Peer-reviewed article

Virtualisation security risk assessment for enterprise cloud services based on stochastic game nets model

2017; Institution of Engineering and Technology; Volume: 12; Issue: 1; Language: English

10.1049/iet-ifs.2017.0038

ISSN

1751-8717

Authors

Junjie Lv, Juling Rong

Topic(s)

Blockchain Technology Applications and Security

Summary

IET Information Security, Volume 12, Issue 1, p. 7-14. Research Article.

Junjie Lv, Business School, Beijing Technology and Business University, Beijing, People's Republic of China
Juling Rong (corresponding author, juling1223@126.com), Business School, Beijing Technology and Business University, Beijing, People's Republic of China

First published: 01 January 2018. https://doi.org/10.1049/iet-ifs.2017.0038

Abstract

Resource virtualisation is a prominent characteristic of cloud services, and it determines the resource utilisation efficiency and service quality. However, the virtualisation security issues also have a significant impact on the safety of cloud services. The security of virtualisation in cloud services is so complicated that current security risk assessment methods generally have some limitations when applied to cloud services.
In this work, a security risk assessment model using stochastic game nets is proposed for cloud services as a solution to this problem. Based on graphical tools, the virtualisation security risk scenario of cloud services can be described clearly, and virtualisation security risk factors can be evaluated accurately. The analysis results proved that this method has a powerful ability to simulate complicated and dynamic security issues in cloud services. Furthermore, our results can be used to help the cloud provider or tenant of the cloud service system take corresponding measures to mitigate the risk.

1 Introduction

As a new kind of servicing model, cloud services provide all users with scalable computing applications, storage and platforms through the Internet. Nowadays the number of cloud-adopting enterprises is increasing rapidly because, by tapping into cloud services, they can dramatically boost their infrastructure resources or gain fast access to business applications at negligible cost. According to NIST, the cloud services model comprises five characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service [1]. These competitive characteristics are attributable to the introduction of virtual technology and the distributed networking of the cloud. Virtualisation is one of the most important technologies that give cloud services ease of use, convenience, flexibility and minimal management for the users. Virtualisation can help enterprises optimise their application performance in a cost-effective manner, but in the meantime, some major security issues in cloud services occur due to its virtualised setting. Under virtualisation technology, hardware and software resources such as CPU, memory, storage and network are allocated and provided to multiple tenants in the environment of cloud services.
However, the virtualisation environment is complex and has some bugs or vulnerabilities which are considerable attack surfaces for cloud services security. The applications of clients run on virtual machines (VMs) residing on virtualised cloud computing infrastructure. Since VMs are not permitted to access the underlying physical hardware directly, VMs are managed, monitored and isolated from each other by a virtual machine manager (VMM) or hypervisor [2]. Sharing resources is the primary benefit that virtualisation brings, but if not carefully deployed, this benefit will be a threat to cloud services. Furthermore, hypervisors have security weaknesses: if an attacker gains access to the hypervisor, the cloud service system would be at risk and all the VMs running on the hypervisor would be compromised [3, 4]. Each of the above vulnerabilities would, to a certain degree, be a source of insecurity in the cloud services system; therefore, it is necessary to analyse the risk scenario to find the vulnerabilities. Supposing cloud services are secure, users must have a good estimation of the safety of the service in order to obtain relative confidence and make appropriate decisions about how to redefine new security policies.

This paper aims to investigate security risk factors brought about by virtualisation and constructs an abstract model that simulates the virtualisation risk scenario and quantitatively evaluates risks based on stochastic game nets (SGN). The main contributions are summarised as follows:

This study extends the utilisation of SGN to cloud services security risk assessment due to its quantitative and graphical characteristics.
A model is built to simulate risk scenarios of virtualisation for cloud services. Note that attackers' and defenders' activities are implicitly considered in the model.
Virtualisation security risks in the cloud services system are evaluated using SGN, helping cloud clients determine which security measures should be taken.
This paper is organised as follows. In Section 2, the related work on virtualisation security risks of cloud services is discussed. In Section 3, the topology network scenario of virtualisation security risks for cloud services is depicted and the SGN is briefly introduced. In addition, how the method can be used to assess risks in cloud services is illustrated. Section 4 gives the result analysis. Section 5 presents our conclusions and future work.

2 Related work

In this section, related works are analysed from three aspects. First, a literature review about virtualisation security risk is presented. Then the methods that are applied to assess security risks of cloud services are summarised. Finally, the useful ideas, results and hints, and also the limitations of the existing methods, are discussed.

Cloud services provide virtualised resources to customers through the Internet [5]. Customers' processes are executed in a virtualised environment that utilises the physical resources in turn [6]. Multiple virtual processes of various users are allocated to the same physical machines and are segregated logically. This gives rise to a multi-tenant environment in the cloud [7]. There are various studies in the literature discussing virtualisation security issues of cloud services. Chen et al. [8] and Zhang et al. [9] presented that traditional virtual machine monitors and operating systems cannot handle the threat of virus infection. Especially when virtualisation is implemented for a storage area network, security threats like Trojans, viruses and malicious code are most likely to be transferred across the storage area network, because every host is required to install a virtualisation client to provide a uniform platform and communication between operating systems, making it vulnerable to infiltration by malicious software, viruses and Trojans.
Popek and Goldberg [10] reviewed the general threats that are unique to the virtualisation environment, including attacks between VMs, attacks between VMs and the VMM, VM escape, virtual machines controlled by the host machine, denial of service and VM sprawl. However, some threats can be avoided or mitigated by an organised virtualisation security framework. Moreover, the study in [11] presented that virtual system security consists of three layers. The first is the physical resource layer. The second is the VMM layer, which protects the normal operation of VMs and is heavily equipped with security mechanisms. The top layer is the VMs, which provide virtualisation services to consumers. Due to inappropriate security mechanisms used for the virtualisation system in cloud services, there are several security gaps that could be exploited by inside or outside malicious attackers [12]. The attack actions can take place on account of three major vulnerabilities identified in hypervisors: VM hopping, VM escape and VM mobility [4, 11].

Efficient security risk analysis lays the foundation for virtualisation security risk assessment and management in cloud services, so risk assessment is also a key challenge for cloud services. To solve these problems, researchers have proposed several methods and techniques, but most of this research focuses on static risk assessment. Peiyu and Dong proposed a three-layered risk assessment model using the analytic hierarchy process (AHP) in [13]. The authors in [14] presented a semi-quantitative method to evaluate risk for cloud computing. In IT security, the essence of the risk is the game between attacker and defender. The methods which these researchers used are relatively qualitative, and the effects of persons' rational behaviours are not considered. Yet attackers and defenders act interactively in the cloud service scenario. Therefore, game theory is introduced to the field of modelling and analysing the security of cloud services.
In Evrim and Ibrahim's work, a scalable risk assessment model has been proposed for cloud computing as a solution to this problem using game theory. Using this method, they evaluate the risk in the system [15]. Game theory offers a solid mathematical foundation for the analysis of interactive behaviours in the cloud service scenario. It has been applied to capture strategy behaviours mathematically in the field of theoretical analysis. However, it mainly concerns the game between players. In addition, it is limited in describing the risk process directly in a graphical scenario, and it is difficult to model the dynamic behaviours of players in cloud services. It is important to find a visualised tool that fits the features of cloud computing security.

In previous research findings, a mathematical and graphical modelling framework, based on SGN, is presented to describe and analyse specific events and behaviours in some kinds of networks, like enterprise networks [16]. Based on the graphical tool, stochastic game problems can be described clearly, and the model can be extended easily. This approach can be used to build comprehensive models to simulate the process of a dynamic game. Therefore it is appropriate for investigating complex and dynamic game issues and for computing the Nash equilibrium (NE) and best-response strategies for enterprise cloud services. In SGN, graphical modelling can describe enterprises' cloud services security problems as a game including attackers and defenders, and their behaviours can be represented. Administrators of cloud services can apply the results acquired through simulation to enhance the security and performance of their networks. Given the uncertainty and complexity of cloud services security issues, SGN is suitable for modelling and analysing virtualisation security risk issues for enterprise cloud services due to its quantitative and graphical characteristics.
SGN could open a new avenue to assess security risks in the field of enterprise cloud services.

3 Virtualisation risk assessment for enterprise cloud services using SGN

In this section, the virtualisation network topology is proposed, which marks the attack and defence processes in the cloud service environment. Then the SGN model is utilised to describe the main virtualisation security issues of cloud services. The transitions in our model are derived from the actions of attackers and defenders. Finally, the model parameters for the follow-up risk assessment are given.

3.1 Virtualisation security risk scenario

In the virtual environment of cloud services, physical machines run as a cluster through cooperating hypervisors. There are two kinds of virtualisation server implementations. In the first, a hypervisor is installed on a host operating system and then guest operating systems are installed on that hypervisor. The guest operating system interacts with the hypervisor, the hypervisor interacts with the host operating system, and the host operating system communicates with the hardware. The hypervisor cannot directly communicate with the hardware. The other form is to implement the hypervisor and virtual machine monitor directly on the hardware and then install the guest operating system on that hypervisor. The VMM intercepts all the request information from guest operating systems and provides the necessary response or resources by communicating with the hardware as requested by the virtual machines. The VMM is responsible for isolation and resource management between the virtual machines implemented [17]. In fact, when applications are running in the cloud, a virtual machine, also called a guest operating system, is allocated to customers according to their demands. To analyse the virtualisation security risk of enterprise cloud services, the virtualisation network of cloud services is shown in Fig. 1.
It describes the application of cloud services that includes the web server, hypervisor server, virtual machine, physical machine and management host.

Fig. 1: Cloud services virtualisation network and its security role model

The process of attacks and defences is marked with arrow lines in Fig. 1. The red solid lines represent attack behaviours. The green dotted lines denote defence actions. The line number maps to the behaviour profile on the right of Fig. 1. The action pair represents the automatic or manual recovery activities of the cloud service system when returning to normal conditions after the successful occurrence of an attack process.

3.2 Stochastic game nets

Essentially, in cloud services, security risks are defined as interactions between the attacker and the defence system that is used to protect the target. In this situation, the defence system and the attacker are active players whose outcomes change depending on their interaction with each other. SGN is a quantitative, rational, extensible graphical research approach to simulate the behaviour between two players and to analyse the risk process. Firstly, SGN has enough modelling tools to describe interaction relations for a complex network structure. Secondly, the SGN method can model the dynamic behaviours of participants in computer networks. Besides, the SGN model is easy to update when conditions change. Thirdly, even though the unabridged state space is extremely large, we can study a small subset of states that are relevant to attack and defence scenarios. In addition, it is suitable for quantifying the costs of actions and the associated transition probabilities in practice.

SGN have several elements including places, transitions, arcs and tokens. The places represent states of being in the system, and transitions denote a finite set of transitions in an SGN model. Arcs are lines from places to transitions or reversed.
The tokens, shown by black dots added to a place, represent incidents. Furthermore, parameters are given in the scientific model to ensure the credibility of the simulation results of a complete SGN model. The detailed definition is proposed in [18, 19].

Definition 1. A stochastic game net is represented as the nine-tuple vector SGN = (N, P, T, F, π, λ, R, U, M_0), where

N = {1, 2, …, n} denotes the set of players,
P is a finite set of places,
T = T_1 ∪ T_2 ∪ … ∪ T_n is a finite set of transitions, where T_k is the set of transitions with respect to player k for k ∈ N,
π: T → [0, 1] is a routing policy representing the probability of choosing a particular transition,
F ⊆ I ∪ O is a set of arcs, where I ⊆ (P × T) and O ⊆ (T × P) such that P ∩ T = ∅ and P ∪ T ≠ ∅, where ∅ is the empty set; for convenience, we denote by •x = {y | (y, x) ∈ F} the pre-set of x and, similarly, by x• = {y | (x, y) ∈ F} the post-set of x,
R :T → (,2, …, ) is a reward function for the players taking each transition, where ∈ (−∞, +∞) for i ∈ N,
λ = {λ_1, λ_2, …, λ_w} is a set of transition firing rates in the transition set, where w is the number of transitions,
U is the utility function of players,
M_0 is the initial marking, which denotes the initial state of the players.

In this definition, P is the state set of the game, a token in a place p ∈ P denotes that a player is in that state, and a marking m represents a distribution of the tokens in the SGN. Each token s in a place p ∈ P is related to a reward vector h_p(s) = (h_p^1(s), h_p^2(s), …, h_p^k(s)) as its property, where h_p^k(s) is the reward player k got in the place p for the token s. Each element of T represents a class of possible changes of markings. Such a change of t ∈ T, also called transition firing, consists of removing tokens from a subset of places and adding them to another according to the expressions labelling the arcs.
Furthermore, the firing rule of the SGN needs to be described. A transition t is enabled under a marking M whenever M(p) ≠ ∅, where (p, t) ∈ F, p ∈ P. Players get the reward R(t) = (R_1(t), R_2(t), …, R_k(t)), where R_i(t) denotes the reward obtained by player i, and the reward is recorded in the token h_p(s) if the token is transported into the place p.

Definition 2 (NE). For SGN, a mixed strategy NE is a vector π* = (π_1*, π_2*, …, π_n*) such that:
where k = 1, 2, …, n, and π_k is any alternative mixed strategy of player k except for π_k*.

For an NE π*, no player has an incentive to deviate from its mixed strategy given that the others do not deviate. Moreover, there is no mutual incentive for any of the players to deviate from their equilibrium strategies π_1*, π_2*, …, π_n*. A deviation will mean that some of them will have lowered their optimal expected utility. So, the NE is also known as best responses.

Definition 3. For a two-player game, an NE (π_1*, π_2*) is one which satisfies U_1(π_1*, π_2*) ≥ U_1(π_1, π_2*) and U_2(π_1*, π_2*) ≥ U_2(π_1*, π_2). The utility of player k is U_k(π_1, π_2) = U_k(π, M_0).

Theorem 1. For a stochastic game net SGN = (N, P, T, F, π, λ, R, U, M_0), if the integer n < ∞ and the two sets P and T contain finitely many elements, then there exists a Nash equilibrium under the setting of mixed strategies.

3.3 Security model of virtualisation risk for enterprise cloud services

In the scenario of the virtualisation network, an action pair (one from the attacker and one from the defender) which causes the cloud service system to move from one state to another in a probabilistic manner is proposed as the basis of the virtualisation risk security model for enterprise cloud services. The transitions in our model are described from the viewpoint of attackers and defenders. When a player does nothing, we define this inaction as ∅. From the given actions, the transitions consist of all the actions they can take in all states.
The attack actions can be described as {Scanning, Crack_VM_password, Malicious_registered, Embedded_malicious_code, Stealing_user_information, Run_DOS_virus, Scanning_vulnerability, Buffer_overflow_attack, Capture_VMM_permission, Side_channel_attack, Modify_configuration_information, Control_physical_server, Install_sniffer, Send_false_transfer_instructions, Rootkit_attack}. The action candidates in each state are the whole or a part of the above attack actions. The defence behaviours mainly refer to preventive or restorative measures. The actions of defenders can be described as follows: {Generate_random_passwords, Implement_PW_policy, Implement_registration_audit_strategy, IDS(Intrusion Detect System), Remove_virus, Remove_compromise_account, Shut down_unneccssary_privileges, Install_sniffer_detector, Remove_compromised_sniffer, Enhance_instruction_review, Improve_resources_sharing_measures}.

It is assumed that the defender does not know where and whether the attacker takes actions. In addition, the attacker may have several strategies that the defender does not know. Furthermore, not all of the attack actions can be observed. Some main risk factors of virtualisation security for cloud services are analysed by the SGN model. The transitions are derived from the above actions. The places denote the states after these actions are executed. The attacker model is shown in Fig. 2. The defender model is shown in Fig. 3.

Fig. 2: Attacker's view model

Fig. 3: Defender's view model

In these SGN models, circles denote places. Circles with black dots added represent tokens. Rectangles represent timed transitions, which mean the actions of players; among these, the grey ones denote the attacker's actions and the white ones denote the defender's actions. Black line segments represent immediate transitions, which mean the choices of players. Fig. 2 describes a complete attack process that causes the virtualisation security risks in the cloud service scenario. All the action choices depend on the reward values. In Fig. 3, it is assumed that whenever the defender detects the attack actions, he must adopt the corresponding defence measures.

By combining the two models from the viewpoints of attacker and defender, an SGN model simulating the scenario of virtualisation security risk in cloud services is established. The combination rules are as follows [19]:

Combine the places P that have the same meaning in the SGN models of different players.
Take the computed mixed strategy π as the choice probabilities of the transitions T in the whole model.
Assume the preferences λ for each transition t ∈ T in the SGN, which express the different action abilities.

The SGN combination model is shown in Fig. 4. In the SGN model, the grey transitions denote the attacker's behaviours, and the white ones represent the defender's steps. The SGN model simulates the procedure of the virtualisation security risk taking place in cloud services. Moreover, the SGN model can provide us with quantitative conclusions when given parameters.

Fig. 4: SGN combination model

3.4 Model parameterisation

Security risks are evaluated based on the temporal aspects of the attacker's and defender's actions. To quantify the security risk, parameters are needed for simulating the SGN model to capture the uncertainty in the attacker and defender behaviours. The parameters include the reward value for a successful attack r, the action ability λ and the choice probability π. The action ability λ is assumed based on the difficulty of real attack steps, and the reward value r is reckoned to represent the reward gained by the player when an action finishes. However, the choice probability π is computed corresponding to a Nash equilibrium. For the SGN, by Theorem 1, there exists at least one mixed strategy Nash equilibrium.
Through the work of Wang and Vrieze et al. [16, 18, 20, 21], an NE of a discounted stochastic game can be found by solving a non-linear programming problem as follows:
where are variables for value vectors, and 1 is a unit vector with appropriate dimensions, is the vector and the state transition probability matrix included by the strategy pair is
For players, the global minimum of this non-linear programme represents the optimal conditions required, and its solution (u_1*, u_2*, π_1*, π_2*) corresponds to a Nash equilibrium of the game. The SGN model parameters are given in Tables 1 and 2 [18-20, 22-25].

Table 1. Parameters of the attack actions in combination model

| Transition | Meaning | r | λ | π |
|---|---|---|---|---|
| T1 | Scan_Vulnerability | 10 | 2 | 0.8 |
| T2 | Crack_Password | 15 | 1 | 0.13332 |
| T3 | Malicious_Registrations | 10 | 3 | 0.11669 |
| T4 | Rootkit_Attack | 60 | 0.5 | 0.20835 |
| T5 | User_Login | 0 | 5 | 0.9 |
| T6 | Steal_Information | 30 | 2 | 0.075 |
| T7 | Run_DOS_virus | 20 | 1.5 | 0.2 |
| T8 | Scan_Vulnerability | 10 | 2 | 0.9 |
| T9 | Side_Channel_Attack | 15 | 2 | 0.3 |
| T10 | Steal_Information | 30 | 2 | 0.5 |
| T11 | Buffer_Overflow_Attack | 60 | 1.5 | 0.18432 |
| T12 | Parameter_Tampering | 50 | 0.5 | 0.15 |
| T13 | Install_Sniffer | 20 | 2 | 0.2 |
| T14 | Transfer_data_Spoofing | 20 | 1 | 0.25 |
| T15 | Steal_Information | 30 | 2 | 0.4 |

Table 2. Parameters of the defence actions in combination model

| Transition | Meaning | r | λ | π |
|---|---|---|---|---|
| T16 | Encrypt_Password | −15 | 0.5 | 0.4 |
| T17 | Strength_Registration_Audit | −10 | 2 | 0.35 |
| T18 | Secure_shell | −30 | 1.5 | 0.25 |
| T19 | IDs_Scan | −10 | 1 | 0.1125 |
| T20 | Remove_compromise_account | −20 | 1.5 | 0.0405 |
| T21 | Install_Virtual_Firewalls | −15 | 1 | 0.35 |
| T22 | Shut_unnecessary_Priviledge_program | −50 | 1.5 | 0.525 |
| T23 | Remove_Malware | −10 | 1 | 0.05 |
| T24 | Shut_unnecessary_Priviledge_program | −60 | 1.5 | 0.2 |
| T25 | Install_Sniffer_detector | −20 | 1 | 0.35 |
| T26 | Remove_Sniffer | −20 | 2 | 0.2 |
| T27 | Perform_Instructions_Validation | −20 | 0.5 | 0.15 |

The parameters r, λ and π of the transitions are given in Tables 1 and 2, where r is the reward, representing financial gain and loss, λ is the action ability and π is the choice probability.
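To make the roles of r, λ and π concrete, the following added example (not code from the paper) plays the token game on a five-transition fragment and computes where the token ends up, how long that takes on average, and the reward each player accumulates. The r, λ and π values are those of T2, T3, T6, T16 and T20 in Tables 1 and 2. The place names, the arcs between them, the single-token marking and the normalisation of π over the transitions enabled at a place are assumptions made for this illustration, since the net of Fig. 4 is not reproduced here.

```python
from collections import namedtuple

# One timed transition: owner is the player, src/dst are its input and output
# places, r the reward, lam the firing rate (action ability), pi the choice weight.
Transition = namedtuple("Transition", "name owner src dst r lam pi")

# r, lam and pi come from Tables 1 and 2. The places and the arcs between them
# are CONSTRUCTED for this example; they are not the net of Fig. 4.
NET = [
    Transition("T2_Crack_Password", "attacker", "Start", "VM_Access", 15, 1.0, 0.13332),
    Transition("T3_Malicious_Registrations", "attacker", "Start", "VM_Access", 10, 3.0, 0.11669),
    Transition("T16_Encrypt_Password", "defender", "Start", "Path_Closed", -15, 0.5, 0.4),
    Transition("T6_Steal_Information", "attacker", "VM_Access", "Info_Stolen", 30, 2.0, 0.075),
    Transition("T20_Remove_compromise_account", "defender", "VM_Access", "Start", -20, 1.5, 0.0405),
]


def enabled(net, place):
    """Firing rule for a single token: t is enabled when its input place is marked."""
    return [t for t in net if t.src == place]


def routing(net, place):
    """Choice probabilities at a place: pi normalised over the enabled transitions
    (an assumption of this example, in the style of immediate-transition weights)."""
    candidates = enabled(net, place)
    total = sum(t.pi for t in candidates)
    return [(t, t.pi / total) for t in candidates]


def analyse(net, start, tol=1e-12, max_sweeps=100_000):
    """Return (probability of ending in each final place, mean time until the
    token stops, mean accumulated reward per player) for a token at `start`."""
    places = {t.src for t in net} | {t.dst for t in net}
    final = sorted(p for p in places if not enabled(net, p))
    players = sorted({t.owner for t in net})
    hit = {p: {f: float(p == f) for f in final} for p in places}
    time = dict.fromkeys(places, 0.0)
    gain = {p: dict.fromkeys(players, 0.0) for p in places}
    # Fixed-point iteration on the first-step equations of the token game.
    for _ in range(max_sweeps):
        delta = 0.0
        for p in places.difference(final):
            moves = routing(net, p)
            h = {f: sum(q * hit[t.dst][f] for t, q in moves) for f in final}
            # The chosen action takes 1/lam on average, then the token moves on.
            d = sum(q * (1.0 / t.lam + time[t.dst]) for t, q in moves)
            # A firing pays r to the player that owns the transition.
            g = {k: sum(q * (t.r * (t.owner == k) + gain[t.dst][k]) for t, q in moves)
                 for k in players}
            delta = max([delta, abs(d - time[p])]
                        + [abs(h[f] - hit[p][f]) for f in final]
                        + [abs(g[k] - gain[p][k]) for k in players])
            hit[p], time[p], gain[p] = h, d, g
        if delta < tol:
            break
    return hit[start], time[start], gain[start]


if __name__ == "__main__":
    hit, mean_time, gain = analyse(NET, "Start")
    print("P(final place):", {p: round(v, 4) for p, v in hit.items()})
    print("mean time:", round(mean_time, 4))
    print("mean reward:", {k: round(v, 3) for k, v in gain.items()})
```

Raising the π or λ of a defender transition in `NET` and re-running shows directly how a stronger or faster countermeasure shifts the probability mass away from the attacker's target place.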
4 Security risk assessment

The attacks can take place and cause security issues due to four major vulnerabilities (denial of service, VM hopping, VM escape and VM mobility) identified in the virtualisation scenario in cloud services. Therefore, the virtualisation security risk is analysed from four aspects: the risk of denial of service, the VM hopping risk, the VM escape risk and the VM mobility risk. In this section, the four security risk factors are compared using the following three indicators, and the virtualisation security risk in cloud services is analysed further. Firstly, the probability of a successful attack also refers to the probability of occurrence of the risk. Secondly, the mean time for a successful attack describes the difficulty of the attack or risk. Finally, the loss ratio denotes the economic loss brought by the occurrence of the risk.

4.1 The probability of occurrence of risk

The probability of occurrence of risk refers to the probability that the attackers complete a successful attack. The initial position contains a token, and the targets of attack have four possible states, as shown in Fig. 4. If a target contains a token, the attack is considered to be a successful one, which means the corresponding risk has been generated. Hence, the probability of a successful attack can be computed according to the following formula:
(1)
As shown in (1), Ps and Pe denote the probability of a successful attack and the probability that the targets are empty, respectively. The probability that the targets are empty can be calculated through the software package stochastic petri net package. The variation of the probability of a successful attack, or risk, over time is depicted in Fig. 5.

Fig. 5: The probability of occurrence of virtualisation risk factors in cloud services. (a) The probability of four virtualisation risk factors, (b) The probability of VM escape risk changes with different rate

Fig. 5 shows the difference and variations of the probability of virtualisation risk factors in cloud services with the system time; the probability of occurrence of the four risk factors is shown in Fig. 5a. They grow rapidly at first, and then gradually become stable. For the VM escape risk, the probability grows more rapidly and has a higher steady state compared with the other three risk factors of virtualisation in cloud services. Therefore, the VM escape risk is taken as the example to study the probability of occurrence of the risk when the arrival rate of attack (λ) is different. The trend lines are illustrated in Fig. 5b. Fig. 5b demonstrates the variation of the probability of VM escape risk with the system time when the arrival rate of attack ranges from 0.2 to 10. The faster the arrival rate of attack, the higher the curve peak. However, the probability at the steady state basically holds the line. This indicates that the probability of occurrence of VM escape risk has nothing to do with the arrival rate of attack.

4.2 Mean time for a successful attack

The attacker must spend some time to pass an attack phase of an attack path and to gain a new privilege. This time can be suitably modelled as an indicator that describes the difficulty of the attack. In this paper, the indicator of the mean time of a successful attack is defined as the average time to complete the whole process of attack. Each target could be reached by diverse attack paths, and one attack path would contain several transitions. Hence, the mean time of a successful attack (t) can be calculated according to the following formulas:
(2)
(3)
where n and m denote the number of attack paths and transitions in an attack path. TH and T represent the throughput and response time of a transition, respectively, and k stands for the number of transitions. The variation of the mean time of a successful attack over time is depicted in Fig. 6.

Fig. 6: Mean time for a successful attack versus system time

Fig. 6 illustrates the ascending trend of the mean time for all virtualisation risk factors in cloud services. The mean time of VM migration attack is slightly longer than that of the others. Moreover, the mean time for each risk factor reaches a steady state after a period of time.

4.3 Loss ratio for each security risk

One of the most common indicators to assess the risk is the loss ratio. The loss ratio represents the expected asset value loss due to a risk over time. The loss ratio for each security risk can be calculated according to the following formula:
