Xing Gao,Zhongshu Gu,Zhengfa Li,Hani Jamjoom,Cong Wang

DOI: https://doi.org/10.1145/3319535.3354227

2019-01-01

Abstract:Linux Control Groups, i.e., cgroups, are the key building blocks to enable operating-system-level containerization. The cgroups mechanism partitions processes into hierarchical groups and applies different controllers to manage system resources, including CPU, memory, block I/O, etc. Newly spawned child processes automatically copy cgroups attributes from their parents to enforce resource control. Unfortunately, inherited cgroups confinement via process creation does not always guarantee consistent and fair resource accounting. In this paper, we devise a set of exploiting strategies to generate out-of-band>workloads via de-associating processes from their original process groups. The system resources consumed by such workloads will not be charged to the appropriate cgroups. To further demonstrate the feasibility, we present five case studies within Docker containers to demonstrate how to break the resource rein of cgroups in realistic scenarios. Even worse, by exploiting those cgroups' insufficiencies in a multi-tenant container environment, an adversarial container is able to greatly amplify the amount of consumed resources, significantly slow-down other containers on the same host, and gain extra unfair advantages on the system resources. We conduct extensive experiments on both a local testbed and an Amazon EC2 cloud dedicated server. The experimental results demonstrate that a container can consume system resources (e.g., CPU) as much as $200\times$ of its limit, and reduce both computing and I/O performance of particular workloads in other co-resident containers by 95%.

Yaguan Qian,Yankai Guo,Qiqi Shao,Jiamin Wang,Bin Wang,Zhaoquan Gu,Xiang Ling,Chunming Wu

DOI: https://doi.org/10.1145/3517806

2021-01-01

Abstract:Edge intelligence has played an important role in constructing smart cities, but the vulnerability of edge nodes to adversarial attacks becomes an urgent problem. A so-called adversarial example can fool a deep learning model on an edge node for misclassification. Due to the transferability property of adversarial examples, an adversary can easily fool a black-box model by a local substitute model. Edge nodes in general have limited resources, which cannot afford a complicated defense mechanism like that on a cloud data center. To address the challenge, we propose a dynamic defense mechanism, namely EI-MTD. The mechanism first obtains robust member models of small size through differential knowledge distillation from a complicated teacher model on a cloud data center. Then, a dynamic scheduling policy, which builds on a Bayesian Stackelberg game, is applied to the choice of a target model for service. This dynamic defense mechanism can prohibit the adversary from selecting an optimal substitute model for black-box attacks. We also conduct extensive experiments to evaluate the proposed mechanism, and results show that EI-MTD could protect edge intelligence effectively against adversarial attacks in black-box settings.

Amr Abed

DOI: https://doi.org/10.31224/osf.io/5uyac

2016-12-31

Abstract:Linux containers are gaining increasing traction in both individual and industrial use, and as these containers get integrated into mission-critical systems, real-time detection of malicious cyber attacks becomes a critical operational requirement. This paper introduces a real-time host-based intrusion detection system that can be used to passively detect malfeasance against applications within Linux containers running in a standalone or in a cloud multi-tenancy environment. The demonstrated intrusion detection system uses bags of system calls monitored from the host kernel for learning the behavior of an application running within a Linux container and determining anomalous container behavior. Performance of the approach using a database application was measured and results are discussed.

Wenbo Shen,Yifei Wu,Yutian Yang,Qirui Liu,Nanzi Yang,Jinku Li,Kangjie Lu,Jianfeng Ma

DOI: https://doi.org/10.1109/tdsc.2024.3403920

2024-01-01

Abstract:OS-level virtualization (a.k.a. container) has become a fundamental technology in cloud computing due to the efficiency provided by the shared-kernel design. However, this design results in containers sharing thousands of kernel variables and data structures (termed abstract resources ), which are prevalent but under-protected. Without exploiting other kernel vulnerabilities, a non-privileged container can easily exhaust abstract resources to cause DoS attacks against other containers. Even worse, our experiments demonstrate that abstract resource attacks are a broad class of attacks that affect Linux, FreeBSD, Fuchsia, and all shared-kernel container environments on the top four cloud vendors. To defend against the abstract resource attack, we automatically analyze vulnerable abstract resources in the Linux kernel and detect 501 container-exhaustible resources. To confine these abstract resources dynamically, we propose two new techniques: the flexible in-kernel attachment for flexible resource consumption attachment and the tree-based resource accounting for efficient usage retrieval. Based on these two techniques, we design and implement a fl exible a bstract re s ource confinement framewor k , named Flask, to achieve flexible and efficient abstract resource confinement. Our evaluation shows Flask can efficiently limit abstract resource usage with less than 0.6% performance overhead.

