed that, although they are capable of deceiving attackers, MTD techniques have practical limitations when applied to an actual cloud-computing system. These limitations include resource wastage, management complexity caused by additional function implementation and system introduction, and a potential increase in attack complexity. Accordingly, this paper proposes a software-defined MTD system that can flexibly apply and manage existing and future MTD techniques. The proposed software-defined MTD system is designed to correctly define a valid mutation range and cycle for each moving-target technique and monitor system-resource status in a software-defined manner. Consequently, the proposed method can flexibly reflect the requirements of each MTD technique without any additional hardware by using a software-defined approach. Moreover, the increased attack complexity can be resolved by applying multiple MTD techniques.

주제어

표/그림 (6)

그림 Fig. 1. Overall system architecture and core components of SD-MTD system
그림 Fig. 2. Main components of SD-MTD and overall operation flow to realize MTD
그림 Fig. 3. Dashboard interacting SD-MTD testbed for performance evaluation
그림 Fig. 4. Experiment environment for accuracy verification of the SD-MTD
그림 Fig. 5. Request-response messages for (a) IP shuffling and (b) port shuffling
그림 Fig. 6. IP and port shuffling applied to the Apache service

AI 본문요약
AI-Helper

제안 방법

Thus, the MTD is employed to ensure the security of service modules. In this study, the Apache web service, which is operated in actual cloud-computing systems, is implemented to verify the accuracy of the proposed SD-MTD system.
These include wasted resources, management complexity caused by the additional function implementation and system introduction, and an increase in attack complexity. The proposed SD-MTD system was composed of an SD-MTD dashboard and SD- MTD orchestrator, SD-MTD agent, and SD-MTD connector modules. The administrator first selected the MTD for the service to be protected from the SD-MTD dashboard, and then defined its valid mutation range and mutation cycle.

성능/효과

Subsequently, the SD-MTD system requirements were derived, and the proposed system was designed and implemented according to these requirements. First, to achieve a flexible management, the system was designed to enable the administrator to monitor the system-resource status in real time through the implemented dashboard and configure a valid mutation range and mutation cycle for the MTD techniques. Second, when multiple MTD techniques are implemented, the economic feasibility of the cloud computing system is compromised because each MTD technique has different requirements.
Cloud computing systems, which offer a high agility and flexibility, have enabled the implementation of various MTD techniques. However, an analysis of existing MTD techniques revealed that although each technique was capable of deceiving attackers, they had limitations when applied to an actual cloud-computing system. These include wasted resources, management complexity caused by the additional function implementation and system introduction, and an increase in attack complexity.
First, to achieve a flexible management, the system was designed to enable the administrator to monitor the system-resource status in real time through the implemented dashboard and configure a valid mutation range and mutation cycle for the MTD techniques. Second, when multiple MTD techniques are implemented, the economic feasibility of the cloud computing system is compromised because each MTD technique has different requirements. To address this, a software-defined technique was employed to flexibly reflect the requirements.
The limitations of existing MTD techniques were derived prior to designing and implementing the SD-MTD system proposed in this study. Subsequently, the SD-MTD system requirements were derived, and the proposed system was designed and implemented according to these requirements. First, to achieve a flexible management, the system was designed to enable the administrator to monitor the system-resource status in real time through the implemented dashboard and configure a valid mutation range and mutation cycle for the MTD techniques.
The SD-MTD orchestrator module verified that a valid range of mutation elements had been defined through the dashboard and created a mutation list. The SD-MTD agent and SD-MTD connector modules were located between the services provided by the cloud computing system and authorized service user. They obfuscated the communication according to the mutation list transmitted from the SD- MTD orchestrator module and the mutation cycle configured from the SD-MTD dashboard.
The administrator first selected the MTD for the service to be protected from the SD-MTD dashboard, and then defined its valid mutation range and mutation cycle. The SD-MTD orchestrator module verified that a valid range of mutation elements had been defined through the dashboard and created a mutation list. The SD-MTD agent and SD-MTD connector modules were located between the services provided by the cloud computing system and authorized service user.
The SD-MTD agent and SD-MTD connector modules were located between the services provided by the cloud computing system and authorized service user. They obfuscated the communication according to the mutation list transmitted from the SD- MTD orchestrator module and the mutation cycle configured from the SD-MTD dashboard. The limitations of existing MTD techniques were derived prior to designing and implementing the SD-MTD system proposed in this study.
To address this, a software-defined technique was employed to flexibly reflect the requirements. Third, an MTD has some limitations when faced with an increased attack complexity because of limited system resources. This limitation can be resolved by applying multiple MTD techniques.
Second, when multiple MTD techniques are implemented, the economic feasibility of the cloud computing system is compromised because each MTD technique has different requirements. To address this, a software-defined technique was employed to flexibly reflect the requirements. Third, an MTD has some limitations when faced with an increased attack complexity because of limited system resources.

