Abstract
Cyber attacks on distributed systems have devastating consequences. Several cybersecurity solutions have failed to protect distributed systems, primarily because of the asymmetric nature of warfare with cyber adversaries. Most cybersecurity solutions have to grapple with the tradeoff between detecting one breach versus blocking all possible breaches. Current cyber threats are sophisticated and comprise multiple attack vectors driven by organized attackers. Most current cyber defenses are blackbox or set-and-forget approaches which can protect against zero-day attacks but are ineffective against dynamic threats. The asymmetric conundrum is to determine which assets (software, embedded devices, routers, back-end infrastructure, and dependencies between software components) need to be protected. Recently, Moving Target Defense (MTD) has been proposed as a strategy to protect distributed systems. MTD-based approaches take a leaf out of the adversaries' book by not focusing on fortifying every asset and instead making the systems move to the defender's advantage. MTD is a game-changing capability for protecting distributed systems: it enables defenders to change system and network behaviors, policies, or configurations automatically so that potential attack surfaces move in an unpredictable manner. MTD is also a cost-effective approach for intrusion detection, active response, and recovery in distributed systems. To realize an effective MTD-based defense, several challenges have to be addressed. In this chapter, we provide an overview of the challenges and proposed approaches to mitigate them.
Keywords
- Cloud Computing
- Virtual Machine
- Intrusion Detection
- Cloud Provider
- Software Defined Network
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
Acknowledgements
This work is based on research sponsored by the Office of the Assistant Secretary of Defense for Research and Engineering (OASD(R&E)) under agreement number FAB750-15-2-0120. The US Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Office of the Assistant Secretary of Defense for Research and Engineering (OASD(R&E)) or the US Government. This work is also supported in part by Department of Homeland Security (DHS) SLA grant 2010-ST-062-0000041 and 2014-ST-062-000059.
© 2016 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Shetty, S., Yuchi, X., Song, M. (2016). Moving Target Defense in Distributed Systems. In: Moving Target Defense for Distributed Systems. Wireless Networks. Springer, Cham. https://doi.org/10.1007/978-3-319-31032-9_1
DOI: https://doi.org/10.1007/978-3-319-31032-9_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-31031-2
Online ISBN: 978-3-319-31032-9
eBook Packages: Computer Science, Computer Science (R0)
