Critical Workload Deployment in Public Clouds with Guaranteed Security Levels and Optimized Resource Usage and Energy Cost
Public clouds commonly multiplex Virtual Machines (VMs) onto shared hosts to improve resource usage and energy consumption. However, packing multiple VMs with different security requirements into a single hypervisor gives rise to major cybersecurity issues, such as VM-to-VM Interdependency-based cybersecurity (ICS) risks. For example, the chances of successfully compromising a secure Critical VM (CVM) are very high when an attacker compromises the hosting hypervisor after first succeeding against one of its less secure, non-critical VMs (NVMs). In this paper, we study how to securely and efficiently collocate CVMs with NVMs in public cloud clusters. Specifically, we model and analyze the ICS risks imposed on CVMs by NVMs using noncooperative game models involving two players, i.e., an attacker and a cloud provider. We then introduce a novel approach that judiciously determines the allocation of VMs so that the ICS risks imposed on critical VMs are guaranteed to be minimized. Our experimental results show that the proposed algorithm optimizes the provider’s overall resource usage, energy consumption, and operational expense while minimizing the potential security loss given a successful attack on any VM.
Keywords: Cloud computing, Cybersecurity, Game theory, Power consumption
This work was performed when Mr. Homsi was an intern in the Air Force Research Laboratory (AFRL) and it is supported by the Summer Fellowship Program for Students with the Cyber Assurance Branch of the AFRL, Rome, NY. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the AFRL.