An Efficient Deception Architecture for Cloud-based Virtual Networks

Hussain M J Almohri, Mohammad Qasem

Abstract


Emerging deceptive systems present a new promise for the uprising security problems in cloud-based virtual networks, especially those operated by small and medium enterprises. The main goal of deceptive systems is to form a layer of defensive nodes in an Internet-accessible cloud-based virtual network to distract and deceive malicious clients. While numerous approaches provide distinct models for developing decisive systems,  misery digraphs present a promising decisive model for distracting powerful remote intrusions. Misery digraphs can delay access to targets deep in a cloud-based virtual network. A central challenge to the theory of misery digraphs is verifying their applicability in prominent cloud computing platforms as well as measuring the efficiency of networks that adapt them. Thus, an architecture is needed that can be realized with long-term support technologies and can be deployed for large networks. This work presents and analyzes a high-throughput architecture for misery digraphs, embarking on implementation details and a performance analysis. A full implementation of the architecture in Amazon Web Services imposes modest performance delays in request processing, while highly delaying stealth intrusions in the network.

Keywords


Architecture, Cloud Security, Intrusion Prevention, Web Application Security, Web Services

Full Text:

PDF

References


Lance Alt, Robert Beverly, and Alberto Dainotti. “Uncovering Network Tarpits with Degreaser”. In: Proceedings of the 30th Annual Computer Security Applications Conference. ACSAC ’14. New Orleans, Louisiana, USA: ACM, 2014, pp. 156–165.

Stefan Achleitner, Thomas La Porta, Patrick McDaniel, Shridatt Sugrim, Srikanth V. Krishnamurthy, and Ritu Chadha. “Cyber Deception: Virtual Networks to Defend Insider Reconnaissance”. In: Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats. MIST ’16. Vienna, Austria: ACM, 2016.

Hussain M. J. Almohri, Layne T. Watson, Danfeng Yao, and Xinming Ou. “Security Optimization of Dynamic Networks with Probabilistic Graph Modeling and Linear Programming”. In: IEEE Transactions on Dependable and Secure Computing 13.4 (July 2016).

Jalal S. Alowibdi, Ugo A. Buy, Philip S. Yu, and Leon Stenneth. “Detecting Deception in Online Social Networks”. In: Proceedings of the 2014 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining. ASONAM ’14. Beijing, China: IEEE Press, 2014, pp. 383–390.

H. M. J. Almohri, L. T. Watson, and D. Evans. “Misery Digraphs: Delaying Intrusion Attacks in Obscure Clouds”. In: IEEE Transactions on Information Forensics and Security 13.6 (June 2018), pp. 1361–1375.

G. Badishi, A. Herzberg, and I. Keidar. “Keeping Denial-of-Service Attackers in the Dark”. In: IEEE Transactions on Dependable and Secure Computing 4.3 (July 2007), pp. 191–204.

Brian M. Bowen, Vasileios P. Kemerlis, Pratap Prabhu, Angelos D. Keromytis, and Salvatore J. Stolfo. “Automating the Injection of Believable Decoys to Detect Snooping”. In: Proceedings of the Third ACM Conference on Wireless Network Security. WiSec ’10. Hoboken, New Jersey, USA: ACM, 2010, pp. 81–86.

David Evans, Anh Nguyen-Tuong, and John Knight. “Effectiveness of Moving Target Defenses”. In: Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats. Ed. by Sushil Jajodia, Anup K. Ghosh, Vipin Swarup, Cliff Wang, and X. Sean Wang. New York, NY: Springer New York, 2011, pp. 29–48.

J. B. Hong and D. S. Kim. “Assessing the Effectiveness of Moving Target Defenses Using Security Models”. In: IEEE Transactions on Dependable and Secure Computing 13.2 (Mar. 2016), pp. 163–177.

Xiao Han, Nizar Kheir, and Davide Balzarotti. “Evaluation of Deception-Based Web Attacks Detection”. In: Proceedings of the 2017 Workshop on Moving Target Defense. MTD ’17. Dallas, Texas, USA: ACM, 2017, pp. 65–73.