Sailik Sengupta,Ankur Chowdhary,Abdulhakim Sabur,Adel Alshamrani,Dijiang Huang,Subbarao Kambhampati

DOI: https://doi.org/10.1109/comst.2020.2982955

2020-01-01

Abstract:Network defenses based on traditional tools, techniques, and procedures (TTP) fail to account for the attacker's inherent advantage present due to the static nature of network services and configurations. To take away this asymmetric advantage, Moving Target Defense (MTD) continuously shifts the configuration of the underlying system, in turn reducing the success rate of cyberattacks. In this survey, we analyze the recent advancements made in the development of MTDs and highlight (1) how these defenses can be defined using common terminology, (2) can be made more effective with the use of artificial intelligence techniques for decision making, (3) be implemented in practice and (4) evaluated. We first define an MTD using a simple and yet general notation that captures the key aspects of such defenses. We then categorize these defenses into different sub-classes depending on what they move, when they move and how they move. In trying to answer the latter question, we showcase the use of domain knowledge and game-theoretic modeling can help the defender come up with effective and efficient movement strategies. Second, to understand the practicality of these defense methods, we discuss how various MTDs have been implemented and find that networking technologies such as Software Defined Networking and Network Function Virtualization act as key enablers for implementing these dynamic defenses. We then briefly highlight MTD test-beds and case-studies to aid readers who want to examine or deploy existing MTD techniques. Third, our survey categorizes proposed MTDs based on the qualitative and quantitative metrics they utilize to evaluate their effectiveness in terms of security and performance. We use well-defined metrics such as risk analysis and performance costs for qualitative evaluation and metrics based on Confidentiality, Integrity, Availability (CIA), attack representation, QoS impact, and target-d threat models for quantitative evaluation. Finally, we show that our categorization of MTDs is effective in identifying novel research areas and highlight directions for future research.

computer science, information systems,telecommunications

LI Lingshu,WU Jiangxing,ZENG Wei,LIU Wenyan

DOI: https://doi.org/10.11959/j.issn.2096−109x.2021042

2022-01-01

Abstract:Multi-tenant coexistence and resource sharing in the SaaS cloud pose serious security risks.On the one hand, soft isolation of logical namespaces is easy to be bypassed or broken.On the other hand, it is easy to be subjected to co-resident attacks due to sharing of the host operating system and underlying physical resources.Therefore it poses a serious threat to data availability, integrity and confidentiality in the container cloud.Given the problem that SaaS cloud services are vulnerable to container escape and side-channel equivalent resident attack, network deception technology increases the uncertainty of the cloud environment and reduces the effectiveness of attack by hiding the business function and characteristic attributes of the executor.Aiming at the security threat caused by the co-resident attack, combining dynamic migration and virtual honeypot security technology, the economical and reasonable network deception method was studied.Specifically, a container migration and honeypot deployment strategy based on the signal game was proposed.According to the security threat analysis, container migration and honeypot were used as defense methods.The former improved the undetectability of the system based on the idea of moving to target defense, while the latter confused attackers by placing decoy containers or providing false services.Furthermore, since network reconnaissance was the pre-step of the network attack chain, the attack and defense process was modeled as a two-person signal game with incomplete information.The sender chose to release a signal according to his type, and the receiver could only obtain the signal released by the sender but could not determine the type.Then, a game tree was constructed for the complete but imperfect information dynamic game, and the costs and benefits of different strategy combinations were set.The optimal deception strategy was determined by equilibrium analysis of attack-defense model.Experimental results show that the proposed strategy can effectively improve system security.Besides, it can also reduce container migration frequency and defense cost.

