A Cyber Risk Based Moving Target Defense Mechanism for Microservice Architectures

Title: A Cyber Risk Based Moving Target Defense Mechanism for Microservice Architectures
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Torkura, Kennedy A.; Sukmana, Muhammad I.H.; Kayem, Anne V.D.M.; Cheng, Feng; Meinel, Christoph
Conference Name: 2018 IEEE Intl Conf on Parallel Distributed Processing with Applications, Ubiquitous Computing Communications, Big Data Cloud Computing, Social Computing Networking, Sustainable Computing Communications (ISPA/IUCC/BDCloud/SocialCom/SustainCom)
Date Published: Dec
Keywords: Application Container Security, automatic code generation techniques, business capabilities, business data processing, compiler security, compositionality, cyber risk, diversification index, economics-of-scale incentives, Indexes, Logic gates, Measurement, Metrics, microservice architectures structure, microservices attack surfaces, Microservices Security, moving target defense, moving target defense mechanism, MSA, multistep attacks, program compilers, pubcrawl, Resiliency, risk analysis, Scalability, security, security metrics, security of data, security risk assessment, security risk-oriented software diversification, Software, software architecture, Transforms
Abstract: Microservice Architectures (MSA) structure applications as a collection of loosely coupled services that implement business capabilities. The key advantages of MSA include inherent support for continuous deployment of large, complex applications, agility and enhanced productivity. However, studies indicate that most MSA are homogeneous and therefore introduce shared vulnerabilities: a single weakness recurs across many services, making the architecture vulnerable to multi-step attacks and giving attackers an economies-of-scale incentive. In this paper, we address the issue of shared vulnerabilities in microservices with a novel solution based on the concept of Moving Target Defenses (MTD). Our mechanism works by performing risk analysis against microservices to detect and prioritize vulnerabilities. Thereafter, security risk-oriented software diversification is employed, guided by a defined diversification index. The diversification is performed at runtime, leveraging both model-based and template-based automatic code generation techniques to automatically transform the programming languages and container images of the microservices. Consequently, the microservices' attack surfaces are altered, introducing uncertainty for attackers while reducing the attackability of the microservices. Our experiments demonstrate the efficiency of our solution, with an average attack surface randomization success rate of over 70%.
DOI: 10.1109/BDCloud.2018.00137
Citation Key: torkura_cyber_2018