후속연구

The SD-MTD system implemented in this study is expected to flexibly apply and manage both existing and future MTD techniques. In a follow-up study, we intend to apply context-aware techniques to control the MTD and automate the application according to the service security level by situation.
This limitation can be resolved by applying multiple MTD techniques. The SD-MTD system implemented in this study is expected to flexibly apply and manage both existing and future MTD techniques. In a follow-up study, we intend to apply context-aware techniques to control the MTD and automate the application according to the service security level by situation.

참고문헌 (30)

C. Pahl, A. Brogi, J. Soldani and P. Jamshidi, "Cloud Container Technologies: A State-of-the-Art Review," IEEE Transactions on Cloud Computing, vol. 7, no. 3, pp. 677-692, 1 July-Sept. 2019.

상세보기
Z. Kozhirbayev and R. O. Sinnott, "A performance comparison of container-based technologies for the cloud," Future Generation Computer Systems, 68, 175-182, 2017.

상세보기
S. He, L. Guo, Y. Guo, C. Wu, M. Ghanem et al., "Elastic Application Container: A Lightweight Approach for Cloud Resource Provisioning," in Proc. of 2012 IEEE 26th International Conference on Advanced Information Networking and Applications, pp. 15-22, 2012.
H. Jin, Z. Li, D. Zou, B. Yuan, "DSEOM: A Framework for Dynamic Security Evaluation and Optimization of MTD in Container-Based Cloud," IEEE Transactions on Dependable and Secure Computing, vol. 18, no. 3, pp. 1125-1136, 1 May-June 2021.

상세보기
X. Gao, Z. Gu, M. Kayaalp, D. Pendarakis and H. Wang, "ContainerLeaks: Emerging Security Threats of Information Leakages in Container Clouds," in Proc. of 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 237-248, 2017.
X. Xu, H. Yu and X. Pei, "A Novel Resource Scheduling Approach in Container Based Clouds," in Proc. of 2014 IEEE 17th International Conference on Computational Science and Engineering, pp. 257-264, 2014.
A. Chung, J. Park, and G. Ganger, "Stratus: cost-aware container scheduling in the public cloud," in Proc. of the ACM Symposium on Cloud Computing (SoCC '18). Association for Computing Machinery, New York, NY, USA, 121-134, 2018.
W. Peng, F. Li, C. -T. Huang and X. Zou, "A moving-target defense strategy for Cloud-based services with heterogeneous and dynamic attack surfaces," in Proc. of 2014 IEEE International Conference on Communications (ICC), pp. 804-809, 2014.
H. Alavizadeh, J. Jang-Jaccard and D. S. Kim, "Evaluation for Combination of Shuffle and Diversity on Moving Target Defense Strategy for Cloud Computing," in Proc. of 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), pp. 573-578, 2018.
A. Shaer, Ehab, Q. Duan, and J. Jafarian, "Random host mutation for moving target defense," in Proc. of International Conference on Security and Privacy in Communication Systems, Springer, Berlin, Heidelberg, pp. 310-327, 2012.
C. Lei, H. Zhang, J. Tan, Y. Zhang, X. Liu, "Moving Target Defense Techniques: A Survey," Security and Communication Networks, vol. 2018, Article ID 3759626, 25 pages, 2018.
P. Kampanakis, H. Perros and T. Beyene, "SDN-based solutions for Moving Target Defense network protection," in Proc. of IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks, pp. 1-6, 2014.
E. Al-Shaer, "Toward network configuration randomization for moving target defense," Moving Target Defensem, Springer, New York, NY, 153-159, 2011.
T. E. Carroll, M. Crouse, E. W. Fulp and K. S. Berenhaut, "Analysis of network address shuffling as a moving target defense," in Proc. of 2014 IEEE International Conference on Communications (ICC), pp. 701-706, 2014.
J. Haadi, E. Al-Shaer, and Q. Duan, "Openflow random host mutation: transparent moving target defense using software defined networking," in Proc. of the first workshop on Hot topics in software defined networks, pp. 127-132, 2012.
P. Dawson, and A. Butler, "IT Market Clock for Server Technology and SDx, 2014," Gartner Report 2014. 9.
A. Gupta, L. Vanbever, M. Shahbaz, S. Donovan, B. Schlinker et al., "Sdx: A software defined internet exchange," ACM SIGCOMM Computer Communication Review, 44.4, 551-562, 2014.