Neda Nasiriani,Yuquan Shan,George Kesidis,Takis Konstantopoulos,Daniel Fleck,Angelos Stavrou

DOI: https://doi.org/10.48550/arXiv.1712.01102

2018-04-26

Abstract:We consider a cloud based multiserver system consisting of a set of replica application servers behind a set of proxy (indirection) servers which interact directly with clients over the Internet. We study a proactive moving-target defense to thwart a DDoS attacker's reconnaissance phase and consequently reduce the attack's impact. The defense is effectively a moving-target (motag) technique in which the proxies dynamically change. The system is evaluated using an AWS prototype of HTTP redirection and by numerical evaluations of an adversarial coupon-collector mathematical model, the latter allowing larger-scale extrapolations.

Cryptography and Security

Xin Yang,Abla Smahi,Hui Li,Huayu Zhang,Shuo-Yen Robert Li

DOI: https://doi.org/10.1109/globecom54140.2023.10437647

2023-01-01

Abstract:Cloud computing provides users with cost-effective on-demand resource sharing, but the shared resources also creates additional security risks due to co-location with malicious tenants. In addition to static defensive technologies, Virtual Machine (VM) migration, a type of Moving Target Defense (MTD) technique, provides an alternative solution to mitigate co-resident attacks by dynamically migrating services/tasks among various servers. Although significant progress has been made in this area, critical gaps remain regarding the quantification of these techniques' synergistic effectiveness in cloud computing, as previous research focused on either evaluating the defensive capability of MTD or on examining the characteristics of static strategies. In this paper, we aim to use analytical modeling techniques to quantitatively evaluate the synergistic effectiveness of integrating MTD with VM allocation policies. We designed a synergistically defensive architecture and proposed a Stochastic Reward Net (SRN) model to describe the execution and attacking processes of tasks migrating among multiple servers under three commonly used allocation policies. Moreover, experiments were implemented using SimPy to verify the analytical results obtained from the SRN model and to broaden the evaluation scope. Our comprehensive assessment, using both SRN and experiments, evaluates the defensive capacity and corresponding features for different scenarios. The obtained simulation results were approximate, with an error rate of less than 3.40 %, reflecting the reliability of our methods. Several defensive suggestions were further summarized based on the evaluation.

Tao Zheng,Yunxiang Qiu,Yundan Zheng,Qixu Wang,Xingshu Chen

DOI: https://doi.org/10.1109/jiot.2024.3361452

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:The adoption of lightweight container technology enables the cross-architecture deployment of Tiny Machine Learning (TinyML) models, while the implementation of container escape detectors ensures the security of both models and applications. However, a significant challenge faced by TinyML-based detectors is model aging, which leads to a substantial decline in their effectiveness as attack patterns evolve. Most existing approaches address this issue by retraining models through the labeling of new samples. However, this process can be costly and challenging to implement for updating models in resource-constrained UAVs networks. In this paper, we begin by analyzing the correlation of threat data and observe that throughout evolution, different versions of container escape attacks tend to maintain semantically identical or similar system calls. This observation prompts us to approach the model aging problem from a novel perspective: if the model can acquire knowledge of these fundamental system calls, it will be capable of effectively detecting emerging new attacks. Based on this perspective, we have developed sysE to capture system call data that remains unchanged or exhibits similarities to container escape attacks during evolution. This augmentation complements six TinyML-based detectors. Experimental results obtained from a large-scale evolving dataset demonstrate that our proposed approach effectively mitigates the aging rate of these models, reducing it from 7.3% to 21.5%. Additionally, it significantly decreases the labeling effort required from 28.06% to 65.47%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Kai Chen,Yufei Zhao,Jing Guo,Zhimin Gu,Longxi Han,Keyi Tang

