|
Almost every organization depends on cloud-based services. The backend of cloud-based services are designed for multiple tenants and reside in data centers spread across multiple physical locations. Network security and security management are major hurdles in such a complex, shared environment. This research investigates mitigating the security challenges by taking a moving target defense (MTD) approach. Continually adjusting the system resources such as the topology of the data center, bandwidth allocation and traffic flow policies makes it difficult for attackers to compromise the system. New evaluations methods will be developed to ensure that these MTD mechanisms work properly in practice. The outcome of this research is to have cloud services that are more secure and resilient to attacks. This research is a collaborative effort conducted by researchers from three different universities, Arizona State University, Duke University, and the University of Missouri-Kansas City. Graduate students will be trained to serve the growing need for educating professionals in cyber security. The results of the proposed research will be incorporated into several courses taught at the respective institutions.
The MTD approach in a multi-location, multi-tenant data center environment requires a complex level of coordination. This research investigates defense mechanisms in the data center's virtual networking environment based on programmable networking solutions so that proactive attack countermeasures can be deployed with considerations of the system resource consumption, software bugs/vulnerabilities, effectiveness of countermeasures, and impact on consumers running applications. The research outcomes can be employed for applications that require security situation-awareness variables accurately predicted at a very fine grain resolution, from a few milliseconds to a few seconds. This introduces additional challenges, namely, developing new performance models for networking, data collection, big data-enabled security processing, and control. To address these challenges, this project has two interdependent fundamental research thrusts: (a) investigate a dynamic and adaptive defensive framework at both networking and software levels; and (b) deploy an adaptive security-enabled traffic engineering approach to select optimal countermeasures by considering the effectiveness of countermeasures and network bandwidth allocations while minimizing the intrusiveness to the applications and the cost of deploying the countermeasures. The outcomes of this project will include a set of software APIs and tools to integrate the measurement system and analytical models in a transition to practice effort.
|
TWC: TTP Option: Small: Collaborative: SRN: On Establishing Secure and Resilient Networking Services