상세보기
A. Darabseh, M. Al-Ayyoub, Y. Jararweh, E. Benkhelifa, M. Vouk and A. Rindos, "SDDC: A Software Defined Datacenter Experimental Framework," in Proc. of 2015 3rd International Conference on Future Internet of Things and Cloud, pp. 189-194, 2015.
N. Handigol, B. Heller, V. Jeyakumar, D. Mazieres, and N. McKeown, "Where is the debugger for my software-defined network?," in Proc. of the first workshop on Hot topics in software defined networks (HotSDN '12), Association for Computing Machinery, New York, NY, USA, 55-60, 2012.
A. Voellmy, and J. Wang, "Scalable software defined network controllers," ACM SIGCOMM Computer Communication Review, vol. 42, no. 4, pp. 289-290, 2012.

상세보기
F. Chong, "National cyber leap year summit 2009: Co-chairs' report," NITRD Program, 2009.
J. Cho, D. Sharma, H. Alavizadeh, S. Yoon, B. Noam et al, "Toward proactive, adaptive defense: A survey on moving target defense," IEEE Communications Surveys & Tutorials, 22.1, 709-745, 2020.

상세보기
M. Green, "Characterizing network-based moving target defenses," in Proc. of the Second ACM Workshop on Moving Target Defense, pp. 31-35, 2015.
H. Okhravi et al., "Survey of cyber moving target techniques," Massachusetts Inst of Tech Lexington Lincoln Lab, 2018. Available: https://apps.dtic.mil/sti/pdfs/AD1055276.pdf
B. Hong, and D. Kim, "Assessing the effectiveness of moving target defenses using security models," IEEE Transactions on Dependable and Secure Computing, 13.2, 163-177, 2016.

상세보기
A. Alshamrani, S. Myneni, A. Chowdhary, D. Huang, "A Survey on Advanced Persistent Threats: Techniques, Solutions, Challenges, and Research Opportunities," IEEE Communications Surveys & Tutorials, Vol. 21, no. 2, pp. 1851-1877, Secondquarter 2019.

상세보기
Y. -B. Luo, B. -S. Wang, X. -F. Wang, X. -F. Hu, G. -L. Cai and H. Sun, "RPAH: Random Port and Address Hopping for Thwarting Internal and External Adversaries," in Proc. of 2015 IEEE Trustcom/BigDataSE/ISPA, pp. 263-270, 2015.
J. Park, Y. Lee, K. Kang, S. Lee, and K. Park, "Ghost-MTD: Moving Target Defense via Protocol Mutation for Mission-Critical Cloud Systems," Energies, 13.8, 1883, 2020.

상세보기
Y. Huang, and A. Ghosh, "Introducing diversity and uncertainty to create moving attack surfaces for web services," Moving target defense, Springer, New York, NY, 131-151, 2011.
M. Taguinod, A. Doupe, Z. Zhao and G. Ahn, "Toward a Moving Target Defense for Web Applications," in Proc. of 2015 IEEE International Conference on Information Reuse and Integration, pp. 510-517, 2015.

LOADING...

표제어: PCR

동의어: Packet Collision Rate

용어 설명 출처 목록 (6)

용어 설명: PCR은 세균 특이성이 있는 primer를 이용하여 적은 수의 세균이 있을지라도 쉽게 검출할 수 있는 유용한 방법이며, 이를 이용하여 구강 내 치면세균막이나 타액에서 직접 세균을 검출할 수 있게 되었다[8].

내보내기 구분	파일저장 인쇄 메일전송
구성항목	기본정보 상세정보 관리번호, 논문명, 저널/프로시딩명, 저자 , 발행년, 권, 호, 시작페이지, 끝페이지, 발행기관 관리번호, 논문명, 대등논문명, 저자 , 저널/프로시딩명, 발행기관, 발행년, 발행언어, 권, 호, 시작페이지, 끝페이지, ISBN, ISSN, 주제분야, 키워드, 초록(한글), 초록(영문), 저자(소속기관)
저장형식	Text(ASCII format) Excel format RefWorks Direct Export RIS format (for Reference Manager, ProCite, EndNote), Scholar's Aids, Mendeley
메일정보	받는사람 (필수) @ 보내는사람 (선택) @ 제목 내용 KISTI 검색결과 이메일 서비스
안내	총 건의 자료가 검색되었습니다. 다운받으실 자료의 인덱스를 입력하세요. (1-10,000) 검색결과의 순서대로 최대 10,000건 까지 다운로드가 가능합니다. 데이타가 많을 경우 속도가 느려질 수 있습니다.(최대 2~3분 소요) 다운로드 파일은 UTF-8 형태로 저장됩니다. 파일의 내용이 제대로 보이지 않을실 때는 웹브라우저 상단의 보기 -> 인코딩 -> 자동선택 여부를 확인하십시오. ~ Text(ASCII format) Excel format

연합인증