DOI: https://doi.org/10.3390/electronics13234773

IF: 2.9

2024-12-04

Electronics

Abstract:With the rapid advancement in edge computing, container technology has gained widespread adoption. This is due to its lightweight isolation mechanisms, high portability, and fast deployment capabilities. Despite these advantages, container technology also introduces significant security risks. One of the most critical is container escape. However, current detection research is incomplete. Many methods lack comprehensive detection coverage or fail to fully reconstruct the attack process. To address these gaps, this paper proposes a container escape detection method based on a dependency graph. The method uses various nodes and edges to describe diverse system behaviors. This approach enables the detection of a broader range of attack types. It also effectively captures the contextual relationships between system events, facilitating attack traceability and reconstruction. We design a method to identify container processes on the dependency graph through label generation and propagation. Based on this, container escape detection is implemented using file access control within the graph. Experimental results demonstrate the effectiveness of the proposed method in detecting container escapes.

engineering, electrical & electronic,computer science, information systems,physics, applied

Vignesh Viswanathan,Megha Bose,Praveen Paruchuri

DOI: https://doi.org/10.48550/arXiv.2301.09892

2023-01-24

Computer Science and Game Theory

Abstract:Moving Target Defense (MTD) has emerged as a key technique in various security applications as it takes away the attacker's ability to perform reconnaissance for exploiting a system's vulnerabilities. However, most of the existing research in the field assumes unrealistic access to information about the attacker's motivations and/or actions when developing MTD strategies. Many of the existing approaches also assume complete knowledge regarding the vulnerabilities of a system and how each of these vulnerabilities can be exploited by an attacker. In this work, we aim to create algorithms that generate effective Moving Target Defense strategies that do not rely on prior knowledge about the attackers. Our work assumes that the only way the defender receives information about its own reward is via interaction with the attacker in a repeated game setting. Depending on the amount of information that can be obtained from the interactions, we devise two different algorithms using multi-armed bandit formulation to identify efficient strategies. We then evaluate our algorithms using data mined from the National Vulnerability Database to showcase that they match the performance of the state-of-the-art techniques, despite using a lot less amount of information.

Cheng Lei,Hong-Qi Zhang,Jing-Lei Tan,Yu-Chen Zhang,Xiao-Hu Liu

DOI: https://doi.org/10.1155/2018/3759626

IF: 1.968

2018-07-22

Security and Communication Networks

Abstract:As an active defense technique to change asymmetry in cyberattack-defense confrontation, moving target defense research has become one of the hot spots. In order to gain better understanding of moving target defense, background knowledge and inspiration are expounded at first. Based on it, the concept of moving target defense is analyzed. Secondly, literature analysis method is adopted to explain the design principles and system architecture of moving target defense. In addition, some relevant key techniques are introduced from the aspects of strategy generation, shuffling implementation, and performance evaluation. After that, the applications of moving target defense in different network architectures are illustrated. Finally, existing problems and future trend in this field are elaborated so as to provide a basis for further study.

computer science, information systems,telecommunications

Jichao Bi,Shibo He,Fengji Luo,Wenchao Meng,Luyue Ji,Da-Wen Huang

DOI: https://doi.org/10.1109/TII.2022.3231406

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial Internet of Things (IIoT) is vulnerable to advanced persistent threat (APT). In this article, we study a scenario in which APT is launched to attack IIoT devices. Considering the APTs lateral movement, a node-level state evolution model is established to calculate the probability of every device in an IIoT system to be compromised by APT. Based on this, a Stackelberg game model is proposed for the APT attacker and defender, which can accurately describe the gaming process. An effective computational approach is developed to obtain the potential Stackelberg equilibrium strategy pair of the game. Extensive case studies and comparison studies are conducted to validate the effectiveness of the proposed method.

M. L. Winterrose,K. M. Carter,N. Wagner,W. W. Streilein

DOI: https://doi.org/10.48550/arXiv.1407.8540

2014-08-01

Abstract:A model of strategy formulation is used to study how an adaptive attacker learns to overcome a moving target cyber defense. The attacker-defender interaction is modeled as a game in which a defender deploys a temporal platform migration defense. Against this defense, a population of attackers develop strategies specifying the temporal ordering of resource investments that bring targeted zero-day exploits into existence. Attacker response to two defender temporal platform migration scheduling policies are examined. In the first defender scheduling policy, the defender selects the active platform in each match uniformly at random from a pool of available platforms. In the second policy the defender schedules each successive platform to maximize the diversity of the source code presented to the attacker. Adaptive attacker response strategies are modeled by finite state machine (FSM) constructs that evolve during simulated play against defender strategies via an evolutionary algorithm. It is demonstrated that the attacker learns to invest heavily in exploit creation for the platform with the least similarity to other platforms when faced with a diversity defense, while avoiding investment in exploits for this least similar platform when facing a randomization defense. Additionally, it is demonstrated that the diversity-maximizing defense is superior for shorter duration attacker-defender engagements, but performs sub-optimally in extended attacker-defender interactions.

