Toward Smart Moving Target Defense for Linux Container Resiliency
Mohamed Azab, Bassem Mokhtar, Amr S. Abed, Mohamed Eltoweissy

TL;DR
This paper introduces ESCAPE, a proactive moving target defense system for Linux containers that uses live migration and behavior monitoring to enhance cloud container security and resilience against attacks.
Contribution
The paper proposes a novel predator-prey search game model for container defense and integrates it with live migration and behavior monitoring for improved resiliency.
Findings
High container survival probabilities in simulations
Minimal overhead introduced by ESCAPE
Effective attack avoidance demonstrated
Abstract
This paper presents ESCAPE, an informed moving target defense mechanism for cloud containers. ESCAPE models the interaction between attackers and their target containers as a "predator searching for a prey" search game. Live migration of Linux containers (prey) is used to avoid attacks (predator) and failures. The entire process is guided by a novel host-based behavior-monitoring system that seamlessly monitors containers for indications of intrusions and attacks. To evaluate ESCAPE's effectiveness, we simulated the attack avoidance process based on a mathematical model mimicking the prey-vs-predator search game. Simulation results show high container survival probabilities with minimal added overhead.
