Evaluating the Security and Economic Effects of Moving Target Defense Techniques on the Cloud
Hooman Alavizadeh, Samin Aref, Dong Seong Kim, Julian Jang-Jaccard

TL;DR
This paper evaluates the combined security and economic impacts of three Moving Target Defense techniques on cloud systems, introducing mathematical models and strategies for optimal deployment in large-scale and E-health cloud scenarios.
Contribution
It provides a joint evaluation framework for MTD techniques using security and economic metrics, including new deployment strategies and an optimization model for diversity.
Findings
Combined MTD techniques improve security metrics significantly.
Optimal diversity deployment maximizes net benefits considering costs.
Strategies for VM placement and OS diversification are effective.
Abstract
Moving Target Defense (MTD) is a proactive security mechanism which changes the attack surface aiming to confuse attackers. Cloud computing leverages MTD techniques to enhance cloud security posture against cyber threats. While many MTD techniques have been applied to cloud computing, there has not been a joint evaluation of the effectiveness of MTD techniques with respect to security and economic metrics. In this paper, we first introduce mathematical definitions for the combination of three MTD techniques: Shuffle, Diversity, and Redundancy. Then, we utilize four security metrics including system risk, attack cost, return on attack, and reliability to assess the effectiveness of the combined MTD techniques applied to large-scale cloud models. Secondly, we focus on a specific context based on a cloud model for E-health applications to evaluate the effectiveness of…
Taxonomy
Topics: Information and Cyber Security · Cloud Data Security Solutions · Cloud Computing and Resource Management