Cryptography and Security,Computer Science and Game Theory

Jietao Xiao,Nanzi Yang,Wenbo Shen,Jinku Li,Xin Guo,Zhiqiang Dong,Fei Xie,Jianfeng Ma

2023-01-01

Abstract:People proposed to use virtualization techniques to reinforce the isolation between containers. In the design, each container runs inside a lightweight virtual machine (called microVM). MicroVM-based containers benefit from both the security of microVM and the high efficiency of the container, and thus are widely used on the public cloud. However, in this paper, we demonstrate a new attack surface that can be exploited to break the isolation of the microVM-based container, called operation forwarding attacks. Our key observation is that certain operations of the microVM-based container are forwarded to host system calls and host kernel functions. The attacker can leverage the operation forwarding to exploit the host kernel's vulnerabilities and exhaust host resources. To fully understand the security risk of operation forwarding attacks, we divide the components of the microVM-based container into three layers according to their functionalities and present corresponding attacking strategies to exploit the operation forwarding of each layer. Moreover, we design eight attacks against Kata Containers and Firecracker-based containers and conduct experiments on the local environment, AWS, and Alibaba Cloud. Our results show that the attacker can trigger potential privilege escalation, downgrade 93.4% IO performance and 75.0% CPU performance of the victim container, and even crash the host. We further give security suggestions for mitigating these attacks.

Henger Li,Wen Shen,Zizhan Zheng

DOI: https://doi.org/10.48550/arXiv.2002.10390

2020-02-25

Abstract:Moving target defense has emerged as a critical paradigm of protecting a vulnerable system against persistent and stealthy attacks. To protect a system, a defender proactively changes the system configurations to limit the exposure of security vulnerabilities to potential attackers. In doing so, the defender creates asymmetric uncertainty and complexity for the attackers, making it much harder for them to compromise the system. In practice, the defender incurs a switching cost for each migration of the system configurations. The switching cost usually depends on both the current configuration and the following configuration. Besides, different system configurations typically require a different amount of time for an attacker to exploit and attack. Therefore, a defender must simultaneously decide both the optimal sequences of system configurations and the optimal timing for switching. In this paper, we propose a Markov Stackelberg Game framework to precisely characterize the defender's spatial and temporal decision-making in the face of advanced attackers. We introduce a relative value iteration algorithm that computes the defender's optimal moving target defense strategies. Empirical evaluation on real-world problems demonstrates the advantages of the Markov Stackelberg game model for spatial-temporal moving target defense.

Computer Science and Game Theory,Cryptography and Security

Paul Griffioen,Sean Weerakkody,Bruno Sinopoli

DOI: https://doi.org/10.1109/tac.2020.3005686

IF: 6.549

2021-05-01

IEEE Transactions on Automatic Control

Abstract:This article considers the design and analysis of multiple moving target defenses for recognizing and isolating attacks on cyber-physical systems. We consider attackers who perform integrity attacks on some set of sensors and actuators in a control system. In such cases, it has been shown that a model aware adversary can carefully design attack vectors to bypass bad data detection and identification filters while causing damage to the control system. To counter such an attacker, we propose the moving target defense which introduces stochastic, time-varying parameters in the control system. The underlying random dynamics of the system limit an attacker's knowledge of the model and inhibit his or her ability to construct stealthy attack sequences. Moreover, the time-varying nature of the dynamics thwarts adaptive adversaries. We explore three main designs. First, we consider a hybrid system where parameters within the existing plant are switched among multiple modes. We demonstrate how such an approach can enable both the detection and identification of malicious nodes. Next, we investigate the addition of an extended system with dynamics that are coupled to the original plant but do not affect the system performance. Here, an attack on the original system will affect the authenticating subsystem and in turn be revealed by a set of sensors measuring the extended plant. Finally, we propose the use of sensor nonlinearities to enhance the effectiveness of the moving target defense. The nonlinear dynamics act to conceal normal operational behavior from an attacker who has tampered with the system state, further hindering an attacker's ability to glean information about the time-varying dynamics. In all cases mechanisms for analysis and design are proposed. Finally, we analyze attack detectability for each moving target defense by investigating expected lower bounds on the detection statistic. Our contributions are also tested via simulation.

