TY - GEN A1 - Torkura, Kennedy A. A1 - Sukmana, Muhammad Ihsan Haikal A1 - Kayem, Anne V. D. M. A1 - Cheng, Feng A1 - Meinel, Christoph T1 - A cyber risk based moving target defense mechanism for microservice architectures T2 - IEEE Intl Conf on Parallel & Distributed Processing with Applications, Ubiquitous Computing & Communications, Big Data & Cloud Computing, Social Computing & Networking, Sustainable Computing & Communications (ISPA/IUCC/BDCloud/SocialCom/SustainCom) N2 - Microservice Architectures (MSA) structure applications as a collection of loosely coupled services that implement business capabilities. The key advantages of MSA include inherent support for continuous deployment of large complex applications, agility and enhanced productivity. However, studies indicate that most MSA are homogeneous, and introduce shared vulnerabilites, thus vulnerable to multi-step attacks, which are economics-of-scale incentives to attackers. In this paper, we address the issue of shared vulnerabilities in microservices with a novel solution based on the concept of Moving Target Defenses (MTD). Our mechanism works by performing risk analysis against microservices to detect and prioritize vulnerabilities. Thereafter, security risk-oriented software diversification is employed, guided by a defined diversification index. The diversification is performed at runtime, leveraging both model and template based automatic code generation techniques to automatically transform programming languages and container images of the microservices. Consequently, the microservices attack surfaces are altered thereby introducing uncertainty for attackers while reducing the attackability of the microservices. Our experiments demonstrate the efficiency of our solution, with an average success rate of over 70% attack surface randomization. KW - Security Risk Assessment KW - Security Metrics KW - Moving Target Defense KW - Microservices Security KW - Application Container Security Y1 - 2018 SN - 978-1-7281-1141-4 U6 - https://doi.org/10.1109/BDCloud.2018.00137 SN - 2158-9178 SP - 932 EP - 939 PB - Institute of Electrical and Electronics Engineers CY - Los Alamitos ER - TY - GEN A1 - Podlesny, Nikolai Jannik A1 - Kayem, Anne V. D. M. A1 - von Schorlemer, Stephan A1 - Uflacker, Matthias T1 - Minimising Information Loss on Anonymised High Dimensional Data with Greedy In-Memory Processing T2 - Database and Expert Systems Applications, DEXA 2018, PT I N2 - Minimising information loss on anonymised high dimensional data is important for data utility. Syntactic data anonymisation algorithms address this issue by generating datasets that are neither use-case specific nor dependent on runtime specifications. This results in anonymised datasets that can be re-used in different scenarios which is performance efficient. However, syntactic data anonymisation algorithms incur high information loss on high dimensional data, making the data unusable for analytics. In this paper, we propose an optimised exact quasi-identifier identification scheme, based on the notion of k-anonymity, to generate anonymised high dimensional datasets efficiently, and with low information loss. The optimised exact quasi-identifier identification scheme works by identifying and eliminating maximal partial unique column combination (mpUCC) attributes that endanger anonymity. By using in-memory processing to handle the attribute selection procedure, we significantly reduce the processing time required. We evaluated the effectiveness of our proposed approach with an enriched dataset drawn from multiple real-world data sources, and augmented with synthetic values generated in close alignment with the real-world data distributions. Our results indicate that in-memory processing drops attribute selection time for the mpUCC candidates from 400s to 100s, while significantly reducing information loss. In addition, we achieve a time complexity speed-up of O(3(n/3)) approximate to O(1.4422(n)). Y1 - 2018 SN - 978-3-319-98809-2 SN - 978-3-319-98808-5 U6 - https://doi.org/10.1007/978-3-319-98809-2_6 SN - 0302-9743 SN - 1611-3349 VL - 11029 SP - 85 EP - 100 PB - Springer CY - Cham ER - TY - GEN A1 - Torkura, Kennedy A. A1 - Sukmana, Muhammad Ihsan Haikal A1 - Meinig, Michael A1 - Kayem, Anne V. D. M. A1 - Cheng, Feng A1 - Meinel, Christoph A1 - Graupner, Hendrik T1 - Securing cloud storage brokerage systems through threat models T2 - Proceedings IEEE 32nd International Conference on Advanced Information Networking and Applications (AINA) N2 - Cloud storage brokerage is an abstraction aimed at providing value-added services. However, Cloud Service Brokers are challenged by several security issues including enlarged attack surfaces due to integration of disparate components and API interoperability issues. Therefore, appropriate security risk assessment methods are required to identify and evaluate these security issues, and examine the efficiency of countermeasures. A possible approach for satisfying these requirements is employment of threat modeling concepts, which have been successfully applied in traditional paradigms. In this work, we employ threat models including attack trees, attack graphs and Data Flow Diagrams against a Cloud Service Broker (CloudRAID) and analyze these security threats and risks. Furthermore, we propose an innovative technique for combining Common Vulnerability Scoring System (CVSS) and Common Configuration Scoring System (CCSS) base scores in probabilistic attack graphs to cater for configuration-based vulnerabilities which are typically leveraged for attacking cloud storage systems. This approach is necessary since existing schemes do not provide sufficient security metrics, which are imperatives for comprehensive risk assessments. We demonstrate the efficiency of our proposal by devising CCSS base scores for two common attacks against cloud storage: Cloud Storage Enumeration Attack and Cloud Storage Exploitation Attack. These metrics are then used in Attack Graph Metric-based risk assessment. Our experimental evaluation shows that our approach caters for the aforementioned gaps and provides efficient security hardening options. Therefore, our proposals can be employed to improve cloud security. KW - Cloud-Security KW - Threat Models KW - Security Metrics KW - Security Risk Assessment KW - Secure Configuration Y1 - 2018 SN - 978-1-5386-2195-0 U6 - https://doi.org/10.1109/AINA.2018.00114 SN - 1550-445X SP - 759 EP - 768 PB - IEEE CY - New York ER -