A cyber risk based moving target defense mechanism for microservice architectures
- Microservice Architectures (MSA) structure applications as a collection of loosely coupled services that implement business capabilities. The key advantages of MSA include inherent support for continuous deployment of large complex applications, agility and enhanced productivity. However, studies indicate that most MSA are homogeneous, and introduce shared vulnerabilites, thus vulnerable to multi-step attacks, which are economics-of-scale incentives to attackers. In this paper, we address the issue of shared vulnerabilities in microservices with a novel solution based on the concept of Moving Target Defenses (MTD). Our mechanism works by performing risk analysis against microservices to detect and prioritize vulnerabilities. Thereafter, security risk-oriented software diversification is employed, guided by a defined diversification index. The diversification is performed at runtime, leveraging both model and template based automatic code generation techniques to automatically transform programming languages and container images of theMicroservice Architectures (MSA) structure applications as a collection of loosely coupled services that implement business capabilities. The key advantages of MSA include inherent support for continuous deployment of large complex applications, agility and enhanced productivity. However, studies indicate that most MSA are homogeneous, and introduce shared vulnerabilites, thus vulnerable to multi-step attacks, which are economics-of-scale incentives to attackers. In this paper, we address the issue of shared vulnerabilities in microservices with a novel solution based on the concept of Moving Target Defenses (MTD). Our mechanism works by performing risk analysis against microservices to detect and prioritize vulnerabilities. Thereafter, security risk-oriented software diversification is employed, guided by a defined diversification index. The diversification is performed at runtime, leveraging both model and template based automatic code generation techniques to automatically transform programming languages and container images of the microservices. Consequently, the microservices attack surfaces are altered thereby introducing uncertainty for attackers while reducing the attackability of the microservices. Our experiments demonstrate the efficiency of our solution, with an average success rate of over 70% attack surface randomization.…
| Verfasserangaben: | Kennedy A. TorkuraORCiD, Muhammad Ihsan Haikal SukmanaORCiDGND, Anne V. D. M. KayemGND, Feng ChengGND, Christoph MeinelORCiDGND |
|---|---|
| DOI: | https://doi.org/10.1109/BDCloud.2018.00137 |
| ISBN: | 978-1-7281-1141-4 |
| ISSN: | 2158-9178 |
| Titel des übergeordneten Werks (Englisch): | IEEE Intl Conf on Parallel & Distributed Processing with Applications, Ubiquitous Computing & Communications, Big Data & Cloud Computing, Social Computing & Networking, Sustainable Computing & Communications (ISPA/IUCC/BDCloud/SocialCom/SustainCom) |
| Verlag: | Institute of Electrical and Electronics Engineers |
| Verlagsort: | Los Alamitos |
| Publikationstyp: | Sonstiges |
| Sprache: | Englisch |
| Datum der Erstveröffentlichung: | 21.03.2018 |
| Erscheinungsjahr: | 2018 |
| Datum der Freischaltung: | 22.02.2022 |
| Freies Schlagwort / Tag: | Application Container Security; Microservices Security; Moving Target Defense; Security Metrics; Security Risk Assessment |
| Seitenanzahl: | 8 |
| Erste Seite: | 932 |
| Letzte Seite: | 939 |
| Organisationseinheiten: | Digital Engineering Fakultät / Hasso-Plattner-Institut für Digital Engineering GmbH |
| DDC-Klassifikation: | 0 Informatik, Informationswissenschaft, allgemeine Werke / 00 Informatik, Wissen, Systeme / 000 Informatik, Informationswissenschaft, allgemeine Werke |
| Peer Review: | Referiert |