automation & control systems,engineering, electrical & electronic

Sushil Jajodia,Anup K. Ghosh,Vipin Swarup,Cliff Wang,X. Sean Wang

2013-01-01

Abstract:Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats was developed by a group of leading researchers. It describes the fundamental challenges facing the research community and identifies new promising solution paths. Moving Target Defense which is motivated by the asymmetric costs borne by cyber defenders takes an advantage afforded to attackers and reverses it to advantage defenders. Moving Target Defense is enabled by technical trends in recent years, including virtualization and workload migration on commodity systems, widespread and redundant network connectivity, instruction set and address space layout randomization, just-in-time compilers, among other techniques. However, many challenging research problems remain to be solved, such as the security of virtualization infrastructures, secure and resilient techniques to move systems within a virtualized environment, automatic diversification techniques, automated ways to dynamically change and manage the configurations of systems and networks, quantification of security improvement, potential degradation and more. Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats is designed for advanced -level students and researchers focused on computer science, and as a secondary text book or reference. Professionals working in this field will also find this book valuable.

El Mehdi Kandoussi,Adam Houmairi,Iman El Mir,Mostafa Bellafkih

DOI: https://doi.org/10.1007/s10586-024-04604-2

2024-06-15

Cluster Computing

Abstract:Security challenges in complex information technologies continue to grow and diversify. To improve network security, many researchers have explored the game theoretic approach as a hopeful modeling tool. Knowing that the attacker can take advantage of vulnerabilities and explore existing weaknesses in the network configuration to gain access to the system for a successful attack, our objective is to benefit from virtual machines' migration as a moving target defense technique and honeypot as a deceiving technique to increase the attack surface's dynamicity. This paper presents a game-theoretic framework for modeling attack-defense interaction. A model based on incomplete information game and attack graph is developed. Our main findings reveal in which case migration of virtual machines should be established in a architecture where a honeypot is deployed and identify the potential attack paths based on system security parameters. This provides network administrators with the ability to find unsecure nodes, avoid negative externality and more precisely inefficient migrations which impact the quality of service.

computer science, information systems, theory & methods

Jin-Hee Cho,Dilli P. Sharma,Hooman Alavizadeh,Seunghyun Yoon,Noam Ben-Asher,Terrence J. Moore,Dong Seong Kim,Hyuk Lim,Frederica F. Nelson

DOI: https://doi.org/10.1109/comst.2019.2963791

2020-01-01

Abstract:Reactive defense mechanisms, such as intrusion detection systems, have made significant efforts to secure a system or network for the last several decades. However, the nature of reactive security mechanisms has limitations because potential attackers cannot be prevented in advance. We are facing a reality with the proliferation of persistent, advanced, intelligent attacks while defenders are often way behind attackers in taking appropriate actions to thwart potential attackers. The concept of moving target defense (MTD) has emerged as a proactive defense mechanism aiming to prevent attacks. In this work, we conducted a comprehensive, in-depth survey to discuss the following aspects of MTD: key roles, design principles, classifications, common attacks, key methodologies, important algorithms, metrics, evaluation methods, and application domains. We discuss the pros and cons of all aspects of MTD surveyed in this work. Lastly, we highlight insights and lessons learned from this study and suggest future work directions. The aim of this paper is to provide the overall trends of MTD research in terms of critical aspects of defense systems for researchers who seek to develop proactive, adaptive MTD mechanisms.

computer science, information systems,telecommunications