Jafar Haadi Jafarian, Ehab Al-Shaer, and Qi Duan. “Openflow Random Host Mutation: Transparent Moving Target Defense Using Software Defined Networking”. In: Proceedings of the First Workshop on Hot Topics in Software Defined Networks. HotSDN ’12. Helsinki, Finland: ACM, 2012, pp. 127–132.

Q. Jia, H. Wang, D. Fleck, F. Li, A. Stavrou, and W. Powell. “Catch Me If You Can: A Cloud-Enabled DDoS Defense”. In: 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks. June 2014, pp. 264–275.

Q. Jia, K. Sun, and A. Stavrou. “MOTAG: Moving Target Defense against Internet Denial of Service Attacks”. In: 2013 22nd International Conference on Computer Communication and Networks (ICCCN). July 2013, pp. 1–9.

A. D. Keromytis, V. Misra, and D. Rubenstein. “SOS: an architecture for mitigating DDoS attacks”. In: IEEE Journal on Selected Areas in Communications 22.1 (Jan. 2004), pp. 176–188.

Viliam Lisý, Roie Zivan, Katia Sycara, and Michal Pěchouček. “Deception in Networks of Mobile Sensing Agents”. In: Proceedings of the 9th International Conference on Autonomous Agents and Multiagent Systems: Volume 1. AAMAS ’10. Toronto, Canada: International Foundation for Autonomous Agents and Multiagent Systems, 2010, pp. 1031–1038.

Patrick P. C. Lee, Vishal Misra, and Dan Rubenstein. “Distributed Algorithms for Secure Multipath Routing in Attack-resistant Networks”. In: IEEE/ACM Trans. Netw. 15.6 (Dec. 2007), pp. 1490–1501.

William G. Morein, Angelos Stavrou, Debra L. Cook, Angelos D. Keromytis, Vishal Misra, and Dan Rubenstein. “Using Graphic Turing Tests to Counter Automated DDoS Attacks Against Web Servers”. In: Proceedings of the 10th ACM Conference on Computer and Communications Security. CCS ’03. Washington D.C., USA: ACM, 2003,

pp. 8–19.

Erik Miehling, Mohammad Rasouli, and Demosthenis Teneketzis. “Optimal Defense Policies for Partially Observable Spreading Processes on Bayesian Attack Graphs”. In: Proceedings of the Second ACM Workshop on Moving Target Defense. MTD ’15. Denver, Colorado, USA: ACM, 2015, pp. 67–76.

Partha Pal, Nathaniel Soule, Nate Lageman, Shane S. Clark, Marco Carvalho, Adrian Granados, and Anthony Alves. “Adaptive Resource Management Enabling Deception (ARMED)”. In: Proceedings of the 12th International Conference on Availability, Reliability and Security. ARES ’17. Reggio Calabria, Italy: ACM, 2017, 52:1–52:8.

T. Shu, M. Krunz, and S. Liu. “Secure Data Collection in Wireless Sensor Networks Using Randomized Dispersive Routes”. In: IEEE Transactions on Mobile Computing 9.7 (July 2010), pp. 941–954.

Lance Spitzner. “The Honeynet Project: Trapping the Hackers”. In: IEEE Security and Privacy 1.2 (Mar. 2003), pp. 15–23.

Angelos Stavrou, Angelos D. Keromytis, Jason Nieh, Vishal Misra, and Dan Rubenstein. “MOVE: An End-to-End Solution to Network Denial of Service”. In: Proceedings of the Network and Distributed System Security Symposium, NDSS 2005, San Diego, California, USA. 2005.

Marc Ph. Stoecklin, Jialong Zhang, Frederico Araujo, and Teryl Taylor. “Dressed Up: Baiting Attackers Through

Endpoint Service Projection”. In: Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization. SDN-NFV Sec’18. Tempe, AZ, USA: ACM, 2018, pp. 23–28.


Refbacks

  • There are currently no refbacks.


Copyright (c) 2019 Hussain M J Almohri, Mohammad Qasem

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.